eBay Vulnerability Exposes Users to Data Theft and Phishing Attacks

The eBay site is used by millions of people and, as a result, enjoys a high level of trust among the users who buy and sell countless items on it each day. Imagine, then, how lucrative a target this massive user base could be for an attacker. Check Point’s security researchers have found just such a vulnerability in eBay, one that allows malicious users to bypass the code validation that is in place and execute malicious JavaScript in the browsers of targeted users.

Check Point warn that leaving the flaw unpatched will expose the online marketplace’s huge userbase to the risk of data theft and phishing attacks while eBay believes that the actual risk of a malicious attack is very low. eBay was made aware of the vulnerability on December 15th, but they are yet to issue a complete patch for the weakness, instead claiming to have implemented additional security filters based on the report to reduce the risk.

eBay told Security Week “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

One of the ways an attacker could target eBay users is by first sending them to a legitimate page that contains the malicious code. By setting up an eBay store and adding malicious code to the description section of items, an attacker can trick users into visiting pages containing harmful code. Once the page is opened, this code could do a number of things, from phishing for data to downloading binaries to the computer or device. eBay reports that as few as two in a million items listed on its site use active content, making the chance of encountering malicious content low. Despite this, Check Point stated that it demonstrated a proof-of-concept for the attack to the eBay security team, bypassing the restrictions and deploying malicious code to its seller page without any difficulty.
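The store-description field described above is seller-controlled HTML that is rendered to other users, which is the classic stored cross-site-scripting shape. The defensive design is an allowlist sanitizer: keep only known-harmless tags and attributes and drop everything else, rather than a blocklist of "bad" patterns that a validation bypass can slip past. The following is an added example written for this article, not eBay's or Check Point's code; the allowed tag and attribute sets, the `sanitize_listing_html` function name and the sample listing are all constructed for illustration.

```python
"""Allowlist sanitizer for seller-supplied listing HTML (added example).

Assumptions (not from the article): the allowed tag/attribute sets below,
the function names, and the constructed SAMPLE_LISTING input.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Only these tags survive; anything else (script, iframe, svg, ...) is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "ul", "ol", "li", "br", "a", "img"}
# Per-tag attribute allowlist; event handlers (onerror, onclick, ...) never qualify.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
# URL-bearing attributes must carry an explicit http/https scheme. This also
# rejects relative paths, a deliberate simplification for the example.
ALLOWED_URL_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    """True only for absolute http(s) URLs; blocks javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in ALLOWED_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.dropped = []    # audit trail of what was removed, for logging/alerting
        self._skip_depth = 0  # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value or ""):
                self.dropped.append(f"url:{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so "&lt;3" in the input stays inert.
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize_listing_html(raw):
    """Return (sanitized_html, dropped_items) for a seller-supplied description."""
    parser = _Sanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample listing mixing legitimate markup with the kinds of
# active content a malicious seller would try to smuggle in.
SAMPLE_LISTING = (
    '<p>Vintage camera, <b>mint</b> condition.</p>'
    '<img src="https://img.example/cam.jpg" alt="camera" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click for a deal</a>'
    '<script>alert(1)</script>'
    '<p onclick="alert(1)">Ships worldwide &lt;3</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_listing_html(SAMPLE_LISTING)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part worth wiring into monitoring: a seller whose descriptions repeatedly shed `tag:script` or `url:a@href` entries is exactly the account a marketplace would want to review, and the count of such listings is a direct measure of the "active content" rate eBay quotes above.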

The finding was made public by Check Point on Tuesday, in the hope that it may push the e-commerce site to patch the vulnerability quickly. This is a good example of how even the sites that seem the most trustworthy can hide potential danger. Until a patch is released, taking care when using eBay may just be the best bet.

Stolen User Data Sells for as Little as $1 on the Dark Web

Online data breaches and stolen user details are becoming a sad reality of life on the internet. Whether it’s the infamous Ashley Madison hack or a phishing attack, it’s tough to stop your information from falling into the wrong hands. You might be surprised, however, how much your personal data is worth. According to a new report from Trend Micro, entitled “Understanding Data Breaches”, user data is being sold on for as little as one dollar on the dark web.

Trend Micro also found, thanks to the Privacy Rights Clearinghouse Data Breaches database, that only 25% of data breaches between 2005 and 2015 were due to online hacks. The most common breaches are inside jobs, committed by employees of a company, as well as device skimming and physical theft of laptops, flash drives, and mobile devices.

Credit and debit card details are still being most effectively gathered via skimmers or cameras connected to an ATM or point-of-sale terminals, or by hardware keyloggers on cash registers, rather than by online methods.

Much of this stolen data is then sold on through the dark web, with bank details fetching up to $500 per account, PayPal and eBay accounts going for around $300, while US mobile accounts can go for as little as $14. Personally identifiable information (PII) – name, address, date of birth, and social security/national insurance number – sells for $1 per line, which means that the tiny sum of $4 can effectively buy a person’s identity. Bump that fee up to $25, and a full credit report on that person is yours.

Thank you ZDNet for providing us with this information.

Image courtesy of WIRED.

Hackers Took Up Residence Inside Government PC for a Year!

I recently wrote an article that looked at the cyber attack and subsequent theft of data on 4.2 million American federal employees, which was transferred from the Office of Personnel Management to an external source. At the time it seemed to be a well-orchestrated, planned attack that granted criminals access to a government network for a brief period of time. The word “brief” is now very much redundant, as new information has come to light.

According to new information, the Personnel Management’s security-clearance computer system, which is slightly different from the personnel database, was first breached in June 2014. This effectively means that hackers had access to a sensitive system for at least a year. Hackers had access to the personnel database for four months before this intrusion was detected. The confirmation came from Stewart Baker, a former National Security Agency general counsel. There is also strong speculation that these hacks originated from China, which, if true, means this is one of the most sensitive pieces of information to be reached by state-sponsored hackers. If these virtual intruders stayed any longer, officials would be asking them to pay rent.

There lie the murky layers of state-organized crime: if true, China will deny responsibility, but as we all know, China has farmed hacking and infiltration out to factory-style hackers who are still on the payroll, and the Chinese government can deny this as it was not directly them.

Perhaps it’s time for the US government to invest in protecting its citizens rather than placing them under virtual surveillance. If this information leakage continues, private citizens will find themselves virtually held in a different country.

Thank You The Washington Post for providing us with this information

Image courtesy of huffingtonpost

Retailers Must Invest in New Security Procedures, or Major Breaches Could Accelerate

Companies struggle greatly to try to keep their networks safe, including ensuring employee and customer data remains secure.  Major retailers are suffering data breaches that often lead to stolen customer debit and credit card data taken by hackers.

Popular retailer Target was compromised late last year and 40 million customers were affected – and the company has reportedly spent more than $145 million in expenses stemming from the incident.  Target’s sales temporarily dropped, customers were wary of continuing to shop there, and it has been an overall public relations nightmare.

Home Depot recently confirmed a breach with up to 56 million potentially affected customers, with some stolen data posted in online cybercriminal forums.  It’s too early to tell what type of financial damage the company will suffer, but Home Depot will deal with the same type of backlash Target did.

Here is what Joe Caruso, Global Digital Forensics CEO noted:

“Most people tend to focus on how many credit card numbers were stolen, almost like it’s a way to score a game… but the numbers that should really be seeing the spotlight more are the ones that put dollar signs to the costly aftermath of a successful breach.”

Companies sometimes fail to even install antivirus and anti-malware technology, and then forget to conduct vulnerability assessments.  GDF recommends that companies be aware of what threat vectors could cause them the most problems, along with identifying weak links in the security chain.

Thank you to Global Digital Forensics for providing us with this information

Image courtesy of SoftPedia

UK National Crime Agency Disrupts ‘Shylock’ Malware

Distribution of the “Shylock” malware has been disrupted by the UK National Crime Agency (NCA), in an effort to prevent a growing number of users from being compromised.

The Shylock malware reportedly infected more than 30,000 PCs across the world, with a specific focus on targeting bank accounts of UK residents.  Shylock, which included Shakespeare’s The Merchant of Venice passages hidden within its code, targeted PCs running Microsoft Windows.

The NCA confiscated servers responsible for distributing the malware – and the malware was able to steal banking login credentials.  Shylock could also capture data entered on select websites, and then upload it back to its home servers.

Here is what Andy Archibald, NCA’s National Cyber Crime Unit deputy director, said in a statement announcing the police operation:

“This phase of activity is intended to have a significant effect on the Shylock infrastructure and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime impacting the UK.  We continue to urge everybody to ensure their operating systems and security software are up to date.”

At the very least, security experts recommend users update their PCs and mobile OSes with the latest security updates, along with running anti-virus and anti-malware software.  Also, end-users need to be aware of clever phishing attacks using social engineering to trick them into clicking fraudulent links or downloading malicious programs.

Thank you to The Guardian for providing us with this information

Image courtesy of Getty Images

Cybersecurity Insider Threats Dangerous and Difficult to Defend Against

Cybersecurity experts are already finding it difficult to keep hackers out of their networks, and the risk of insider threats continues to cause additional headaches.  It’s a troubling epidemic because most system and network security controls are designed to keep outsiders from breaching the existing infrastructure, not to catch misuse from within.

To make matters worse, 75 percent of insider crimes are underreported and don’t typically lead to prosecution – a troubling fact given that insider threats normally cost more to combat, according to a US State of Cybercrime study published earlier in the year.

There will be a major effort to try to limit insider threats, with better monitoring services to better track what is being accessed.

Here is what Ron Ross, National Institute of Standards and Technology information risk management leader, said in “Security Agenda”:

“We talk about the geeks inheriting the world.  You got the system admins sitting on top of a treasure trove of gigabytes of classified information and they really have a lot of power out there.  And, it’s going to be really important that we take extraordinary measures where those assets are very critical to make sure one person can’t bring down the entire organization.”

The risk of insider threats is more prominent for governments, financial institutions, and critical infrastructure, security researchers say.  Stolen information is highly valuable on the black market, with cybercriminals interested in selling and trading data.

Thank you to the Information Security Media Group for providing us with information

Image courtesy of Blogs Absolute

UK Government Partners With Open University to Teach Cybersecurity Defense

The UK government has partnered with the Open University and plans to launch a cybersecurity course that will open up classes for future candidates.  The multi-year program will hopefully develop students interested in technology to focus on security, which will help boost UK defenses from foreign attack.

As western governments try to wrap their heads around growing cyberthreats, there is a shortage of skilled security specialists.  Unfortunately, closing that gap has proven to be a difficult and expensive process, while data breaches and cyberattacks continue to be successful.

Here is what Natalie Black, Cabinet Office deputy director of Cyber Defence and Incident Management said:

“A key tenet of the national cybersecurity strategy is developing the cybersecurity skills we need to keep the UK safe and to do that we have to work together, we have to work through industry and academia.  It goes without saying that the government takes cybersecurity incredibly seriously and we’re investing £860m over the course of five years.”

The United States government wants to recruit cybersecurity specialists for the military – but has struggled to find qualified candidates – especially compared to private sector companies willing to open up their checkbooks.  There are similar efforts to partner with universities and private sector companies to help boost education to create future cybersecurity specialists.

Thank you to The Inquirer for providing us with this information

Image courtesy of Wired UK

McAfee Says Mobile Malware Threats on the Rise in 2014

Cybercriminals are finding great success using mobile malware to abuse the features and exploit the vulnerabilities of legitimate apps and services, according to the McAfee Labs Threats Report: June 2014.

Much of the attention focuses on the Google Android mobile operating system, but Apple iOS users are vulnerable to malware and other sophisticated attacks, too.

In addition, a growing number of mobile malware samples target trusted apps and services to which users have granted permissions on smartphones and other devices.  Threats such as Android/BadInst.A, Android/Waller.A, and Android/Balloonpopper.A are increasingly common and can do everything from initiating money transfers to accessing app stores.

Here is what Vincent Weafer, McAfee Labs Senior VP, said in a press statement:

“We tend to trust the names we know on the Internet and risk compromising our safety if it means gaining what we most desire.  The year 2014 has already given us ample evidence that mobile malware developers are playing on these inclinations to manipulate the familiar, legitimate features in the mobile apps and services we recognize and trust.  Developers must become more vigilant with the controls they build into these apps, and users must be more mindful of what permissions they grant.”

McAfee’s “zoo” of mobile malware samples increased a whopping 167 percent year-over-year, with suspicious URLs also rising 19 percent – more than 18 million – during Q1 2014.

Mobile users should run some type of anti-virus software on mobile devices, though security researchers recommend also installing an anti-malware solution.

Thank you to McAfee for providing us with this information

Image courtesy of GSM Nation

Companies Struggle to Defend Against Growing Surge of Cyberattacks

Sophisticated cyberattacks are giving security experts around the world complete fits, indicating how serious the problem continues to be. Custom-created malware and cyberattack strategies are easily found online and used to exploit unsuspecting users on a frequent basis.

Most recently, Domino’s Pizza restaurants in Belgium and France suffered cyberattacks in which hackers stole customer data.  Around 650,000 customer records were affected by the breach, and the hackers demanded a ransom payment, threatening to post the information online otherwise.

Although some companies are stepping up to embrace modern security platforms, the amount of data stored without password-protection and encryption is staggering. A data breach can be costly for companies, but many executives would rather ignore the problem, roll the dice, and hope they aren’t targeted.

If nothing else, it’s clear that companies are struggling in their effort to keep customer and employee data secure from data theft. Once information is stolen and made available on the underground market, it can be hours – or months – before bulk records are sold or traded.

Credit card data, for example, must be distributed quickly, as customers will alert banks to flag stolen data. However, companies that either don’t inform users of a data breach, or are unaware they have been compromised, give cybercriminals better opportunity to get rid of the information at their own leisure.

Thank you Fierce CIO for providing us with this information

GCHQ Wants to Share Cyber Threat Analysis With Private Companies

The GCHQ intelligence agency plans to become more proactive in its fight against cyberattacks, opening up cyber threat intelligence information with private companies. It’s a unique turn of events following former NSA contractor Edward Snowden’s snooping disclosures, which also accused the GCHQ of organized surveillance activities.

To bolster support for the initiative, Cabinet Office minister Francis Maude mentioned how a “state-sponsored” criminal group accessed an account on an intranet government secure network.

Here is what GCHQ said in a statement:

“GCHQ will commit to sharing its classified cyber threat information at scale and pace to help communications service providers protect their customers; starting with suppliers to government networks and then moving on the other sectors of critical national infrastructure.”

The GCHQ hopes to help companies become the first line of security defense against sophisticated cyberattacks – a growing problem, as cybercriminals are becoming increasingly sophisticated when launching attacks. Compromised stolen data is worth big bucks on the underground market, with bulk records from data breaches available for sale.

The UK has seen an uptick of organized attacks from China and Russia, in an effort to steal intellectual property and gain a competitive advantage, which officials are keen to defend.

Thank you to the Engineering and Technology Magazine for providing us with this information

Image courtesy of Wired UK

‘Human Error’ to Blame For 95 Percent of Data Breaches in 2013

Organizations can implement next-generation cybersecurity technologies, but 95 percent of security issues in 2013 were caused by “human error,” according to the IBM Security Services 2014 Cyber Security Intelligence Index.

Companies are struggling to keep employee and customer data secure, and cybercriminals are exploiting these weaknesses.  A major retailer that leaks millions of credit and debit card details could face upwards of £59 million in direct costs, a figure that also includes government fines.

Using custom malware is a popular technique, but phishing attacks are an easy way for criminals to compromise data.  Here is what Nick Bradley, IBM Threat Research Group practice lead said in a recent interview with SC Magazine:

“Protecting yourself or a company from a phishing attack is obviously not an easy task.  If it were, phishing would not be as successful as it is.  User education is a powerful tool… teach your employees that they should not provide personal information to unfamiliar requesters.”

The United States and Germany suffered the highest total average cost following a data breach, while Brazil and India have the lowest total average cost.  In 2013 alone, more than 500 million records of personal information were stolen by criminals, with the information sold online.

In addition to companies, colleges and universities that lose 40,000 or more records might face losses of up to £3.2 million.

Thank you SC Magazine for providing us with this information

Domino’s Pizza Europe Hacked, Criminals Demand Ransom Payment

Domino’s Pizza customers in Belgium and France have been compromised, with more than 600,000 customers affected, and a cash ransom demand issued to the company.  The Rex Mundi hacker group wants £23,890 payment or the stolen information will begin to leak online.

More than 58,000 records were stolen from Domino’s Belgium, with 592,000 customer records stolen from France.  The data taken includes names, email addresses, passwords, and phone numbers, according to Domino’s – company officials said the ransom will not be paid, confirming that financial payment information wasn’t stolen in the breach.

Here is what Rex Mundi said in a statement:

“Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database.  And boy’ did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones.”

The data theft hit independent franchise owners in just Belgium and France, while the incident has been described as an “isolated” occurrence, according to Tim McIntyre, Domino’s Vice President of Communications.  The information was encrypted, but the hackers appear to be well-organized and should be able to decode all stolen data.

The silver lining is that no payment information was taken, but it’s never good when personal customer data is stolen in a breach.

Thank you Daily Mail for providing us with this information.

Image courtesy of memphistanista

Irish Netflix Users Warned of Growing Phishing Security Issues

Netflix users in Ireland have been warned of a phishing scam that asks users to update their payment information or their accounts will be suspended.  There are around 175,000 Irish Netflix users, and it’s unknown how many customers received the phishing email.

If users click on the fraudulent link, they are taken to a dummy page that asks them to enter financial information.

Here is what Ronan Murphy, IT security firm Smarttech.ie, said in a recent statement:

“Phishing scams like the Netflix one prey on people’s tendency to trust the authenticity of a message and the company logo.  Once the criminals carrying out the scam have collected enough information from the unsuspecting victims, they can use it for credit card fraud or identity theft.  As a general rule, one should always be wary of any unsolicited emails or messages looking for your personal information or credit card details, no matter how genuine they look.”

Murphy said users should immediately delete the email – and shouldn’t provide any financial details if they did click the link.  Netflix subscribers with any account questions should contact Netflix directly: 0843 506 9267 or https://www.facebook.com/NetflixUK

Phishing remains a serious threat to Internet users, with security specialists warning everyone to be careful about the emails they open and the links they click, and not to provide any personal or payment information to suspicious websites.  If in doubt, contact the company or bank directly to resolve any problems.

Thank you Irish Times for providing us with this information

Image courtesy of Digital TV Europe

Bank of England Unveils New Framework to Defend Against Cyberattacks

The Bank of England officially launched its CBEST framework to help mitigate the risk of cyberattacks, as criminals continually target banks and other financial institutions.

Using guidelines and threat intelligence from the British government and security providers, CBEST is designed to identify the attacks most likely to be aimed at specific banks.  Those attack strategies are then replicated so banks are able to test their defenses and determine how to reduce risk from future attacks.

In addition, the realistic penetration tests are replicated, with indicators available to assess cybersecurity maturity.  Banks will be able to better understand where and how they are vulnerable – and how IT staff can improve security efforts.

The Digital Shadows UK cyberintelligence company assisted in developing the new testing framework, and it will be monitored and modified as needed.

“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” said Andrew Grace, Bank of England Executive Director, in a statement.  “The results should provide a direct readout on a firm’s capability to withstand cyberattacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”

Financial institutions are a high-profile target, with cyberattacks against them serving as the second largest source of direct loss from cybercrime, according to McAfee’s “Net Losses: Estimating the Global Cost of Cybercrime” report.

Source: Bank of England.