Hello! Here we are again at the fourth Gone Phishin' post. Long may it live and prosper! Without further ado, here's the companies (and the leaks, hacks, and attacks) you need to know about this week.
Don't plug in that USB
There's nothing hackers love more than sitting around an open network, throwing another USB on the fire(wall), and regaling others with tales of how they broke into bank accounts and mainframes and stole top-secret information. Yet there's a whole other sector of malicious actors who are literally mailing USB sticks out and making unsuspecting recipients do all the hard work for them. A hacking ring based in the UK has been doing just that recently, and have been mailing USBs falsely labeled as full copies of Office to people, hoping that they'll install the malware onto their computers for free.
Here's the catch: not a lot of people have been dumb enough (sorry, but true) to actually stick one of these things into their computers, but enough people have done so in order to warrant Sky News, MSN, PC World, and other media outlets to write about it. Apparently, one recipient of one of these sticks was the mother of a security consultant who recognized the IRL phishing scheme right away and reported it. Office 2021 costs about $150 last we checked, so although it's tempting to think you're saving some money by doing so, it's better to spend the money on the real thing.
Your takeaway: Not to get graphic, but it's good in terms of cybersecurity to think of your computer as an extension of your body. Would you stick something you were randomly mailed into your body? Probably not.
PayPal? Not your pal
There's a string of people getting fake invoices demanding payment... from PayPal. The invoices are, in all technicality, quite real... yet the purchases they say you (the user) made are entirely false; usually they're for a Walmart gift card (a common "prize" for hackers as gift cards are untraceable). The idea is for someone to get so alarmed that they received one of these that they'll go ahead and call the supplied customer service number. When someone does that, they're directed by the (fake) customer service agent to go to a (real-looking but, you guessed it, fake) website where they're asked to download a program that will infect their computers and ultimately lock them out of their own computers unless they pay a ransom. How rude! Hat tip to Krebsonsecurity for the find.
Your takeaway: See something alarming? Don't get mad - you might lose your cool enough to lose your bank account.
No haga clic en enlaces malos
Spanish and Portuguese speakers take note... there's a group called TA558 speaks your language and is coming after you! Mostly targeting the travel and hospitality industries, this rag-tag group of rogue hackers has been using phishing bait that looks like reservation emails and other travel-related ephemera. The strange part is that unlike most hacker groups they haven't changed their "lure themes" (i.e.; what "phishermen" use to catch you) since the group was first identified in 2018. I guess if it ain't broke, don't fix it. One thing to note about why they're trending is that they've recently hacked into hotels and have been sending out emails disguised as coming from the hotels themselves, and have been successfully able to phish unlucky travelers... as well as the hotel chains. Crazy stuff. Hat tip to Dark Reading for this one and Proofpoint for the data.
Your takeaway: No haga clic en enlaces malos = "don't click bad links." Especially if you're in part of the world where TA558 operate.
Russia targets diplomats
Living where I do in the world (Helsinki) and working in the industry I work in (cybersecurity), I'm fairly aware that if I type anything more spicy than "Here we go again with Cozy Bear" then that'll make me some sort of target of the uber-famous Russian hacking crew, so I'll simply say that they're most likely a bunch of lovely lads who enjoy nothing more than petting dogs, calling their mums every Sunday, and kindly helping old ladies across the street.
That said, they appear to be targeting diplomats and embassies with some very intense phishing campaigns, according to Bleeping Computer. They also seem to be trying to hack into / overwhelm / and ultimately take control of the embassy's cloud services, such as Atlassian, Trello, and others. This affects not just the day-to-day operations of the embassies themselves but also the messages that they could (potentially) send out to the public, which would then put the general public in danger.
Your takeaway: Um, don't work in an embassy for a country that has any issue with Russia right now. If you do, pay very (VERY) close attention to the emails coming from your management. They might not actually be coming from management.
Apple's VPN problem
Oh, boy. Ever used a VPN with an Apple device? Millions do, but it appears that Apple is letting traffic just leak out of the VPNs.
The issue isn't quite "VPNs don't work with Apple" as much as it is that processes that are started before the VPN is turned on will still happen outside of the VPN. You would think that the VPN would just take all the traffic, but apparently on Apple devices it doesn't work this way. According to privacy company Proton, the issue has been known about for more than 2 years and Apple still hasn't done much about it.
This isn't a traditional "data leak" story in as much as it is a "data is leaking" story — this issue could have huge ramifications for certain people who's lives and jobs depend on being able to talk in private.
The primary issue with non-tunneled connections persisting is that they could be unencrypted and that the IP address of the user and what they're connecting to can be seen by ISPs and other parties. "Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," ProtonVPN wrote at the time. That might not be a pressing concern for typical VPN users, but it's notable.
Your takeaway: Don't use VPNs on Apple devices for now. If you do, close all your apps, turn off your phone, turn it back on again, start the VPN, and then do whatever it is you do on a VPN. I'm assuming watching Ken Burns documentaries.
Plex does the right thing
Streaming video company Plex had a big data breach yesterday (August 23rd) and went public with it... today (August 24th). If you're a fan of numbers or even casually acquainted with calendars, you'll see that that's a remarkably short amount of time for a data breach to go public.
In contrast, most companies wait for months before announcing any sort of breach. Take Home Depot's 2014 breach that affected 56 million people; that breach took 6 months to become public.
Your takeaway: Have a think about this. Should this be the new model for reporting data breaches to the public? What do companies have to lose (besides quarterly earnings reports) by reporting breaches quicker? What do they have to gain (besides oodles of public trust)?
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt