22Line Code “Scalpel” to Removes British Airways Customer Data

A couple weeks ago British Airways confirmed that the personal data of 380,000 customers had been stolen.

Magecart Again. Still?

On September 11th the simplicity of this surgical strike was revealed by RiskIQ and the details are pretty amazing. According to RiskIQ the incident, which lasted 15 days, was very similar to the breach of Ticket Master UK earlier in the year. That similarity combined with crawl data allowed them to quickly confirm that the threat actors were one in the same, Magecart.

Magecart is a group of criminals that specialize in web based credit card skimmers. RiskIQ actively monitors 2 billion pages of the world wide web for Magecart activity and Magecart is so active that RiskIQ gets hourly notifications of sites being hacked!

The 22 Line Scalpel

In the case of the British Airways hack, Magecart slightly modified their code so it went unnoticed by the RiskIQ automated crawlers and only after the fact could RiskIQ manually identify their handiwork. It turned out that the 22 lines of javascript shown below is what excised the personal data of 380,000 customers.

The same code also appears to have affected the British Airways mobile app for the same period of time. This is because the app was developed as an empty shell that simply pulled in functionality from the desktop site. While past Magecart attacks grabbed form data indiscriminately, these 22 lines were highly targeted, extracting payment information and sending it off to their own servers.

Konsultek Knows Security

Threat prevention, detection and quarantine are the hallmarks of a robust security solution. If your current approach to network security is a patchwork quilt of boxes and software that has been cobbled together over time it’s probably time to have us perform a comprehensive review. Simply give us a call and we’ll schedule a time to chat. It’s really that easy to get started.

Too Smart to Fall for a Phishing Ruse? Think Again!

Ever wonder how stupid or careless someone has to be to be fooled by a phishing scam? Well, according to research conducted by a group of German experts, virtually anyone can be fooled.

In their study “Unpacking Spear Phishing Susceptibility” the researchers showed that although email  phishing scams get more publicity, Facebook scams would appear to be more effective.

“By a careful design and timing of a message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message’s content and context.”

The Goal of the Study

The researchers, sensing there was a dearth of research related specifically to spear phishing decided to create a study that would fill the gap. They constructed a study that would explore the differences in delivery medium effectiveness (Facebook vs. email) while at the same time quantify the personal motivations that led to people either clicking on the phishing link, or just as importantly, not clicking on the link.

The Phishing Scam

The selected participants were sent a phishing link either as part of an email or a personal Facebook message from fake, non-existing person. The message claiming the link led to pictures from a party.

Facebook Gets 2X Clickthrough Rate

As Table 2 shows, when the same phishing message is presented via Facebook as compared to email individuals are over 2X more likely to click on the link and begin the phishing process.

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

 

Why Did They Click?

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

Why Didn’t They Click?

Just as important to the researcher’s was attempting to understand why people didn’t click. Here is what they found.

Source:  Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

How Can Konsultek Help?

Whenever humans are involved there are going to be errors in judgement and successful phishing. That’s why all of our custom security solutions take a holistic approach to network security using a proven model of intrusion prevention, detection and mitigation. When you are ready to take your network security to the next level, give us a call.

 

Cyber-Espionage Exploding in Education Services Sector

There has been a major shift in the type of breach incident happening in the education services sector according to the Verizon 2017 Data Breach Investigations Report.

Can you spot the shift in the graphic below?

Source: Verizon 2017 DBIR

Cyber-Espionage has exploded since mid-2012! That’s right, because of the cutting-edge research that happens at many colleges and universities they have become a target for state-sponsored hacking.

As Verizon puts it…

“So college isn’t just pizza and tailgates—research studies across myriad disciplines conducted at universities put them in the sights of state-affiliated groups.”

So while of course the personal information of students and faculty were commonly extracted during breaches (a little more than half of all breaches) intellectual property losses were tied to a little more than a quarter of all breaches.

Targeted or Random Acts of Unkindness?

The evidence is clear that state-sponsored hacking and some criminal, profit based hacking is specifically targeting the hallowed halls of our academic institutions.

How do They do it?

Good question. Here is the answer in a graphic from the Verizon report.

Phishing email was the predominant threat vector in the social category while the use of stolen credentials was the dominant hacking technique. One interesting thing to note is the number of incidents involving Social and one or more other vector.

How Would You Like to Get a Threat Vulnerabilty Education for FREE?

At Konsultek we believe an educated client is the best client. That’s why we offer a variety of free vulnerability assessments to help you determine both your risk exposure and the likelihood of that exposure in regards to the veracity of your current security measures. Who would you rather educate you, the good guys at Konsultek or the bad guys out in the wild? Well, what are you waiting for? Pick up the phone and give us a call today so we can get your vulnerability assessment scheduled ASAP!

 

Hacking Insights from Verizon

The 2017 Verizon Data Breach Investigations Report (DBIR) has been released and as always, it is chock full of fascinating facts about the current state of the hacking and cyber threat world. You can get the full report from Verizon for free here.

Who are the Perps?

According to this year’s DBIR the breakdown of who’s been doing the most hacking looks like this:

  • 75% Perpetrated by outsiders
  • 51% Linked to organized criminal groups
  • 25% Involved internal actors
  • 18% Starred state affiliated actors
  • 3% Featured multiple parties
  • 2% Involved partners

How Did They Do it?

  • 62% Of breaches featured hacking
  • 51% Involved Malware
  • 81% Leveraged stolen or weak passwords
  • 43% Were social attacks
  • 14% Were linked to errors or privilege misuse
  • 8% Involve physical actions

The above information is just a sneak peek at a portion of the summary data contained in the 2017 DBIR. Next week we’ll take a deeper dive into what industries were hardest hit and by whom as well as get into specifics of how these industries were attacked.

 

 

 

James Comey and Nigerian Spam

Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey’s email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL  email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <fbidirector@openmailbox.org> 

Jan 18 at 12:37 PM

OFFICE OF THE EXECUTIVE DIRECTOR,

MR. JAMES B. COMEY, JR,

FEDERAL BUREAUOF INVESTIGATION,

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary,After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:

 

NAME: MR. GODWIN EMEFIELE

OFFICE ADDRESS: Central Bank of Nigeria,Central Business District,

Cadastral Zone, Abuja, Federal.

Capital Territory, Nigeria.

Email: central.bnk0015@aol.com

NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer.Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C

E-mail: jjbcomeyjr@aol.com

 

© Copyright 2018 Konsultek