The Week in Breach: 6/04/2018 – 6/10/2018
Breach news to share with your customers!
This week shows no shortage of targeted attacks designed to extract large datasets from a broad range of consumer sites. Travel, finance and entertainment sites were targeted, impacting more than 100,000,000 unsuspecting victims. If anything, this week clearly demonstrates why individuals need to proactively monitor for their compromised data with tools like ID Agent’s SpotLight ID – Personal Identity & Credit Monitoring Solutions. The events of this week also clearly demonstrate why businesses must monitor for compromised credentials that can be used to exploit internal systems and to compromise or takeover customer accounts.
Highlights:
- Leaked credentials from a 3rd party data breach used to exploit 45,000 Transamerica customers
- No Tickets for You! – TicketFly shuts down to identify and fix the source of leak impacting 26M customers
- Booking.com shows that phishing attacks never take a vacation
- Google Groups – taking a page right out of Amazon’s leaky bucket playbook?
In other news…The City of Atlanta’s losing streak continues thanks to ransomware hacks! This time, the city’s evidence chain of custody breached, allowing police evidence to be destroyed – impacting investigations and prosecutions.
https://cyware.com/news/atlanta-ransomware-attack-destroyed-years-of-police-dashcam-footage-potentially-critical-evidence-9e8134ac
Europol has a new team dedicated to cybercrime on the Dark Web, hoping to monitor and mitigate criminal activity. Multiple law enforcement agencies throughout Europe are participating in this team, in addition to some non-European organizations. Keep fighting the good fight!
https://www.welivesecurity.com/2018/06/01/europol-eu-team-fight-dark-web/
Google Groups can’t get its act together when it comes to privacy settings, resulting in accidental disclosure of users’ private documents. If your business uses Google Groups, make sure to set your group to private!
https://www.securityweek.com/thousands-organizations-expose-sensitive-data-google-groups
It looks like there’s more than just gators to watch out for in the sunshine state… Florida named the worse state in consumer cybersecurity.
https://www.darkreading.com/vulnerabilities—threats/survey-shows-florida-at-the-bottom-for-consumer-cybersecurity/d/d-id/1331983
What we’re STILL listening to this week!
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TicketFly
Exploit: Database misconfiguration, hacker doxing/ransoming
Risk to Small Business: High: Demonstrates the impact of database misconfiguration and security controls.
Risk to Exploited Individuals: High: Social engineering and identity theft as a large amount of personal information including names, addresses and phone numbers of customers.
TicketFly: Owned by Eventbrite, TicketFly is a popular site where customers can purchase tickets online for upcoming events and shows.
| Date Occurred Discovered |
|
|
| Date Disclosed | TicketFly made an official statement on June 6, 2018 | |
| Data Compromised | Email addresses
Phone Number Billing Address Home Address |
|
| How it was Compromised | A hacker attempted to contact the company about a vulnerability, demanding 1 Bitcoin as ransom to reveal the weakness. The hacker claims the emails to the company went unanswered so the cybercriminal vandalized the TicketFly site and leaked some of the information acquired to the press. | |
| Customers Impacted | 26 million, and even more if you consider the customers who are unable to buy tickets while the site has been down. | |
| Attribution/Vulnerability | Undisclosed at this time. |
MyHeritage
Exploit: Unsecured/misconfigured data store. Poor data at rest encryption. Poor password encryption.
Risk to Small Business: High: Demonstrates the impact of database misconfiguration, security controls and weak encryption.
Risk to Exploited Individuals: Moderate: Email addresses leaked but DNA/family history data supposedly stored separately.
MyHeritage: Users search historical records and create a family tree using this web-based service from Israel.
| Date Occurred Discovered |
October 26, 2017 | |
| Date Disclosed | June 4, 2018 | |
| Data Compromised |
|
|
| How it was Compromised |
|
|
| Customers Impacted |
|
|
| Attribution/Vulnerability | Unclear, but MyHeritage did not store passwords, instead of storing a one-way hash of each password that has a key unique to each user. All credit card information is located on third party sites and the most sensitive information the website holds such as family tree and DNA data is stored in segregated systems with additional layers of security. |
https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/#
https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million
Transamerica
Exploit: Compromised credentials
Risk to Small Business: High: Demonstrates the need to proactively monitor for compromised credentials from 3rd party data breaches and phishing attack mitigation.
Risk to Exploited Individuals: High: Highly sensitive personal information was stolen and could be used to impersonate an employee; or an outside agent could pose as a relative of an employee to phish for information
Transamerica: This company offers mutual funds, retirement strategies, insurance, and annuities.
| Date Occurred Discovered |
Between March 2017 and January 2018 | |
| Date Disclosed | May 2018 | |
| Data Compromised |
|
|
| How it was Compromised | Third party compromised credentials were used to access user’s account data | |
| Attribution/Vulnerability | Outside actor |
https://cyware.com/news/transamerica-hacked-nearly-45000-retirees-personal-and-sensitive-details-stolen-c2c419f5
https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/
Booking. com
Exploit: Phishing
Risk to Small Business Risk: High: Demonstrates how well-crafted phishing attacks can lead to massive data loss even with strong end-user security awareness training program and security tools in place.
Risk to Exploited Individuals: High: Money was stolen from the individuals who responded to the convincing email, and their stolen personal information could be used again.
Booking. com: A popular site for booking hotels, houses, apartments and boats.
| Date Occurred Discovered |
June 2018 | |
| Date Disclosed | June 3, 2018 | |
| Data Compromised | Names
Addresses Phone Numbers Dates Price of bookings Reference Numbers |
|
| How it was Compromised |
|
|
| Attribution/Vulnerability | Outside actors, deployed through spam email campaign |
https://www.independent.co.uk/travel/news-and-advice/travel-website-hackers-cyber-crime-phishing-holidays-a8382771.html
https://www.thesun.co.uk/money/6437309/hackers-target-booking-steal-thousands/
https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/
PageUp
Exploit: Malware
Risk to Small Business Risk: High: Demonstrates that malware exploits are often very difficult to detect and defend against.
Risk to Exploited Individuals: High: It is unclear what information has been compromised and from which customers of PageUp, but given the nature of the company and the information they store, the risk is serious.
PageUp: A large Australian company that provides HR, career, and recruitment service to large and small businesses around the world.
| Date Occurred Discovered |
May 23, 2018 | |
| Date Disclosed | June 6, 2018 | |
| Data Compromised | Unclear, but passwords were hashed and salted | |
| How it was Compromised |
|
|
| Attribution/Vulnerability | Malware was found on one of PageUp’s IT systems, but how the malware entered the system is still being investigated |
An important takeaway from this week finds its origin in research done by Dr. Michael McGuire, funded by Bromium and titled ‘The Web of Profit’: The unfortunate truth is that crime does pay. Cybercrime produces 1.5 Trillion each year, which rivals Russia’s GDP and would place cybercrime at number 13 in a comparison of the world’s highest gross domestic product. $500 Billion of that can be contributed to intellectual property theft and data trading accounts for $160 Billion.
The scope of cybercrime profits and influence points to the conclusion that it is an economy in and of itself, a conclusion that is supported by the growth of platform criminality. Platform criminality is much like the business models of platform businesses such as Google, Uber, or Amazon that trade in data. Data is a profitable business as demonstrated by these famous companies (or at least two of them), and criminals have taken note.
Using the Dark Web as a means of facilitating transactions, cyber criminals are able to buy and sell anything from data to a day-zero exploit. The main takeaway from looking at how cybercrime has evolved is that cyber criminals are selling crime rather than committing it. Much like how Uber is selling a platform where drivers are paired with passengers, criminals are selling the tools and data needed to commit cybercrimes over ‘back alley’ marketplaces.
The research done by Dr. McGuire also highlights the importance of monitoring the Dark Web for personal information, stating:
“New kinds of software tools are required for uncovering how cybercriminals are using digital technologies for hiding and laundering revenues. One example would be virtualization tools that can generate safe havens, isolated from the internet, where illicit revenue-generating activity can be diverted and neutralized. Another would be more sophisticated scanning tools capable of better tracking and locating items of value across the net – in particular, personal data”(125).
The Dr. also concluded that while Dark Web monitoring is vital to combatting the economy of cybercrime, it is far from an easy task. The difficult nature of monitoring the Dark Web is not just because it is harder to navigate than the traditional web… explains McGuire, it is “because many of the sites only grant access by word of mouth, or on the basis of ratings status and trust, which may take some time to build up” (57). The Dark Web and the economy surrounding it is nothing to take lightly, and ignoring its existence only adds to the ability for cyber criminals to go about their work unscathed. Dark Web ID by ID Agent fulfills this need for Dark Web monitoring, instead of turning a blind eye to the complex and dynamic reality of the cybercrime economy our services dive right in.
https://learn.bromium.com/rprt-web-of-profit.html
https://www.darkreading.com/cloud/cybercrime-is-skyrocketing-as-the-world-goes-digital/a/d-id/1331905
We’re always very excited to see how our Partners are using The Week in Breach to educate their customers! Contact us at [email protected] and let us know!
And if you’re looking to see how Dark Web ID™ can help you protect your customers’ credentials? Learn about ID Agent’s Partner Program now!