STE WILLIAMS

Much-attacked Baltimore uses ‘mind-bogglingly’ bad data storage

Many staffers in the IT department of the much-hacked US city of Baltimore have been storing files on their computers’ hard drives – as in, they haven’t kept properly backed-up data, stored in the cloud or off-site, an audit has found.

The Baltimore Sun reports that Baltimore City Auditor Josh Pasch, who presented his findings last month to a City Council committee, told the committee that because of (outdated and strongly inadvisable) data backup habits, the city hasn’t been able to provide documentation regarding the IT department’s performance goals, which include modernizing mainframe apps.

Some key personnel kept files on their computers – files that were lost in a May 2019 ransomware attack that reportedly involved a strain of ransomware called RobbinHood. The attack partially paralyzed the city’s computer systems.

The Baltimore Sun quoted Pasch:

Performance measures data were saved electronically in responsible personnel’s hard drives. One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident.

The newspaper quoted an alleged exchange between Pasch and City Councilman Eric T. Costello, a former government IT auditor himself:

Costello: That can’t be right? That’s real?
Pasch: One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it.
Costello: Wow. That’s mind-boggling to me. They’re the agency that should be tasked with educating people that that’s a problem.

After the attack in May, Baltimore Mayor Bernard C. “Jack” Young not only refused to pay, he also sponsored a resolution, unanimously approved by the US Conference of Mayors in June 2019, calling on cities to not pay ransom to cyberattackers.

Baltimore’s budget office has estimated that due to the costs of remediation and system restoration, the ransomware attack will cost the city at least $18.2 million: $10 million on recovery, and $8.2 million in potential loss or delayed revenue, such as that from property taxes, fines or real estate fees.

The RobbinHood attackers had demanded a ransom of 13 Bitcoins – worth about US $100,000 at the time. It may sound like a bargain compared with the estimated cost of not caving to attackers’ demands, but paying a ransom doesn’t ensure that an entity or individual will actually get back their data, nor that the crooks won’t hit up their victim again.

The May attack wasn’t the city’s first; nor was it the first time that its IT systems and practices have been criticized in the wake of attack. The first publicly reported attack against the city came in 2018 when attackers went after Baltimore’s emergency service dispatchers.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
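The backup advice above is only worth anything if the off-site copy can actually be restored, which is the part the Baltimore audit found missing. The following is an added illustration (not code from the article, Sophos or the city) of the backup-then-verify loop: archive a directory, record a SHA-256 of the archive, copy it to a second location standing in for off-site storage, and prove the copy restores byte-for-byte. The directory layout, file contents and the `run_demo` wrapper are constructed for the example.

```python
"""Backup with restore verification (added example; all sample data constructed)."""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Streaming SHA-256 of a file, so large archives don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map relative file path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, local_dir, name="backup.tar.gz"):
    """Archive src_dir locally and return (archive_path, digest_of_archive)."""
    archive = Path(local_dir) / name
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return archive, sha256_file(archive)


def copy_offsite(archive, offsite_dir):
    """Stand-in for shipping the archive off-site; returns the remote path."""
    dest = Path(offsite_dir) / archive.name
    shutil.copy2(archive, dest)
    return dest


def verify_restore(offsite_archive, expected_digest, src_dir):
    """True only if the off-site copy is intact AND restores to the same file set."""
    if sha256_file(offsite_archive) != expected_digest:
        return False  # corrupted or tampered in transit/storage
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(offsite_archive), "r:gz") as tar:
            for member in tar.getmembers():
                parts = Path(member.name).parts
                if Path(member.name).is_absolute() or ".." in parts:
                    raise ValueError(f"unsafe member path: {member.name}")
            # Use the hardened extraction filter where this Python provides it.
            kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kw)
        return tree_digests(restore_dir) == tree_digests(src_dir)


def run_demo():
    """Full cycle on constructed data: returns (verified_ok, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data"); src.mkdir()
        (src / "perf_goals.txt").write_text("modernize mainframe apps\n")
        (src / "notes").mkdir()
        (src / "notes" / "q3.txt").write_text("constructed sample\n")
        local = Path(work, "local"); local.mkdir()
        offsite = Path(work, "offsite"); offsite.mkdir()

        archive, digest = create_backup(src, local)
        remote = copy_offsite(archive, offsite)
        ok_before = verify_restore(remote, digest, src)

        with open(remote, "ab") as f:  # simulate corruption of the off-site copy
            f.write(b"\x00")
        ok_after = verify_restore(remote, digest, src)
    return ok_before, ok_after


if __name__ == "__main__":
    print(run_demo())
```

The digest is recorded at creation time and kept with the schedule, not beside the archive, so a copy that is silently altered fails the check rather than restoring garbage; the restore itself is compared file by file against the source rather than trusting that the archive "opened fine".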

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/idJHYqiJ_xU/

S2 Ep13.5: All about social media: Growing up online, parent advice and social shaming – Naked Security Podcast

In light of National Cybersecurity Awareness Month, we’re giving you a special splinter episode all about social media.

Host Anna Brading asks guests to offer their personal perspective on social media. Mark Stockley, father of two, shares his experience of setting boundaries with gaming and other digital platforms; Harry McMullin talks about what it was like to grow up with social media from a young age [8’53”]; and Alice Duckett discusses cancel culture and social media shaming [27’49”].

We record episodes every week discussing the latest and biggest cybersecurity news stories. Did you like this episode centered around one topic? Let us know, and also tell us if there’s another area you want us to explore in more depth like this one.

We’ll be back with the regular weekly podcast next Wednesday.

Listen below, or wherever you get your podcasts – just search for Naked Security.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PcHGnfZdIIM/

Bitcoin money trail leads cops to ‘world’s largest’ child abuse site

US, British and South Korean police announced on Wednesday that they have taken down Welcome To Video: a Darknet market that had what the US Department of Justice (DOJ) says is the world’s most voluminous offerings of child abuse imagery.

The DOJ called it the largest market for child sexual abuse videos and said the seizure is one of the largest of this type of contraband. The 8 terabytes of child sexual abuse videos, now being analyzed by the National Center for Missing and Exploited Children (NCMEC), comprise over 250,000 unique videos, 45% of which contain images that weren’t previously known to exist.

The global crackdown, which has so far led to the arrest of 337 alleged users and the indictment of the website’s admin, has led to the rescue of at least 23 victims living in the US, Spain and the UK. The DOJ says that the minors were actively being abused by site users.

The admin of Welcome to Video, who was indicted on Wednesday, is Jong Woo Son, 23, a South Korean national who was previously charged and convicted in South Korea. He’s now serving his sentence in South Korea.

The global dragnet has scooped up 337 alleged site users who’ve been arrested and charged worldwide: throughout the US, the UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia. About 92 individuals’ homes and businesses in the US have been searched.

Five search warrants issued in the Washington, D.C. metropolitan area have led to the arrests of eight people suspected of both conspiring with Jong Woo Son and of being website users themselves. The DOJ says that two suspected users committed suicide after the search warrants were executed.

The bust

According to the indictment, on 5 March 2018, a global police force – including agents from the UK, the Korean National Police in South Korea, the US Internal Revenue Service’s Criminal Investigation Division (IRS-CI), and the US Homeland Security Investigations (HSI) – arrested Jong Woo Son and seized the server that he used to operate the market.

Welcome To Video specialized in exclusively selling child sexual exploitation videos. The site, which operated from June 2015 to March 2018, had a message on its landing page explicitly warning users to “not upload adult porn.” As of 8 February 2018, Welcome to Video indicated on its download page that users had downloaded files more than a million times.

The material documented abuse of pre-pubescent children, toddlers and infants as young as six months.

Bitcoin doesn’t hide “these disgusting organizations”

The indictment alleges that police tracked Bitcoin payments to the Darknet website by tracing the flow of funds on the blockchain.

A forfeiture complaint identifies blockchain wallets allegedly used by 24 suspects in five countries to promote the site and to pay for child abuse. The complaint is looking to claw back that money and return it to the victims.

Users purchased the videos by using points that they earned in a number of ways: by uploading child abuse videos, referring new customers, paying 0.03 Bitcoin (worth approximately US $352.59 as of the time the market was seized) for a six-month “VIP” account that gave them unlimited downloads, and/or by purchasing points incrementally.

IRS-CI Chief Don Fort said in the DOJ’s news release that it was “sophisticated tracing” of transactions between the site and those customer accounts that enabled agents to crack the criminal ring:

Through the sophisticated tracing of bitcoin transactions, IRS-CI special agents were able to determine the location of the Darknet server, identify the administrator of the website and ultimately track down the website server’s physical location in South Korea.

Fort said that it doesn’t matter whether illicit proceeds are virtual or tangible: police can and will track down “these disgusting organizations” and bring them to justice, he said.

Stripping cryptocurrency’s privacy protections

As we’ve previously explained, cryptocurrencies such as Bitcoin and even Monero, which was designed for privacy, rely on blockchains: cryptographically protected, decentralized transaction ledgers.

The robustness of those blockchains relies, in part, on transparency: there are thousands of copies of both the Bitcoin and Monero blockchains in existence, and every copy carefully details every single transaction ever made in that currency.

Changing the history enshrined in those blockchains is effectively impossible. If you’ve ever spent a bitcoin or a monero, then the proof that it happened is etched indelibly into that currency’s blockchain, forever.

Bitcoin users are pseudonymous – their activity is public but their real name is hidden – protected by one or more wallet IDs.

Bitcoin users can be exposed if any one of a wallet’s transactions can be linked to a real identity.

In the case of Welcome To Video, there were a number of links to Son’s real identity. One such link was multiple instances of unconcealed IP addresses that showed that Son was running the server out of his own home. He also used his name, his cell phone number and his email account at a Bitcoin exchange account.
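The passage above gives the principle (wallet IDs are pseudonyms, and one link to a real identity exposes every address tied to that wallet) without showing how addresses get tied together in the first place. The following is an added illustration, not code from the article, the IRS-CI or any investigative tool: it applies the widely published common-input-ownership heuristic, which assumes that all inputs spent together in one transaction were controlled by the same wallet, and groups addresses with a union-find structure. A single identification (here a constructed exchange record for one deposit address) then attaches to the whole cluster. The transactions, addresses and the `exchange-customer-42` label are all constructed.

```python
"""Address clustering by common-input ownership (added example; sample data constructed)."""
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """transactions: list of {'txid', 'inputs': [addr...], 'outputs': [addr...]}.

    Only inputs are merged: spending several inputs in one transaction normally
    requires every input's private key. Outputs are never merged, because an
    output may belong to anyone (a payee, a change address, an exchange).
    Returns {cluster_root: sorted member addresses}.
    """
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)            # register single-input spends too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(list)
    for addr in uf.parent:
        clusters[uf.find(addr)].append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def attribute_clusters(clusters, known_identities):
    """Propagate a real-world label to every address in a cluster.

    known_identities: {address: label}, e.g. from an exchange's customer records.
    A cluster with two different labels means the heuristic was violated (for
    instance by a CoinJoin-style transaction), so it is flagged rather than guessed.
    """
    attribution = {}
    for members in clusters.values():
        labels = {known_identities[a] for a in members if a in known_identities}
        if len(labels) == 1:
            label = labels.pop()
            for a in members:
                attribution[a] = label
        elif len(labels) > 1:
            for a in members:
                attribution[a] = "CONFLICT"
    return attribution


# Constructed ledger fragment: A1..A3 are one wallet, C1/C2 another, M1/M2 a merchant.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["M1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["M1"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["M1"]},
    {"txid": "tx4", "inputs": ["C1", "C2"], "outputs": ["A3"]},  # paying A3 does not merge C* with A*
    {"txid": "tx5", "inputs": ["M1", "M2"], "outputs": ["X1"]},
]
# Constructed: the exchange can name the customer behind one deposit address.
KNOWN = {"A1": "exchange-customer-42"}


def run_sample():
    """Cluster the sample ledger and propagate the single known identity."""
    return attribute_clusters(cluster_addresses(SAMPLE_TXS), KNOWN)


if __name__ == "__main__":
    print(cluster_addresses(SAMPLE_TXS))
    print(run_sample())
```

On the sample ledger, A1, A2 and A3 end up in one cluster, so naming A1 names all three, while C1/C2 stay separate even though they paid A3. The same property is the defender's lesson from the article: pseudonymity is only as strong as the weakest single link to a real identity.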

The charges against Welcome To Video’s admin

Besides the charges that led to his conviction in South Korea, Jong Woo Son was indicted on Wednesday in the US on nine charges relating to money laundering and to producing, advertising and distributing child abuse imagery.

HSI Acting Executive Associate Director Alysa Erichs, calling the crimes “unthinkable”, said that technology has enabled them to stay tucked away. However, the criminals who do this can and will be tracked down, she said:

Sadly, advances in technology have enabled child predators to hide behind the dark web and cryptocurrency to further their criminal activity. However, today’s indictment sends a strong message to criminals that no matter how sophisticated the technology or how widespread the network, child exploitation will not be tolerated in the United States. Our entire justice system will stop at nothing to prevent these heinous crimes, safeguard our children, and bring justice to all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U8nlPah7fZQ/

Some Android adware apps hide icons to make it hard to remove them

Uninstalling an Android app caught pushing adware is normally simple to deal with – click and drag it to the top right of the screen and into the trash can.

App gone, ideally followed up with a public-spirited one-star rating on the Google Play store to alert others to its bad behaviour.

But what happens if there’s no home screen or app tray icon?

New research by SophosLabs has discovered 15 apps on Google Play that install without icons as part of a campaign to keep themselves on the user’s device.

The motivation is to keep pushing obtrusive ads for as long as possible. But for some of the apps, the evasion doesn’t stop with disappearing icons.

For example, Flash On Calls Messages (1 million installs since January 2019) tries to convince users it never installed properly in the first place.

When first launched, users are greeted with the message “This app is incompatible with your device!” The app then opens the Play store and navigates to the page for Google Maps to distract users from the nature of this failure.

Others appear to install, complete with icons, before removing those icons some days later. Another trick is to use two different names and icons depending on where the app is displayed. SophosLabs observed:

Nine out of the batch of 15 apps used deceptive application icons and names, most of which appeared to have been chosen because they might plausibly resemble an innocuous system app.

As is so often the case, there is no way to spot this kind of app just by looking at it before installation.

The list of deceptive apps included QR code readers, image editors, backup utilities, a phone finder, and one that claimed to clean the device of private data.

All detected by SophosLabs were from 2019, with anywhere from 1,000 to 1 million installations.

All were taken down after SophosLabs reported them to Google in July, which should mean they were automatically de-installed soon after that (see SophosLabs analysis for the full list).

Disgruntled users

Although these apps were different in intention to the ‘fleeceware’ Android apps publicized by SophosLabs in September, a common theme is that many users gave them negative reviews which didn’t seem to persuade Google to take a closer look.

In the latter case, that was despite those apps charging users outrageous sums of money once a trial period had elapsed.

We said it then and we’ll say it again – there must be a way for Google to spot fraudulent apps before they get their claws into the smartphones of users.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AoUMvk8i70E/

How does £36m sound, mon CHERI? UK.gov pumps cash into Arm security research

University of Cambridge researchers have been tossed £36m from the UK government to support their work with Arm to strengthen security by improving memory protection.

As part of the “Digital Security by Design” scheme, the funding will be funnelled into the research team’s Morello project to create a prototype platform to demonstrate how Capability Hardware Enhanced RISC Instructions (CHERI) can work.

Business secretary Andrea Leadsom said that while doing the basics – strong passwords and keeping software updated – remained important, businesses can also benefit from innovations in defence technology to deal with future threats.

Minister for Digital and Broadband Matt Warman said: “The government wants the UK to be the safest place to be online and the best place to start and grow a digital business. As these investments show, we are determined to create the right environment to foster our thriving digital economy while giving people renewed confidence and trust in online services.”

CHERI aims to improve security by strengthening memory protection to provide systems with better protection from unknown vulnerabilities and attempted exploits.

CHERI is the result of a 10-year DARPA-funded research project, led by Robert N M Watson, Simon Moore and Peter Sewell at the University of Cambridge’s Department of Computer Science and Technology, and by Peter G Neumann at SRI International (once known as the Stanford Research Institute).

The next step is to check that the proposed design for Morello will provide the promised security benefits. The team claims this will be the first time that formal proof has been applied to the security of a mainstream computing architecture.

There’s more on the project from the University of Cambridge here.

As part of the funding, there is also a call for teams of social scientists to apply for £3m to research the behavioural and adoption challenges of making systems secure. But interested boffins better be quick – expressions of interest must be in by 15 November. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/18/arm_security_by_design_research/

Google slings websites into Chrome’s solitary confinement on Android to thwart Spectre-style data snooping

Last year, Google deployed Site Isolation in desktop versions of its Chrome browser as a defense against CPU side-channel attacks like Spectre. The technique renders websites in separate processes to prevent one from interfering with or snooping on another, augmenting browser sandboxing defenses.

On Thursday this week, the Chocolate Factory said it has activated the security mechanism in the Android version of Chrome 77, which debuted last month. The ad biz also extended Site Isolation defenses to protect against fully compromised renderer processes and universal cross-site scripting bugs on desktop versions of Chrome.

The Site Isolation in Android comes with some qualifications because the technique imposes memory overhead of about 3 to 5 per cent. So mobile devices must have at least 2GB of RAM to use Site Isolation, and even then, the defense is only activated when visiting websites with a login mechanism and only for 99 per cent of Chrome for Android users – 1 per cent of devices are excluded to provide a monitoring and performance baseline.

“Once Chrome observes a password interaction on a website, future visits to that site will be protected by Site Isolation,” said Google software engineers Alex Moshchuk and Łukasz Anforowicz in a blog post. “That means the site will be rendered in its own dedicated renderer process, walled off from other sites.”

Users not content with devoting such a small portion of memory to better security can set a flag (via chrome://flags/#enable-site-per-process) to activate Site Isolation for all sites, not just sites with login forms.

Doing so is likely to bring Chrome for Android closer to desktop Chrome levels of memory overhead – 10 per cent to 13 per cent, as tested on Chrome 67, when Site Isolation is applied to many browser tabs.


The desktop versions of Chrome have been beefed up to do more than just prevent data leakage from a render process. Site Isolation in desktop Chrome can now defend effectively even if an attacker is able to exploit a memory corruption bug in Chrome’s rendering engine, Blink.

It’s able to do so because Chrome’s browser process can identify the website associated with a given render process and can limit the cookies, passwords, and site data available, thereby preventing cross-site data grabs.

And that’s for the best. As Google observes, bugs in Chrome’s Blink engine turn up regularly, despite considerable efforts to avoid them, including fuzzing, bug bounty programs, and developer education. There were 10 potentially exploitable bugs in renderer components in Chrome 69, five in Chrome 70, 13 in Chrome 71, 13 in Chrome 72, and 15 in Chrome 73.

Beyond memory overhead, Site Isolation has implications for web developers in terms of how they craft websites. Google warns that unload handlers – implemented to trigger when a document or child resource is closed or unloaded – may not run reliably. Also, full-page layout under Site Isolation is no longer synchronous, which could mess up calculations pegged to not yet rendered page elements. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/18/chrome_solitary_confinement/

Help! I bought a domain and ended up with a stranger’s PayPal! And I can’t give it back

Updated: A Register reader says that for months he has been dealing with unwanted emails and alerts because a domain he purchased is connected to someone else’s PayPal account, and PayPal doesn’t seem to care.

Aaron Sadler says the trouble began last year when he repurchased a domain he had previously owned and allowed to expire. After that initial expiry, someone nabbed the dot-net address, but then also let the domain expire, allowing Sadler to reacquire it from its registrar.

Unfortunately, there was a little something extra that came with the terrabithost.net domain: the previous owner had used it to register a PayPal account, and they were still using that account despite no longer having access to the email address. Rather, the emails were being forwarded to Sadler.

“I have received receipts (monthly), password resets, account locking / unlocking notifications etc,” Sadler said.

“PayPal initially said these were phishing emails, but on checking they originated from their servers, and when I carried out a password reset to the email address via the PayPal website, it worked, as expected.”

So, at this point our man had a domain that was spamming him with emails from PayPal, while a complete stranger was desperately trying to get back control of a PayPal account that, for all they knew, had been hacked and was being used or sold.


You would think that, at this point, PayPal customer service would take an interest in the case and promptly resolve the matter by disabling or transferring the account. Unfortunately, Sadler tells us, that is not the case.

“None of the advisors I have spoken to seemed to have any understanding of how the domain name/email systems works,” our reader explains, “and how someone else can end up receiving the emails, (I have a basic catch-all forwarder setup on the domain.)”

Unfortunately, other branches of PayPal don’t seem much interested in dealing with this either. El Reg has made multiple inquiries to the payments giant without getting any human response.

Now, Sadler says he is open to suggestion on how to address this situation and give control of the account back to its rightful owner.

“I have searched for the account owner via Facebook, Google etc with no luck, I have contacted the company which the receipts are for with no luck (to be expected due to data protection),” Sadler said.

“I just want the account owner to secure his account, I can’t believe PayPal have allowed this to go on for a year, not lock the account, or even contact the account owner to advise him on the problem.”

If PayPal or anyone else would like to resolve this situation, they can get in touch. ®

Updated to add

And as if by magic, within hours of this story going live, the owner of the PayPal account was traced, and the profile was updated with a new email address. A win for the good guys. Still no word nor any signs of caring from PayPal, though.

If you have hit similar security nightmares, let us know, please, via the address above, and we’ll try to help.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/17/paypal_account_domain/

Smart Prevention: How Every Enterprise Can Create Human Firewalls

Organizations of all sizes should include both human firewalls and virtual tools in their cybersecurity budgets.

The average cost of a data breach is now $3.92 million, according to IBM and Ponemon. Hackers are taking advantage of the many smart and Internet of Things devices in modern offices, which give them more attack vectors to penetrate networks.

But enterprises are fighting back by training employees to become human firewalls who can secure online resources and act as an added line of defense against phishing attacks. Companies should use technologies such as machine learning and artificial intelligence (AI) to safeguard digital assets further. Combining people and technology is the best way to keep networks and their data safe.

Too Many People and Devices to Protect
There will be more than 20 billion internet-connected devices worldwide by 2020, and that number is growing daily. Many people also employ their smartphones, tablets, and laptops in both personal and professional settings. That may be more convenient, but it heightens the risk of human error because users no longer have a network edge to protect them.

An employee reading personal email on a corporate device bypasses the protections in place. An executive who falls victim to cybercrime on a personal device can similarly endanger the office network.

Phishing scams, which account for more than 90% of these hacks, are disguised in seemingly innocuous messages like banking alerts, travel offers, or (especially during the holiday season) shopping deals. They play on people’s emotions: An excited or scared user clicks on the link and inputs personal information without asking too many questions.

These attacks are a constant presence in the media, so it might seem surprising that people still fall for them. In recent years, laws like Europe’s General Data Protection Regulation and the California Consumer Privacy Act have also highlighted the importance of data privacy.

Users alone aren’t at fault, however. Many enterprises don’t put time or money into educating personnel on hacking risks. But a properly prepared workforce can be a human firewall that prevents attacks before they begin, so companies must put online safety at the forefront.

Creating a Human Firewall
Everyone from entry-level to C-suite should know how to identify and report breaches so they can defend the enterprise. Training is the most crucial step in this process, and it doesn’t need to include rote messages and endless PowerPoint slides. Learning sessions can be humorous, fun, and — most importantly — educational.

One best practice is having the corporate IT department send a simulated phishing email to all employees. Administrators can include a fraudulent offer for a free vacation or other amenity to see which employees recognize the trick. They should then follow up with anyone who clicked the link or opened the attachment to educate them on the dangers of this practice.

Leaders must conduct this instruction in a way that’s informative but not heavy-handed. Everyone in the enterprise is on the front lines of this fight, so those with more experience need to help their less-seasoned colleagues rather than shame them.

Once employees know the warning signs, they’ll stop falling for hacker schemes. More importantly, they’ll start reporting suspicious phishing emails so the IT department can investigate them and keep the company informed about new scams. In this way, the human firewall achieves its real purpose.

The best part is that enterprises don’t have to do this work alone. Technology can be an invaluable partner in these initiatives when used correctly.

How Virtual Tools Can Help
Even the best human firewall can’t protect and secure a network all on its own. Indeed, 61% of enterprises say they need technologies like AI and machine learning to help detect data breaches. Large companies should use these methods to augment existing processes, thwart attacks, and strengthen security.

Machine learning and AI algorithms study network traffic patterns, email subject lines, and body text. They then compare these elements to a pre-existing bank of malicious content to protect sensitive data and detect threats faster.

If a breach occurs, these technologies can also respond quickly to reduce dwell time. That saves enterprises from client churn, hefty fines, and negative publicity. Companies that put in the effort to develop a robust AI or machine learning interface have more protection against online attacks.

Organizations of all sizes should include both human firewalls and virtual tools in their cybersecurity budgets. Business leaders also need to evolve training programs frequently and update their software as new digital dangers emerge. These critical investments in people and technology help protect companies from risk and strengthen emergency response plans.

Cybercriminals never stop attacking networks, so organizations should never stop defending them. Every business needs to educate its staffers about online security, so they become human firewalls. Industry leaders can also keep enterprise systems safe with state-of-the-art digital resources like AI and machine learning. When human ingenuity and smart technology come together, the whole company benefits.


Debby Briggs has more than 20 years of experience in cybersecurity and has been with NETSCOUT for the last 15 years. Prior to joining NETSCOUT, Debby held various network administrator and IT infrastructure roles with leading companies, including RSA, Healthsource, and GTE. …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/smart-prevention-how-every-enterprise-can-create-human-firewalls/a/d-id/1336013?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

State of SMB Insecurity by the Numbers

SMBs still perceive themselves at low risk from cyberthreats – in spite of attack statistics that paint a different picture.

Image Source: Adobe(Pablo Lagarto)

Even as attacks and breaches at small to midsize businesses (SMBs) continue unabated worldwide, these companies still don’t consider themselves at high risk from cyberthreats, reports show.

“Cyberattacks are a global phenomenon — and so is the lack of awareness and preparedness by businesses globally,” says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”

The fact of the matter is that SMBs don’t prioritize cybersecurity. It’s to their detriment. Here, Dark Reading examines a recent Ponemon report on the state of cybersecurity at SMBs (done in partnership with Keeper Security), along with several others released over the past few months, to get a picture of SMB insecurity by the numbers.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/threat-intelligence/state-of-smb-insecurity-by-the-numbers/d/d-id/1336073?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing Campaign Targets Stripe Credentials, Financial Data

Attackers make use of an old trick and evade detection by blocking users from viewing an embedded link when hovering over the URL.

Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.

Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.

Now attackers are trying to gain access to credentials for Stripe’s platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.

Emails in the campaign pretend to be notifications from “Stripe Support,” telling the account admin the “details associated with account are invalid.” The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.

These emails include a “Review your details” button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title attribute to the HTML <a> tag. Instead of displaying the URL when the mouse hovers over it, the button simply shows the text “Review your details”.

“When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up,” says Cofense CTO Aaron Higbee. “In this case, the user wouldn’t have been able to see where the misleading domain went.” It’s a common evasion technique.

When clicked, this button redirects targets to a phishing page disguised to imitate Stripe’s customer login page. This part of the attack includes three separate pages: One collects the admin’s email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a “Wrong Password” error so they don’t suspect anything.  

Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company’s MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.

“This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered,” Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.

Red Flags
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words (“Dear Costumer”) and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.

What’s more, these emails didn’t originate from a “stripe.com” email address, he continues. Even though the display name said Stripe Support, recipients of these emails should also check for a Stripe domain name in the sender’s email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.
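The two red flags Higbee describes (a “Stripe Support” display name on a non-Stripe sender address, and a button whose title attribute replaces the real URL on hover) are both mechanically checkable before a user ever has to squint at the message. The following is an added example, not Cofense’s or Stripe’s code: it parses the From header and the HTML body, reports any link carrying a title attribute, and checks that when the display name claims a brand, both the sender domain and every link destination actually belong to that brand’s domain. The `BRAND_DOMAINS` table, the sample message and its `company.example` / `stripe-verify.example.net` domains are constructed; the “Dear Costumer” wording is taken from the article.

```python
"""Red-flag checks for a suspected brand-impersonation email (added example)."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup: which sender/link domain a claimed brand is expected to use.
BRAND_DOMAINS = {"stripe": "stripe.com"}


class LinkCollector(HTMLParser):
    """Collect href, title and visible text of every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href", ""), "title": a.get("title"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def registrable(host):
    """Crude registrable-domain match (last two labels); enough for the demo."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def claimed_brands(display_name):
    """Brands named in the From display name, e.g. 'Stripe Support' -> ['stripe']."""
    name = display_name.lower()
    return [b for b in BRAND_DOMAINS if b in name]


def find_red_flags(from_header, html_body):
    """Return a list of human-readable warnings; an empty list means no flag fired."""
    flags = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brands = claimed_brands(display)

    # 1. Display name says "Stripe" but the address is not on stripe.com.
    for brand in brands:
        if registrable(sender_domain) != BRAND_DOMAINS[brand]:
            flags.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")

    parser = LinkCollector()
    parser.feed(html_body)
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        # 2. A title attribute is what the mail client shows on hover instead of the URL.
        if link["title"] is not None:
            flags.append(f"link {link['href']!r} has title {link['title']!r} that hides the URL on hover")
        # 3. A message claiming to be from the brand should only link to the brand's domain.
        for brand in brands:
            if registrable(host) != BRAND_DOMAINS[brand]:
                flags.append(f"message claims {brand!r} but link points at {host!r}")
    return flags


# Constructed sample modelled on the campaign described in the article.
SAMPLE_FROM = "Stripe Support <press@company.example>"
SAMPLE_HTML = """<html><body>
<p>Dear Costumer,</p>
<p>The details associated with account are invalid. Review them now or the account
will be placed on hold.</p>
<a href="https://stripe-verify.example.net/login" title="Review your details">Review your details</a>
</body></html>"""


if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_FROM, SAMPLE_HTML):
        print("FLAG:", flag)
```

On the constructed sample all three checks fire; a genuine notification (display name “Stripe Support”, sender on stripe.com, links to dashboard.stripe.com, no title attributes) produces an empty list. The registrable-domain shortcut is deliberately crude: a production filter would use a public-suffix list and look-alike detection, but the point here is that the hover-text trick and the display-name mismatch are both visible in the raw message, whatever the client renders.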

He suspects this type of attack will continue, especially against users of the payment platform.

“If there is a way for an attacker to automatically discern whether a company uses Stripe, I’d guess this type of attack would be on the rise,” Higbee says. “There’s money at the end of that.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/phishing-campaign-targets-stripe-credentials-financial-data/d/d-id/1336117?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple