Breach Roundup: Global Signal Exchange to Curb Online Fraud
Also: A Fidelity Breach, Mamba Phishing
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, the Global Signal Exchange hopes to put a dent in online crime, Fidelity sent out data breach letters, a phishing platform targets Microsoft 365 users, Microsoft issues 117 fixes in October's Patch Tuesday, Telegram CEO Durov said he has always cooperated with law enforcement, Highline Public Schools and CreditRiskMonitor attack updates, and ADT and Casio suffered breaches.
Google Joins Global Signal Exchange to Combat Online Fraud
Google joined with the Global Anti-Scam Alliance and the DNS Research Federation to launch a global clearinghouse for online scams and fraud bad actor signals dubbed the Global Signal Exchange.
The platform will serve as a global clearinghouse for data on bad actors. In an initial pilot, Google shared 100,000 URLs linked to fraudulent merchants and processed one million scam signals.
Backers hope the exchange will create a cross-border, multi-actor view of cybercrime. "Nobody has the full picture," said Jorji Abraham, managing director of the Global Anti-Scam Alliance, during a Tuesday call with reporters. "At the moment, we're fighting a losing battle."
The platform is scheduled to launch on Jan. 1, 2025, with a focus on fostering cooperation between businesses, governments and civil society to tackle online scams.
Information sharing through the platform will initially be limited to domains and IP addresses, said Emily Taylor, a founder of the DNS Research Federation. "Data sharing sounds like something that should be easy, but it is something that organizations that have a global reach have to be careful at navigating," she said.
The data swapping platform could be expanded to include fraudster bank account information, telephone numbers and the language cybercriminals use to rope in victims.
Amanda Storey, a senior trust and safety director for Google EMEA, said the exchange should enrich the computing giant's existing storehouse of scammer activity. A measure of the exchange's success, she said, will be whether its data can allow Google to confirm cybercriminal activity with outside data and then shorten the lead time to detection. "That's something we will shout about," she said, "and that's something we can assess quickly."
Fidelity Sends Out Data Breach Notifications
Multinational asset management firm Fidelity Investments is notifying roughly 77,000 individuals of a cybersecurity incident that exposed their personal information. The Boston-based investment company said in a notification letter that between Aug. 17 and 19, a third party used "two customer accounts that they had recently established" to obtain information without authorization. Exactly what information the third party obtained is unclear. For now, Fidelity says the incident exposed names and other personal identifiers.
The company, which manages $4.9 trillion in assets, told affected customers that the incident "did not involve any access to your Fidelity account(s)."
Mamba 2FA Phishing Platform Targets Microsoft 365 Users
Emerging phishing-as-a-service platform Mamba 2FA is targeting Microsoft 365 accounts using adversary-in-the-middle attacks to bypass multifactor authentication. The platform charges a monthly fee of $250 and offers cybercriminals tools to capture authentication tokens and bypass security measures with well-crafted login pages.
Mamba 2FA has been active since November 2023 but it was first documented by Any.Run in June this year. Recent changes reported Monday by Sekoia include using proxy servers from IPRoyal to mask relay server IPs and rotating phishing URLs weekly to evade security blocks. Phishing campaigns also feature HTML attachments with hidden JavaScript and sandbox detection to avoid analysis.
Mamba 2FA targets corporate and consumer Microsoft 365 users, offering phishing templates for services such as OneDrive and SharePoint, as well as fake voicemail notifications. The platform's phishing pages mimic the targeted organization's login branding for added authenticity. Captured credentials and cookies are sent to attackers via Telegram bots, allowing immediate access.
To defend against AiTM-based phishing attacks, organizations should implement stronger security measures such as hardware security keys, geo-blocking, IP and device allowlisting, and shortening token lifespans.
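As an added illustration of two of those controls (this is example code, not part of the article or any vendor tooling), the script below reviews constructed sign-in records against an IP allowlist and a token lifespan, and additionally flags a session token presented from an IP other than the one that completed the MFA sign-in, which is the footprint an AiTM relay leaves. The record layout, the 203.0.113.0/24 corporate range and the 8-hour lifespan are all assumptions, not a real Entra ID log schema or policy.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample events; field names are assumptions, not a real sign-in log schema.
SIGN_INS = [
    {"user": "alice", "session": "s1", "ip": "203.0.113.10", "ts": "2024-10-07T09:00:00Z", "event": "mfa_success"},
    {"user": "alice", "session": "s1", "ip": "203.0.113.10", "ts": "2024-10-07T09:05:00Z", "event": "token_use"},
    {"user": "bob",   "session": "s2", "ip": "203.0.113.22", "ts": "2024-10-07T10:00:00Z", "event": "mfa_success"},
    # Same session token presented minutes later from an IP outside the corporate range.
    {"user": "bob",   "session": "s2", "ip": "198.51.100.7", "ts": "2024-10-07T10:03:00Z", "event": "token_use"},
    # Token still in use a day after it was issued.
    {"user": "alice", "session": "s1", "ip": "203.0.113.10", "ts": "2024-10-08T09:30:00Z", "event": "token_use"},
]

ALLOWLIST = [ip_network("203.0.113.0/24")]  # constructed corporate egress range
MAX_TOKEN_AGE = timedelta(hours=8)            # constructed token-lifespan policy


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_sign_ins(events, allowlist=ALLOWLIST, max_age=MAX_TOKEN_AGE):
    """Return (session, reason) pairs for events that violate one of the controls."""
    issued = {}    # session -> (ip, time) of the MFA-backed sign-in that minted the token
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip, t = ip_address(e["ip"]), _parse(e["ts"])
        if not any(ip in net for net in allowlist):
            findings.append((e["session"], "ip_not_allowlisted"))
        if e["event"] == "mfa_success":
            issued[e["session"]] = (ip, t)
            continue
        if e["session"] in issued:
            orig_ip, t0 = issued[e["session"]]
            if ip != orig_ip:          # token replayed from somewhere other than where MFA completed
                findings.append((e["session"], "token_reused_from_new_ip"))
            if t - t0 > max_age:       # token outlived the configured lifespan
                findings.append((e["session"], "token_past_lifespan"))
    return findings


if __name__ == "__main__":
    for session, reason in review_sign_ins(SIGN_INS):
        print(session, reason)
```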
Microsoft Releases 117 Patches in Latest Security Update
Microsoft issued 117 patches in its latest monthly update, including fixes for two actively exploited zero days.
CVE-2024-43572 merits a rating of "important" considering that hackers have used it to carry out a remote code execution attack that requires user interaction - a caveat that typically means hackers must socially engineer victims into opening a malicious file. The patch prevents users from opening untrusted Microsoft Saved Console files.
CVE-2024-43573, which Microsoft rates as "moderate" even as hackers use it to launch cross-site scripting attacks, involves a flaw in the proprietary browser engine MSHTML used by Internet Explorer 11 and older versions of Edge. Although both applications are legacy tech, MSHTML remains integrated into Windows for "Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control," Microsoft said.
Of the total number of patches, three were critical, 115 important, and two moderate in severity.
Telegram Founder Asserts He's Always Cooperated With Police
Telegram owner and CEO Pavel Durov asserted Oct. 2 that recent updates to the platform's terms of service regarding cooperation with law enforcement do not mark a significant change. Durov said that Telegram has been disclosing data on "dangerous criminals" for years, provided authorities submit properly formed legal requests.
Durov in September announced the platform would share IP addresses and phone numbers of rule violators to discourage bad actors (see: Telegram Pledges Closer Cooperation With Police).
Durov faces criminal charges in France, where authorities in late August arrested the native Russian, naturalized French owner of the messaging and social media platform on charges of complicity in hacking, distribution of child sexual abuse material and refusal to act on law enforcement requests.
Telegram has already processed around 200 legal requests in Brazil this year and nearly 7,000 in India, its largest market, Durov said. European requests have also increased recently.
Ransomware Attack Shuts Down Highline Public Schools
Highline Public Schools in Washington last Thursday blamed ransomware for an incident in early September that forced the closure of its 34 schools, affecting more than 17,500 students. The district - serving the Seattle suburbs - discovered the breach on Sept. 7, prompting a shutdown of schools while the central office remained open.
A third-party forensic specialist confirmed the attack as ransomware. The FBI is now investigating. The district is rebuilding its network and plans to re-image all staff and student devices starting Oct. 14, except for Chromebooks and Apple devices.
While it's unclear if any personal data was compromised, the district is offering staff one year of free credit and identity monitoring services.
ADT Reports Data Breach Involving Employee Accounts
Home security company ADT disclosed a breach after attackers gained access to its systems using stolen credentials from a third-party business partner. ADT stated that the breach resulted in the exfiltration of encrypted employee account data.
ADT terminated the unauthorized access on discovery and launched an investigation with the help of third-party cybersecurity experts. The company is also working with federal law enforcement and the affected business partner to address the breach.
While the attack caused disruptions to ADT's internal systems, no customer data or security systems were compromised, according to the company. The breach follows an earlier incident in August when ADT reported that 30,800 customer records were leaked on a hacking forum.
CreditRiskMonitor Data Breach Affects Employees and Contractors
Financial risk assessment service CreditRiskMonitor disclosed a data breach involving employee and contractor information. The company reported detecting unauthorized access on July 19, with attackers potentially viewing or copying personally identifiable information of employees and independent contractors. Customer data was not impacted, and business operations were unaffected.
Cyberattack Disrupts Casio Services
Japanese electronics manufacturer Casio said Tuesday a cyberattack on Saturday caused system disruptions and led to a temporary service outage. The electronics giant is investigating whether sensitive information was compromised and has restricted external access as part of its response. No group has claimed responsibility. This attack follows a previous breach a year ago, when the personal information of tens of thousands of customers was exposed via unauthorized access to ClassPad.net, an educational platform managed by Casio.
Other Stories From Last Week
- Marriott Pays $52M to Settle US States' Breach Litigation
- Australia May Require Businesses to Report Ransom Payments
- US DOJ Developing Guidelines for AI Use in Law Enforcement
- Ivanti CSA Customers Targeted in New Zero-Day Attacks
- Malicious Pixels: Criminals Revamp QR Code Phishing Attacks
With reporting from Information Security Media Group's David Perera in Washington, D.C.