Hundreds of Online Shopping Sites Vulnerable to Theft
Clever Trickery to Disguise the Hacking Activities
Although the way the affected websites were infected remains unknown, it has been determined that all of the affected e-commerce sites run on the Magento e-commerce CMS platform. The malicious domain, named www.magento-analytics[.]com, has no connection to the popular CMS platform whatsoever despite its similar name. The use of the CMS platform’s name as part of the malicious domain’s name is merely a ruse to confuse customers and thus to disguise the malevolent activity. Researchers discovered that www.magento-analytics[.]com is registered in Panama, but that the IP address that it used has jumped across the globe to countries including the United States, Russia, and China.
How the Hack is Perpetrated
The hacking technique used in this cybercrime is a fairly classic method of stealing digital data. The code is identical to what the notorious Magecart hackers used to gain access to the details of customers on the British Airways, Newegg, and Ticketmaster websites. Malicious script is inserted into checkout pages where it silently captures payment details as shoppers make their purchases. The information is then sent to a remote server where it is retrieved by the hackers.
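A defender-side check for the pattern described above, written as an added example (not code from the article or from any of the sites named): it parses a checkout page's HTML, resolves every external script's origin, flags origins outside the shop's own allowlist, and emits the matching Content-Security-Policy directive. The allowlist, the page origin `https://shop.example`, and the sample HTML are constructed for illustration; the flagged domain is the one the article names, kept in its defanged form.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the shop's own origin plus the payment provider it intentionally loads.
ALLOWED_SCRIPT_ORIGINS = {"https://shop.example", "https://js.payments.example"}

# Constructed sample checkout page: two legitimate scripts and one injected tag pointing at
# the domain named in the article (left defanged; it still parses as a host string).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://js.payments.example/v1/card.js"></script>
<script src="https://www.magento-analytics[.]com/analytics.js"></script>
<script>window.checkoutConfig = {};</script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script>; inline scripts are only counted."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def script_origin(src, page_origin):
    """Normalise a script src to scheme://host. Relative paths belong to the page's own
    origin; protocol-relative (//host/...) URLs are assumed to resolve over https."""
    parsed = urlparse(src)
    if parsed.scheme and parsed.netloc:
        return f"{parsed.scheme}://{parsed.netloc}".lower()
    if src.startswith("//"):
        return f"https://{parsed.netloc}".lower()
    return page_origin


def find_unexpected_scripts(html, page_origin, allowed=ALLOWED_SCRIPT_ORIGINS):
    """Return the src values whose origin is not on the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    return [s for s in collector.external if script_origin(s, page_origin) not in allowed]


def csp_script_src(allowed, page_origin):
    """Build the script-src directive that makes the browser itself refuse any script
    from an origin outside the allowlist (mitigation to pair with the detection above)."""
    others = sorted(o for o in allowed if o != page_origin)
    return "script-src 'self' " + " ".join(others)
```

This only catches a tag whose src points at a foreign origin; a skimmer spliced into one of the shop's own first-party files would pass, so pair it with file-integrity monitoring of the checkout templates and Subresource Integrity on third-party scripts.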
Be Cyber Safe
Customers shopping online would do well to practice basic personal oversight of their credit cards and bank statements. Any unauthorized transaction appearing there, no matter how minute, should be reported immediately.
An enormous security breach was discovered at the end of April affecting more than 80 million American households. It is yet another example in a string of breaches demonstrating the vulnerability of online database platforms. The owner of the database is yet to be identified and researchers at VPNMentor, who discovered the breach, are asking for assistance from the public to help them find the owner.
The good news is that the database did not contain credit card information, social security numbers or passwords. However, it was thoroughly unprotected, hosted on a Microsoft cloud server, and required no password to access the data files.
VPNMentor Found the Unprotected Database by Accident
Security researchers at VPNMentor, Ran Locar and Noam Rotem, found the database by accident. The VPNMentor researchers were running a routine web mapping project, looking for holes in web systems, using a port scanning tool that locates weaknesses and finds data leaks. When they find a leaking database, they typically contact the owner so immediate action can be taken to correct the problem. In this case, however, nothing in the database identified its owner. Even though an IP address is associated with the database, the researchers say it does not necessarily lead to the owner.
A Staggering Number of Households Were Exposed
The fact that 80 million US households were exposed in this breach is very troubling; that is almost 65 percent of all American households. The database contains 24 gigabytes of highly detailed information, including full addresses, names, birth dates, ages, and residences.
The coded information which is contained in numerical values appears to relate to marital status, income, gender, and dwelling category. Since each database entry ends with “score” and “member code” and everyone listed appears to be over the age of 40, researchers believe that the database owner might be a mortgage, insurance or healthcare company. The fact that social security numbers are missing from the database, as well as payment information and account numbers, makes it unlikely that the owner is a bank or broker.
For now, the unsecured database is offline. Researchers did not download all the data, although they did verify some segments in the cache for accuracy. It was more important to protect the already exposed accounts from further invasion.
Hoping for Some Help from the Public
VPNMentor researchers stress that even though the database did not contain social security numbers or credit card information, there is still a significant risk of nefarious activities with the data that was exposed. Affected households are vulnerable to phishing scams, fraud, identity theft and possibly even home invasions since addresses are included. They sent out a plea to the public for assistance in identifying the owner of the database so that steps can be taken as soon as possible to secure the data.
This is not the first time Noam Rotem has been involved in uncovering a potentially serious data breach. Earlier this year, he discovered a very damaging vulnerability in the Amadeus online air travel booking system. The platform’s security vulnerability would have made it easy for hackers to access the database, alter customer bookings and steal airline mileage credits.
Microsoft Releases New Edge Browser to Compete with Google
Microsoft released its new Edge browser on April 8, 2019, hoping to finally make a dent in the hold that Google Chrome has had over the browser market. This is not the first time Microsoft has tried to be more competitive against Google. Approximately three years ago, Google released an updated Edge browser. However, despite having made significant investments, Microsoft failed to have the browser measure up against Google Chrome. At the end of 2018, Microsoft announced that it would employ a different tactic and use Chromium’s Blink rendering engine to rebuild the Edge Browser.
Open-Source Engine May Produce a Better Outcome
Chromium is a Google open-source web browser that has proven to be a favorite of developers. Chromium powers several third-party browsers, including Samsung Internet, Vivaldi, Brave, and Opera. Microsoft has actually been collaborating with Google to increase Chromium’s reach and has been using the Chromium engine to power its Edge browser on iOS and Android devices.
Testing and More Testing
Consumers should not get too excited yet, as it will take some time for the test versions to be reviewed and tweaked. In fact, it is not even in the beta stage. Two test versions of the rebuilt browser are accessible only to developers. The prototypes, called Developer and Canary, can be downloaded from the Edge insider website.
What is the difference between Canary and Developer? Canary, as its name would suggest, is a real-time channel. At the end of each day of work, developers will release it to Canary. Microsoft will test new features and fix bugs on the Canary channel. For developers, it means they can test out the version, hot off the press, as long as they don’t mind navigating through the bugs.
The Developer channel will also be fresh, but not real-time like Canary. The bugs identified on Canary will be fixed, user feedback will be analyzed and incorporated, and then it will go to the Developer channel. Developers can use this version of Microsoft Edge if they would like a smoother experience.
The Gentoo Linux GitHub Account Cybersecurity Failure
While one may expect software developers to usually have better-than-average security systems in place, the team behind Gentoo Linux’s GitHub account were the victims of an unfortunate event in June 2018. Hackers gained control of the account’s code repository, made changes to its content, and locked out its developers, preventing them from using GitHub for five days. Gentoo has still not been able to discover who was behind the attack.
How Did the Attackers Gain Access to the Gentoo GitHub Account?
Gentoo suffered from several deficiencies that made the attack easier to carry out. Evidence collected in the investigation of the incident led the Gentoo security team to conclude that the attackers obtained an administrator's password and, because that password followed a predictable scheme, could simply guess the administrator's passwords for other sites as well. The Gentoo developers did not have a backup copy of the GitHub organization details, and the repository was not mirrored from Gentoo's own infrastructure; it was stored directly on GitHub.
The attack did cause all the other developers to receive email alerts as they were systematically locked out of the GitHub account, which spurred them to take action and stop the attack in just over an hour. The account's private keys were also not stolen, which helped keep the attackers from completely deleting and removing all files.
How the Attack Could Have Been Avoided
Attention to the simplest fundamentals of cybersecurity could have prevented the attack from ever happening. Two-factor authentication for access to a website is an essential part of any cybersecurity plan: it requires a second proof of identity beyond the password before access is granted. On a practical level, this usually means that when a password is entered on a website, a message is sent to a mobile phone or secondary email address with a token (a second, one-time password) that has to be entered to gain access. Even if hackers could obtain the first password with relative ease, it would be much harder to obtain the second factor or to gain access to the email account as well.
Lessons That Can Be Drawn From the Attack and Applied Universally
Gentoo has released a list of their new implementations to help reinforce their security protocols. Anyone who has access to or control over sensitive or proprietary information would do well to learn from this attack and apply these simple security measures to their own organizations:
• Back up everything regularly in case of an attack or even a system failure. Backups should be stored offsite and should have the capability of being reached easily in case of an emergency.
• Enable two-factor authentication by default on all accounts where access is available to a group of people.
• Have an incident-response plan, and assign designated users to act immediately upon notification of a security breach.
• Ensure that former employees and group members have their access completely revoked if they are no longer working on a specific project.
New MacBook Security Feature Helps Prevent Microphone From Being Hacked
Apple has introduced a new MacBook security feature called the T2 security chip that is meant to help stop hostile takeovers of the computer’s camera and microphone that would allow hackers to eavesdrop on users. The company explained in the chip’s guide that the feature has been implemented in the computer’s hardware and that it physically disconnects the microphone when the lid of the computer is shut, thus prohibiting any software from using the microphone regardless of the level of its privileges. (Apple argued that since the camera’s field of view is totally blocked anyway when the lid is closed, there was no need to do anything more about that.)
You Have to Shut Your Lid
Although the new T2 chip security feature is effective in principle, it does nothing about the camera and microphone being commandeered while the lid is open and the computer is in use, which is what the FruitFly malware did to biomedical research center computers in 2017. While the addition of the feature is a positive development, it would have been better had Apple also installed a manual switch that let users toggle their computer's camera and microphone on and off themselves.
What Else Does the T2 Chip Offer?
The T2 chip also enables better security through a secure enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities. The chip also works with the MacBook’s FaceTime HD camera to allow for enhanced tone mapping, improved exposure control, and auto-exposure and auto-white balance based on face detection.
Mac computers that contain the T2 security chip include the iMac Pro as well as Mac Mini, MacBook Air, and MacBook Pro models from 2018.
Shimon Sheves truly embodies the adage, “Think Global, Act Local”. He is deeply passionate about his homeland of Israel and works tirelessly to support his community. Sheves is also the founder and chairman of HolistiCyber company that provides nation-state level cyber protection.