2023 January Cyber Bytes

Massive Twitter Data Breach Affects Over 5.4 million Accounts

Source: SCMedia.com by Menghan Xiao on November 28, 2022

In August, Twitter confirmed that an API vulnerability fixed in January led to data exposure, but the company said there was “no evidence” that it was exploited. Now over 5.4 million stolen user records have been shared for free on a hacker forum. On top of that, a security researcher warned that there is an even larger data dump obtained using the same vulnerability. A Twitter data breach reported earlier this year that affected more than five million users is worse than initially thought.

The API vulnerability was first reported by HackerOne through Twitter’s bug bounty program in January, revealing that people could identify one’s account if they had the user’s phone number or email address and vice versa. In July, a threat actor with the username “devil” began selling the dataset for $30,000. Pompompurin confirmed that the current free dataset on the forum is the same one that “devil” had.

The owner of the Breached hacking forum Pompompurin told BleepingComputer Sunday that they were responsible for exploiting the vulnerability, dumping 5.4 million records containing both private and public information, including phone numbers, email addresses, account IDs, location, and verified status.

While the leak of 5.4 million users’ information is concerning, security researcher Chad Loder warned that tens of millions of other Twitter accounts’ information had been obtained using the same API vulnerability. Loder first broke the findings on Twitter and was promptly suspended for reasons that remain unclear. He then posted the details of the evidence on Mastodon. SC Media has reached out to Twitter with further questions.

“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US. I have contacted a sample of the affected accounts, and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder wrote on Twitter.

Pompompurin told BleepingComputer that they were not responsible for this additional data breach, showing that multiple threat actors have utilized the API vulnerability.

“API security is a relatively new concept, and while there have been many improvements on this front, APIs that have been around for several years have likely not benefited from the same security considerations as those developed more recently,” Jerrod Piker, competitive intelligence analyst at Deep Instinct, told SC Media in an email. “As such, there are likely other open APIs within Twitter (as well as other public platforms) that are susceptible to the same type of vulnerability. It is highly likely that we will hear about similar data leaks in the future from Twitter and other public services.”

Chris Denbigh-White, security strategist at Next DLP, told SC Media that the security community should stay alert to the breach as the leaked information can be used for other attacks.

“[This breach] represents a goldmine of opportunity for would-be identity thieves or those seeking to use the information in support of social engineering attacks or wider profiling,” Denbigh-White said. “In the case of accounts used in political activism in countries with oppressive regimes, this breach could represent a genuine threat to the account owners.”

From a business perspective, Justin Shattuck, chief information security officer at Resilience Insurance, told SC Media that Twitter’s data dump is an important lesson for organizations to realize and understand the elevating security risks of public platforms. “Maybe [organizations’] leadership has accepted these risks, but the question is, do their advertisers also accept them?” Shattuck said.

FBI Warning: PC and Tech Support Scams Are Back. Here's What to Watch Out For

Scammers try to convince victims they're about to lose hundreds of dollars through a service payment - then use remote access software to get into their PCs.

Source: ZDNet by Danny Palmer November 16, 2022

The FBI is warning people to be alert to the threat of technical support scams, in which criminals pose as support staff from computer or software companies and try to trick unsuspecting PC users into giving up access to their bank accounts. The public service announcement by the FBI warns that there have been instances across the US recently of scammers posing as service representatives of software company tech support or computer repair services in attempts to trick victims into following instructions. 

They contact victims by phishing email or by phone, warning that an annual subscription service is about to be renewed within hours at a cost which is commonly in the range of $300 to $500 – and that the victim should get in contact if they want to cancel the payment. According to the FBI, the scammers offer services, "that would be found at major electronic store chains that sell electronics, computers, and other digital devices."

These false alerts can include, among other things, claims that Microsoft Office is going to expire, or a subscription to anti-virus software needs to be renewed. The scammers don't know what software the victim is subscribed to, but by convincing the victim they're about to lose a significant sum of money because of some random subscription, the aim is to scare them into contacting the false support scheme to cancel it, either by contacting a phone number, replying to the email or clicking a link that claims to offer help. 

Once the victim contacts the scammers to explain they don't want the 'subscription' and want a refund, the 'support' operative persuades the victim to download remote desktop protocol software, to provide full access to their computer to help the 'tech support' issue a cancellation and refund. Installing this software provides the scammer with full access to the victim's computer and the attacker tells the victim that they're refunding the subscription amount to their bank account, before encouraging the victim to log in to their online-banking service to check. 

If the victim does this, the scammer sees their username and password and can access the account. Once this happens, the scammers lock the user out of their system or show them a blank screen to hide the next step, which is making wire transfers to foreign bank accounts using the victim's account – a method used to help launder stolen money – or simply stealing money directly from the victim.

The information accessed in the victim's online bank account could also be used to conduct additional fraud. These scams use a sense of urgency to panic victims. As a result, the FBI is urging anyone who sees an email claiming to be urgent and relating to a subscription or service renewal to resist pressure to act quickly, as it's the sense of time running out that scammers aim to take advantage of. 

People are also urged not to be pressured into downloading software, particularly if it comes from unofficial sites and links, as that carries the risk of allowing cyber attackers to gain access to your PC or even install malware. And the FBI stresses that people shouldn't send wire transfers, especially to foreign banks, on the instruction of someone you've only spoken to online or via phone – especially as real banks will rarely ask for you to send sensitive information via email or enter it into an online form.

"When in doubt, search online for accurate financial institution information and initiate the communication from your end. If you are called by someone claiming to be an official institution, look up the contact information and call back," said the alert. "Monitor your credit card and bank account transactions for any unauthorized activity and immediately contact your financial institution if you observe irregular or unauthorized activity," it added.

Watch Out For This Triple-Pronged PayPal Phishing and Fraud Scam

We spotlight a nasty fraud attempt and show how you can protect yourself and your family.

Source: ZDNet by David Gewirtz, Senior Contributing Editor on December 2, 2022

My day started rough. It was 7 a.m., and I was just partially through my first cup of coffee, when I noticed a new message in my email inbox. It was from PayPal and the subject line said, "You've got a money request." And so began my first look at this three-pronged PayPal phishing scam.

The ask - There's nobody I know who would ask me for money through PayPal and reasonably expect to get it, especially without telling me ahead of time that they were invoicing me for something. I started to investigate the money request in my Gmail box. In Gmail, you can right-click on the message sender before opening the message, to see the full email address. The message was from PayPal, so I felt safe enough opening it. Once inside the message, I again looked at the sender, and it was still PayPal. The body of the message claimed to be from one Susan Bowman. Here, take a look at the message, beginning "We have detected some fraudulently activities with your PayPal account." The mistaken "fraudulently" instead of "fraudulent" is one sign there. But the sentence that caught my attention was "You will be charged $699. 99 today." Interestingly, there was a space between the period after $699 and the 99. Odd punctuation and spelling are often indicators of a scam message.

Another part of the message said, "Please call us as soon as possible at toll free number [REDACTED]. to cancel and claim a refund." There was a period after the phone number, right in the middle of the sentence. Another important thing to note was that the idea of the message was to get me to call a number that I was supposed to think was PayPal, to stop the $699.99 from being sent out. Urgency is another common element of phishing scams. The bottom of the message had a Pay Now button, and a PayPal transaction ID. I do a lot of coding using the PayPal API. It did, indeed, look like what a PayPal transaction ID normally looks like. As it turns out, it was an actual transaction ID that had been created in the actual PayPal system. More about that in a minute.

Rather than do anything with the message itself, I went to PayPal directly. I pointed my browser to PayPal.com and, after verifying my identity with two-factor authentication, logged in. I scrolled down on the page, and there was, in fact, recent activity from Susan Bowman. The screenshot below shows the transaction as canceled, but when I first logged in, the activity item was listed as pending. I clicked on the Help button at the top of the screen and scrolled down until I found the Contact Us option. I clicked on that, and after the usual hoop jumping, found myself talking to an agent in the company's fraud operation. I explained the situation. The agent knew exactly what I was calling about, and assured me that no money had been sent out. I was also guided through how to cancel this transaction.

If you click into a requested money transaction, there are two buttons that you can choose from. One is Send Money and the other is Cancel. Unfortunately, I didn't capture a screenshot before I canceled. I was much more focused (remember, I was still on my first cuppa coffee) on canceling the transaction. I clicked the Cancel button and the transaction was terminated. No money was lost. Then, I had a little chat with the PayPal agent and learned some things…

This was a three-pronged fraud attempt, in that the attackers had three different ways to win. As I suspected, and the agent confirmed, I was probably not personally targeted. Instead, my email address was one of thousands thrown against the wall to see what would stick. While the email address used for this account wasn't one of my most actively used accounts, my email addresses have been all over the Internet for decades, so they're undoubtedly available to attackers. Anyone can ask someone for money through PayPal. All they need to do is feed an email address into the PayPal interface and request money. It's a big part of what PayPal does, and it's a service that provides a lot of legitimate value to a lot of people. Once that email address is fed in, PayPal does most of the work. This makes it pretty ideal for phishing attackers.

There are three ways this attack works:

Prong No. 1: Pay out through PayPal: The first prong of the attack was the request for $699.99. While it's fairly unlikely that anyone who gets hit with this attack will click "Send Money," all it takes is one or two people doing that to make the entire attack worthwhile from the scammer's perspective. Don't pay enough attention, click the wrong button, and whoosh! Money gone.

Prong No. 2: Pay out by dialing the digits: The PayPal agent told me that the second prong of the attack that often also provides value to the scammers is the phone number they ask you to call. Depending on the scammer, the number itself may be billable. It's called a "one-ring phone scam" and it works by spoofing numbers, possibly connecting you to an international number where you're charged merely for connecting to the number.

Prong No. 3: Pay out by giving away too much personal info: The big score, I was told by the PayPal agent, is actually the third prong of the attack. That's when somebody gets the email and calls the number they think is PayPal to prevent the payment. It's at this point that the scammers, pretending to be PayPal's fraud department, start asking questions, and by the time they're done, they've separated their victims from a treasure trove of personal identifying information, which can fuel additional attacks into the future and can even be sold to other scammers and criminals.

How to protect yourself - My biggest piece of advice is simple: Pay attention. Don't go through your day just mindlessly clicking to get through your email. Be present and notice things. Next, follow my advice about protecting yourself from credit card fraud and check your bank accounts and credit cards every week. Keep an active eye on your finances and you'll be able to spot fraud attempts before it becomes too late to fix them. As for PayPal, understand that PayPal will never send payment without your explicit OK. The one exception to this is if you sign up for a subscription or a recurring donation. But even then, PayPal won't begin the process of sending money unless you have explicitly approved it. Don't click on links in suspicious email messages. Don't call numbers that you can't verify independently. Make sure your accounts all have two-factor authentication. Always update your operating system and browser when prompted. That will help prevent zero-day attacks from taking hold of your machine. And, finally, back up your devices. Follow my advice and institute a 3-2-1 backup strategy. That way, if you are hit by malware or some other attack, you can recover more quickly.

Sirius XM Flaw Unlocks So-Called Smart Cars Thanks To Code Flaw

Source: theregister.com by Jessica Lyons Hardcastle on November 30, 2022

Sirius XM's Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN). Yuga Labs' Sam Curry detailed the exploit in a series of tweets, and confirmed that the patch issued by SiriusXM fixed the security issue.

When asked about the bug, which affected Honda, Nissan, Infiniti, and Acura vehicles, a Sirius XM Connected Vehicle Services spokesperson emailed The Register the following statement: "We take the security of our customers' accounts seriously and participate in a bug bounty program to help identify and correct potential security flaws impacting our platforms. As part of this work, a security researcher submitted a report to Sirius XM's Connected Vehicle Services on an authorization flaw impacting a specific telematics program. The issue was resolved within 24 hours after the report was submitted. At no point was any subscriber or other data compromised nor was any unauthorized account modified using this method."

Curry and other bug hunters found several vulnerabilities affecting different car companies earlier this year, which prompted the researchers to ask "who exactly was providing the auto manufacturers telematic services" for the different automakers. The answer was Sirius XM, which provides connected vehicle services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. The researchers determined that the telematics platforms used the car's VIN, which is located on the windshield of most cars, to authorize commands and also fetch user profiles. So as long as an attacker knew the VIN, which on many models can be obtained simply by walking by the car, they could send requests to the telematics platform and remotely unlock, start, locate, flash the lights, and honk horns on the connected cars.

According to Curry, the team plans to publish more of their findings from the car hacking case soon. Plus, they've already got requests on who and what to hack next, with one Twitter user begging: "Do OnStar next plz."
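The authorization flaw described above, with the VIN alone standing in for proof of ownership, is shown here beside a corrected check. This is an added example, not Sirius XM's or the researchers' code; the placeholder VINs, account names, session store and function names are all hypothetical.

```python
import secrets

# Constructed sample data: placeholder VINs mapped to the enrolled account.
VEHICLE_OWNER = {"VIN-PLACEHOLDER-0001": "alice", "VIN-PLACEHOLDER-0002": "bob"}
ALLOWED_COMMANDS = {"unlock", "start", "locate", "flash_lights", "honk"}
SESSIONS = {}   # session token -> account id (hypothetical session store)
DENIED = []     # audit trail of refused requests, for detection


def login(account: str) -> str:
    """Stand-in for real authentication: issues an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def command_vin_only(vin: str, command: str) -> dict:
    """Flawed pattern from the article: the VIN alone authorizes the command."""
    if vin in VEHICLE_OWNER and command in ALLOWED_COMMANDS:
        return {"status": 200, "vin": vin, "executed": command}
    return {"status": 404}


def command_authorized(token: str, vin: str, command: str) -> dict:
    """Corrected pattern: authenticate the caller, then check VIN ownership."""
    account = SESSIONS.get(token)
    if account is None:
        return {"status": 401}
    if command not in ALLOWED_COMMANDS:
        return {"status": 400}
    # Unknown VINs and other people's VINs get the same answer, so the
    # endpoint cannot be used to test which VINs are enrolled.
    if VEHICLE_OWNER.get(vin) != account:
        DENIED.append({"account": account, "vin": vin, "command": command})
        return {"status": 403}
    return {"status": 200, "vin": vin, "executed": command}


if __name__ == "__main__":
    alice = login("alice")
    # The same request for a vehicle alice does not own: accepted, then refused.
    print(command_vin_only("VIN-PLACEHOLDER-0002", "unlock"))
    print(command_authorized(alice, "VIN-PLACEHOLDER-0002", "unlock"))
    print(command_authorized(alice, "VIN-PLACEHOLDER-0001", "unlock"))
```

Repeated entries in `DENIED` from one account across many VINs are the signal a monitoring team would alert on.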

Earlier this year, security researchers discovered a different Honda bug that allowed miscreants to remotely start and unlock Civics manufactured between 2016 and 2020.  This flaw, tracked as CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart. In their research, they thanked mentor Sam Curry and explained "various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack." 

These File Types Are The Ones Most Commonly Used By Hackers to Hide Their Malware

Careful when you click: cyber criminals are hiding malicious payload to make it more difficult for users - and anti-virus software - to detect.

Source: ZDNet by Danny Palmer, Senior Writer on December 1, 2022

ZIP and RAR files have overtaken Office documents as the file type most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs. The research, based on customer data by HP Wolf Security, found that in the period between July and September this year, 42% of attempts at delivering malware attacks used archive file formats, including ZIP and RAR. That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.

According to researchers, this marks the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware. Encrypting malicious payloads and hiding them within archive files provides attackers with a way of bypassing many security protections. "Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques," said Alex Holland, senior malware analyst on the HP Wolf Security threat research team.

In many cases, the attackers are crafting phishing emails which look like they come from known brands and online service providers, which attempt to trick the user into opening and running the malicious ZIP or RAR file. This includes using malicious HTML files in emails which masquerade as PDF documents – which if run, show a fake online document viewer which decodes the ZIP archive. If it's downloaded by the user, it will infect them with malware.

According to analysis by HP Wolf Security, one of the most notorious malware campaigns which is now relying on ZIP archives and malicious HTML files is Qakbot – a malware family which is not only used to steal data, but also used as a backdoor for deploying ransomware. Qakbot reemerged in September, with malicious messages sent out by email, claiming to be related to online documents which needed to be opened. If the archive was run, it used malicious commands to download and execute the payload in the form of a dynamic link library, then launched using legitimate – but commonly abused – tools in Windows. Shortly afterwards, cyber criminals distributing IcedID – a form of malware which is installed in order to enable hands-on, human-operated ransomware attacks – started using a template almost identical to that used by Qakbot to abuse archive files to trick victims into downloading malware. Both campaigns put effort into ensuring the emails and the phony HTML pages looked legitimate to fool as many victims as possible.

"What was interesting with the QakBot and IcedID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we've seen before, making it hard for people to know what files they can and can't trust," said Holland.

A ransomware group has also been seen abusing ZIP and RAR files in this way. According to HP Wolf Security, a campaign spread by the Magniber ransomware group targeted home users, with attacks which encrypt files and demand $2,500 from victims. In this case, the infection begins with a download from an attacker-controlled website which asks users to download a ZIP archive containing a JavaScript file purporting to be an important anti-virus or Windows 10 software update. If run and executed, it downloads and installs the ransomware. Prior to this latest Magniber campaign, the ransomware was spread through MSI and EXE files – but like other cyber criminal groups, they've noticed the success which can be achieved with delivering payloads hidden in archive files.

Cyber criminals are continuously changing their attacks and phishing remains one of the key methods of delivering malware because it's often difficult to detect if an email or files are legitimate – particularly if it has already slipped by hiding the malicious payload somewhere where anti-virus software can't detect it. Users are urged to be cautious about urgent requests to open links and download attachments, especially from unexpected or unknown sources.
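The delivery pattern this article describes (encrypted archives that scanners cannot look inside, and ZIP files carrying JavaScript, MSI, EXE, DLL or HTML payloads) can be triaged from the archive's directory alone, without extracting anything. The sketch below is an added example, not HP Wolf Security's tooling; the extension lists, the verdict policy and the constructed sample archives are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Payload types named in the article; an assumption, not a complete blocklist.
RISKY_EXTENSIONS = {".js", ".msi", ".exe", ".dll", ".html", ".htm"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general purpose bit flag


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment's directory without extracting any entry."""
    findings = {"encrypted": [], "risky": [], "double_extension": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"error": "not a readable ZIP archive", **findings}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if info.flag_bits & ENCRYPTED_FLAG:
                findings["encrypted"].append(info.filename)
            if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
                findings["risky"].append(info.filename)
                # e.g. "invoice.pdf.html": a document name hiding the real type
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
                    findings["double_extension"].append(info.filename)
    return findings


def verdict(findings: dict) -> str:
    """Hypothetical gateway policy: block risky names, hold what cannot be scanned."""
    if findings["risky"]:
        return "block"
    if findings.get("error") or findings["encrypted"]:
        return "quarantine"
    return "allow"


def build_sample(entries, mark_encrypted=False) -> bytes:
    """Build a constructed, harmless sample archive in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries:
            zf.writestr(name, body)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Set the encryption bit in each central-directory header (offset 8).
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED_FLAG
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample([("Windows10_Update.js", "// constructed placeholder")])
    print(triage_zip(sample), verdict(triage_zip(sample)))
```

Traditional ZIP encryption leaves entry names readable, which is why the name checks still work on a password-protected archive even though its contents cannot be scanned.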