Here are the stories that caught our eye this week:
TechRepublic posted on August 4 that a new report from cyber threat intelligence provider Check Point Research identifies some of the most impersonated brands during the second quarter of 2020. Check Point’s “Brand Phishing Report for Q2 2020” found that Google and Amazon were the most impersonated brands last quarter, each accounting for 13% of the brand phishing campaigns analyzed. Apple dropped from first place in the first quarter of 2020 to seventh place in the second quarter, accounting for only 2% of the brand phishing attacks. WhatsApp and Facebook tied for third place, each representing 9% of the observed brand phishing campaigns. Microsoft accounted for 7%, Outlook for 3%, and Netflix tied with Apple, Huawei, and PayPal for 2%. The most impersonated industry sector was technology, followed by banking and social networks. Among the different attack vectors or platforms, email accounted for 24% of the brand phishing campaigns, with Microsoft, Outlook, and UniCredit the most impersonated. Web-based attacks encompassed 61%, with Google, Amazon, and WhatsApp the most spoofed. Mobile brands accounted for 15% of all attacks, with Facebook, WhatsApp, and PayPal the most imitated. To protect yourself and your organization against these types of brand phishing attacks, Check Point offers the following advice: Verify that you’re using or ordering from an authentic website.
Microsoft earlier today released its August 2020 batch of software security updates for all supported versions of its Windows operating systems and other products.
In a nutshell, your Windows computer can be hacked if you:
- Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs
- Listen to audio — thanks to bugs affecting Windows Media Audio Codec
- Browse a website — thanks to ‘all time buggy’ Internet Explorer
- Edit an HTML page — thanks to an MSHTML Engine flaw
- Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader
- Receive an email message — thanks to yet another bug in Microsoft Outlook
BuzzFeed News reported that names, the last four digits of credit card numbers, and other personal information belonging to hundreds of thousands of Instacart customers were being sold online. The information up for grabs included order history and addresses, the outlet reports. BuzzFeed says it confirmed with two Instacart users that the information included in the cache matched their recent purchases. Instacart told USA Today that it initiated an investigation and found no evidence that its hub of user data has been breached. “We take data protection and privacy very seriously,” Instacart said in a statement. “We have a dedicated security team as well as multiple layers of security measures across common vectors designed to protect the integrity of all user accounts.” The company said cybercriminals may target individuals via phishing attacks, which are easier to carry out when people reuse the same login credentials across various websites and apps. Instacart has grown in popularity during the pandemic as households increasingly order groceries online due to nationwide lockdowns. In June, the company announced that it raised $225 million in an investment round as it experienced “an unprecedented surge in customer demand.” Hackers and other online criminals tend to focus on new growth areas, cybersecurity professionals at Check Point have previously told USA Today.
The fine was imposed by the Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury that governs the execution of laws relating to national banks. According to a press release published by the OCC on Thursday, Capital One failed to establish appropriate risk management before migrating its IT operations to a public cloud-based service, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The OCC said that the credit card provider left numerous weaknesses in its cloud-based data storage in place following an internal audit in 2015 and also failed to patch security vulnerabilities, violating the “Interagency Guidelines Establishing Information Security Standards” with which all US banks must comply. These unsafe and poor security practices resulted in a massive data breach last year, when a single hacker was able to steal credit card information of over 106 million Capital One customers. The hacker managed to steal approximately 140,000 Social Security numbers and 80,000 bank account numbers linked to US customers, and 1 million Canadian Social Insurance numbers.
On the social news aggregation service, which hosts numerous discussion forums, more than 70 specific online communities – known as subreddits – were temporarily hijacked and used to post messages in support of U.S. President Donald Trump over the weekend. Reddit has not named anyone suspected of launching the attack. While Reddit has yet to publish a full postmortem on the incident, it says the compromised accounts did not have two-factor authentication enabled. The availability of billions of username and password combinations gathered from countless data breaches means that someone could have methodically targeted subreddit editors, collecting valid credentials over a long period of time and waiting for the right moment to strike. In Reddit’s earlier breach, which came to light in 2018, an attacker compromised employee accounts at the company’s cloud and source-code hosting providers. After that breach, the company said it moved away from sending two-factor codes via SMS because attackers had used SIM hijacking to help compromise those employee accounts.
Infographic of the Week!