Cybersecurity Week in Review: 11/9
Posted by: GuidePoint Security
This week’s news suggests that cybercriminals are increasingly and creatively taking advantage of the upsurge in the number of people engaged in remote work during the pandemic. Our stories focus on a rash of corporate data breaches, the use of Facebook advertising by cybercriminals to encourage ransomware payment and a dramatic increase in the use of encrypted malware.
Cybercriminals ramping up data breaches as holidays approach
Multiple online retailers and entertainment services corporations announced this week that they were the target of data breaches, suggesting that threat actors are busily preparing for an eventful holiday season crime spree.
The organizations targeted include a large retailer of outdoor clothing and accessories, an online children’s gaming platform, the world’s largest eyewear company, a popular stock photography service and a global media and entertainment company. The types of data stolen ranged from usernames and passwords to personally identifiable information (PII) and protected health information (PHI), including doctor’s notes and health insurance and credit card numbers. The total number of individuals collectively affected is estimated to be over 60 million.
In the case of the outdoor gear producer, customer passwords had to be reset due to a “credential stuffing” attack. Credential stuffing involves leveraging usernames and passwords stolen in previous, unrelated breaches. Since many people employ the same username and password across multiple accounts, criminals attempt to reuse them on a target account to gain unauthorized access. The credential stuffing process is usually automated, so large lists of stolen credentials can be tested against a target site quickly.
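Because credential stuffing replays many different stolen username/password pairs from one source, the defender-side signal is a single source trying an unusually large number of distinct usernames in a short window with a high failure rate (a classic brute-force attack looks different: one username, many passwords). The following Python script is an added example, not code from the GuidePoint post or from any of the companies mentioned; the log format, the sample log lines and the detection thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Assumed log format (one login attempt per line):
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
The thresholds below are illustrative assumptions, not vendor guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycling through many usernames (stuffing),
# one source hammering a single username (brute force), and normal logins.
SAMPLE_LOG = """\
2020-11-09T10:00:01 203.0.113.7 alice FAIL
2020-11-09T10:00:02 203.0.113.7 bob FAIL
2020-11-09T10:00:02 203.0.113.7 carol FAIL
2020-11-09T10:00:03 203.0.113.7 dave FAIL
2020-11-09T10:00:03 203.0.113.7 erin OK
2020-11-09T10:00:04 203.0.113.7 frank FAIL
2020-11-09T10:00:05 203.0.113.7 grace FAIL
2020-11-09T10:00:05 203.0.113.7 heidi FAIL
2020-11-09T10:00:06 203.0.113.7 ivan FAIL
2020-11-09T10:00:06 203.0.113.7 judy FAIL
2020-11-09T10:00:07 203.0.113.7 mallory FAIL
2020-11-09T10:00:07 203.0.113.7 niaj FAIL
2020-11-09T10:00:08 203.0.113.7 olivia FAIL
2020-11-09T10:00:09 203.0.113.7 peggy OK
2020-11-09T10:00:09 203.0.113.7 rupert FAIL
2020-11-09T10:00:10 203.0.113.7 sybil FAIL
2020-11-09T10:00:10 203.0.113.7 trent FAIL
2020-11-09T10:00:11 203.0.113.7 victor FAIL
2020-11-09T10:00:11 203.0.113.7 walter FAIL
2020-11-09T10:00:12 203.0.113.7 wendy FAIL
2020-11-09T10:00:12 203.0.113.7 zoe FAIL
2020-11-09T10:01:00 198.51.100.4 alice FAIL
2020-11-09T10:01:05 198.51.100.4 alice FAIL
2020-11-09T10:01:09 198.51.100.4 alice FAIL
2020-11-09T10:01:14 198.51.100.4 alice FAIL
2020-11-09T10:01:20 198.51.100.4 alice OK
2020-11-09T10:02:00 192.0.2.10 bob OK
2020-11-09T10:02:30 192.0.2.10 carol OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that, within any `window`-long span,
    tried at least `min_users` distinct usernames with a failure rate of at
    least `min_fail_ratio`. The summary reports the widest such span and the
    accounts that nevertheless succeeded (candidates for a forced reset)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            ratio = failures / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary}")
```

On the constructed log only 203.0.113.7 is flagged: the brute-force source (198.51.100.4) never exceeds one distinct username, and the normal users never reach the failure threshold. The `compromised` list is the operationally useful output, since those are the accounts whose reused passwords actually worked and should be reset, which is exactly the response the outdoor retailer took.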
The data breach on the eyewear company involves highly personal information on close to one million individuals. In addition to selling some of the world’s best-known eyeglass brands, this company also operates one of the largest eye vision benefit companies in the U.S., partnering with major retailers to offer professional eye care services. While the attack appears to have taken place in August, patients were only being notified this month. In a “security incident” notice, the company warned its customers: “The personal information involved in this incident may have included: full name, contact information, appointment date and time, health insurance policy number, doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures.”
The hacker group “ShinyHunters” appears to be behind two other data breaches announced this week—one on a hugely popular online children’s gaming platform affecting 46 million accounts and another on a 5.22 GB database owned by a major online media and entertainment company. In the case of the children’s gaming platform, not only were customer usernames and passwords exposed, but the official data breach alert also states that more than 5 million of the breached accounts included a full birthdate. More than 12,000 of the breached accounts contained a parent’s full name and billing address.
The breach of the online media and entertainment company affected users who log in with the social media sign-in feature. In this breach, it appears full names, locations, genders, email addresses, IP addresses, and links to social media profiles were exposed.
More information on each of these data breaches can be found at the following links:
- Outdoor clothing and accessories company experiences credential stuffing attack
- 46 million accounts exposed in online children’s gaming platform data breach
- PII and PHI stolen from world’s largest eyewear company
- Global media and entertainment company hit with 5.22 GB data breach
- 8.3 million records stolen in data breach from popular stock photograph service
Ransomware extortion ads appearing on Facebook
Ads appearing on a hacked Facebook account this week suggest that cybercriminals believe that public pressure can help make their victims pay up after ransomware attacks.
Last week a well-known Italian liquor company suffered a “Ragnar Locker” ransomware attack. The criminals demanded a $15 million ransom to decrypt 2 TB of data from servers in 24 countries. If the ransom wasn’t paid, the hackers would release sensitive information, including bank statements, passport information, employee tax forms and social security numbers.
But then, the hackers took their crime one step further. Using the hacked Facebook account of a Chicago-based DJ (who, it appears, had not turned on two-step authentication), the criminals started advertising their ransom threats. The ads, entitled “Security breach of Campari Group network” by the “Ragnar_Locker Team,” warned that further sensitive information would be released if the ransom wasn’t paid. According to the hacked Facebook account owner, the ads were shown to over 7,000 Facebook users before Facebook detected the fraudulent campaign and removed it. Unfortunately, despite the ads’ fraudulent nature, this did not stop Facebook from billing the hacked account owner for a portion of the advertising, although it appears the bill only came to $35.
You can read more on the Facebook ransomware extortion case here.
Encrypted Malware Surging Dramatically
Cyberattacks using SSL/TLS encryption jumped 260% in the first nine months of 2020 compared to the same period last year, according to a recent study by an information security company. Experts believe the surge in encrypted attacks is the result of cybercriminals taking advantage of the spike in the number of individuals working remotely during the COVID-19 pandemic.
According to this research, encrypted ransomware attacks also increased by a massive 500% between March and September. Companies in the healthcare industry were the most often attacked during this period, with finance and insurance coming in second and manufacturing coming in third.
Experts have been warning about an increase in ‘encrypted’ attacks for several years now. Past research has suggested that internet users do not necessarily understand URL or website security indicators. The increase in the number of HTTPS URLs (URLs displayed with the “padlock” security icon) has led many internet users to assume that an encrypted website is safe from malware and other threats, which couldn’t be further from the truth: the padlock only means the connection to the site is encrypted, not that the site or its content is trustworthy.
This most recent research into SSL/TLS encrypted cyberattacks supports what security researchers have been concerned with all along—that cybercriminals are taking advantage of this false sense of security by placing malware on encrypted sites. Researchers believe the dramatic increase in encrypted attacks over the last few months is a direct result of the shift from in-office operations to remote work, with more people collaborating via the cloud and threat actors hosting malware on large, trusted cloud service platforms. Victims are lured to the cloud service sites via phishing emails. Since many organizations consider encrypted sites and encrypted content “trusted,” they fail to inspect the traffic, leading to an increase in attacks.
You can read more about the increase in encrypted malware attacks here.
Final Words
Criminals have always taken advantage of tough times. So, it should really come as no surprise that hackers are exploiting the pandemic and the changes the pandemic has wrought on our society. A recent survey of CISOs found that 63% had experienced an increase in cybercrime since the start of the pandemic.
These massive changes mean that cybersecurity professionals are under more pressure to find different ways of protecting the company and its employees. One of the best ways of coping with cybersecurity risk and challenges during the pandemic is to build a comprehensive security strategy that incorporates not only the latest cyber technology but also the support of other departments, such as HR and marketing, which may be better able to reach employees and promote security strategies and tools to them.
Vulnerability will never go away entirely. But collective corporate vigilance and education can bring some relief.
We need to all remember that security is an action. We get out what we put into it.