Friday Five: 4/26 Edition
A new phishing scam asking for selfies, embedding malware in video games, and the latest IoT vulnerability are all covered in this week's Friday Five.
1. Devious Chase Bank Phishing Scam Asks For Selfies by Lawrence Abrams
A courtesy share here, especially if you happen to bank with Chase: there's a sinister new phishing scam making the rounds that tricks victims into uploading a selfie while holding their ID or driver's license. While some may find it easy to dismiss, a company asking to confirm your identity may not sound far-fetched to a customer desperate to get back into their account. The problem is that by handing over all of this information - your credit card details, mother's maiden name, billing address, and now a photo of your ID - you're giving attackers the keys to the castle. It may sound like common sense, but it's always worth confirming you're on the right website by examining the URL in the address bar before submitting sensitive data.
2. Source Code for Carbanak Backdoor Shared with Larger Infosec Community by Ionut Ilascu
It's been a big week for FireEye, which dug deep on CARBANAK over the course of four blog posts Monday through Thursday. Developed and used by the FIN7 group, Carbanak, a nasty backdoor, led to the theft of roughly $1 billion from around 100 financial institutions not too long ago. It turns out the source code for the malware has been sitting on VirusTotal for years; FireEye shared the source code with malware researchers this week and described, in the first post, how challenging it was to analyze. "Reading the source code entailed two steps: displaying the files in the correct encoding, and learning enough Russian to be dangerous." Tom Bennett, one of the researchers, said, "I spent several hours on Russian language learning websites to study the pronunciation of Cyrillic characters and Russian words. Then, I looked up the top 600+ words and created a small dictionary." If you're interested in taking a deeper dive, the second, third, and fourth posts are just as informative.
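The two steps Bennett describes are a routine first pass for any analyst handed source with comments in a language and code page they don't read. The script below is an added example (it is not FireEye's tooling and the blog does not describe theirs): it tries a short list of candidate encodings, keeps the first that decodes cleanly and actually yields Cyrillic, pulls the comments out of C-style source, and counts the Cyrillic words so you can build exactly the kind of small dictionary the quote mentions. The encoding list (UTF-8, Windows-1251, KOI8-R) and the sample source are constructed for this example; the blog does not state which code page the Carbanak files used.

```python
"""Triage helper for source whose comments are in Russian and stored in a
legacy Windows code page. Added example, not FireEye's code."""
from __future__ import annotations

import re
from collections import Counter

# Tried in order: valid UTF-8 is strong evidence on its own, after that the
# two legacy Russian code pages. This list is an assumption for the example.
CANDIDATE_ENCODINGS = ("utf-8", "cp1251", "koi8-r")

# Two or more consecutive Cyrillic letters (Unicode block U+0400-U+04FF).
CYRILLIC_WORD = re.compile(r"[\u0400-\u04FF]{2,}")

# C/C++ style line and block comments.
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def decode_source(raw: bytes) -> tuple[str, str]:
    """Return (text, encoding) for the first candidate encoding that both
    decodes without error and produces at least one Cyrillic word.
    Falls back to latin-1 (never fails) so the caller still gets text."""
    for enc in CANDIDATE_ENCODINGS:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if CYRILLIC_WORD.search(text):
            return text, enc
    return raw.decode("latin-1"), "latin-1"


def comment_words(text: str) -> Counter:
    """Count lower-cased Cyrillic words that appear inside comments only,
    so identifiers and string literals in the code do not skew the list."""
    words: Counter = Counter()
    for match in COMMENT.finditer(text):
        for word in CYRILLIC_WORD.findall(match.group(0)):
            words[word.lower()] += 1
    return words


def top_words(raw: bytes, n: int = 10) -> list[tuple[str, int]]:
    """Decode the file and return the n most frequent comment words,
    i.e. the seed of an analyst's personal dictionary."""
    text, _ = decode_source(raw)
    return comment_words(text).most_common(n)


# Constructed sample: a C fragment with Russian comments, saved as cp1251
# the way a Russian-locale Windows editor would write it.
SAMPLE_SOURCE = (
    "// Отправить данные на сервер\n"
    "int send_data(char *buf) {\n"
    "    /* проверить данные перед отправкой */\n"
    "    return 0;\n"
    "}\n"
)
SAMPLE_CP1251 = SAMPLE_SOURCE.encode("cp1251")

if __name__ == "__main__":
    text, enc = decode_source(SAMPLE_CP1251)
    print(f"decoded as {enc}")
    for word, count in top_words(SAMPLE_CP1251, 5):
        print(f"{count:3d}  {word}")
```

Run over a whole tree, the word list plus a translation table for the top few hundred entries is enough to skim comments and spot the interesting functions before reading any code in detail. Note that the fallback to latin-1 never raises; if the result is mojibake rather than Cyrillic, the candidate list needs another code page.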
3. Coffee with Privacy Pros: Three Constants of Privacy by Jared Coseglia
Not an article but a quick conversation with Ruby Zefo, the Chief Privacy Officer of Uber, on what she calls the three pillars of privacy: law, customer, and technology. In the latest in CPO Magazine's series, Coffee with Privacy Pros, Zefo talks about keeping up with the changing privacy laws, how automation is affecting privacy programs, and how the company has to think about data regulation, especially as customers travel across state lines. "How could this affect data regulation? Will an application technology know when or if data generation is created in different states? Are notifications necessary? Will this nuance require any unique user experience differentiation? Should it? Laws are my job. I have to make sure my company is compliant," Zefo says.
4. Supply Chain Hackers Snuck Malware Into Videogames by Andy Greenberg
We include a lot of Andy Greenberg articles here for a reason: he gets hold of a lot of scoops, and this one, via Wired on Tuesday, is an interesting one that highlights the inherent fragility of the software supply chain. It's a fascinating story about how supply chain hackers are getting upstream access to the programming tools used by video game developers and using them to plant malware in the games themselves. A gaming company in Thailand, Electronics Extreme, and its video game Infestation are among the victims, according to the piece. It's believed the targeted gaming studios were hit by the same hackers who compromised ASUS's software update mechanism earlier this year. Researchers with Kaspersky Lab, who discovered the attack vector alongside ESET, reportedly found the malware while looking for code similar to the backdoor delivered through the ASUS updates. "Rather than indiscriminately planting crimeware on as many machines as possible, the videogame hackers appear to be performing reconnaissance. The malware seems to be a first-stage trojan that simply gains a foothold and uploads a unique identifier for the machine back to the hackers' server, so they can decide which computers to target later with a second-stage tool," Greenberg writes. How fitting that this story arrives at the tail end of National Supply Chain Integrity Month.
5. P2P Weakness Exposes Millions of IoT Devices by Brian Krebs
A late-week scoop via Krebs on what sounds like a scary but not surprising weakness in a Chinese internet-of-things peer-to-peer component, iLnkP2P. The software, bundled with IoT devices like webcams, smart doorbells, and digital video recorders, could open those devices to eavesdropping, password theft, and remote compromise, according to Paul Marrapese, a security researcher who wrote a proof-of-concept script for the vulnerability and shared his findings with Krebs. It'll be interesting to see if the story gets any traction. Marrapese told the reporter that none of the companies who manufacture the products responded to his concerns, nor did China's CERT. Even if the companies do respond, it's unlikely there's a fix here, Marrapese told Krebs: "The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons. Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process."