Friday Five: 7/24 Edition
A new phishing campaign abuses enterprise cloud services, a BadPower attack could set your device on fire, and the UK sports industry is under near-constant cyber attack - catch up on all the week's news with the Friday Five.
1. Coronavirus: England’s Test and Trace Programme ‘Breaks GDPR Data Law’ by Rory Cellan-Jones
England’s initiative to trace contacts of people infected with Covid-19 is receiving backlash as privacy campaigners say it was launched without an assessment of its impact on privacy. The test and trace program asks people for their sensitive personal information, including name, birthdate, postcode, who they live with, places recently visited, and names and contact details of people they have been in close contact with, including sexual partners. The Open Rights Group (ORG) says the initiative has been unlawful since it began on May 28th, but the government says there is no evidence of data being used unlawfully and there was no breach of any of the data that has been stored. The ORG had threatened to go to court to force the government to conduct a data protection impact assessment (DPIA), a requirement under the General Data Protection Regulation (GDPR) for projects that process personal data. A spokesperson for the Department of Health has stated they are committed to the highest ethical and data governance standards as they collect and retain data to fight the virus.
2. New Phishing Campaign Abuses a Trio of Enterprise Cloud Services by Ax Sharma
A new trend has gained traction among cybercriminals – they are now turning to enterprise cloud services, such as Microsoft Azure, Microsoft Dynamics, and IBM Cloud, as part of an attempt to steal your login credentials. Hosting the lure on these services makes the attack harder for targets to detect. The campaign uses a fake “servicedesk.com” email domain and imitates a “quarantined mail” notification that mimics the wording used by real IT helpdesk domains in corporate environments. When a victim clicks the “release messages” call-to-action button, they are taken to a legitimate Microsoft Dynamics 365 URL and then redirected to an IBM Cloud domain that hosts the phishing landing page. The victim is prompted to enter their login information, which the malicious page captures. This campaign is especially dangerous because using three well-known enterprise services to host the landing pages lends it legitimacy and makes it harder to detect.
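The article describes the lure only at the level of its flow (helpdesk-style sender, quarantine wording, a "release messages" link that passes through a legitimate cloud host before landing on the credential page). The following triage script is an added example, not code from the article or from the researchers it cites. It parses a constructed notification message, checks the sender domain against an assumed allowlist of the organisation's real helpdesk domains, and follows any URL embedded in a link's query string to report the hop chain. The sample message, the placeholder hosts, the allowlists, and the assumption that the hop between cloud hosts is expressed as a URL-valued query parameter are all my own; the article does not say how the Dynamics-to-IBM redirect is implemented.

```python
from __future__ import annotations
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample lure (not from the article); hosts are illustrative placeholders.
SUSPICIOUS_EMAIL = """\
From: IT Helpdesk <quarantine@servicedesk.com>
To: alice@example-corp.test
Subject: 3 quarantined messages are waiting for review
Content-Type: text/html

<html><body>
<p>You have 3 messages held in quarantine.</p>
<p><a href="https://example-org.crm.dynamics-placeholder.test/go?next=https%3A%2F%2Fbucket.cloud-placeholder.test%2Flogin">Release messages</a></p>
</body></html>
"""

# Constructed legitimate notification for comparison (same wording, first-party hosts).
LEGIT_EMAIL = """\
From: IT Helpdesk <quarantine@example-corp.test>
To: alice@example-corp.test
Subject: 1 quarantined message is waiting for review
Content-Type: text/html

<html><body>
<p>You have 1 message held in quarantine.</p>
<p><a href="https://quarantine.example-corp.test/release?id=123">Release messages</a></p>
</body></html>
"""

# Assumed: the hosts and sender domains the organisation's real quarantine system uses.
TRUSTED_QUARANTINE_HOSTS = {"quarantine.example-corp.test"}
TRUSTED_SENDER_DOMAINS = {"example-corp.test"}
# Wording the article says the lure copies from real helpdesk notices.
LURE_PHRASES = ("quarantine", "release messages")

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def extract_links(html: str) -> list[str]:
    """Return every href value in the HTML body."""
    return HREF_RE.findall(html)


def redirect_chain(url: str) -> list[str]:
    """Host of `url`, followed by the hosts of any URL carried in its query string.

    Assumption (not from the article): the hop from the first cloud host to the
    landing page is encoded as a URL-valued query parameter, so it can be read
    statically without fetching anything.
    """
    hosts: list[str] = []
    seen: set[str] = set()
    queue = [url]
    while queue:
        current = queue.pop(0)
        parsed = urlparse(current)
        if not parsed.netloc or current in seen:
            continue
        seen.add(current)
        hosts.append(parsed.netloc.lower())
        for values in parse_qs(parsed.query).values():
            for value in values:
                value = unquote(value)
                if value.startswith(("http://", "https://")):
                    queue.append(value)
    return hosts


def analyse(raw: str) -> dict:
    """Flag quarantine-style notices whose sender or release link is off-domain."""
    msg = message_from_string(raw)
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = match.group(1).lower() if match else ""
    body = msg.get_payload()
    findings: list[str] = []

    if any(p in body.lower() for p in LURE_PHRASES) and sender_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"quarantine-style lure from untrusted sender domain {sender_domain}")

    chains: list[list[str]] = []
    for link in extract_links(body):
        chain = redirect_chain(link)
        chains.append(chain)
        if chain and chain[0] not in TRUSTED_QUARANTINE_HOSTS:
            findings.append("release link points off-domain: " + " -> ".join(chain))
        if len(chain) > 1:
            findings.append("link carries an embedded redirect target")

    return {"sender_domain": sender_domain, "chains": chains,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw))
```

The point of comparing the two messages is that wording alone does not separate them; what does is whether the sender domain and the first link host belong to the organisation, and whether the link already names a further destination. A second hop through a trusted-looking cloud host is exactly what this campaign relies on, so the chain, not just the first host, is what should be surfaced to the analyst.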
3. BadPower Attack Corrupts Fast Chargers to Melt or Set Your Device on Fire by Catalin Cimpanu
Chinese security researchers recently discovered that attackers can alter the firmware of fast chargers to deliver extra voltage to devices and melt components, or even set them on fire. Fast chargers were developed in the past few years and use special firmware to “talk” to a connected device and negotiate a faster charging speed. Depending on whether the device supports a fast-charging feature, the fast charger can deliver 12V, 20V, or even higher charging voltages. The new corruption technique, named BadPower, works by altering the default charging parameters to deliver more voltage than the connected device can handle. This degrades and damages the receiving device’s components as they heat up, bend, melt, or even burn. Because the attacker needs no prompts or interaction from the user, the BadPower attack is silent and fast. Suggestions to fix the BadPower problem include hardening charger firmware to prevent unauthorized modifications, and also deploying overload protection in the charged devices themselves.
4. Twitter Says Hackers Viewed 36 Accounts’ Private Messages by Leo Kelion
In its ongoing investigation of last week’s highly publicized security breach and the cryptocurrency scam carried out from hijacked high-profile accounts, Twitter has provided another update on its findings. The company has revealed that hackers viewed private direct messages from 36 of the accounts involved in the hack. The specific accounts were not publicly disclosed, but Twitter notified all affected individuals that hackers gained full access to their DMs. The company has publicly stated that it has “implemented safeguards to improve the security of our internal systems and are working with law enforcement as they conduct their investigations,” and that it remains committed to being transparent in sharing its findings.
5. NCSC Reveals Scale of Cyber Attacks on UK Sports Industry by Alex Scroxton
In its first-ever report on the impact of cyber crime on one of the UK’s highest-profile industries, the National Cyber Security Centre (NCSC) found that at least 70% of sporting institutions, organizations, and teams have suffered a security incident in the past 12 months. Paul Chichester, operations director at the NCSC, said, “While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show that the impact of cyber criminals cashing in on this industry is very real.” Incidents disclosed in the report include stadium turnstiles blocked after systems were taken offline by ransomware, a large financial loss at a racecourse after a staff member fell victim to an eBay scam, and an attempt by organized criminals to sabotage a Premier League transfer deal after the club’s managing director had his email hacked. According to the NCSC, the three most common tactics cybercriminals use against the sports industry are business email compromise, cyber-enabled fraud, and shutting down critical systems with ransomware. As the sports sector recovers from the impact of the Covid-19 pandemic, sporting organizations should reduce further risk by paying more attention to cyber security.