
Latest Cybersecurity News 2021-04-12 Edition


April 27 SIEM/security operations modernization virtual panel

IDC Canada, IBM Security and ISA Cybersecurity are teaming up to present a live panel discussion on how emerging trends in SIEM technology can help you achieve faster incident response, easier compliance, and transform your security operations. The event will be presented live on Tuesday, April 27, 2021 at 11:00 a.m. ET. 

“Data scraping” affects three major social network sites

Data scraping, the practice of bulk harvesting large volumes of information from websites, had Facebook, LinkedIn, and Clubhouse in the news this week.

Facebook: In an April 6 blog post, Facebook advised that it would not be notifying the 533 million users who were affected by the disclosure of their personal information in an incident discovered earlier this month.

In distancing themselves from responsibility for the disclosure, Facebook’s post points out that the data involved was not technically stolen from the social media giant; it was “scraped” from publicly-available information on the Facebook site. The bulk gathering of large volumes of data is against the terms of use of the Facebook site, and Facebook took steps to prevent this kind of activity (by disabling a feature that allowed users to find each other by entering a phone number as a search criterion) when the potential for abuse was discovered back in September 2019.

According to an April 9 report on the National Public Radio (NPR) website, a spokesperson from Facebook told the broadcaster that Facebook also declined to advise affected customers because it “does not have complete confidence in knowing which users would need to be notified,” and that the impact of the disclosure was mitigated by the fact that the information was publicly available and did not contain financial information, health information or passwords.

The details of the data disclosure were first published on April 3 by Alon Gal of cybercrime research firm Hudson Rock, on Twitter. Gal reported that Facebook handles, user names, locations, birthdates, biographical information and, in many cases, email addresses had been discovered on an amateur hacking forum, affecting millions of Facebook users across 106 countries.

LinkedIn: Data associated with over 500 million LinkedIn users has also appeared online, with an initial offer of sale for two million of the records. The LinkedIn database includes user names, email addresses, phone numbers, business titles, and other data that are publicly available with a free LinkedIn account. The only sensitive personal data involved in the breach would be details that a user had chosen to share online.

As with the Facebook incident, spokespersons from LinkedIn were quick to point out that they had not suffered a breach, but that some of the data appears to have been “scraped” from user profile pages. Data scraping is prohibited by the terms of use of the LinkedIn platform. The statement from LinkedIn also noted that the dataset appeared to be “an aggregation of data from a number of websites and companies,” making the currency and accuracy of the data unclear.

It remains to be seen whether LinkedIn – owned by Microsoft – will take the same position as Facebook in regard to user notification, but there is no indication that they will be making any direct contact with users who appear in the disclosed database.

Clubhouse: On April 9, 1.3 million user records for Clubhouse, the invite-only audio conference social network platform, were posted on the dark web as well. This database is not up for sale: rather, it is freely available to any interested party. The Clubhouse user listing contains user name and ID, Photo URL, Twitter and Instagram handles, follower information, account creation date, and “invited-by” user profile name. (Clubhouse is currently only available to people who are invited by another existing member of the service.)

Clubhouse’s communications have taken a somewhat different tack than Facebook and LinkedIn: while they also hotly deny any data breach, and their official terms of use prohibit the mass downloading of private information, their response on Twitter almost seems to offer tacit approval of bulk data gathering: “The data referred to is all public profile information from our app, which anyone can access via the app or our API.”

Are you affected? Individuals concerned that their data may have been involved in these incidents can use the free breach-tracking website service Have I Been Pwned to check if their information appears on the site’s listings. For Facebook users, a third-party lookup-by-phone-number service has been established as well. If you appear on any of the listings, be extra vigilant for attempted phishing or social engineering attacks that might leverage your online profile information.

While there is no indication that passwords were compromised in any of the incidents, it is a best practice to use a unique, complex password for each online service you use, and to change those passwords periodically. LinkedIn and Facebook also support two-factor authentication. Finally, always be cautious about the volume and nature of the data you share on any social platform, understanding that there is always a risk of privacy breach or content abuse.

Cybercriminals get a taste of their own medicine

The old adage “No honour among thieves” applied well to news emerging this week that an online trafficker of stolen payment cards (or “card shop”) was itself hacked and had data stolen.

On April 9, Singapore-based researchers at Group-IB reported that they had discovered a cache of stolen payment card data that had been leaked online on March 17. The data appeared to have been exfiltrated from “Swarmshop” – a Russian-language card shop site – and posted on a competing criminal website on the dark web. According to the Group-IB report, the stolen database contains “623,036 payment card records issued by the banks from the USA, Canada, the UK, China, Singapore, France, Brazil, Saudi Arabia, Mexico; 498 sets of online banking account credentials and 69,592 sets of US Social Security Numbers and Canadian Social Insurance Numbers”.

The disclosure didn’t stop at the twice-stolen payment cards: the report indicated that information about the operators and customers of the criminal enterprise was posted as well, with “12,344 records of the card shop admins, sellers and buyers including their nicknames, hashed passwords, contact details, history of activity, and current balance” appearing online.

Swarmshop appears to have started operations in April 2019 and, by March 2021, it had registered over 12,000 users and reputedly had data from over 600,000 payment cards available for sale. The Group-IB report suggested that the number of users of the card shop had increased 2½ times since January 2020.

Group-IB has advised that they have notified governmental cybersecurity organizations in each of the countries involved so further steps can be taken at a federal level in each jurisdiction as appropriate.

World’s largest association for pathologists discloses credit card incident

According to a report in Bleeping Computer, the American Society for Clinical Pathology (ASCP) has disclosed a cybersecurity incident that affected an undisclosed number of customers who entered payment information on the group’s e-commerce website in 2020.

The ASCP, based in Chicago, Illinois, has a member base in excess of 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and medical students. The ASCP website collects payment card information – including names, card numbers, expiry dates, and CVV numbers – when processing orders for memberships, certificates, books, online courses, exams, case reports, and more.

As of April 12, the ASCP had not announced the breach on its website or social media channels. However, Bleeping Computer obtained a redacted copy of a breach notice letter allegedly sent to customers who were potentially affected by the cyber incident.

The breach notice letter seeks to reassure customers that there is no evidence that the credit card information was used fraudulently, or that any personal data was stolen. Filings reportedly seen by Bleeping Computer suggest that the ASCP website may have been compromised on or between March 30, 2020, and November 6, 2020 – a period of 221 days. Further, the ASCP only discovered the suspected breach on March 11, 2021 – months after the incident is thought to have concluded.

The Bleeping Computer report mused that the ASCP incident bears many of the hallmarks of a “web skimming” or Magecart attack, in which hackers compromise a website with malicious code that skims a user’s credit card data when entered online. The skimmed data is gathered and transmitted to the hackers, who in turn use it for fraudulent or other criminal purposes.
