Canada Post informs 44 large business customers of third-party data breach
On May 26, Canada Post disclosed that the shipping manifest data for 44 of its large business customers was compromised in a November 2020 cyberattack at Commport Communications, one of its third-party suppliers. The contact information for over 950,000 mail recipients was involved.
Shipping manifests typically include the sender and receiver contact information found on shipping labels, such as names and addresses. In its press release, the Crown corporation said it had conducted a detailed forensic investigation and a thorough review of the affected shipping manifest files, and determined that:
– The information is from July 2016 to March 2019
– The vast majority (97%) contained the name and address of the receiving customer
– The remainder (3%) contained an email address and/or phone number
Though Canada Post’s investigation found no evidence that any financial information was breached, names, mailing addresses and contact details of this kind are exactly what a targeted social engineering attack needs (for example, a phishing message that references a real delivery to a real address). Canada Post continues to work closely with Commport and external cybersecurity experts to assess further actions.
Canada Post said that Commport Communications, an Aurora, Ontario-based data exchange solution provider, gave notice of the data breach on May 19. Commport had initially notified Canada Post when it suffered a ransomware attack last fall, but at that time assured Canada Post that there was no evidence of data disclosure. No details were provided as to what new information had emerged since the initial report.
Researchers from Proofpoint reveal elaborate fake streaming site
In a fascinating May 26 report, Proofpoint details an elaborate phishing scam that involves broadcast emails, fake call centres, and a completely fictitious video streaming service, complete with its own website.
Launched in early May 2021, the complex scam worked like this: An initial phishing email advised targets that their free trial period on a (fake) streaming service called BravoMovies was coming to an end, and that their credit cards were about to be charged $39.99 per month for an extended, premium plan. The emails provided a contact address in Burbank, California (perhaps mimicking the address of BravoTV, a legitimate site, which is based in suburban Los Angeles), and one of several customer service hotline numbers. The area codes for the numbers reportedly ranged from Pennsylvania to Texas.
The hotlines were staffed by confederates in the scam, who directed callers back to the FAQ section of the fake website. Here, the directions in the “Subscribtion” [sic] section explained how to cancel an account. Clicking the “Cancel” button actually downloaded an Excel file to the user’s computer; the target was then instructed to enable editing and enable macros, and the macros installed BazaLoader malware on the machine. No software vulnerability is exploited anywhere in this chain: it depends entirely on the victim being talked through Excel’s two warning prompts, which is why the scam invests so heavily in the phone call.
Remarkably, after all the effort expended in getting the victim to run the document, the Proofpoint researchers said they found no evidence of a second-stage payload being delivered after the BazaLoader infection, even though staging follow-on malware is the usual purpose of BazaLoader.
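The delivery step in this chain, a downloaded Excel file whose macros run only once the user clicks through Excel’s warnings, is a natural place for an automated triage check. The script below is an added example written for this article; it is not Proofpoint’s code and the BravoMovies document itself is not reproduced here. It relies on the fact that modern Office files are OOXML ZIP packages in which a VBA project is stored as a vbaProject.bin part and declared in [Content_Types].xml, so a file can be checked for macros without opening it in Excel. The sample packages and file names (such as cancel_subscription.xlsm) are constructed inside the script; a package with macros hiding behind a macro-free extension such as .xlsx is flagged as the strongest signal.

```python
"""Triage a downloaded Office document for an embedded VBA macro project.

Added example: OOXML files (.xlsx/.xlsm/.docx/.docm ...) are ZIP packages.
A VBA project is stored as a part named vbaProject.bin and is declared in
[Content_Types].xml, so both can be checked without opening the document
in Excel. The sample packages below are constructed for the example.
"""
import io
import zipfile

# Content types OOXML uses for an embedded VBA project, a macro-enabled
# Excel workbook part, and a plain (macro-free) workbook part.
VBA_PART_CT = "application/vnd.ms-office.vbaProject"
XLSM_MAIN_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
XLSX_MAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

# Extensions that, by convention, must not carry macros.
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx", "xltx", "dotx", "potx"}


def inspect_ooxml(data: bytes) -> dict:
    """Return what the package itself says about macros.

    has_vba_part: a vbaProject.bin part exists anywhere in the package
    declares_vba: [Content_Types].xml registers a VBA project or a
                  macro-enabled main part
    """
    info = {"is_ooxml": False, "has_vba_part": False, "declares_vba": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return info
            info["is_ooxml"] = True
            info["has_vba_part"] = any(
                n.lower().endswith("vbaproject.bin") for n in names)
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            info["declares_vba"] = (VBA_PART_CT in types_xml
                                    or "macroEnabled" in types_xml)
    except zipfile.BadZipFile:
        pass  # not a ZIP at all: legacy binary .xls/.doc or unrelated content
    return info


def classify(filename: str, data: bytes) -> str:
    """Map a (filename, content) pair to a triage verdict."""
    info = inspect_ooxml(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    has_macros = info["has_vba_part"] or info["declares_vba"]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_macros and ext in MACRO_FREE_EXTENSIONS:
        return "macros-behind-macro-free-extension"   # strongest signal
    if has_macros:
        return "macro-enabled"
    return "no-macros"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for the example (not a real
    workbook; only the parts the checks look at are present)."""
    overrides = [
        f'<Override PartName="/xl/workbook.xml" ContentType="'
        f'{XLSM_MAIN_CT if with_vba else XLSX_MAIN_CT}"/>'
    ]
    if with_vba:
        overrides.append(
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PART_CT}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # A real VBA project is an OLE compound file; placeholder bytes
            # (OLE magic plus padding) are enough for the checks above.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    macro_doc = build_sample(with_vba=True)
    plain_doc = build_sample(with_vba=False)
    # File names are made up for the example; the real lure's name is not known.
    for name, blob in [("cancel_subscription.xlsm", macro_doc),
                       ("cancel_subscription.xlsx", macro_doc),
                       ("invoice.xlsx", plain_doc),
                       ("readme.txt", b"plain text, not a package")]:
        print(f"{name:28s} -> {classify(name, blob)}")
```

Run it on a download directory or a mail gateway quarantine and route anything that is not "no-macros" to a sandbox or to a human; a macro-enabled spreadsheet arriving from a "subscription cancellation" link has no legitimate reason to exist. The check reads only the package structure, so it says nothing about what the macros do, and a legacy binary .xls (an OLE file, not a ZIP) is reported as not-ooxml and needs a separate OLE parser such as oletools.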
Fake or spoofed sites are commonplace, but the BravoMovies site was particularly elaborate, featuring a host of bogus movie titles and reviews. According to the Proofpoint report, “The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book How to Steal a Dog.”
The fake site has now been shut down.
Tampa Bay area teen crashes Internet service for Pinellas school system
The constant threat to educational institutions was illustrated yet again on May 26 with a cyber attack on Pinellas County Schools, the board representing schools in the St. Petersburg/Clearwater area in Florida.
According to the Tampa Bay Register, a 17-year-old student launched the attack on the system. The teenager, who cannot be identified, reportedly became “fixated” on the idea of hacking the school district’s network after seeing an online video showcasing the vulnerability of school networks.
Internet service for all 145 schools in the PCS system was knocked offline for two days by the denial-of-service attack. No data breach or ransomware was involved. The 17-year-old was arrested on a felony computer crimes charge and expelled.
Pinellas Schools said they paid Charter-Spectrum, their internet service provider, to provide defenses against this type of denial-of-service attack. However, when the school board’s security system was upgraded in 2020, Charter-Spectrum had failed to carry over a key layer of that protection. The ISP acknowledged responsibility for the oversight (which has now been corrected) and provided the school with a $23,000 (USD) compensatory credit. The lesson for anyone relying on provider-delivered protection is that it has to be verified after every change, not assumed from the invoice.
Microsoft issues advisory about new Nobelium hacking campaign
Microsoft has issued a bulletin about a recently identified wide-scale malicious email campaign launched by Nobelium, the threat actor behind the SolarWinds supply-chain compromise.
Microsoft has been tracking the campaign since January 2021. The May 27 advisory describes how the campaign has evolved and been refined over the last few months, culminating in a large coordinated attack that sent its mail through the widely used “Constant Contact” broadcast email service, so the messages arrived from a legitimate mass-mailing provider’s infrastructure rather than from attacker-controlled mail servers. The latest wave contained messages purportedly sent from a US-based development organization and was intended to distribute malicious links to a wide variety of organizations and industries.
“Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below,” the advisory states.
Microsoft’s blog provides additional background and details, along with an extensive list of mitigations and indicators of compromise (IOCs). Search your mail, proxy and endpoint logs for the published IOCs, implement the mitigations that apply to your environment, and brief staff on the lure so that they recognize this latest widespread attack.