We round up reporting and research from across the web about the latest security news. This month: coinjacking for cryptocurrency, CEO fraud takings, Google gets into security, a hefty fine for data breach, and social engineering the CIA.
They got the jack
Irish Government websites were among 4,200 portals around the world infected with ‘coinjacking’ malware. This malicious code turned visitors’ web browsers into secret and illegal cryptocurrency miners. The Irish Times reported that the Health Service Executive, the Oireachtas, Safefood and some county councils were among the affected sites. Scott Helme, a UK-based security researcher, discovered the attack, which exploited a plugin called Browsealoud. This plugin is mandatory for many websites for accessibility, as it reads text aloud to visually impaired people. Until the developer Texthelp disabled the plugin, anyone visiting a site that had it inadvertently ran hidden mining code on their computer, generating money for “miscreants unknown,” as The Register described them. The Irish Times quoted BH Consulting CEO Brian Honan, who said website owners using third-party plug-ins should perform due diligence to ensure the software is reputable.
Business email compromise = billions exfiltrated cleverly
CEO fraud, also known as business email compromise, is a large and growing business risk affecting organisations worldwide. How large? $9 billion this year, according to a forecast from Trend Micro. The security company analysed nine months’ worth of incidents to identify patterns and emerging trends. One popular tactic uses keyloggers and phishing kits to steal credentials and gain access to an organisation’s email. The second approach is an email-only attack that relies on social engineering. Dark Reading’s roundup noted that attackers’ methods are getting more sophisticated. For businesses, CEO fraud is a significant but preventable threat, while criminals love it because it’s both relatively simple and highly effective. The full report is free to download.
Alphabet says C for cybersecurity
Google’s parent company Alphabet has launched a standalone security intelligence and analytics company called Chronicle. The announcement came via a post on Medium, where founder Stephen Gillett said “We think we’ll be able to help organisations see their full security picture in much higher fidelity than they currently can.” In addition, Chronicle will include the malware reporting network VirusTotal. The company claims it’s already working with Fortune 500 customers. Many news outlets carried the story, including The Verge, ZDNet and The Register. All noted the scarcity of technical details available so far, beyond references to using the cloud and machine learning.
A fine mess as Carphone Warehouse faces financial penalty for data breach
The UK Information Commissioner’s Office has fined Carphone Warehouse £400,000 over “significant and distinct inadequacies” in the company’s security controls. It’s one of the biggest fines the ICO has ever levied. In 2015, the telecoms retailer suffered an attack which exposed more than 3 million records. The ICO’s penalty notice contains many interesting technical details about the breach. For example, attackers exploited a weak point in WordPress. In Carphone Warehouse’s case, the WordPress installation was “considerably out of date”, said the ICO. Reuters’ report quoted Commissioner Elizabeth Denham saying: “Carphone Warehouse should be at the top of its game when it comes to cyber-security and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Norwegian loot (this data has flown)
Almost half the population of Norway had their data exposed in a breach of a regional health authority. Health South-East RHF, an organisation that manages hospitals in southeast Norway, announced the breach in late January. HelseCERT, Norwegian healthcare’s national information security centre, described the as-yet-unknown perpetrator as ‘advanced and professional’, reported the Inquirer. HelpNet Security speculated the attackers were either working for a foreign nation state, or simply wanted to sell the data. Bleeping Computer pointed out that the leak was not as large as that suffered by Sweden in 2015. By comparison, that wide-ranging breach involved millions of compromised records, including all Swedish driving licence holders.
Teenagers these days!
Lastly, a 15-year-old from Britain allegedly impersonated the former head of the CIA, John Brennan. In doing so, he accessed secret intelligence about US operations in Afghanistan and Iran. The Telegraph reported prosecutor John Lloyd-Jones QC as saying the teenager used social engineering to access emails, phones, computers and law enforcement portals. Kane Gamble from Leicestershire is alleged to have founded the Crackas with Attitude hacker group, which boasted about its exploits on Twitter, Hackread reported. John Dunn at Sophos’ Naked Security blog said the nature of the intrusions holds “a big warning for organisations everywhere”. It didn’t take amazing technical skills, he wrote. “Gamble simply phoned up help desks for broadband services and utilities using public numbers, convincing staff they were speaking to the target as a way of gaining access or resetting accounts.”