This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

INTERPOL Dating App Warning

The International Criminal Police Organisation (INTERPOL) has issued a warning that dating app users are being lured into investment fraud schemes.

Having received reports from around the world, INTERPOL has warned that, with the increasing number of people seeking relationships online, dating app users are being exploited through “artificial romance” intended to draw victims into sophisticated fraud schemes.

In a statement, INTERPOL noted, “Once communication becomes regular and a certain level of trust is established, criminals share investment tips with their victims and encourage them to join a scheme.”

It went on to say, “Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new ‘friend’.

“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”

“One day, however, all contact stops, and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again.”

Hackers Dump 1.9 Million Records

A notorious hacking group known as ShinyHunters has leaked around 1.9 million stolen Pixlr user records that could be used in targeted phishing campaigns.

Pixlr, a popular online photo editing application, is thought to have been breached at the end of last year, with the hacker claiming that the records were taken from an Amazon Web Services (AWS) S3 bucket.

Containing usernames, email addresses, hashed passwords and users’ countries, the 1,921,141 exposed records could leave users open to a variety of information security attacks, such as targeted phishing.

The threat actors behind the leak are well-known for hacking websites and selling stolen data, and are thought to be behind dozens of significant breaches including Tokopedia, US bank Dave, Minted and Unacademy. In the first two weeks of May 2020 alone, the group is thought to have sold around 200 million stolen records.

With Pixlr yet to make a statement on the database breach, users are advised to change their passwords, especially if they reuse the same password on other sites, and to be on the lookout for online scams.

Retail and Hospitality App Flaws

Research suggests that more than three-quarters of retail and hospitality sector applications contain at least one vulnerability, with 26% containing ‘high severity’ vulnerabilities.

Having analysed around 132,000 applications, the Veracode research shows that 76% of apps across all sectors contain at least one security flaw. Hospitality and retail match that likelihood for ‘any flaw’, but exceed the cross-sector ‘high severity’ percentage, at 26% vs 24%.

Despite this, the retail and hospitality sector ranked second-best for overall fix rate, with around half of flaws being remediated within 125 days, over twice as fast as government app flaws.

Speaking about its research, Veracode noted, “though [these] industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws.”

It added, “Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach.”

Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.