InfoSec Round-Up: Jan 22nd
INTERPOL Warning, Leaked Pixlr Records & App Flaws
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
INTERPOL Dating App Warning
The International Criminal Police Organisation (INTERPOL) has issued a warning that dating app users are being lured into investment fraud schemes.
Having received reports from around the world, INTERPOL has warned that with the increasing number of people seeking relationships online, dating app users are being exploited via “artificial romance” intended to involve victims in sophisticated fraud schemes.
In a statement, INTERPOL noted, “Once communication becomes regular and a certain level of trust is established, criminals share investment tips with their victims and encourage them to join a scheme.”
The statement goes on: “Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new ‘friend’.”
“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
“One day, however, all contact stops, and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again.”
Hackers Dump 1.9 Million Records
A notorious hacking group known as ShinyHunters has leaked around 1.9 million stolen Pixlr user records that could be used in targeted phishing campaigns.
A popular online photo editing application, Pixlr is thought to have been breached at the end of last year, with the group claiming that the records were taken from an Amazon Web Services (AWS) S3 bucket.
Containing usernames, email addresses, hashed passwords and users’ countries, the 1,921,141 exposed records could leave users open to targeted phishing and credential-stuffing attacks. The hashing scheme used has not been disclosed, and hashed passwords can still be cracked offline where the hash is weak or the password is common, so affected passwords should be treated as compromised.
The threat actors behind the leak are well-known for hacking websites and selling stolen data, and are thought to be behind dozens of significant breaches including Tokopedia, US bank Dave, Minted and Unacademy. In the first two weeks of May 2020 alone, the group is thought to have sold around 200 million stolen records.
With Pixlr yet to make a statement on the breach, users are advised to change their Pixlr password, to change it on any other site where the same password was reused, and to be on the lookout for phishing emails that reference the service.
Retail and Hospitality App Flaws
Research suggests that more than three-quarters of retail and hospitality sector applications contain at least one vulnerability, and that 26% contain ‘high severity’ vulnerabilities.
Having analysed around 132,000 applications, the Veracode research shows that 76% of apps across all sectors contain at least one security flaw. Hospitality and retail match that cross-sector rate for ‘any flaw’, but exceed it for ‘high severity’ flaws (26% vs 24%).
Despite this, the retail and hospitality sector did rank second-best for overall fix rate, with around half of flaws being remediated within 125 days, over twice as fast as government app flaws.
Speaking to their research, Veracode noted, “though [these] industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws.”
Adding, “Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach.”
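Two of the flaw classes Veracode singles out, SQL injection and credential management, are easiest to see side by side. The following is an added example, not code from the Hut Six post or from Veracode's research: a login routine written the flawed way (user input concatenated into the query, passwords stored and compared in plaintext) next to a hardened version (parameterised query, salted PBKDF2 hash, constant-time comparison). The `users` table, the user `alice` and her password are constructed sample data; only the Python standard library is used.

```python
"""Added example: SQL injection and credential-management flaws in a login
routine, vulnerable form beside hardened form. Not from the original post."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"
INJECTION = "' OR '1'='1"  # classic tautology payload


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, 200k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding one user (constructed sample data).

    The row carries both a plaintext password column (the flawed pattern)
    and a salt plus PBKDF2 hash (the hardened pattern) so each login
    function below can be run against the same table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (SAMPLE_USER, SAMPLE_PASSWORD, salt, _pbkdf2(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Flawed: input is concatenated into the SQL text (injection) and the
    password is stored and compared in plaintext (credential management)."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: a bound parameter can never alter the query, and the password
    is checked against a salted PBKDF2 hash with a constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def demo() -> dict:
    """Run both login routines against valid, injected and wrong credentials."""
    conn = build_db()
    return {
        "vuln_correct": login_vulnerable(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "vuln_injected": login_vulnerable(conn, INJECTION, INJECTION),
        "hard_correct": login_hardened(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "hard_injected": login_hardened(conn, INJECTION, INJECTION),
        "hard_wrong": login_hardened(conn, SAMPLE_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With the injected value the vulnerable query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the attacker is logged in without knowing any password. The hardened routine passes the same string as a bound parameter, finds no such user and returns false. Storing a salted, iterated hash instead of the plaintext column also limits what an attacker learns if the table is later dumped.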
Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.