InfoSec Round-Up: Jan 22nd
INTERPOL Warning, Leaked Pixlr Records & App Flaws
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
INTERPOL Dating App Warning
The International Criminal Police Organisation, INTERPOL has issued a warning concerning dating app users being lured into investment fraud schemes.
Having received reports from around the world, INTERPOL has warned that with the increasing number of people seeking relationships online, dating app users are being exploited via “artificial romance” intended to involve victims in sophisticated fraud schemes.
In a statement, INTERPOL noted, “Once communication becomes regular and a certain level of trust is established, criminals share investment tips with their victims and encourage them to join a scheme.”
Going on to say, “Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new “friend”.
“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
“One day, however, all contact stops, and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again.”
Hackers Dumps 1.9 Million Records
A notorious hacking group known as ShinyHunters has leaked around 1.9 million stolen Pixlr user records that could be used in targeted phishing campaigns.
A popular online photo editing application, Pixlr is thought to have been breached at the end of last year, with the hacker claiming that the records were taken from an Amazon Web Services (AWS) S3 bucket.
Containing usernames, email addresses, hashed passwords and users’ countries, the 1,921,141 exposed records could leave users open to a variety of information security attacks.
The threat actors behind the leak are well-known for hacking websites and selling stolen data, and are thought to be behind dozens of significant breaches including Tokopedia, US bank Dave, Minted and Unacademy. In the first two weeks of May 2020 alone, the group is thought to have sold around 200 million stolen records.
With Pixlr yet to make a statement on the database breach, it is recommended that users update their passwords, especially if they are using repeat passwords, and to be on the lookout for online scams.
Retail and Hospitality App Flaws
Research suggests that more than three-quarters of retail and hospitality sector applications contain at least one vulnerability, as well as 26% containing ‘high severity’ vulnerabilities.
Having analysed around 132,000 applications, the Veracode research shows that 76% of apps, across sectors, contain at least one security flaw; with hospitality and retail matching that likelihood for ‘any flaw’, but exceeding the ‘high severity’ percentage with 26% vs 24%.
Despite this, the retail and hospitality sector did rank second-best for overall fix rate, with around half of flaws being remediated within 125 days, over twice as fast as government app flaws.
Speaking to their research, Veracode noted, “though [these] industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws.”
Adding, “Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach.”
Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Information security in 2021: blog by Information security awareness training and phishing simulation provider Hut Six Security.
Find out the key differences between ISO 27001 and SOC 2 and which one is best for your business. Learn about both security standards, focus areas, and the benefits of each one to make an informed decision.
The Five Biggest Breaches and Hacks of 2020. Information Security blog by Information Security Awareness provider Hut Six Security.
Preparing for SOC 2 Compliance. What are the 5 Trust Service Principles? Security · Availability · Processing Integrity · Confidentiality · Privacy
Top 10 Security Tips for Remote Work. Securing Work from Home blog image by Information Security Awareness Training provider Hut Six Security.
Building a Business Case for Information Security Awareness Training blog by Information Security Awareness Training provider Hut Six.
How Zero Trust Works - Zero Trust Security blog by Information Security Awareness Training provider Hut Six Security.
How to Write a Cyber Job Specification: Finding the Best Cybersecurity Talent. Cyber blog by Information Security Awareness solution provider Hut Six Security.
How to Build a Cyber Team - Top Points to Consider When Building Your Team. Blog by Information Security Awareness solution Hut Six Security.
What is GDPR Compliance UK? Understanding the General Data Protection Regulation and UK Compliance. Blog by Hut Six Security.