The SecuriTea News - Issue #12
Every Friday the Weekly SecuriTea Report brings you the week's trending Information Security news. Here's what is new this week:
Trump Campaign Website Hijack. A misconfigured web framework feature exposed hundreds of websites' mail-server credentials to takeover, including President Donald Trump's official re-election campaign website. The error, affecting hundreds of other websites as well, is tied to the debug mode of Laravel, a PHP web application framework. Debug mode is meant for development and testing before a site goes live: when it is enabled, any application error renders a diagnostic page that dumps the application's environment, including database locations, secret keys and mail-server credentials. Left active on a slew of production sites, it would allow attackers to take over the sites' email accounts and intercept, send or read email messages from the sites' domains. "The problem is that many developers fail to disable the debug mode after going live, exposing back-end website details like database locations, passwords, secret keys, and other sensitive info," said researchers Bob Diachenko and Sebastien Kaul, working on behalf of the security firm. Read more about the blunder here.
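To make the exposure concrete, here is an added example (not from the original report or from the researchers) that triages an HTTP response body for the signs of an enabled Laravel debug page and lists the mail and secret variables it leaks. The two sample bodies are constructed for the example; the exact markup of a real debug page differs between Laravel versions, so the "Environment Variables" heading and the table-row pattern used below are assumptions, as are the example hostnames and values.

```python
import re

# Constructed sample of what an error page looks like with debug mode left on:
# the framework's error handler dumps the environment into the response.
# Markup, keys and values are invented for this example.
DEBUG_ON_SAMPLE = """<html><head><title>Whoops! There was an error.</title></head>
<body><h1>ErrorException</h1>
<h2>Environment Variables</h2>
<table>
<tr><td>APP_ENV</td><td>production</td></tr>
<tr><td>APP_DEBUG</td><td>true</td></tr>
<tr><td>MAIL_HOST</td><td>smtp.example.invalid</td></tr>
<tr><td>MAIL_PORT</td><td>587</td></tr>
<tr><td>MAIL_USERNAME</td><td>mailer</td></tr>
<tr><td>MAIL_PASSWORD</td><td>hunter2</td></tr>
<tr><td>DB_PASSWORD</td><td>s3cret</td></tr>
</table></body></html>"""

# Constructed sample of the generic error page served with debug mode off:
# no stack trace and no environment dump.
DEBUG_OFF_SAMPLE = "<html><body>Whoops, looks like something went wrong.</body></html>"

# Substrings that mark a variable as a credential or key worth rotating.
SECRET_KEY_HINTS = ("PASSWORD", "SECRET", "KEY", "TOKEN")

# Everything an attacker needs to send mail as the site's domain.
MAIL_TAKEOVER_KEYS = ("MAIL_HOST", "MAIL_USERNAME", "MAIL_PASSWORD")

# Assumed row layout of the dumped environment table (see lead-in).
ENV_ROW = re.compile(r"<tr><td>([A-Z0-9_]+)</td><td>([^<]*)</td></tr>")


def extract_env(body: str) -> dict:
    """Return {KEY: value} for every environment row found in a debug page."""
    return dict(ENV_ROW.findall(body))


def assess(body: str) -> dict:
    """Classify one response body: is debug on, what leaked, can mail be hijacked."""
    env = extract_env(body)
    debug_on = env.get("APP_DEBUG", "").lower() == "true" or "Environment Variables" in body
    leaked_secrets = sorted(k for k in env if any(h in k for h in SECRET_KEY_HINTS))
    mail_takeover = all(k in env for k in MAIL_TAKEOVER_KEYS)
    return {
        "debug_on": debug_on,
        "leaked_secrets": leaked_secrets,   # names only; never log the values
        "mail_takeover": mail_takeover,
    }


if __name__ == "__main__":
    for name, body in (("debug on", DEBUG_ON_SAMPLE), ("debug off", DEBUG_OFF_SAMPLE)):
        print(name, assess(body))
```

On the application side the fix is `APP_DEBUG=false` in the production `.env`, followed by rotating every credential that was visible while debug mode was on, since anyone who loaded an error page in that window may already hold the mail and database passwords.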
From Ransomware to Sextortion. A recent wide-scale campaign indicates that a decade-old botnet is shifting gears from distributing ransomware to delivering millions of sextortion threats to innocent recipients. Worse, researchers say that the botnet’s spam campaign can affect up to 27 million potential victims. The botnet, Phorpiex, has been active for almost a decade and currently controls almost 500,000 computers globally. The botnet is known for distributing malware such as GandCrab as well as cryptocurrency miners on infected hosts. However, researchers with Check Point say the botnet has recently been spotted in a five-month campaign cashing in on a new form of revenue generation: Wide-scale sextortion. Sextortion is a type of attack where bad actors email spam messages to victims claiming to have sexual content and private data on the recipient — then, they demand a blackmail payment in exchange for not exposing the supposedly hacked data. Most of the time, the attackers are merely bluffing and hoping the intended victims will fall for the scare tactics.
The computers controlled by the Phorpiex botnet download a database of email addresses and corresponding credentials (likely acquired from Dark Web sites) from a command-and-control (C2) server. In the most recent campaign, researchers observed a downloaded database that contains up to 20,000 email addresses; but in various other campaigns, researchers said they observed between 325 and 1,363 email databases on the C2 server — racking up potentially millions of victims. Read more about this story here.
The Rise of Deepfake Technology. Deepfakes are becoming easier to create, and that is opening the door to a new wave of malicious threats, from revenge porn to social-media misinformation. About a year ago, top deepfake artist Hao Li came to a disturbing realization: deepfakes, i.e. AI-based human-image synthesis used to create fake video and audio, are evolving rapidly. In fact, Li believes that in as soon as six months, deepfake videos will be completely undetectable. That is spurring security and privacy concerns as the AI behind the technology becomes commercialized and gets into the hands of malicious actors. "I believe it will soon be a point where it isn't possible to detect if videos are fake or not," said Li. "We started having serious conversations in the research space about how to address this and discuss the ethics around deepfake and the consequences." Interested in learning more about this subject? Check out this article.
Uh-Oh - Your spouse can get into your Galaxy phone. Samsung has acknowledged that anyone can bypass the Galaxy S10 fingerprint sensor when a certain kind of third-party screen protector is fitted, after a woman reported that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10's fingerprint recognition sensor, giving access to her phone and banking apps. Samsung is promising a software update to resolve the issue, according to a Thursday report. The U.K. woman, Lisa Neilson, told reporters this weekend that only her fingerprint was registered on her new Galaxy S10. However, after she bought a third-party screen protector off eBay, Neilson's husband was able to unlock her phone using his fingerprint, even though it wasn't registered on the device. Worse, the pair found that Neilson's husband could also log into private apps that rely on the phone's fingerprint biometrics. The couple then put the same screen protector on Neilson's sister's Samsung phone and found that the same issue occurred. The practical takeaway is that an app's trust in the device biometric is only as strong as the sensor's matching: until the update lands, any app that accepts the fingerprint prompt on an affected phone should be treated as unlockable by whoever holds the device.
And that's a wrap for your Weekly SecuriTea Report. Check back every week for the latest in Information Security news, and follow us on social media for daily updates.