Dominique

The SecuriTea News - Issue #13

Every Friday, the Weekly SecuriTea Report brings you the past week's trending information security news. Here's what is new this week:

Be Wary of #CashApp Friday Blessings. Scammers looking to piggyback on the #CashAppFriday trending topic on Twitter are stealing between $10 and $1,000 from each victim who falls for their efforts. According to researchers at Tenable, the scams include phishing (luring victims to a fake sign-in page), a hoax called "cash-flipping" and user impersonation, among others. The legitimate Cash App Friday is a marketing promotion: the money-transfer app tweets out a picture, and people are supposed to comment on the post and include their "cashtag" (user ID) for the app. The company then randomly selects users on the thread to receive money, which it calls "a blessing." The promotion has attracted a lot of notice: Cash App Friday has garnered 1.2 million Twitter mentions, with a reach of 1.4 billion, in the past year alone, according to Tenable's stats. That attention has also drawn attackers, who direct message (DM) people who have commented on the legitimate post, claiming that they have won the #CashAppFridays giveaway and sending them a website link. If the target clicks the link, it takes them to a website that says the cashtag "$cash" has "initiated a deposit of $1,000 to your Cash App." Then, "the website uses a valid SSL certificate from Let's Encrypt, a non-profit certificate authority, to ask for the email or phone number used to sign into the Cash App," researchers wrote. "When the user provides the information, a 'payment failed' notification pops up on a fake webpage." Pulling statistics from two of the phishing URLs, Tenable found that each link received over 500 clicks, mostly from U.S. users. Note that a valid certificate only means the connection to the scam site is encrypted: Let's Encrypt issues certificates to anyone who controls a domain, so the browser padlock says nothing about whether the site actually belongs to Cash App.

**Be vigilant: verify who is contacting you and what links you click, and always double-check before giving out any personal information.**

The Fight for Honest Campaign Ads Continues. Recently, you might have seen U.S. Representative Alexandria Ocasio-Cortez intensely question Facebook founder Mark Zuckerberg about how far the company will go to remove dishonest campaigns from its platform. The fight has now moved to the Senate floor, where a trio of bills aimed at making America's elections more secure and transparent was blocked this week. The Honest Ads Act, spearheaded by Amy Klobuchar (D-MN), would, if passed, force social media networks to disclose the organizations paying for political ads on their platforms. The bill was introduced in 2017 in response to the thousands of divisive and controversial ads purchased by Russia's Internet Research Agency troll farm, and was reintroduced this year after stalling in the 115th Congress. It was stopped on Tuesday by John Thune (R-SD): the bills were brought up by unanimous consent, a procedure under which a single senator's objection is enough to block them. "The goal of the Honest Ads Act is simple: to ensure that voters know who is paying to influence our political system," Klobuchar said when she introduced the bill. "The bill would put in place the same rules of the road for social media platforms that currently apply to political ads sold on TV, radio, and in print regarding disclaimers and disclosures so that Americans know who is behind the ads they see online." With election season coming into full swing, the episode puts a spotlight on how the government plans to address growing concerns about foreign interference and the importance of honest information being disseminated to the country.

Peeping Tom Robots Found in Japanese Hotels. Japanese hotel chain HIS Group has apologized for ignoring warnings that its in-room robots could be hacked to let attackers remotely view video from the devices. The Henn na Hotel is staffed by robots: guests check in with humanoid or dinosaur reception bots, using facial recognition, before proceeding to their rooms. Several weeks ago a security researcher revealed on Twitter that he had warned HIS Group in July that the bedside robots were easily accessible, noting that they ran "unsigned code," which let anyone tap an NFC tag to the back of the robot's head and gain access via the streaming app of their choice. Having heard nothing back, the researcher made the hack public on October 13th, which is normal practice in the security community. (Researchers who find such vulnerabilities notify the vendor far enough in advance, commonly 90 days, that it has the option to fix the flaw before public disclosure.) The vulnerability allowed a guest with brief physical access to the robot to gain remote access to its camera and microphone, so that they could watch and listen to whoever occupied the room in the future. The hotel is one of a chain of 10 in Japan that use a variety of robots; so far the report refers only to the Tapia robots at one hotel, and it is not clear whether the rest of the chain uses different devices.

Apple and Android App Malware Impersonations. Two weeks ago we highlighted the vast number of Android applications that contained malicious software, typically adware, and the importance of understanding the applications you download. Apple is also having trouble vetting its approved applications: it recently had to do a purge of its own. Consumers don't vet apps well enough to mitigate mobile threat risk, according to the latest mobile-threat report from RiskIQ. Malicious mobile apps that try to dupe consumers by mimicking reputable apps are a persistent and growing problem, making an app store's commitment to security a key factor for mobile users who want to avoid these threats. The number of blacklisted apps, i.e., those known to be malicious and compiled on industry blacklists, increased 20 percent in the second quarter of 2019, from 44,850 to 53,955, according to RiskIQ's Mobile Threat Landscape Q2 report, released Thursday. Moreover, the percentage of blacklisted apps relative to the total number of apps known to RiskIQ also increased for the second straight quarter, from 1.95 percent to 2.1 percent. With global app spending expected to surpass the $101 billion mark it hit last year, mobile risk is a significant part of the overall corporate attack surface, according to RiskIQ. It is also one over which security teams often lack control, because of individual user behavior or a lack of corporate visibility into these devices, researchers said.

Smart Devices at Home Still Have a Ways to Go in Terms of Security. Researchers this week disclosed new ways that attackers can exploit Alexa and Google Home smart speakers to spy on users. The hacks rely on the abuse of "skills" (third-party apps for voice assistants): a malicious skill can keep listening after it appears to have finished, and can play a fake message, such as a bogus security-update prompt, that tricks users into speaking their passwords to the device. A practical check: neither Amazon nor Google asks for your password by voice, so any such prompt from a speaker should be treated as malicious, and the list of enabled skills is worth reviewing periodically. Unfortunately, when it comes to smart speakers, "there's no silver bullet" for protecting the privacy and security of data, said Karsten Nohl, managing director at Security Research Labs, who was behind the research. Nohl, a cryptography expert and hacker, has been behind several high-profile research projects.

And that's a wrap for your Weekly SecuriTea Report. Be sure to check back every week for the latest in information security news, and follow us on social media for daily updates.
