Information belonging to more than 66 million individuals was discovered in an unprotected database, within reach of anyone who knew where to look. The records appear to be data scraped from LinkedIn profiles. The cache includes personal details that identify users and could help adversaries craft phishing emails that are harder to recognize.
According to Bob Diachenko, Director of Cyber Risk Research at Hacken, the trove was exposed via a MongoDB instance that could be accessed without authentication. He found 66,147,856 unique records containing full name, personal or professional email address, location details, skills, phone number, employment history and a link to the individual's LinkedIn profile.
Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC). Despite a high incidence of these types of attacks, 50 percent of management teams still don’t know what these attacks are or how their business would be impacted if they were victimized.
In a BPC attack, criminals look for loopholes in business processes, vulnerable systems and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. Of the businesses surveyed, 85 percent said that such an attack would prevent them from offering at least one of their business lines.
RFC 7252, the Constrained Application Protocol (CoAP), is on track to become one of the most abused protocols for DDoS attacks. If readers don't recognize the name, that is because the protocol is new: it was formally approved only in 2014 and was largely unused until this year.
CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce. It runs over UDP, so there is no handshake to confirm that a request really came from the address it claims, and a small request can draw a much larger response. Those two properties, source-address spoofing and packet amplification, are exactly what a reflected amplification DDoS attack needs.
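To make the amplification point concrete, here is an added example (not code from the page or from the ZDNet article) that encodes and decodes CoAP messages following the RFC 7252 wire format and measures the size ratio between the 21-byte resource-discovery request that scanners and reflectors send (GET /.well-known/core) and a reply. The reply's link-format payload, a directory of 20 resources, is constructed for illustration; real devices answer with whatever they expose, and the RFC itself flags this "Risk of Amplification" in Section 11.3.

```python
"""Minimal RFC 7252 (CoAP) encoder/decoder used to show why the protocol
amplifies: a 21-byte UDP request to /.well-known/core can draw a response
many times its size, and UDP gives the responder no way to verify the
source address.  Added example; the link-format payload is constructed."""
import struct

CON, NON, ACK, RST = 0, 1, 2, 3        # message types (Section 3)
GET = 0x01                              # method code 0.01
CONTENT = 0x45                          # response code 2.05 (class 2, detail 5)
URI_PATH = 11                           # option numbers (Section 5.10)
CONTENT_FORMAT = 12
URI_QUERY = 15
LINK_FORMAT = 40                        # Content-Format application/link-format


def _encode_ext(value):
    """Encode an option delta or length as (4-bit nibble, extension bytes), Section 3.1."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def _decode_ext(nibble, data, pos):
    """Inverse of _encode_ext; returns (value, new_pos). Nibble 15 is a format error here."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    raise ValueError("reserved nibble 15 outside the payload marker")


def encode_message(msg_type, code, message_id, options, payload=b"", token=b""):
    """Build a CoAP message. options: list of (number, value bytes), any order."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token must be 0..8 bytes")
    first = (1 << 6) | (msg_type << 4) | len(token)      # Ver=1 | T | TKL
    out = bytearray(struct.pack("!BBH", first, code, message_id)) + token
    prev = 0
    for number, value in sorted(options, key=lambda o: o[0]):  # stable sort keeps repeats in order
        dnib, dext = _encode_ext(number - prev)             # options are delta-encoded
        lnib, lext = _encode_ext(len(value))
        out.append((dnib << 4) | lnib)
        out += dext + lext + value
        prev = number
    if payload:
        out.append(0xFF)                                   # payload marker
        out += payload
    return bytes(out)


def decode_message(data):
    """Parse a CoAP message into a dict; raises ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("truncated header")
    first, code, message_id = struct.unpack_from("!BBH", data, 0)
    version, msg_type, tkl = first >> 6, (first >> 4) & 3, first & 0x0F
    if version != 1 or tkl > 8:
        raise ValueError("unsupported version or reserved token length")
    pos = 4
    token = data[pos:pos + tkl]
    if len(token) != tkl:
        raise ValueError("truncated token")
    pos += tkl
    options, number = [], 0
    try:
        while pos < len(data) and data[pos] != 0xFF:
            byte = data[pos]
            pos += 1
            delta, pos = _decode_ext(byte >> 4, data, pos)
            length, pos = _decode_ext(byte & 0x0F, data, pos)
            number += delta
            value = data[pos:pos + length]
            if len(value) != length:
                raise ValueError("truncated option value")
            pos += length
            options.append((number, bytes(value)))
    except (IndexError, struct.error):
        raise ValueError("truncated option header") from None
    payload = b""
    if pos < len(data):                                    # stopped at the 0xFF marker
        payload = bytes(data[pos + 1:])
        if not payload:
            raise ValueError("payload marker followed by no payload")
    return {"type": msg_type, "code": code, "message_id": message_id,
            "token": bytes(token), "options": options, "payload": payload}


def discovery_probe(message_id=0x1234):
    """The 21-byte GET /.well-known/core that scanners and reflection attacks send."""
    return encode_message(NON, GET, message_id,
                          [(URI_PATH, b".well-known"), (URI_PATH, b"core")])


# Constructed resource directory of 20 links, standing in for a real device's reply.
SAMPLE_LINKS = ",".join(f'</s/{i:02d}>;rt="temp";ct=0' for i in range(20)).encode()


def sample_discovery_reply(message_id=0x1234):
    """A 2.05 Content reply carrying the constructed link-format payload."""
    return encode_message(NON, CONTENT, message_id,
                          [(CONTENT_FORMAT, bytes([LINK_FORMAT]))], SAMPLE_LINKS)


def amplification_factor(request, response):
    """Bytes the spoofed victim receives per byte the attacker spends (UDP payload only)."""
    return len(response) / len(request)


if __name__ == "__main__":
    req, rep = discovery_probe(), sample_discovery_reply()
    print(f"request {len(req)} bytes, reply {len(rep)} bytes, "
          f"factor {amplification_factor(req, rep):.1f}x")
```

The ratio is driven entirely by how much the device lists in its resource directory, and nothing in the exchange ties the reply to the true sender, which is why exposing UDP/5683 to the Internet without rate limiting or a response-size cap turns a sensor into a reflector.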
Read more about CoAP and how it may be abused in DDoS attacks on ZDNet.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. The company now believes that information on up to approximately 500 million guests who made a reservation at a Starwood property may have been compromised.
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Read more about the massive data breach, including industry reactions, on Help Net Security.
As we move into 2019, expect credit card and payment information theft to keep rising. That is no surprise; but organizations that better address the reasons behind the rise in cybercrime will be better prepared for it.
The good news: advanced security technologies are constantly being brought to market. The not-so-good news: threat actors are not letting that stop them, as the ever more intense and sophisticated attacks show.
Cybersecurity tends to focus on dangers that appear on networks or in messages. When the attackers are half a world away, the threat itself is the only thing that matters. But what happens when the threat actor is walking through the front door or sitting next to you at an airport coffee shop? Firewall rules and DNSSEC do little against the thief who slides a company-owned laptop into his backpack and walks out the door.
“If we all took our computers, encased them in concrete, and dropped them into the middle of the Atlantic Ocean, nobody would ever steal our data, but it wouldn’t matter because our data would be on the bottom of the Atlantic Ocean,” says Tim Callan, senior fellow at Sectigo. The challenge, he says, is reconciling physical security with the fact that people need to use their computers and mobile devices for legitimate work.
Read about 7 real-life threats to cybersecurity on DarkReading.
A phishing campaign with a clever Spotify lure has been spotted trying to harvest user credentials for the popular streaming service. Researchers at AppRiver detected the campaign earlier this month; it targets Spotify customers with bogus but convincing emails whose purpose is to hijack the owner's account.
The emails attempt to dupe users into clicking a phishing link that redirects them to a deceptive website. Once there, users are prompted to enter their username and password, which go straight into the attackers' collection of stolen credentials.
Read more about the recent Spotify phishing campaign on Threatpost.
Black Friday will see millions of shoppers heading online to take advantage of deals, but it is also a major target for cybercrime. So much so that cybercriminals are starting to use tailored approaches to target individual retailers.
A common scam involves using stolen payment cards to buy both items and gift cards from selected retailers – including eBay, Nike, Best Buy, Dell, Samsung, Target and Walmart, says Rafael Amado, senior strategy and research analyst at Digital Shadows. He says criminals are using ‘carding’ tutorials, which are available for $20 to $30 “with specific modules dependent on the retailer they want to target”.
Read about the top five threats to watch out for online on Forbes.
The holiday season has become an unbridled online spending extravaganza, and threat actors have taken notice. For shoppers, what starts out as an attempt to fulfill their holiday shopping checklist for pennies on the dollar can turn into a financial nightmare. For brands, what begins as an event that significantly boosts sales can turn into a security fiasco that erodes the trust between them and their customers and prospects.
If you’re visiting a top e-commerce site this holiday shopping season, it’s crucial to pay attention to detail while shopping online and be aware of your surroundings. As a brand, it’s important to realize that there are actors out there leveraging your branded terms to target your customers and prospects.