Some breach for money, some breach for political gain, and this week’s security news features both.
Android malware steals PayPal cash
Malware continues to grow smarter and more sinister, as evidenced by the newest Android scam, which researchers discovered yesterday. At the heart of the scam is a fake app called Optimization Battery. The app is available only in third-party app stores, not in Google Play.
When the app is installed on the phone, it requests Accessibility permission. Then it lies in wait for the user to open his or her PayPal app. Once the login credentials have been entered by the user — including two-factor authentication — then the malware uses its Accessibility privilege to carry out a theft right before the user’s eyes. The helpless user watches as screens flash by wherein the malware transfers 1,000 units of currency (dollars, Euros, pounds — whatever the currency is in that user’s country) to the hacker’s account.
The security researchers who discovered the malware have alerted PayPal, strongly recommending that they shut down the malware author’s PayPal account.
An updated Apple today keeps the hackers away
Updates released by Apple last week go a long way to bolstering the security for much of their core software, including iCloud, iTunes, Safari, Sierra, High Sierra, and macOS Mojave. The updates fix certain vulnerabilities such as privilege escalation and info disclosures that have been plaguing Apple users this year.
As Apple hardware and software have continued growing in popularity, and as malware developers have continued growing more savvy, Apple products, which were once seen as unbreachable, now find themselves the targets of all manner of cyberattacks. Avast recommends that Apple users download and install the latest updates as soon as they can, as well as get familiar with today’s best practices for Mac security.
Gov report bashes Equifax breach as “preventable”
For the past 14 months, the U.S. House Oversight and Government Reform Committee has been investigating the notorious Equifax breach of 2017. On Monday this week, the Committee published a report on its findings, stating that the credit reporting agency “...failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”
The accusation comes as a result of the Committee learning that Equifax had received multiple warnings regarding the Apache Struts software vulnerability that caused the breach. Both the Department of Homeland Security and the Equifax Global Threat and Vulnerability Management internal team issued warnings that such a breach could result if action was not taken, yet the company did nothing. Luis Corrons, Avast Security Evangelist, comments, “It has to be frustrating for the Equifax internal security team to warn about a potential problem, then be ignored, which caused the data breach they were warning about in the first place. It is of the utmost importance that business management teams listen to their security teams and take them seriously. Let's hope we all learn from this case to avoid similar cases in the future.”
For its own part, Equifax takes issue with the report, claiming it is riddled with factual errors, though the credit company does agree with many of the report’s recommended actions to protect consumers moving forward.
Breach of Starwood could be political
The Starwood Hotels breach, which we covered a couple weeks back, exposed the names and private info of up to 500 million of the hotel chain’s guests. The “unauthorized access” to the data seems to have been occurring since 2014, though it was just discovered in September 2018.
Articles published in The New York Times and The Washington Post this week suggest the breach may have been caused by the Chinese Ministry of State Security. The articles claim that various aspects of the attack, including its tactics and scope, resemble those that have been used before. There may be other indications as well, but as of the writing of this piece, definitive conclusions have still not been drawn. It’s believed this attack could be politically motivated in that many US government officials stay in Marriott-owned hotels like Starwood, and this breach could be seen as an attempt to collect as much data on them as possible for future use.
Luis Corrons at Avast, however, warns against jumping to conclusions. “We have to be extremely careful with attribution,” he notes. “False flag operations are common and easy to perform on the internet. An attacker could be drawing attention somewhere else just by mimicking actions usually done by other known groups.”
This story is still developing.
Phishing for government credentials
Cybersecurity experts are tracing a trend that’s been in effect for the last year and a half — cybercriminals are targeting government institutions with phishing campaigns and spyware tools to steal as many government logins as possible. So far, experts believe more than 40,000 government credentials have been compromised. More than 30 countries have been targeted, with the majority of the attacks happening in Italy, Portugal, and Saudi Arabia.
The researchers who discovered these credentials believe they are being sold on the dark web for a pretty penny. “Government-related credentials have always been very valuable,” states Avast researcher Luis Corrons. “In the past, we have seen how after big data breaches where millions of credentials were stolen, cybercriminals went through them in search of valuable targets such as politicians or government officials, as they can make more money selling them separately.”
In an effort to help, the experts who discovered the credentials contacted Computer Emergency Response Teams in every country that was affected, warning them of the issue.