Attackers hijack Chipotle email marketing account

Plus, the U.S. Senate calls out federal agencies for weak security and ransomware attackers launch their newest scam by phone

Mass-mailing service Mailgun had one of its larger accounts – the email marketing account for fast-food chain Chipotle – compromised and used to target USAA users, Microsoft users, and others with malware, according to anti-phish agency Inky, which detected 121 phishing emails originating from the compromised account. Of those attacks, 2 were vishing scams (fake voicemail notifications), 14 impersonated USAA Bank, and 105 impersonated Microsoft. The 2 vishing scams were meant to deliver malware, but the other 119 scams were attempts to harvest credentials. Inky notes that the Chipotle attackers used the same technique as the SolarWinds attack earlier this year, perpetrated by Russian threat group Nobelium. The threat group compromised SolarWinds' email marketing account and sent roughly 3,000 malicious emails. It is still unclear who is behind the Chipotle attack. For more on this story, see Security Week.

FB hack victims buy Oculus to restore accounts

According to NPR, 19 listeners reported that their Facebook accounts were hacked or disabled in July, and some found that the only recourse that prompted the social platform to restore their accounts was the $299 purchase of an Oculus Quest 2, Facebook’s VR headset. When one hack victim discovered that it was impossible to find any live help from Facebook – either on the phone or over the web – he followed a tip he saw on Reddit and purchased an Oculus Quest 2. As soon as he contacted Oculus with the product’s serial number, support got back to him right away and restored his Facebook account. Several other users claim to have done this to fix their accounts, after which they simply return the unopened headsets.

Snapchat horoscope feature remembers birth info

Addressing user concern over the fact that Snapchat knows some users’ birth information down to the location and hour, The Verge reminded users that they submitted their birthday when they set up their Snapchat account. Users also must input their birth city and time if they want to use the platform’s horoscope feature. The app keeps that information and stores it in the “Birthday” section of the user’s profile settings. Snapchat will not share a user’s birthday details without permission, and users always have the option to delete the info from the app if they choose. 

U.S. Senate calls out fed agencies for poor security

The Senate published a report this week called “Federal Cybersecurity: America’s Data Still At Risk,” in which 8 federal agencies are called out for having weak cybersecurity protections. After an investigation, the Senate committee found many of the agencies had failed to implement baseline cybersecurity practices, and most were using outdated systems. The investigation also found that some of the agencies were not updating or patching their systems when new versions of their security software were released. “It is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Republican Senator Rob Portman, ranking member of the investigative committee.

Microsoft warns of “BazaCall” scams

A new ransomware trend that popped up this year involves a phony call center, where users are guided through a process that has them unknowingly download malware onto their systems. Microsoft calls the campaign “BazaCall,” and the malware that users are tricked into downloading is called “BazaLoader Malware.” Attackers first lure victims with phony emails that claim they’ve been subscribed to an expensive service. The email provides a phone number to call if the user has any questions. When the user calls the number, the attacker poses as customer support and leads the user through steps that are supposedly necessary to “unsubscribe” but that really download ransomware onto their systems. Read more at Microsoft.

This week’s ‘must-read’ on The Avast Blog

In celebration of this week's 30th anniversary of the World Wide Web, Avast CEO Ondrej Vlcek looks back on the internet's development over the past three decades.
