Security News

US parries Russian propaganda & Magecart casts a dark spell on Magento

Avast Security News Team, 26 October 2018

Yahoo pays up to settle 2 year old debacle and Avast is PCMag’s Editors Pick for 2018.

US starts counter-espionage operation against Russia

As the November midterm elections draw closer, the US Cyber Command is gearing up to ward off Russian disinformation efforts to influence its outcome. The operation comes after a recently released report on information warfare by Russian elements from the Justice Department.

While the Cyber Command has not detailed its MO, or the number of operatives it’s targeting, senior officials stated they are sending direct messages to suspects. Many of them pose as social media “influencers,” posting political rhetoric to seed discord and dissent in a targeted demographic.

For instance, Elena Alekseevna Khushyaynova ran a multi-million dollar disinformation campaign on Facebook, Instagram, and Twitter, promoting divisive posts as part of Project Lakhta. The scheme included thousands of fake social media profiles through which inflammatory content would be posted. Project Lakhta’s budget is thought to be $35 million and would use everything from immigration rules to gun laws and women’s rights to spark unrest and tension.

Yahoo yields to two-year old lawsuit

Victims of one of the biggest hacks in history may finally get some closure as Yahoo has agreed to pay $50 million in damages. The breach, which affected three billion email accounts and 200 million consumers worldwide, took Yahoo by complete surprise and was later revealed to be a state-sponsored attack by Russia.

As part of its settlement efforts, Yahoo will pay $50 million in compensation to consumers, another $35 million in lawyer fees and provide affected users in the US with a credit monitoring service called AllClear for two years, a retail value of $350. Small businesses have the option to issue claims against identity theft, delayed tax refund, and any other data loss. Consumers of premium services are further entitled to a 25% refund. To date, no one has been able to explain how the attack took place.

The incident came to light in 2016, just a few months after Verizon announced it will acquire Yahoo for $4.8 billion. Not surprisingly, Verizon was able to negotiate a $350 million discount on the deal following the hack.

Magecart goes after Magento extensions

Clearly encouraged from its Newegg heist, Magecart has launched another offensive, this time against zero-day vulnerabilities in Magento extensions. The attack was discovered by Dutch researcher Willem de Groot who identified 20 hacker-targeted extensions and has listed a series of URLs through which Magecart card-skimmer are being installed.

Says de Groot: "While the extensions differ, the attack method is the same: PHP Object Injection (POI)." The attack isn’t new either. The Magento platform itself was once affected by this issue and was fixed through the SUPEE-8788 update. However, many extension developers failed to follow Magento’s example and ended up publishing software with the same vulnerability. In doing so, they provided hackers with the perfect backdoor to Magento.

Magecart attacks have gotten more sophisticated over the years. While injecting card skimmers is their prefered mode, hackers are now redirecting users to their own fake phishing websites to collect as much information as possible. So far, Webcooking_SimpleBundle Magento extension has heeded de Groot’s warning and issued a patch. Another extension TBT_Rewards was abandoned several months ago and users are advised to uninstall it.

This is a clear example of how patching is critical,” adds Luis Corrons, Avast security evangelist. “The truth is painfully clear: By deploying vulnerable software, victims are opening a door for attackers to clean them out.”

Avast Free Antivirus named PC Mag Editor’s Choice

Following an exhaustive review of antivirus software by PC Mag, Avast has been selected as Editor’s Choice. The review highlighted Avast’s network security inspector, password manager and many bonus features that are usually paid upgrades in competing products.

Says Neil J. Rubenking: “You might expect that a free antivirus company would offer basic protection for free, but reserve advanced bonus features for the paid edition. However, in the real world, many of the most popular free antivirus tools pack full-scale protection along with a ton of extra features. Avast Free Antivirus gives you more than many competing commercial products.”

The review calls out the high scores Avast received from four independent testing labs, three of which awarded the software Advanced+ rating - their highest.