Instagram phishing uses 2FA as a lure

By Paul Ducklin

When cybercrooks first got into phishing in a big way, they went straight to where they figured the money was: your bank account.

A few years ago, we used to see a daily slew of bogus emails warning us of banking problems at financial institutions we’d never even heard of, let alone done business with, so the bulk of phishing attacks stood out from a mile away.

Back then, phishing was a real nuisance, but even a little bit of caution went an enormously long way.

That’s the era that gave rise to the advice to look for bad spelling, poor grammar, incorrect wording and weird-looking web sites.

Make no mistake, that advice is still valid. The crooks still frequently make mistakes that give them away, so make sure you take advantage of their blunders to catch them out. It’s bad enough to get phished at all, but to realise afterwards that you failed to notice that you’d “logged into” the Firrst Bank of Texass or the Royall Candanian Biulding Sociteye by mistake – well, that would just add insult to injury.

These days, you’re almost certainly still seeing phishing attacks that are after your banking passwords, but we’re ready to wager that you get just as many, and probably more, phoney emails that are after passwords for other types of account.

Email accounts are super-useful to crooks these days, for the rather obvious reason that your email address is the place that many of your other online services use for their “account recovery” functions.

Read more at https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-a-lure/

‘Privacy policy change’ hoax infects Instagram; it confirms its crud

By Lisa Vaas

Who are you going to believe: screen sweetheart Julia Roberts or Instagram chief Adam Mosseri himself?

Roberts and a host of other celebrities have unfortunately fallen for an Instagram version of the Facebook chain letter hoax. After making the rounds on Facebook, it spread to Instagram, bleating all the way with its legalistic, poorly written and puzzlyingly punctuated load of horsefeathers about a purported privacy policy change taking place “tomorrow!”

The hoax would have us all believe that Instagram is planning to tweak its privacy policy to let old messages and private photos be used in court cases against its users.

It’s not. Mosseri took to his verified Instagram Story feed to confirm that it’s a load of bunk:

Heads up!

If you’re seeing a meme claiming that Instagram is changing its rules tomorrow, it’s not true.

The meme reportedly jumped from Facebook to Instagram, appearing as a text blob that went viral on Tuesday.

This hoax is as old as Rip Van Winkle but lacks the graciousness to shut up and take a 20-year nap.

Snopes debunked the original Facebook version in 2012.

Read more at https://nakedsecurity.sophos.com/2019/08/23/privacy-policy-change-hoax-infects-instagram-it-confirms-its-crud/

Bumper Cisco patches fix four new ‘critical’ vulnerabilities

By John E Dunn

If you’re a Cisco customer, the company just issued some urgent patching homework in the form of 31 security fixes, including four addressing new flaws rated ‘critical’.

Three of the criticals (CVE-2019-1937, CVE-2019-1938, CVE-2019-1974) relate to authentication bypass vulnerabilities affecting the following products:

• UCS Director and Cisco UCS Director Express for Big Data.
• IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
• Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

All are remotely exploitable, resulting in the CVSS score of 9.8, which could allow “an attacker to gain full administrative access to the affected device.”

The fourth (CVE-2019-1935, also a 9.8) affects the Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

This is described as a default credentials flaw which could allow an attacker to log into the command line interface using the SCP user account giving them “full read and write access to the system’s database.”

Read more at https://nakedsecurity.sophos.com/2019/08/23/bumper-cisco-patches-fix-four-new-critical-vulnerabilities/

Quick thinking by Portland Public Schools stops $2.9m BEC scam

By Danny Bradbury

Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.

BEC is a sneaky form of attack in which a criminal impersonating a third party convinces someone at an organization to wire them money. The crook targets someone with control of the purse strings and uses what looks at first glance like a legitimate account owned by a supplier or business partner.

Sometimes, a BEC scammer might compromise the email account of a senior executive at the target company, or at their supplier, to get a better idea of how they communicate. They could even send an email directly from that account to someone with access to company funds. Sometimes, though, they can spoof an email and request the funds without hacking anything, relying entirely on social engineering.

Who, you may ask, would fall for such a thing? Lots of people apparently, including two employees at Portland Public Schools. A fraudster contacted them pretending to be from one of the institution’s construction contractors, asking them to send payment to an account. Of course, the request was illicit, and the account illegitimate. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.

Luckily, Portland Schools moved quickly to stop the transaction. In a letter to employees and schools, superintendent Guadalupe Guerrero said that the banks involved froze the fraudulent funds, adding:

PPS has already begun the process to recover and fully return funds back to the district, likely within the next several days.

Guerrero didn’t reveal how Portland Public Schools found the fraud, but the institution acted quickly after it did. It immediately contacted the FBI and Portland Police, along with the Board of Education.

Read more at https://nakedsecurity.sophos.com/2019/08/22/quick-thinking-by-portland-public-schools-stops-29m-bec-scam/

Humans may have been listening to you via your Xbox

By Lisa Vaas

Microsoft has (once again) joined the “our contractors are listening to your audio clips” club: up until a few months ago, your Xbox may have been listening to you and passing those clips on to human contractors, Vice’s Motherboard reported on Wednesday.

Like all the other revelations about tech giants getting their contractors and employees to listen in to voice assistant recordings – they’ve been coming at a steady clip since April – the purpose is once again to improve a device’s voice recognition.

Another similarity to earlier voice assistant news: Xbox audio is supposed to be captured following a voice command, such as “Xbox” or “Hey Cortana,” but contractors told Motherboard that the recordings are sometimes triggered and recorded by mistake. That’s the same thing that’s been happening with Siri: as we found out in July, Apple’s voice assistant is getting triggered accidentally by ambient sounds similar to its wake words, “Hey, Siri,” including the noise of a zipper.

This is Microsoft’s second eavesdropping headline this month: a few weeks ago we reported that humans listen to Skype calls made using the app’s translation function, as well as to clips recorded by Microsoft’s Cortana virtual assistant.

Can anybody NOT hear me?

Also earlier this month, thanks to whistleblowers who were disturbed by the ethical ramifications, we found out that Facebook has been collecting some voice chats on Messenger and paying contractors to listen to and transcribe them.

They were all doing it: Facebook, Google, Apple, Microsoft and Amazon.

Read more at https://nakedsecurity.sophos.com/2019/08/22/humans-may-have-been-listening-to-you-via-your-xbox/

Facebook delivers ‘clear history’ tool that doesn’t ‘clear’ anything

By Lisa Vaas

Post-Cambridge Analytica/Cubeyou/et al. privacy-stress disorder, privacy advocates, members of Congress and users told Facebook that we wanted more than the ability to see what data it has on us.

We wanted a Clear History button. We wanted the ability to wipe out the data Facebook has on us – to nuke it to kingdom come. We wanted this many moons ago, and that’s kind of, sort of what Facebook promised us, in May 2018, that we’d be getting – within a “few months.”

Well, it’s 15 months later, and we’re finally getting what Facebook promised: not the ability to nuke all that tracking data to kingdom come, which it never actually intended to create, but rather the ability to “disconnect” data from an individual user’s account.

The browsing history data that Facebook collects on us when we visit other sites will live on, as it won’t be deleted from Facebook’s servers. As privacy experts have pointed out, you won’t be able to delete that data, but you will be getting new ways to control it.

Facebook announced the new set of tools, which it’s calling Off-Facebook Activity and which includes the Clear History feature, on Tuesday.

Facebook Chief Privacy Officer of Policy Erin Egan and Director of Product Management David Baser said in a Facebook newsroom post that the new tools should help to shed light on all the third-party apps, sites, services, and ad platforms that track our web activity via Facebook’s various trackers.

Those trackers include Facebook Pixel: a tiny but powerful snippet of code embedded on many third-party sites that Facebook has lauded as a clever way to serve targeted ads to people, including non-members. Another tool in Facebook’s tracking arsenal is Login with Facebook, which many apps and services use instead of creating their own login tools.

Read more at https://nakedsecurity.sophos.com/2019/08/22/facebook-delivers-clear-history-tool-that-doesnt-clear-anything/

The Silence hacking crew grows louder

By Danny Bradbury

The Silence crew is making a lot more noise. The Russian-speaking hacking group, which specializes in stealing from banks, has been spreading its coverage and becoming more sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a report from the company last year which was the first to identify and analyses the Silence group. You can find both reports here.

Group-IB characterizes Silence as a young and relatively immature hacking group that draws on the tools and techniques of others, learning from them and adapting them to its own needs. It has been traditionally cautious, waiting an average of three months between attacks.

That hasn’t stopped it profiting, though. A string of heists has bought the group’s total ill-gotten gains to $4.2m as of this month. As it evolves, the group has been broadening its geographical reach and developing new malware to refine its techniques, the report says.

It has also added a new step to its hacking process: a reconnaissance mail. Since late last year, it has started sending emails to potential targets containing a benign image or link. This helps it update its active target list and detect any scanning technologies that the victims use.

Then, armed with a list of valid addresses, it sends them a malicious email. It can carry Microsoft Office documents with malicious macros, CHM files (Compiled HTML, often used by Microsoft’s help system) or.LNKs (a link to an executable file). Successful exploits install the group’s malware loader, Silence.Downloader (aka TrueBot). It has rewritten this loader to build encryption into some of the communication protocol with the command and control (C2) server.

More recently, the group has begun using a fileless loader called Ivoke, written in PowerShell. Silence began using fileless techniques later than other groups, showing that they are studying and then modifying other groups’ techniques, Group-IB said.

Read more at https://nakedsecurity.sophos.com/2019/08/22/the-silence-hacking-crew-grows-louder/