External Threat Summary for December 2018
An attacker gained access to personal data belonging to some 500,000 students from the San Diego Unified School District. The attacker used phishing emails to collect login credentials from district employees between January and November 2018.
The question and answer website Quora announced that up to 100 million users’ account data, including data from linked networks and all public and non-public account activities, were stolen by an unknown attacker, whose method for obtaining access to the system remains unknown.
A botnet consisting of 20,000 infected WordPress sites has been observed attacking other WordPress sites in order to expand the botnet infrastructure. The botnet attacks the sites through an XML-based API that mobile app developers use to connect to WordPress sites.
Rogue Mobile Application
The DanaBot banking trojan has received an update which allows it to harvest email addresses from an infected user’s address book and then distribute spam messages directly from that user’s mailbox.
The 2018 trend of “sextortion” emails, in which an attacker uses previously stolen account credentials to scam a victim with threats of releasing videos of the victim’s purported pornography habits, has undergone a significant shift in tactics. Recently, such emails have included ransomware and/or spyware payloads, shifting the attack from a scam to a direct attack against the victim’s computer.
Social Media Threat
A cyber criminal group known as Speedworm has been observed using the online code repository GitHub to post, analyze, and modify its malware code. In addition, the group has conspicuously updated its code quickly after researchers on social media have posted new vulnerabilities or patches against known vulnerabilities.
Holiday Shopping Scams
In 2018, a phishing scam in which attackers send emails pretending to be order confirmations from Amazon reached new levels of realism, as the new campaign’s emails are virtually indistinguishable from Amazon emails. Many of the links in the emails direct to legitimate Amazon pages, whereas the “Order Details” button links to a malicious document.
Social Media Threats, Alternative Infection Vector
A large-scale malware campaign dubbed Operation Sharpshooter has leveraged several social media-based social engineering techniques to direct victims across several critical infrastructure industries to download malicious files through Dropbox. The primary lure behind the campaign is job recruitment.
A Chinese ransomware family has forgone the traditional ransomware method of demanding payment via cryptocurrency, and instead demands that victims pay via WeChat, one of China’s most used social network platforms, which allows monetary transfers from user to user.
Social Media Abuse
A cyber criminal group has been observed delivering instructions to its malware via steganography. The group uploaded “meme” images containing hidden text to Twitter, which instructed the malware to take screenshots of the infected computer and then relay those images back to a command and control (C2) server.