Data breaches at SitePoint and Emsisoft, Morse code used for hiding a phishing attack and watch for bad browser extensions
Welcome to Cyber Security Today. It’s Monday February 8th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
SitePoint, a website that sells books and courses for web developers, has confirmed its user database of over 1 million people was copied and is now available to hackers. There had been evidence on hacking forums that the database was up for sale, and later being given away. Last week, after SitePoint users complained of getting email extortion demands and fake cryptocurrency giveaway emails, the company sent a notice to users acknowledging the breach. SitePoint says it has reset passwords on all accounts, so users now have to enter new credentials. One exception is users whose accounts log in automatically; they should change their passwords manually. Those who use logins from Google and Facebook can continue to use them. SitePoint suspects the hacker got into its system by compromising a tool from another software company that it uses to monitor the company’s GitHub software development account.
The founder and managing director of cybersecurity provider Emsisoft says one of its systems was breached in mid-January. The system evaluates and benchmarks possible solutions for storing and managing log data generated by its products and services. This evaluation system was supposed to hold only databases of technical logs. However, 14 email addresses of customers were in one of the databases. The cause of the breach was an employee who misconfigured an application. As a result of this attack, the company says it is spending more to spot configuration issues. It is also creating an isolated environment for testing and benchmarking, making sure that system only holds artificially generated data.
Hackers do all sorts of things to their code to evade detection. The Bleeping Computer news site has come across a new tactic: Using Morse code to hide a malicious internet address. The scam works like this: A targeted victim gets an email from a hacker with a request to open an attachment. The message may claim the attachment is something important, like an invoice. Often malicious attachments include links to suspicious internet addresses that start a chain of events leading to stolen passwords or downloaded malware. Security software looks for suspicious internet addresses. So to hide the address, this hacker has disguised it as Morse code, and security software misses the link. When the victim clicks on the attachment, a message says their Office365 password has timed out and they have to enter it again to see the document. This, of course, is the point: To capture the victim’s username and password. Bleeping Computer has found 11 companies targeted with this attack, many of them in Europe. It’s another example of how people have to be careful to check who is sending a message asking them to click on an attachment.
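A defender-side illustration of the detection idea in this story, added here and not taken from Bleeping Computer’s report or the podcast: it scans attachment text for runs of Morse code, decodes them, and flags anything that reads as a web address. The Morse table, the regular expressions and the sample attachment are constructed for the example; real samples vary in how the Morse is embedded, so the run pattern is a starting point, not a signature.

```python
import re

# International Morse code for letters, digits and the punctuation a URL needs.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", "-..-.": "/", "---...": ":",
    "-....-": "-", "..--.-": "_",
}

# Six or more space-separated dot/dash groups in a row: long enough that prose
# punctuation ("...", " - ") does not trigger it, short enough to catch a hostname.
MORSE_RUN = re.compile(r"(?:[.-]{1,6} +){5,}[.-]{1,6}")
# Decoded text that looks like a URL, with or without a scheme.
URL_RE = re.compile(r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/[^\s?]*)?")


def decode_morse(run: str) -> str:
    """Decode one space-separated Morse run; unknown groups become '?'."""
    return "".join(MORSE.get(group, "?") for group in run.split())


def find_morse_urls(text: str) -> list[dict]:
    """Scan attachment text for Morse runs that decode to URL-like strings."""
    hits = []
    for match in MORSE_RUN.finditer(text):
        decoded = decode_morse(match.group(0))
        urls = URL_RE.findall(decoded)
        if urls:  # only report runs that actually hide an address
            hits.append({"encoded": match.group(0), "decoded": decoded, "urls": urls})
    return hits


# Constructed sample resembling such an HTML attachment: a fake "password timed out"
# prompt plus a script holding the form's destination as Morse. The address is a
# placeholder on the reserved .test TLD, not one from a real campaign.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your Office365 password has timed out. Sign in again to view the document.</p>
<script>
var m = '.... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . .-.-.- - . ... - -..-. .-.. --- --. .. -.';
</script></body></html>"""

if __name__ == "__main__":
    for hit in find_morse_urls(SAMPLE_ATTACHMENT):
        print(f"Morse-hidden address: {hit['decoded']}")
```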
Finally, some caution about browser extensions. Extensions are add-ons to your browser that give some helpful functionality. Your antivirus software may be an add-on to your browser. Extensions are available in the Google Play and Apple app stores. But for some time hackers have been creating bad extensions to serve their own ends. So you’ve got to be careful about what you allow. I’m telling you about this because last week Google deleted and disabled the popular Chrome extension called The Great Suspender for containing malware. According to The Hacker News, it seems the person who created the original extension sold it last June to someone who inserted malicious code.
Here’s another example of an abusive extension: A security researcher writing for the SANS Institute last week told of discovering an extension on a person’s computer that pretended to be from a legitimate security company. The goal was to alter the data in a web application the victim had access to. This particular extension had been manually installed on the victim’s computer, meaning the hacker had physical access to it. One lesson from this incident is to be careful with your computer. When you leave it alone, make sure someone can’t just sit down and use it. If it’s a laptop, close the lid so a fingerprint or password has to be entered. If it’s a desktop computer, turn on sleep mode so a password is needed to wake it up. And periodically check your browser extensions to see if one you haven’t approved is there.
That’s it for today. Links to details about these stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.