Weekly Axis Of Easy #221
Last Week’s Quote, “Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly, and applying the wrong remedies,” was by Groucho Marx, and this week’s winner is Richard Turner (Marcello Pavan got it first but has already won this year).
This Week’s Quote: “Since a politician never believes what he says, he is quite surprised to be taken at his word.” … by???
THE RULES: No searching up the answer; it must be posted to the blog. The place to post the answer is at the bottom of the post, in the comments section.
The Prize: The first person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- The DC government was provided with billions of location records through a data broker during the pandemic
- DDoS attacks increased more than expected in Q3, reaching thousands per day
- 7 million Robinhood users’ emails are being sold on a forum by hackers
- Sucuri: Hackers are tricking WordPress site owners into paying bitcoins to restore their sites
- Godaddy managed WordPress breached: 1.2M account details
Elsewhere online
- Cloudflare blocked a multi-vector DDoS attack of almost 2 Tbps
- B.C. residents lost millions in 2021 after falling victim to “sophisticated” crypto investment scams
- BlackBerry reveals three distinct hacker groups behind Initial Access Broker
- Github commits to improving its npm ecosystem security by enabling two-factor authentication
- Windows 10 is prone to security disasters
- US lawmakers reintroduced Online Privacy Act
- Is “Click to subscribe, call to cancel” coming to an end?
The DC government was provided with billions of location records through a data broker during the pandemic
According to public records, the data broker Veraset shared billions of phone location records with the DC government during the pandemic.
Although sharing raw data with the Washington Department of Health was pitched as useful for tracking coronavirus spread, it raises the possibility of data abuse, since this information is often collected without consent and can be sold to both public and private buyers.
According to email correspondence obtained by the Electronic Frontier Foundation (EFF) through Freedom of Information Act requests, Veraset provided the data as part of a free trial, which District officials refused to renew.
Researchers explained that the data was authorized for coronavirus-tracking purposes only and did not include any personal data. Still, Bennett Cyphers, an EFF technical expert, stressed that the emails show how data brokers try to hide their controversial work behind “covid-washing,” and he doubts whether the data is truly anonymous.
As stated by Cyphers, Veraset’s location data contains advertising-identifier codes that can be used to pinpoint individual phones. Furthermore, researchers have shown that the data can be de-anonymized and tied back to a particular individual.
By sharing their raw data with public health agencies, academic researchers, and news outlets, Veraset and other data brokers seek to improve their public image and deflect privacy concerns, arguing that the data they collect lets them monitor potentially hazardous crowd movements, mass gatherings, and other public events.
Read: https://www.washingtonpost.com/technology/2021/11/10/data-broker-shared-billions-phone-location-records-with-dc-government-part-covid-tracking-effort/
DDoS attacks increased more than expected in Q3, reaching thousands per day
According to Kaspersky’s third-quarter report on DDoS attacks, the number of attacks has soared to several thousand per day over the past three months, indicating a shift by malicious actors away from crypto mining.
According to the report, although July started “relatively quiet,” daily attacks surpassed 1,000 by the middle of the quarter. “For August 21 and 22, the daily count of five thousand was exceeded, and over three thousand attacks were detected on August 2 and 6, September 16, 18, 19, and 22.”
According to Ben Pick, a consultant at nVisium, many more DDoS attacks are on the horizon. Organizations therefore need to be prepared, and in particular to protect internet of things (IoT) devices connected to public networks from being hijacked and turned into botnets.
Read: https://threatpost.com/ddos-attacks-records-q3/176082/
7 million Robinhood users’ emails are being sold on a forum by hackers
After a recent data breach of Robinhood’s support system, the data of about 7 million Robinhood customers is being sold on a hacking forum and marketplace.
Pompompurin, the user who made the forum post, claimed to be selling the stolen Robinhood customer data for at least five figures, i.e., $10,000 or more. The same threat actor was also responsible for abusing FBI email servers over the weekend to send threatening emails.
According to reports, the stolen data includes email addresses, full names, dates of birth, and zip codes. “As we disclosed on November 8, we experienced a data security incident and a subset of approximately 10 customers had more extensive personal information and account details revealed,” Robinhood said.
Stolen email addresses, especially those tied to financial services, are sought after by attackers because they can be used in phishing campaigns that harvest even more sensitive information.
Read: https://www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/
Sucuri: Hackers are tricking WordPress site owners into paying bitcoins to restore their sites
As reported by the cybersecurity firm Sucuri, the perpetrators of a new wave of attacks have hacked nearly 300 WordPress blogs to display fake encryption notices, demanding that site owners pay 0.1 bitcoin to restore their blogs.
A countdown timer is used with these ransom demands to create urgency and perhaps to induce panic in the admin.
Rather than encrypting the websites, the attackers modified an installed WordPress plugin to display a ransom note. The site returns to normal as soon as the plugin is removed and the posts and pages are republished.
In the analysis, the actor’s IP address first appeared in the WordPress admin panel, indicating that the attackers logged in using stolen credentials or by brute-forcing the password.
As stated by Sucuri, there have been approximately 291 websites affected by the attack, while a Google search reveals a mix of clean-up sites and those with ransom notes still visible.
Read: https://www.bleepingcomputer.com/news/security/wordpress-sites-are-being-hacked-in-fake-ransomware-attacks/
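Recovery step that follows from the description above, as an added example that is not from Sucuri’s report or this newsletter: once the tampered plugin is removed, the posts and pages it took offline have to be republished. The SQL below assumes the default `wp_` table prefix and a known incident window (the date the attacker’s IP first appeared in wp-admin); the dates are placeholders.

```sql
-- Added example, not the newsletter's or Sucuri's own code.
-- Assumes the default "wp_" table prefix and that the incident window is
-- known from the admin-panel login records. Dates below are placeholders.

-- 1. Triage: posts and pages that were published before the incident
--    but are no longer 'publish' and were modified during the window.
SELECT ID, post_type, post_title, post_status, post_date, post_modified
FROM wp_posts
WHERE post_type IN ('post', 'page')
  AND post_status <> 'publish'
  AND post_date < '2021-11-01 00:00:00'       -- originally published before the window
  AND post_modified >= '2021-11-01 00:00:00'  -- touched during the window
ORDER BY post_modified DESC;

-- 2. Recovery: run only after the modified plugin has been removed and the
--    list above has been reviewed (so genuine drafts are not published).
UPDATE wp_posts
SET post_status = 'publish'
WHERE post_type IN ('post', 'page')
  AND post_status IN ('draft', 'pending', 'private')
  AND post_date < '2021-11-01 00:00:00'
  AND post_modified >= '2021-11-01 00:00:00';
```

Take a database backup before the UPDATE, and rotate the admin credentials the attacker used, since the page notes the login came from stolen or brute-forced passwords.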
GoDaddy managed WordPress breached: 1.2M account details
GoDaddy has filed a disclosure with the US SEC revealing that its managed WordPress service had been compromised by an attacker since September 6th, 2021.
That means the intruder had been in the system for over a month. Worse, GoDaddy was storing the WordPress admin account passwords in cleartext, along with the email address, customer number, and the sites’ private SSL keys as they were at provisioning time.
The possible downstream attacks are numerous, including phishing, data theft, and the installation of malicious plugins.
The WordFence article gives a quick list of steps you should take if you’re an affected user. Ideally, you have your Managed WP site from GoDaddy backed up and can take a snapshot from prior to Sept 6th, reinstall the entire site, and then rebuild your changes since.
Read: https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/
In case anybody is wondering, we do not store easyPress passwords (or any other passwords) in cleartext. Also, easyPress sites come with Blogvault backups included, so if disaster does strike, you’ll be in a position to restore.
Elsewhere online:
Cloudflare blocked a multi-vector DDoS attack of almost 2 Tbps (the largest we’ve seen to date)
Read: https://blog.cloudflare.com/cloudflare-blocks-an-almost-2-tbps-multi-vector-ddos-attack/
B.C. residents lost millions in 2021 after falling victim to “sophisticated” crypto investment scams
Read: https://www.cheknews.ca/b-c-residents-losing-millions-to-fraudsters-using-sophisticated-crypto-scams-on-social-media-dating-sites-906879/
BlackBerry reveals three distinct hacker groups behind Initial Access Broker
Read: https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html
Github commits to improving its npm ecosystem security by enabling two-factor authentication
Read: https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/
Windows 10 is prone to security disasters. Can Microsoft fix the problem?
Read: https://www.zdnet.com/article/microsoft-windows-10-is-a-security-disaster-waiting-to-happen/
US lawmakers reintroduced the Online Privacy Act, which limits and binds companies collecting and using user data
Read: https://eshoo.house.gov/media/press-releases/eshoo-and-lofgren-reintroduce-sweeping-privacy-legislation
Is “Click to subscribe, call to cancel” coming to an end? According to the FTC, the popular retention technique tricks consumers into subscribing
Read: https://www.niemanlab.org/2021/11/the-end-of-click-to-subscribe-call-to-cancel-one-of-the-news-industrys-favorite-retention-tactics-is-illegal-ftc-says/