
Amtrak breached, some customers’ logins and PII potentially exposed

Amtrak, the national rail service for the US, has suffered a data breach that may have exposed some customers’ logins and other personally identifiable information (PII), the service has disclosed.

The state-backed transportation company, which is also known as the National Railroad Passenger Corporation, says that a third party got unauthorized access to some Amtrak Guest Rewards accounts on the evening of 16 April. The rewards program enables customers to earn points – by spending on travel, hotels, car rentals and more – that they can then apply to Amtrak purchases.

Amtrak revealed the breach on Friday in a regulatory filing – namely, a sample letter to consumers about the breach – with the Office of the Vermont Attorney General.

The service said that it determined that the intruder used compromised usernames and passwords to access some reward accounts and that they may have also viewed customers’ personal information. However, the attacker didn’t access financial data, be it credit card information or Social Security taxpayer IDs.

Amtrak said that its security team immediately investigated the issue, stitching up the hole and blocking the unauthorized access within a few hours. Its security team also reset passwords on potentially affected accounts and pulled in outside cybersecurity expertise in order to ensure that the incident was in fact contained. Amtrak says it also implemented “additional safeguards to protect customers,” but it didn’t give any detail on what its new safeguards are.

To help protect customers from identity theft, Amtrak is offering consumers a free year of fraud monitoring from Experian. That’s all well and good, but do note that such a service only flags suspicious activity after it happens, not before.

Nor do such monitoring services work to prevent phishing attempts that exploit any PII attackers get their hands on. This should be of particular concern to the organizations whose employees travel via Amtrak: as of October 2018, phishing was cited as the most commonly used method in attacks, according to organizations surveyed for IDG’s 2018 US State of Cybercrime report.

Amtrak says that it hasn’t yet seen any indication of customers’ PII having been misused, but advised consumers to keep an eye out for fraud and ID theft by regularly reviewing their financial statements.

We don’t know how the attacker got hold of Amtrak Guest Reward usernames and passwords. It’s quite possible that Amtrak wasn’t breached itself but that its customers reused their logins across multiple sites/services/accounts, one or more of which may have been breached. Lists of breached credentials are regularly put up for sale on the dark web. After a crook steals them or buys them, the credentials can be fed into automated spray-and-pray attack tools: a quick way to try the same logins everywhere else they might work, be it social media accounts or your bank account.

We’ve said it before, and we’ll keep saying it: password reuse is truly a bad idea!
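The spray-and-pray pattern described above leaves a recognisable trace in a login log: one source address trying many different usernames in quick succession, most of them failing. The detector below is an added example (not Amtrak’s code or Naked Security’s); the log format and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not Amtrak's): one source cycles through many
# different usernames in seconds, mostly failing, while a normal user retries once.
SAMPLE_LOG = """\
2020-04-16T21:03:11Z src=203.0.113.7 user=alice result=FAIL
2020-04-16T21:03:12Z src=203.0.113.7 user=bob result=FAIL
2020-04-16T21:03:12Z src=203.0.113.7 user=carol result=OK
2020-04-16T21:03:13Z src=203.0.113.7 user=dave result=FAIL
2020-04-16T21:03:13Z src=203.0.113.7 user=erin result=FAIL
2020-04-16T21:03:14Z src=203.0.113.7 user=frank result=OK
2020-04-16T21:03:14Z src=203.0.113.7 user=grace result=FAIL
2020-04-16T21:05:40Z src=198.51.100.9 user=heidi result=FAIL
2020-04-16T21:05:55Z src=198.51.100.9 user=heidi result=OK
"""

def parse_line(line):
    """Split one 'ts src=.. user=.. result=..' record into a dict."""
    ts, src, user, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src.split("=", 1)[1],
            "user": user.split("=", 1)[1],
            "ok": result.split("=", 1)[1] == "OK"}

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.5):
    """Flag sources that try >= min_users distinct usernames inside `window` with
    a failure ratio >= min_fail_ratio (many usernames, one try each is stuffing;
    one username, many tries is brute force or a forgetful user). Returns
    {src: sorted usernames that logged in OK}: the accounts to reset first."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1          # slide the window forward in time
            win = events[start:end + 1]
            fails = sum(1 for e in win if not e["ok"])
            if len({e["user"] for e in win}) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.setdefault(src, set()).update(e["user"] for e in win if e["ok"])
    return {src: sorted(users) for src, users in flagged.items()}
```

The successful logins from a flagged source are exactly the accounts a password reset should hit first, which is the response Amtrak describes.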

Android ‘StrandHogg 2.0’ flaw lets malware assume identity of any app

Researchers have publicised a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.

Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow up to a similar flaw of the same name made public by the company last year.

Strandhogg is, apparently, the old Norse word for the Viking tactic of sailing up to coastal towns and plundering them, which isn’t a bad description of what the bug might be capable of if it were used in a real attack.

Promon doesn’t delve into the inner workings of the flaw in huge detail but malware exploiting it would be able to overlay a malicious version of any app over the real app, capturing all logins as they are entered by an oblivious user.

Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.

Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.

Promon claims the code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.

Because this attack is so hard to spot, and can steal almost anything on a device (GPS data, images, logins, SMS messages and emails, phone logs, etc.) there’s a chance it might be interesting to nation state hackers as well as criminals out for profit.

Promon predicts that attackers will look to utilise both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways.

Who is affected?

Anyone running Android versions 8.0, 8.1 and 9.0 – the only Android version not affected by StrandHogg 2.0 is version 10, currently installed on only a small proportion of smartphones.

Reported to Google last December, the company patched what is now identified as CVE-2020-0096 in the recent May Android update.

It’s not clear how effective mitigations might be, which puts a premium on patching this flaw. Unfortunately, the only smartphones that have definitely received this are Google’s own Pixel devices.

If your Android smartphone is made by a third party, patches for Android 8 and 9 could turn up any time from now to several months down the line (potentially vulnerable versions before 8 and 9 no longer receive patches at all).

Users can check their update status by going to Settings > About phone and looking for the month given as the security patch level (May 2020 being the latest). From version 10, the same information is found under Settings > Security.

More likely, the last patch will be anything from two to six months ago. The good news is that, unlike StrandHogg 1.0, there’s no evidence hackers have ever discovered or exploited this weakness.

The risk posed by this right now is probably low. What its existence emphasises is the urgency of improving the patching of Android devices, including the tricky and still-to-be-solved issue of what happens when non-Google devices stop receiving updates after two years.

Currently, nobody knows, a flawed approach whose long-term risks grow larger with every passing Android version.



Beware the DHL delivery message email – it could be a package scam

Another day of lockdown…

…another “package delivery notification” scam.

Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.

We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.

Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.

For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.

At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.

To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.

That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.

This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:

Incoming Package Notification!

This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.

And that’s all there is to the email.

OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.

More importantly, however, hovering over the link would show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).

If you click through just to see what this is all about, you’ll see a similarly simple web page:

As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.

The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.

Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).

Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.

As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.

But the absence of an HTTPS certificate on legitimate sites is so unusual these days that you should take it as an immediate warning sign that all is not well.

Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)

What to do?

  • Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
  • Treat delivery messages as notifications only and ignore the links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
  • Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
  • Change passwords at once that you put into sites you later realised were bogus. The sooner you change your current password, the less time the crooks have to try and use it. If you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
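The address-bar checks the article walks through (no HTTPS, a host that is nothing like the brand’s own domain) can be run over a link before anyone clicks it. This is an added example, not Naked Security’s code; the brand domains are an assumption for the example and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Domains a genuine DHL tracking link would live under (an assumption for this
# example; confirm the real list on the carrier's own website).
EXPECTED_DOMAINS = {"dhl.com", "dhl.de"}

def host_under(host, domain):
    """True if host is `domain` itself or a subdomain of it. Matching on the dot
    boundary means 'dhl.com.example.net' does not count as dhl.com."""
    return host == domain or host.endswith("." + domain)

def assess_link(url, expected_domains=EXPECTED_DOMAINS):
    """Return the warning signs a reader should notice in the address bar for
    `url`. An empty list means no check fired, which is not proof of safety."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("no HTTPS: the browser will show no padlock")
    if parts.username is not None:
        # 'https://dhl.com@evil.example/' goes to evil.example, not dhl.com
        warnings.append("user@ before the host: the real site is " + host)
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: may be a lookalike of a brand name")
    if not any(host_under(host, d) for d in expected_domains):
        warnings.append("host %r is not an expected brand domain" % host)
    return warnings

if __name__ == "__main__":
    # Constructed stand-in for the hacked construction-company URL in the article.
    for w in assess_link("http://hacked-construction-site.example/track/"):
        print("WARNING:", w)
```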


More crypto-stealing Chrome extensions swatted by Google

Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.

Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibit misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.

It said that developers must comply with the policy after 27 August 2020. After that point, apps violating the rules “may be taken down and disabled”.

The problem, according to Dan Finlay, the lead developer at crypto wallet company MetaMask, is that Google allows phishing ads that point to fake extensions. Initially talking about shortcomings in the company’s manual extension review process, he said:

Finlay said that he reported the problem, sending trademark notices and bug reports, but that Google didn’t reply. What he’d really like to see is the ability to block other extensions or ads from using MetaMask’s name.

Denley agreed. He told us:

The official MetaMask extension has over 1,000,000 users – you’d assume Google would have some sort of plan to tackle any potential fake extensions with the Metamask branding.

Weirdly, while Google has been quick to take down most fake cryptocurrency wallet extensions, at the time of writing (7am BST) one of the fake MetaMask extensions was still up. Its listing reports 380 users.

The best advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
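The last point, watching for permissions that change, can be automated by keeping a copy of an extension’s manifest.json from install time and diffing it against the current one. This is an added example, not Google’s or any wallet project’s code; the two manifests are constructed, and the set of “broad” permissions is an assumption chosen for the example (the names themselves are real Chrome permissions).

```python
import json

# Permissions that give an extension reach far beyond a wallet UI; a wallet that
# suddenly asks for these deserves a hard look (the selection is an assumption).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "webRequest", "debugger", "nativeMessaging", "clipboardRead"}

def permission_set(manifest):
    """Collect API and host permissions from a manifest. Manifest v2 keeps host
    patterns inside 'permissions'; v3 moves them to 'host_permissions'."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    return perms

def permission_changes(old_manifest, new_manifest):
    """Compare two manifests of the same extension and report what was added,
    what was removed, and which of the additions are broad enough to worry about."""
    old, new = permission_set(old_manifest), permission_set(new_manifest)
    added = new - old
    return {"added": sorted(added),
            "removed": sorted(old - new),
            "broad_added": sorted(added & BROAD)}

# Constructed manifests: a baseline saved when the extension was installed, and
# the manifest shipped by a later update of the same extension.
BASELINE = json.loads('{"manifest_version": 3, "version": "1.0", '
                      '"permissions": ["storage"], '
                      '"host_permissions": ["https://wallet.example/*"]}')
UPDATE = json.loads('{"manifest_version": 3, "version": "1.1", '
                    '"permissions": ["storage", "clipboardRead", "tabs"], '
                    '"host_permissions": ["<all_urls>"]}')

if __name__ == "__main__":
    changes = permission_changes(BASELINE, UPDATE)
    if changes["broad_added"]:
        print("review before accepting update:", changes["broad_added"])
    print(changes)
```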
