Category Archives: Phishing

Digital piggy bank service broken into by cybercrooks

Saving money, at least in modest amounts, used to be a very simple business.

The easiest approach – many of us still do it, even in this online age – is the coin jar (or piggy bank, if you’re really old-school).

Instead of frittering away your small change on daily inconsequentials, you dump unused coins in the big glass jar in the corner of the living room, and just before it’s too heavy to pick up and move altogether…

…you drag it down to the bank and are often pleasantly surprised how much money has accumulated in there.

But that’s a very 1990s approach! Why not put your money into a digital piggy bank, instead?

And, better yet, why not choose a piggy bank that deliberately starts out in debt?

It sounds bizarre – you essentially take out a loan you can’t touch, and clock up your “savings” by paying it off.

At the end of the period – a year, say – you’ve paid off the loan, so you not only get access to your loan capital as your “savings”, but also have a year’s worth of loan repayments that boost your credit rating.

By deliberately racking up debt to save against, your savings end up acting both as credit and as credit history.

That’s the business model of UK company Loqbox, which says it keeps the service free due to the affiliate fees it gets from the banks into which its customers release their funds after paying off a loan:

After making monthly payments for a year, your loan is repaid and you leave LOQBOX with an improved credit score and your money back into a new account for free.

[…]

We get paid by our partner banks for opening a new account for you, which is how we keep LOQBOX free. But if you’d prefer, you can opt for our Flexi Unlock premium add-on and unlock into an existing account for £30.

So far, so good…

…except that there’s a lot riding on you being able to keep up your “savings” payments for the period of the loan.

If you raid the coin jar every now and then (we’ve all done it – it’s part of the game!), the worst that can happen is you end up with nothing saved, or you take longer to fill the jar than you hoped.

But even though you can take an early exit from debt-based savings systems like Loqbox’s, and get back what you’ve put in so far, you won’t then have finished the loan process in full, and, as the company itself warns, unlocking early could harm your credit history.

And you can’t just skip payments at will, in the same way that you can go a few weeks without putting coins in the jar, because that really would harm your credit history.

In other words, as well as keeping up your side of the repayments, and taking care of your online account, you’d better hope nothing bad happens to your account data at the other end.

Crooks in the piggy bank

Unfortunately, according to customer tweets and news reports, Loqbox has just suffered a data breach that uncovered enough personal data to make most affected customers uncomfortable, apparently including names, emails, phone numbers, postal addresses and dates of birth.

Additionally, partial bank account and card number details were stolen, too.

UK IT publication The Register claims that this “external attack” got at bank account sort codes plus two digits of the account number, as well as credit card expiry dates plus 10 digits’ worth of the card number.

Fortunately, those numbers don’t identify customers’ accounts or cards precisely enough to let them be abused directly.

Sort codes generally identify the bank and a branch, which crooks could guess at from your home address anyway; UK bank account numbers are usually eight digits long; and credit cards typically have 16 digits.

Also, the 10 card digits stolen apparently include the parts of the number that are often disclosed or can be figured out anyway, namely:

  • The first six digits, which identify the financial provider. These digits make up what’s called the BIN, short for Bank Identification Number. A glance at your credit card’s colour or design is often enough to figure out those numbers anyway.
  • The last four digits, which are routinely printed on receipts or sent in unencrypted emails. These are pretty much used as semi-public “check digits” to make it easy for you to see which card you used for what transactions.

In short, the breach sounds bad, but not that bad.

There’s no mention of passwords or password hashes being stolen, which almost certainly means that the crooks can’t use the breached data to wander into your Loqbox online account with ease, and there’s no mention of any transactional data or other credit history information being accessed.

What to do?

Loqbox doesn’t seem to have any information about the breach on its own website or blog, so we’re assuming that affected customers will hear by email.

Note that it doesn’t mean you are entirely off the hook if you haven’t yet heard from Loqbox – breach investigations can take quite some time to complete.

And even if you have heard from Loqbox already, the company may need to contact you again in the future as investigations continue – and you can probably see where this is going: if you are half-expecting an email from Loqbox, you are all the more likely to believe a fake one.

Our tips are therefore:

  1. Keep a closer eye than usual on your statements. Simply put, if you see something, say something. (But note #2.)
  2. Watch out for emails or calls that know more about you than you might expect. Even without full details of your bank account or payment card, crooks with data from this breach will be in a much more believable position to scam you into thinking they are legitimate. (And see #3.)
  3. Never contact Loqbox or any other financial provider using information from an email or a call. Get out your original paperwork (or turn your payment card over) and use contact details from there – that way, you won’t get tricked into talking to an imposter.
  4. Speak to your card provider about getting a new number. If your card provider thinks there’s now a risk of fraud on your current card, they’ll probably issue you a new card and cancel the old one.
  5. Don’t pick passwords that crooks could guess from your customer data. The more crooks know about you, even if it’s just your birthday and where you live, the more clues they have to guess poorly-chosen passwords. In fact, don’t pick guessable passwords at all – use a password manager if you’re struggling to come up with good passwords yourself.

HOW TO PICK A PROPER PASSWORD


S2 Ep28: Stalkerware, when cybercrooks return, and phishing gone wild – Naked Security Podcast

This week we discuss the stalkerware app that spilled bucketloads of ultrapersonal data, a double-whammy ransomware attack on a homeless charity, and an Amazon Prime-themed phishing attack with a skull-and-crossbones twist.

Producer Alice Duckett hosts the show with Sophos experts Paul Ducklin, Greg Iddon and Peter Mackenzie.


The Amazon Prime phishing attack that wasn’t…

Earlier this week, we received a moderately believable Amazon Prime phish via email.

The scam had an Account Locked subject line, with a warning that we wouldn’t be able to buy or sell anything via Amazon’s services until we verified our account.

To add a bit more fear and urgency, the crooks went on to warn us that if we didn’t complete the verification process within 24 hours, then our account would be deactivated, not merely suspended.

The “good” news, of course, is that verifying our account was as easy as clicking a link in the email:

Your Prime Membership Account Has Been Suspended Due To The Following Problems Below:

Invalid Card Number
Your Billing Address Does Not Match Our Records
Unverified Email Address

You will not be able to Buy and Sell on amazon until you have click the link below to confirm your account details before 24hrs of receiving this message.

We will be forced to deactivate your account automatically if you do not verify your identity.

We don’t think that Naked Security readers would fall for this one, for several reasons:

  • There are numerous grammatical and spelling mistakes in the message. We think fluent speakers of English would notice these and be suspicious.
  • There’s an unreasonable sense of urgency and drama. Amazon almost certainly wouldn’t use words such as “we will be forced to deactivate your account”, and the company wouldn’t need to deactivate your account for failing to respond within a day. (Online services want to keep you as a customer, not to throw you out!)
  • The sender doesn’t know who you are. The greeting “Dear Suspended user” looks, and is, peculiar and suspicious.
  • There’s no need to click the link in the email. If the email is a scam, the link will be false. But if the email is true, you can simply go to the Amazon site yourself, or use the Amazon app – the online location of Amazon isn’t a secret. Therefore the correct action is never to click, whether you believe the link or not.
  • The link the crooks want you to click uses HTTP. Although an HTTPS link would not mean that the page is safe, you should treat all HTTP links as unsafe – even if you trust the website at the other end – because unencrypted web connections can easily be snooped on by other people.
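As an added example (not code from the original post), here is a small Python checker that applies the red flags above to the quoted email: generic greeting, pressure language, plain HTTP links, and links that point away from the brand being impersonated. The message text is reconstructed from the article, the link URL is a placeholder, and the brand-domain list is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample, assembled from the Amazon Prime phish quoted in the article.
# The link is a placeholder; the real URL from the email is not reproduced here.
SAMPLE_SUBJECT = "Account Locked"
SAMPLE_BODY = """Dear Suspended user,
Your Prime Membership Account Has Been Suspended Due To The Following Problems Below:
Invalid Card Number / Your Billing Address Does Not Match Our Records / Unverified Email Address
You will not be able to Buy and Sell on amazon until you have click the link below
to confirm your account details before 24hrs of receiving this message.
http://example.invalid/amazon/verify-account
We will be forced to deactivate your account automatically if you do not verify your identity.
"""

# Greetings that show the sender does not know who you are.
GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+(?:suspended\s+user|user|customer|member|valued\s+\w+|sir/madam))\b",
    re.IGNORECASE | re.MULTILINE,
)
# Pressure language: deadlines and threats of losing the account.
URGENCY_PHRASES = (
    "24hrs", "24 hours", "within 24", "forced to deactivate", "account locked",
    "has been suspended", "verify your identity", "immediately",
)
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
# Domains a genuine message about the brand would link to (assumed list).
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk")}


@dataclass
class Assessment:
    generic_greeting: Optional[str] = None
    urgency_phrases: List[str] = field(default_factory=list)
    plain_http_links: List[str] = field(default_factory=list)
    off_brand_links: List[str] = field(default_factory=list)

    @property
    def indicator_count(self) -> int:
        checks = (self.generic_greeting, self.urgency_phrases,
                  self.plain_http_links, self.off_brand_links)
        return sum(1 for c in checks if c)

    @property
    def verdict(self) -> str:
        if self.indicator_count >= 2:
            return "likely phishing"
        return "needs human review" if self.indicator_count == 1 else "no automated indicators"


def _link_is_off_brand(url: str, text_lower: str) -> bool:
    """True if the text names a brand but the link's host is not one of that brand's domains."""
    host = (urlparse(url).hostname or "").lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text_lower and not any(host == d or host.endswith("." + d) for d in domains):
            return True
    return False


def assess_email(subject: str, body: str) -> Assessment:
    """Apply the article's checklist to one message (spelling and grammar are left to a human)."""
    result = Assessment()
    text = f"{subject}\n{body}"
    text_lower = text.lower()
    match = GENERIC_GREETING.search(body)
    if match:
        result.generic_greeting = match.group(1)
    result.urgency_phrases = [p for p in URGENCY_PHRASES if p in text_lower]
    for url in URL_RE.findall(text):
        if url.lower().startswith("http://"):
            result.plain_http_links.append(url)
        if _link_is_off_brand(url, text_lower):
            result.off_brand_links.append(url)
    return result
```

Running `assess_email(SAMPLE_SUBJECT, SAMPLE_BODY)` on the sample trips all four checks; a routine order-shipped note that greets you by name and links to the brand's own HTTPS site trips none.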

The teachable moment

Nevertheless, we thought we’d follow the phishing link ourselves, just to see how convincing the final result would be – most phishing sites have some sort of “teachable moment” that we can learn from, no matter how smart we think we are already.

Our first steps were simply to check where the link went, rather than downloading the actual content it linked to.

We found that the first hop was to an otherwise-invisible URL on a legitimate business WordPress site that had obviously been hacked and “borrowed” by the crooks to hide their trail.

The main page of the site was still working normally, promoting a PR business with a (rather ironic) tagline in Spanish saying, “It’s the first impression that counts”:

From here the crooks quietly redirected us to a second hacked site, this time a Middle Eastern company selling awnings, canopies and sun-shades:

Once again, the crooks didn’t take us to the front door, but instead pointed us at a usually-invisible URL that even the site operator probably wouldn’t notice unless they carefully went looking for files that shouldn’t be there.

And that’s where we got a surprise!

We don’t know whether the crook who sent us the phishing email made a mistake, and used the wrong URL, or whether a second crook had arrived in the interim and then taken over the hacked server from the original hackers…

…but instead of reaching a page that demanded our Amazon password, which is what we expected, we ended up at the crooks’ very own remote access backdoor:

Pirate skull? Check.

Comic Sans font? Check.

Haxor bragging (including the word haxor)? Check.

Emoticons and needless EXCLAMATION POINTS? Check.

Full remote access with no username or password needed? Check.

In this case, by implanting just one PHP file – a scrambled and obfuscated remote access toolkit – at a known URL they could visit later, the crooks gave themselves an unaudited, unsecured, unlimited remote console to the raw files on the WordPress server.

In other words, the crooks have set things up so they can sidestep the WordPress administration console entirely: they don’t need a password; they won’t get logged by the WordPress system; and they can add and modify files that WordPress wouldn’t normally allow, essentially allowing them to hide content such as phishing pages and malware downloads in plain sight.

Worse still, because their access isn’t mediated by the WordPress administration tools, they can also snoop around on the site where even a WordPress administrator might not be able to go, and upload or edit files that WordPress itself would probably prevent.
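An added defensive example, not code from the article: a Python scan that looks for the kind of file described here, namely PHP sitting where WordPress would never put it (the uploads tree, or disguised with a media-style double extension) and PHP that chains decode-and-eval calls. The WordPress-like tree and the planted files are constructed and harmless; the marker list is an assumption.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Functions commonly chained to hide what a PHP file does; legitimate plugin
# code very rarely needs to eval() a decoded or decompressed string.
OBFUSCATION_MARKERS = re.compile(
    r"\b(eval|assert|gzinflate|gzuncompress|str_rot13|base64_decode|create_function)\s*\(",
    re.IGNORECASE,
)
# WordPress keeps uploaded media here; it should never contain executable PHP.
SUSPECT_DIRS = ("wp-content/uploads",)
# A "photo" that is really a PHP script.
MEDIA_DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf)\.php$", re.IGNORECASE)


def scan_site(root: Path) -> Dict[str, List[str]]:
    """Return {relative_path: [reasons]} for every PHP file that merits a closer look."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if any(rel.startswith(d + "/") for d in SUSPECT_DIRS):
            reasons.append("PHP file inside the uploads directory")
        if MEDIA_DOUBLE_EXT.search(rel):
            reasons.append("media-style double extension")
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        markers = sorted({m.group(1).lower() for m in OBFUSCATION_MARKERS.finditer(src)})
        # One decode call alone is common; eval/assert, or a decode chain, is the tell.
        if "eval" in markers or "assert" in markers or len(markers) >= 2:
            reasons.append("obfuscation/eval markers: " + ", ".join(markers))
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_site() -> Path:
    """Construct a throwaway WordPress-like tree with two planted files (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); require_once 'wp-settings.php';\n",
        "wp-content/plugins/hello/hello.php": "<?php function hello_text() { return 'Hello'; }\n",
        "wp-content/uploads/2020/02/banner.jpg": "placeholder bytes, not really a jpeg\n",
        # Constructed stand-in for the scrambled single-file backdoor the article describes;
        # the string is not a payload and the call chain does nothing useful.
        "wp-content/uploads/2020/02/cache.php":
            "<?php /* constructed sample */ eval(gzinflate(base64_decode('NOT-A-REAL-PAYLOAD')));\n",
        "wp-content/uploads/2020/02/photo.jpg.php": "<?php echo 'placeholder';\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_site(build_sample_site()).items():
        print(rel, "->", "; ".join(reasons))
```

A scan like this is a starting point, not a verdict: anything it flags should be compared against a known-good copy of the plugin or theme before it is deleted.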

What to do?

In the end, this turned into a website insecurity story rather than a phishing alert, and it’s a good reminder of several important facts:

  • No website is unimportant to the crooks. Cybercrime isn’t just about million-dollar ransomware attacks on giant corporations. Your website has real value to the criminals, even if it’s just as a jumping-off point for them to enable further crimes.
  • If your site gets hacked, you’ll probably end up blocklisted. Once the crooks start using your website to host malicious content, you are likely to end up getting blocked or filtered by security products and the major browsers. This could dissuade or even prevent customers from reaching you. So even if the crooks don’t infect your business, they are very likely to affect it.
  • Patches and updates are vital. We don’t know how the crooks got access in this case, but a common entry vector to WordPress sites is via plugins that have security holes that you or your hosting provider forgot to patch. WordPress can keep itself up-to-date, but you also need to keep all the other parts of your system, especially your WordPress plugins, up-to-date as well.

You could also consider investing in a network firewall with web filtering capabilities – web protection isn’t just for users inside your network browsing to the outside.

Security products such as the Sophos XG firewall can also guard you from rogue probes and connections from the outside, adding an extra layer of defence against crooks trying to break in.

Lastly, if you are running your own website, whether it’s on a server that belongs to you or via a cloud service at a hosting company, make sure you pick proper passwords, and turn on 2FA for added login protection if you can.

Remember that crooks who get your password and login just once could leave behind a backdoor, like the one shown here, that gives them unfettered, unaudited and almost undetectable access from then on, even if you change your password.

By the way, if you ever do find yourself wandering in through a crook’s backdoor, like we did here, resist the urge, no matter how tempting, to take a look around “for the sake of research” – you could attract the sort of attention you don’t want.



Ransomware attack forces 2-day shutdown of natural gas pipeline

The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days.

Fortunately, nothing blew up. The attacker never got control of the facility’s operations, the human-machine interfaces (HMIs) that read and control the facility’s operations were successfully yanked offline, and a geographically separate central control was able to keep an eye on operations, though it wasn’t instrumental in controlling them.

Where this all went down is a mystery.

The alert, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), didn’t say where the affected natural gas compression facility is located. It instead stuck to summarizing the attack and provided technical guidance for other critical infrastructure operators so they can gird themselves against similar attacks.

The alert did get fairly specific with the infection vector, though: whoever the attacker was, they launched a successful spearphishing attack, which enabled them to gain initial access to the facility’s IT network before pivoting to its operational technology (OT) network.

OT networks are where hardware and software for monitoring and/or controlling physical devices, processes and events reside. Some examples are SCADA industrial control systems, programmable logic controllers (PLCs), and HMIs.

After the attacker(s) got their hands on both the IT and OT networks, they deployed what CISA called “commodity” ransomware, encrypting data on both networks. Staff lost access to HMIs, data historians and polling servers. Data historians – sometimes referred to as process or operational historians – are used in several industries, and they do what you might expect: record and retrieve production and process data by time and store the information in a time series database.

Although humans partially lost their view of some low-level OT devices, the attack didn’t affect PLCs, and hence, the facility never lost control of operations. From the alert:

At no time did the threat actor obtain the ability to control or manipulate operations.

CISA’s alert also noted that, although the victimized facility’s emergency response plan didn’t specifically take cyberattacks into consideration, a decision was made to implement what DHS called a “deliberate and controlled shutdown” of operations. That shutdown lasted about two days. It also affected other compression facilities that were linked to the victimized site, the advisory said:

Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.

As a result, “the entire pipeline asset” had to be shut down for two days, not just the victimized compression facility.

Why, in this day and age, when ransomware and other malware attacks are running amok, would cyberattacks have been left out of a utility company’s emergency response plan? CISA said in its advisory that the victimized facility pointed to a gap in cybersecurity knowledge as a contributing factor: it’s at the heart of the facility’s failure to “adequately incorporate cybersecurity into emergency response planning.”

For years, DHS has been warning that enemy nations have been ready to disrupt US energy utilities.

In 2018, DHS’s chief of industrial-control-system analysis, Jonathan Homer, got specific. He said that between 2016 and 2018, Russian hackers snared “hundreds of victims” in the utilities and equipment sectors, to the point where “they could have thrown switches” in a way that could have caused power blackouts. Similarly to the recently announced natural-gas compression facility attack, those compromises also started with phishing attacks, according to Homer. He added that the attackers had, at the time, been sophisticated enough to even jump air-gapped networks.

Although we don’t know which malware strain was involved in this week’s advisory, Ars Technica notes that it comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as EKANS had tampered with industrial control systems used by gas facilities and other critical infrastructure.

Dragos reported that EKANS, a ransomware that emerged in December 2019, is pretty straightforward, as ransomware goes: it encrypts, it displays a ransom note. But beyond that, it’s been tailored to cripple industrial control systems in particular. From Dragos’s writeup:

EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space.

ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.

Mind you, we don’t know if EKANS was used in this recent incident at the natural-gas pipeline. What we do know: ransomware exists to specifically target such crucial infrastructure facilities, and operators should be aware of the risks that entails.

Again, CISA’s advisory provides guidance for critical infrastructure operators. Here’s additional guidance for the rest of us:

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

For more advice, please check out our END OF RANSOMWARE page.



Private photos leaked by PhotoSquared’s unsecured cloud storage

Recognize anybody you know?

(Anonymized) photos leaked from PhotoSquared’s unsecured S3 bucket IMAGE: vpnMentor

Probably not, though that’s no thanks to the leaky photo app they dribbled out of. After coming across thousands of photos seeping out of an unsecured S3 storage bucket belonging to a photo app called PhotoSquared, security researchers at vpnMentor blurred a few.

They also blurred a sample from a host of other personally identifiable information (PII) they came across during their ongoing web mapping project, which has led to the discovery of a steady stream of databases that have lacked even the most basic of security measures.

In this case, as they wrote up in a report published this week, the researchers came across photos uploaded to the app for editing and printing; PDF orders and receipts; US Postal Service shipping labels for delivery of printed photos; and users’ full names, home/delivery addresses and the order value in USD.

PhotoSquared, a US-based app available on iOS and Android, is small but popular: it has over 100,000 customer entries just in the database that the researchers stumbled upon.

Customer impact and legal ramifications

vpnMentor suggested that PhotoSquared might find itself in legal hot water over this breach. vpnMentor’s Noam Rotem and Ran Locar note that PhotoSquared’s failure to lock down its cloud storage has put customers at risk of identity theft, financial or credit card fraud, malware attacks, and phishing campaigns, because the USPS and PhotoSquared postage data arms phishers with the PII they need to sound that much more convincing.

A breach of this kind of data could also lead to burglary, they said:

By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.

Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.

The legal hot water that may await could be found in California, vpnMentor suggests, given its newly enacted California Consumer Privacy Act (CCPA), with the law’s new, strict rules about corporate data leaks.

Securing an open S3 bucket

PhotoSquared, for its part, could have secured its servers, say Rotem and Locar, implemented proper access rules, and not left a system that doesn’t require authentication lying around open to the internet.

As it was, the database was set up with no password and no encryption.

From vpnMentor’s report:

Our team was able to access this bucket because it was completely unsecured and unencrypted.

The leaky PhotoSquared app is just the most recent story (one in a long chain) about misconfigured cloud storage buckets. Last week, it was JailCore, a cloud-based app meant to manage correctional facilities that turned out to be spilling PII about inmates and jail staff.

The Who’s Who list of organizations that have misconfigured their Amazon S3 buckets and thereby inadvertently regurgitated their private data across the world just keeps getting longer. Besides JailCore last week and PhotoSquared this week, that list contains Dow Jones; a bipartisan duo including the Democratic National Committee (DNC) and the Republican National Committee (RNC); and Time Warner Cable – to name just a few.

Plug those buckets!

Your organization doesn’t have to wind up on that Who’s Who list. There’s help out there for organizations that can take a deep breath, step away from their servers, and plunge in to learn how to better secure them: Amazon has an FAQ that advises customers how to secure S3 buckets and keep them private.

In the case of PhotoSquared, vpnMentor suggested that the quickest way to patch its pockmarked bucket is to:

  • Make it private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to the S3 bucket to further restrict who can access it from every point of entry.
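To make those three steps concrete, here is an added Python audit (not code from vpnMentor, Amazon or PhotoSquared) that checks a bucket’s public-access-block settings, ACL grants and bucket policy for anonymous access, run over a weak configuration of the kind described above and over its hardened counterpart. Both configurations, the bucket name and the account ID are constructed; the ACL group URIs and public-access-block keys are the real AWS ones.

```python
import json
from typing import Any, Dict, List

# Constructed configuration for a bucket in the state described: world-readable,
# no authentication, every public-access guard switched off. Bucket name and
# account ID are placeholders.
WEAK_BUCKET = {
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "acl_grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::photos-example", "arn:aws:s3:::photos-example/*"]}]}),
}

# The same bucket after the three fixes above: private, authenticated, guarded.
HARDENED_BUCKET = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "acl_grants": [],  # owner-only ACL
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/photo-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::photos-example/*"}]}),
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """Both "*" and {"AWS": "*"} mean anonymous access in a bucket policy."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Return the ways this bucket can be reached without authentication (empty list = none found)."""
    issues: List[str] = []
    pab = bucket.get("public_access_block", {})
    disabled = [k for k in PAB_KEYS if not pab.get(k)]
    if disabled:
        issues.append("public access block disabled: " + ", ".join(disabled))
    for grant in bucket.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            issues.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_ACL_GROUPS[uri]}")
    policy = json.loads(bucket.get("policy") or '{"Statement": []}')
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        scope = "limited only by a Condition (review it)" if stmt.get("Condition") else "with no Condition"
        issues.append(f"policy allows {actions} to anyone {scope}")
    return issues


if __name__ == "__main__":
    for name, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(bucket) or ["no anonymous access found"])
```

In a live account the three inputs come from the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls; the audit logic itself needs no network access.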