Puma victim of a cyberattack, a QuickBooks scam, an API warning, and more
Welcome to Cyber Security Today. It’s Wednesday, February 9th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Sportswear brand Puma has acknowledged its North American operations were hit by a data breach in December. According to a notice filed with the State of Maine, names, Social Security numbers and other personal information of 6,632 people were stolen. According to the Bleeping Computer news service, the breach followed a ransomware attack that hit the cloud-based Kronos workforce management service, used by a number of companies for tracking employee attendance. I reported on this attack on Kronos’ parent company, UKG, in December.
An application programming interface, or API, is a piece of software code that lets companies expose their data to other applications. APIs are increasingly an invisible part of the way people use the internet. However, if not written properly, an API can open a hole for hackers. The latest example comes from researchers at Pen Test Partners. They found a vulnerability in the API used by the website of delivery service DPD Group for tracking parcels. The site creates a map for an authorized customer showing where a parcel is. However, a skilled hacker could leverage the vulnerability by typing in a postal code and ultimately figure out a recipient’s address. The hole has been fixed. But the lesson for application developers is that the principles of cybersecurity have to be followed when creating APIs.
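The story above describes a tracking API that treated a guessable value as if it were proof of identity. The following is an added illustration of that class of flaw and its fix, not code from DPD Group or from Pen Test Partners’ research: the parcel records, session store, function names and the specific checks are all constructed assumptions. The flawed handler returns a full street address to anyone who pairs a parcel number with the right postal code; the hardened handler only ever returns the address to the logged-in recipient of that parcel, gives a uniform “not found” answer so a wrong postal code cannot be told apart from a wrong parcel number, and throttles repeated failures.

```python
import hmac

# Constructed sample data standing in for a courier's parcel database (not DPD's).
PARCELS = {
    "PK1001": {"recipient_id": "u-42", "postcode": "AB1 2CD",
               "address": "1 Example Street, Sampletown", "status": "out for delivery"},
    "PK1002": {"recipient_id": "u-77", "postcode": "ZZ9 9ZZ",
               "address": "9 Other Road, Sampletown", "status": "in depot"},
}

# Constructed session store: bearer token -> user id, issued after a real login.
SESSIONS = {"tok-u42": "u-42"}

# Per-client failure counter used to throttle guessing (assumed in-memory store).
FAILED_ATTEMPTS = {}
MAX_FAILED_ATTEMPTS = 5


def track_vulnerable(parcel_id, postcode):
    """Flawed pattern: a public parcel number plus a low-entropy postcode is the
    only "authentication", and the response includes the full street address."""
    parcel = PARCELS.get(parcel_id)
    if parcel is None or parcel["postcode"] != postcode:
        return None
    return {"status": parcel["status"], "address": parcel["address"]}


def track_hardened(parcel_id, postcode, session_token=None, client="anon"):
    """Hardened pattern: the postcode only unlocks coarse status; the address is
    released solely to the authenticated recipient; failures are uniform and
    rate-limited per client."""
    if FAILED_ATTEMPTS.get(client, 0) >= MAX_FAILED_ATTEMPTS:
        return {"error": "too many attempts"}

    parcel = PARCELS.get(parcel_id)
    # Constant-time compare and a single generic error: the response must not
    # confirm whether the parcel id existed or which part of the input was wrong.
    postcode_ok = parcel is not None and hmac.compare_digest(
        parcel["postcode"].encode(), postcode.encode())
    if not postcode_ok:
        FAILED_ATTEMPTS[client] = FAILED_ATTEMPTS.get(client, 0) + 1
        return {"error": "not found"}

    public_view = {"status": parcel["status"]}
    user = SESSIONS.get(session_token)
    if user is None or user != parcel["recipient_id"]:
        # Not the logged-in recipient: no map pin, no street address.
        return public_view
    return {**public_view, "address": parcel["address"]}


if __name__ == "__main__":
    print(track_vulnerable("PK1001", "AB1 2CD"))
    print(track_hardened("PK1001", "AB1 2CD"))
    print(track_hardened("PK1001", "AB1 2CD", session_token="tok-u42"))
```

The key difference is that the hardened version separates “knows a weak shared value” from “is the authorized customer”: the postcode can at most reveal a status word, and the address requires a session that the server itself issued to the parcel’s recipient.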
Does your company use QuickBooks for its accounting? If so, be warned that crooks are taking advantage of one of its optional features. It allows firms to send customers invoices via email. According to research from cybersecurity company KnowBe4, crooks are sending invoice emails that appear to come from a legitimate partner or supplier using QuickBooks. Victims who click on the ‘Review and Pay’ button end up sending money to the scammer. Worse, the payment request can require that the payer use the ACH (automated clearing house) method, which requires the payer to input their bank account details. So, if the victim falls for the scam, the criminal now has their bank account information. Employees who get an unexpected QuickBooks-generated email invoice should check the email header to see if it originated from QuickBooks’ parent, intuit.com. If it didn’t, it’s a fake. Another option is to contact the purported vendor using a trusted alternate method to verify before paying.
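The header check recommended above can be automated for an accounts-payable mailbox. The script below is an added example, not part of the original story and not KnowBe4 or Intuit code: it parses a raw message, compares the From address domain against intuit.com (the only domain the story names; treating its subdomains as equivalent is an assumption), and then requires that the receiving mail server’s Authentication-Results header shows a DKIM pass for that domain, because the visible From line alone can be forged. The three sample messages, the sender address and the mail server names are all constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# The story names intuit.com as QuickBooks' parent; accepting subdomains is an assumption.
TRUSTED_DOMAIN = "intuit.com"


def is_trusted_domain(domain):
    """True for intuit.com itself or any subdomain of it (assumed policy)."""
    domain = domain.lower()
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def sender_domain(msg):
    """Domain of the address in the From header (the part a reader sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_pass_domains(msg):
    """Domains with dkim=pass in Authentication-Results, as stamped by our own
    inbound mail server (assumed to be the trust boundary here)."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        for clause in str(value).split(";"):
            if re.search(r"\bdkim=pass\b", clause, re.I):
                m = re.search(r"header\.d=([\w.-]+)", clause, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains


def check_invoice_email(raw):
    """Return ("accept" | "reject", reason) for a QuickBooks-style invoice email."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    if not is_trusted_domain(domain):
        return ("reject", f"From domain {domain!r} is not {TRUSTED_DOMAIN}")
    if not any(is_trusted_domain(d) for d in dkim_pass_domains(msg)):
        return ("reject", "no DKIM pass for intuit.com; the From line may be forged")
    return ("accept", "origin consistent with QuickBooks; still verify the vendor out of band")


# Constructed sample messages (headers only matter for this check).
LEGIT = (
    "From: Acme Supplies via QuickBooks <quickbooks@notification.intuit.com>\n"
    "To: payables@victim.example\n"
    "Subject: Invoice 1042 from Acme Supplies\n"
    "Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=intuit.com;\n"
    "  dkim=pass header.d=intuit.com\n"
    "\nReview and Pay: https://invoice.example/pay\n"
)
LOOKALIKE = (
    "From: Acme Supplies <billing@acme-supplies-invoices.example>\n"
    "To: payables@victim.example\n"
    "Subject: Invoice 1042 from Acme Supplies\n"
    "Authentication-Results: mx.victim.example; dkim=pass header.d=acme-supplies-invoices.example\n"
    "\nReview and Pay: https://invoice.example/pay\n"
)
FORGED_FROM = (
    "From: Acme Supplies via QuickBooks <quickbooks@notification.intuit.com>\n"
    "To: payables@victim.example\n"
    "Subject: Invoice 1042 from Acme Supplies\n"
    "Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail.example; dkim=none\n"
    "\nReview and Pay: https://invoice.example/pay\n"
)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("forged", FORGED_FROM)]:
        print(name, check_invoice_email(raw))
```

An “accept” here only means the mail really came through Intuit’s sending infrastructure; as the story notes, the safer final step is still to confirm the invoice with the vendor over a trusted channel before paying.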
Finally, Valentine’s Day is a few days away. This is a time when people using online dating apps should watch for scams and doxing, say researchers at Kaspersky. Doxing is the term for blackmailing people by publishing their private information or intimate photos. Don’t tie your social media account to a dating app profile. That gives anyone a lot of information about you. Use the in-app chat rather than giving out your phone number until you are sure who you are communicating with. Be wary if your online match asks you to install an app on your phone or visit a certain website. Crooks also set up fake websites that mimic real dating apps.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.