Three charged in U.S. email scam, French police arrest COVID hacker and an app developer makes a security mistake.
Welcome to Cyber Security Today. It’s Monday, October 11th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com. To Canadian listeners, Happy Thanksgiving and thanks for tuning in on a holiday.
Three American residents – including an insider who worked at two U.S. banks – have been charged with running a money-laundering scheme involving a business email compromise scam. According to the Bleeping Computer news service, one man who worked for the Bank of America and TD Bank between 2015 and 2018 allegedly opened several bank accounts and falsified bank book entries under the scheme. The indictment alleges the three men hacked into the email systems of companies in a number of countries. After learning how a company worked, the gang allegedly sent phony emails to an employee requesting a payment that mirrored a real transaction that was due. But instead of going to the intended company, the money allegedly went into accounts controlled by the gang. One of the techniques the gang allegedly used was creating email accounts with addresses similar to the ones victims were expecting. The case is another example of why employees with the authority to make financial payments have to be extra vigilant in screening emails.
Police in France arrested a 22-year-old resident for allegedly stealing and posting last month the names, birth dates and COVID-19 test results of 1.4 million people. He allegedly did it by breaking into the file-sharing server of a Paris hospital network. The French news site Sunday Journal said the breach was the accused’s way of protesting the obligation to show proof of vaccination certificates to access events, stores and restaurants.
IT security professionals know that one way cyber attackers sneak into victims’ computers is by abusing Microsoft Office’s ability to run commands through macros. That’s why – hopefully – all organizations turn off the ability to automatically run macros contained in a link in an email. According to the news site The Record, Microsoft is going one step further. Starting at the end of this month it will disable a feature in Microsoft 365’s Excel spreadsheet called Excel 4.0 macros. This capability, also known as XLM macros, dates back to 1992. It was replaced by VBA macros. The problem is that recently attackers have picked up on the XLM macro vulnerability and are hacking into systems by sending victims infected Excel spreadsheets with malicious XLM macros. Microsoft is finally meeting this challenge by disabling XLM macros – but only for those using the Microsoft 365 cloud-based service. IT departments can manually disable Excel’s ability to automatically run macros.
Finally, software developers continue to avoid security best practices with their applications. The latest example is a craft brewery in Scotland called BrewDog, which created a mobile app for 200,000 shareholders to log into the company’s website. Unfortunately, all app users had the same hard-coded digital bearer token for logging in. That meant once logged in, any user could access any other user’s account, including their personal information. The discovery was made by a security firm called Pen Test Partners. It said hard-coded tokens should only be provided after successful authentication. Before it was fixed, an attacker could have brute forced the customer IDs and downloaded the entire database of customers. What the app’s developers should have done, says Pen Test Partners, is put the app through a thorough security review before it was released a year and a half ago.
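To show the design flaw in the BrewDog story beside the fix, here is an added example (not the app’s own code, and built on constructed sample accounts and a hypothetical placeholder token): one handler authorizes any request carrying the app-wide static token and returns whichever customer id the client asks for, while the hardened handler only honours tokens issued after a successful login and derives the account from the token rather than from the request.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts (not real data). Passwords are stored as salted
# PBKDF2 hashes; the plaintexts used below are "pw-alice" and "pw-bob".
def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def _account(username, pw, email):
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": _hash(pw, salt), "email": email}

CUSTOMERS = {1001: _account("alice", "pw-alice", "alice@example.com"),
             1002: _account("bob", "pw-bob", "bob@example.com")}

def _public(rec):
    # Never return secrets or hashes to the client, only profile fields
    return {"username": rec["username"], "email": rec["email"]}

# --- Vulnerable pattern: one static bearer token shipped inside every copy of the
# app, and the record returned is picked by a client-supplied customer id. The
# token proves only "this came from the app", not which customer sent it.
SHARED_TOKEN = "static-token-baked-into-the-app"  # hypothetical placeholder value

def vulnerable_profile(auth_header, customer_id):
    if auth_header != f"Bearer {SHARED_TOKEN}":
        return None
    rec = CUSTOMERS.get(customer_id)
    return _public(rec) if rec else None

# --- Hardened pattern: a token exists only after a successful login, is bound
# server-side to exactly one account, and the handler takes the account from it.
SESSIONS = {}  # token -> customer id

def login(username, password):
    for cid, rec in CUSTOMERS.items():
        if rec["username"] == username and hmac.compare_digest(
                rec["hash"], _hash(password, rec["salt"])):
            token = secrets.token_urlsafe(32)  # unguessable, per-session
            SESSIONS[token] = cid
            return token
    return None

def secure_profile(auth_header, requested_id=None):
    if not auth_header.startswith("Bearer "):
        return None
    cid = SESSIONS.get(auth_header[len("Bearer "):])
    if cid is None:
        return None
    if requested_id is not None and requested_id != cid:
        return None  # refuse cross-account reads even if the app sends another id
    return _public(CUSTOMERS[cid])
```

With the vulnerable handler, one valid token reads every record just by varying the id; with the hardened one, a token can only ever read the account it was issued to.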
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.