May 30 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that keeps it 💯
Today’s hottest cyber security stories:
90 organisations hit by Capita hack-attack
BrutePrint hack lets scammers brute-force smartphones’ fingerprint lock
Hackers phish with fake .zip domains… as expected 😐
Uh-oh, according to a privacy watchdog, approximately 90 organisations have reported breaches of personal data held by Capita, the outsourcing giant.
In March of this year, Capita suffered a cyber attack. Separately, a pool of its data was later found to have been left unsecured online.
As a result, hundreds of thousands of individuals are now being notified that they may have been affected by the hack.
Capita says it has taken measures to secure the data.
The Information Commissioner's Office (ICO), the authority responsible for privacy and data protection, has confirmed that around 90 organisations have reached out regarding the Capita breaches.
"We are currently receiving numerous reports from organisations directly impacted by these incidents, and we are actively conducting inquiries," said the ICO.
Capita serves a substantial number of public and private entities, managing the personal information of millions of people.
Many company pension schemes use Capita to administer payments, and its client base also includes councils.
Capita faces two main issues: the earlier cyber attack this year and the recent revelation in May that an online repository of files had been left unsecured.
Capita has stated, "We are working closely with specialised advisors and forensic experts to investigate the cyber incident, and we have taken extensive measures to recover and secure the data."
Don’t say it!
According to security researcher Kevin Beaumont, the initial incident, which he believes was a ransomware attack, is significant due to the potential scope of data at risk, posing a threat of fraud to the victims.
Ransomware is fast becoming the scourge of the 2020s. The sooner paying the criminals is outlawed, the better.
A team of researchers has uncovered a cheap way to brute-force the fingerprint lock on smartphones, bypass user authentication, and take control of the devices.
Known as BrutePrint, this approach circumvents the restrictions implemented to prevent multiple failed biometric authentication attempts by exploiting two zero-day vulnerabilities within the smartphone fingerprint authentication (SFA) framework.
Mine CAMF 💀
These two vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), are logical flaws in the authentication framework that let an attacker sidestep the attempt limit. On top of that, the researchers found that fingerprint data travelling over the Serial Peripheral Interface (SPI) of the fingerprint sensor is inadequately protected.
That weak link is what gives BrutePrint its "hardware approach to perform man-in-the-middle (MitM) attacks for fingerprint image hijacking," as the research paper by Yu Chen and Yiling He puts it: the attack rig sits between the fingerprint sensor and the Trusted Execution Environment (TEE) and feeds in images of its own choosing.
The primary objective is to carry out an unlimited number of fingerprint image submissions until a match is found. However, it assumes that the threat actor already has physical access to the targeted device.
On top of that, the attacker needs a fingerprint database plus a rig built from a microcontroller board and an auto-clicker to intercept the data sent by the fingerprint sensor. The whole setup costs as little as $15.
The first vulnerability, CAMF, abuses the framework's fault-tolerance logic: the attacker corrupts the checksum on the fingerprint data, so a non-matching attempt is cancelled as a data error instead of being recorded as a failed attempt. The lockout counter never ticks up, which is what hands the attacker unlimited attempts.
On the other hand, MAL exploits a side-channel to infer matches of fingerprint images on the targeted devices, even when they are in lockout mode due to excessive failed login attempts.
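To make the two flaws concrete, here's a toy Python model we've added for this issue (ours, not the BrutePrint researchers' code). It simulates a phone's fingerprint attempt limit twice: a vulnerable version where a corrupted checksum cancels a failed attempt without counting it (CAMF) and where the matcher keeps running while locked, leaking the result through how much work it does (MAL); and a hardened version that charges the attempt up front, checks integrity before matching, and refuses to run the matcher at all while locked. The class names, the 5-attempt limit, the "work units" standing in for a timing side channel and the byte-string fingerprints are all assumptions made for the demo.

```python
"""Toy model of a smartphone fingerprint authentication (SFA) attempt limit,
written for this newsletter issue, not the BrutePrint authors' code. Limits,
work units, class names and the byte-string "prints" are assumptions; matching
is plain byte equality so the counter logic, not biometrics, is on display."""
import hashlib
from enum import Enum, auto

MAX_FAILS = 5      # assumed lockout threshold
MATCH_WORK = 10    # assumed cost of running the matcher
UPDATE_WORK = 5    # assumed extra cost when a match refreshes the template


class Result(Enum):
    UNLOCKED = auto()
    FAILED = auto()
    CANCELLED = auto()   # the "bad data" path that CAMF abuses
    LOCKED = auto()


def checksum(image: bytes) -> bytes:
    """Integrity tag the sensor sends with each image frame (assumed format)."""
    return hashlib.sha256(image).digest()[:4]


class VulnerableSFA:
    """CAMF: a checksum error cancels the attempt only *after* matching, and the
    cancel path never touches the fail counter. MAL: a locked device still runs
    the matcher, so the work done leaks whether the image matched."""

    def __init__(self, enrolled: bytes):
        self.enrolled, self.fails = enrolled, 0

    def authenticate(self, image: bytes, csum: bytes):
        matched = image == self.enrolled        # matcher runs unconditionally
        work = MATCH_WORK + (UPDATE_WORK if matched else 0)
        if self.fails >= MAX_FAILS:
            return Result.LOCKED, work          # verdict hidden, cost is not
        if matched:
            return Result.UNLOCKED, work
        if csum != checksum(image):
            return Result.CANCELLED, work       # failure never counted
        self.fails += 1
        return Result.FAILED, work


class HardenedSFA:
    """Lock check and integrity check come before the matcher, and an attempt
    is charged on submission rather than on a 'failed' verdict."""

    def __init__(self, enrolled: bytes):
        self.enrolled, self.fails = enrolled, 0

    def authenticate(self, image: bytes, csum: bytes):
        if self.fails >= MAX_FAILS:
            return Result.LOCKED, 0             # constant cost, matcher not run
        self.fails += 1                         # charge first; reset on success
        if csum != checksum(image):
            return Result.FAILED, 0             # a bad frame still costs an attempt
        if image == self.enrolled:
            self.fails = 0
            return Result.UNLOCKED, MATCH_WORK + UPDATE_WORK
        return Result.FAILED, MATCH_WORK


def brute_force(device, candidates):
    """CAMF-style loop: every frame carries a deliberately corrupted checksum.
    Returns the 1-based attempt that unlocked, or None once locked out."""
    for n, image in enumerate(candidates, 1):
        bad = bytes(b ^ 0xFF for b in checksum(image))
        result, _ = device.authenticate(image, bad)
        if result is Result.UNLOCKED:
            return n
        if result is Result.LOCKED:
            return None
    return None


def lock_out(device):
    """Burn the attempt budget with well-formed, non-matching frames."""
    wrong = b"not-enrolled"
    for _ in range(MAX_FAILS):
        device.authenticate(wrong, checksum(wrong))
    return device


def infer_match_while_locked(device, candidates):
    """MAL-style probe against an already locked device: the one candidate
    whose response cost differs from all the others is the enrolled print."""
    costs = [device.authenticate(img, checksum(img))[1] for img in candidates]
    odd = [img for img, c in zip(candidates, costs) if costs.count(c) == 1]
    return odd[0] if odd else None


# Constructed sample data: 20 fake prints, the 14th one is enrolled.
CANDIDATES = [f"print-{i:02d}".encode() for i in range(20)]
ENROLLED = CANDIDATES[13]

if __name__ == "__main__":
    for cls in (VulnerableSFA, HardenedSFA):
        print(cls.__name__, "unlocked on attempt", brute_force(cls(ENROLLED), CANDIDATES),
              "| leaked while locked:", infer_match_while_locked(lock_out(cls(ENROLLED)), CANDIDATES))
```

Run it and the vulnerable model unlocks on the 14th corrupted-checksum frame while the hardened one is locked out after five; against a locked vulnerable device the probe picks the enrolled print out of the 20 candidates, while the hardened one gives it nothing. The fix that matters is ordering: decide whether you are even willing to run the matcher before you run it, and count the attempt before you know the verdict.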
Scary prospect, eh? Still, fair play to the researchers. Doing God’s work!
My, oh, my, what a malicious day! Well, don’t say we didn’t warn you, folks! A recently discovered phishing technique called "file archiver in the browser" enables threat actors to mimic file archiver software within a web browser when victims visit a .zip domain.
The method involves simulating a file archiver software, such as WinRAR, within the browser interface, creating a convincing phishing landing page. By utilising a .zip domain, the attackers make their malicious page appear more authentic, enhancing the effectiveness of social engineering campaigns.
Think twice before you click a zip!
In a potential attack scenario, perpetrators could employ this technique to redirect users to a credential harvesting page when they click on a file "contained" within the deceptive ZIP archive.
Another trick is listing a harmless-looking file such as "invoice.pdf" in the fake archive: clicking it actually downloads an executable (a .exe, for instance) or whatever other file the attacker chooses.
Additionally, the search bar in Windows File Explorer can serve as a covert gateway. If a user searches for a .zip file that does not exist but whose name matches a registered .zip domain, Explorer opens that domain straight in the web browser, which plays right into the deception.
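Here's a small check you could drop into a mail filter or chat bot, added for this issue as an illustration and not the technique author's code: it scans a message for bare tokens like "invoice.zip" that a browser or the File Explorer search bar would treat as a hostname, while leaving alone a .zip that is merely a file extension in a URL path or on a local disk. The sample message, the helper names and the list of file-like TLDs are constructed for the demo.

```python
"""Scanner for bare '.zip'/'.mov' tokens that browsers and the File Explorer
search bar would treat as hostnames. Written for this newsletter issue as an
illustration; the sample text, names and TLD list are constructed."""
import re
from urllib.parse import urlsplit

# TLDs that read like file extensions (assumed list; extend as new ones land).
FILE_LIKE_TLDS = {"zip", "mov"}

# A bare token such as "invoice.zip" or "mail.setup.mov": letters, digits,
# hyphens and dots only, ending in one of the file-like TLDs.
BARE_HOST = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:zip|mov)", re.I)


def find_zip_domain_lures(text: str):
    """Return (token, host) pairs for every token that would resolve to a
    file-like TLD. A '.zip' at the end of a URL *path* or inside a local file
    path is left alone: only a '.zip' in the host position counts."""
    lures = []
    for raw in text.split():
        tok = raw.strip(".,;:!?()[]<>\"'")
        if not tok:
            continue
        if "://" in tok:
            host = (urlsplit(tok).hostname or "").lower()   # full URL: judge the host only
        elif "/" in tok or "\\" in tok:
            continue                                        # C:\... or ./... is a file, not a host
        elif BARE_HOST.fullmatch(tok):
            host = tok.lower()                              # what the browser would navigate to
        else:
            continue
        if host.rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
            lures.append((raw, host))
    return lures


# Constructed sample: two lures, one local path, one URL whose path merely ends in .zip.
SAMPLE = """Hi, quarterly figures are in report-q2.zip (see attached).
Last quarter's backup lives at C:\\Backups\\report-q1.zip and the public copy is
https://files.example.com/downloads/report-q1.zip. Preview clip: teaser.mov!"""

if __name__ == "__main__":
    for raw, host in find_zip_domain_lures(SAMPLE):
        print(f"{raw!r} would open host {host}")
```

On the sample it flags report-q2.zip and teaser.mov and nothing else. The point of the path checks is precision: plenty of legitimate links end in .zip, and a filter that screams at every one of them gets switched off within a week.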
So, don’t come unzipped… Stay safe out there folks!
So long and thanks for reading all the phish!