
#ThreatThursday | 7th May 2020 | Cyber Security Updates

It’s Thursday again - time to hold our noses as we dive once more into the week’s cyber security slip-ups.

This week there’s one clever phishing campaign, one utterly terrible one, and one big data breach at the world’s biggest domain hosting company.

GoDaddy, GoingDaddy, GoneDaddy: Domain Registry Service Suffers Colossal Data Breach

GoDaddy has seen 28,000 of its registered accounts compromised following revelations of an outside breach. Adding insult to injury, this unauthorised access took place as far back as October 2019, leaving the accounts exposed for over half a year before the discovery was made earlier this week.

Since revealing the breach, GoDaddy has blocked the person responsible from further login attempts and reset all passwords across the affected accounts. Demetrius Comes, GoDaddy’s CISO & VP of Engineering (and the unlucky messenger of the whole sorry situation), has assured customers that information stored within customer accounts “was not accessible by this threat actor”. He also claims that there is no evidence of any files being deleted, added or otherwise amended. A copy of the company’s email alerts is viewable here.

This is an embarrassing situation, not least for a domain hosting company that presumably takes site security very seriously. Common speculation is that the company’s SSH servers were left vulnerable to brute force attacks, and were possibly further compromised by a successful phishing campaign against the company last month. Regardless, if GoDaddy is your website hosting provider of choice, it might be prudent to change some login details and enable Two Factor Authentication, if you haven’t already.

This EE Phishing Email is a Great Idea with Terrible Execution

While we’re loath to label any phishing email as a ‘great idea’, this recent example at least gets a few things right. First of all, it adopts the guise of one of the UK’s leading telecom companies, securing itself a wider target market and potentially a greater ‘hit’ rate with victims. Second, the campaign is tightly targeted, going out to executives at top UK businesses - because you might as well target the wealthy in the pursuit of banking details, right? Finally, the phishing email links to an HTTPS secured website. Once a rarity among phishing sites, which typically went no further than the outdated HTTP protocol, HTTPS domains are seeing widespread use among cyber criminals, who are adapting to a security-conscious public.

Or perhaps not, as this email demonstrates. For you see, there are some mistakes in here that we wouldn’t even call ‘schoolboy errors’, for fear of alienating our already-meagre schoolboy demographic. First of all, there’s the content of the email itself (viewable here, with thanks to TechRadar). The very first line is as vague as it gets, suggesting the scammers daren’t commit to any narrative lest the recipient pick holes in it. An email that doesn’t actually explain why the company needs your bank details is… less than professional. Meanwhile, the email address doesn’t come from anywhere even resembling EE’s official domain; it seems to come from a lady called Monique in the Netherlands, though we appreciate the frankly adorable attempt at legitimacy by putting “EE” in the ‘From’ header.

All in all: poor effort, 2/10, F-Minus, see me. Nonetheless, be on the lookout for this email if you’re in a high-level job role; people do still fall for these scams, and if the embarrassment of doing so doesn’t sting them, the pinching of their bank details certainly will.

Teams Still Being Picked on by Bigger, Meaner Internet Users

Teams continues to be the software of choice among remote workers – which is why it’s just as popular with cyber criminals the world over.

In a recently discovered phishing campaign, criminals are making convincing use of Microsoft’s branding, format and texts to impersonate automated messages. The emails innocuously suggest that users have unread messages in Teams, and are near-indistinguishable from Teams’ own email notifications. The technique is almost ingenious, preying more on the users’ own sense of commitment than on the fear, say, that their account has been compromised.

Clicking the link redirects the victim to a dodgy Office 365 login page; again, this is convincingly recreated and near indistinguishable from the same page many of us see every day. From here, all it takes is for the victim to enter their login details for the crims on the other end to lap it all up.

It sure beats this week’s other phishing attempt, that’s for sure, and it demonstrates just how ruthless we need to be when answering unexpected emails. The team behind this discovery, Abnormal Security, does note a major tell-tale sign in their recently published report, however:

“In one of the attacks, the sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated to either Microsoft or the IRS.”

There may yet be other suspect email addresses left uncovered in these emails – so familiarise yourself with Microsoft’s own, legitimate URLs and make sure you’re not clicking on something far less savoury should one of these pollute your inbox. Otherwise, treat any unexpected emails with caution; if you really do have unread Teams messages, the best place to check is the Teams client itself.
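Both of this week’s phishing emails share the same tell: a ‘From’ header whose display name claims a brand (“EE”, “Microsoft Teams”) while the actual address sits on a domain that brand never sends from, or on a lookalike such as the “sharepointonline-irs.com” quoted above. The check below is an added example written for this post, not code from Mirus IT, Abnormal Security or Microsoft; the allowlist of legitimate domains and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr
import re

# Constructed, illustrative allowlist of domains each brand really sends from;
# a real deployment would maintain its own list for the brands it cares about.
BRANDS = {
    "ee": {
        "legit": {"ee.co.uk"},
        "display": ("ee",),      # words in a display name that claim the brand
        "domain": (),            # "ee" is too short to search for inside domains
    },
    "microsoft": {
        "legit": {"microsoft.com", "sharepointonline.com"},
        "display": ("microsoft", "teams", "office 365", "sharepoint"),
        "domain": ("microsoft", "teams", "sharepoint", "office365"),
    },
}

def split_from(from_header):
    """Return (display name, sender domain), both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain

def is_legit(domain, legit_domains):
    """True if the domain is, or is a subdomain of, a listed legitimate domain."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)

def assess_from(from_header):
    """Return sorted (brand, reason) pairs for a From: header; empty means no flag."""
    name, domain = split_from(from_header)
    findings = set()
    for brand, cfg in BRANDS.items():
        if is_legit(domain, cfg["legit"]):
            continue
        # Display name claims the brand, but the address is not on the brand's domains
        if any(re.search(r"\b%s\b" % re.escape(w), name) for w in cfg["display"]):
            findings.add((brand, "display_name_mismatch"))
        # Domain embeds a brand keyword without being a brand domain (sharepointonline-irs.com)
        if domain and any(w in domain for w in cfg["domain"]):
            findings.add((brand, "lookalike_domain"))
    return sorted(findings)

# Constructed sample headers modelled on the two campaigns described in this post.
SAMPLE_HEADERS = [
    "EE <monique@example.nl>",
    "Microsoft Teams <noreply@sharepointonline-irs.com>",
    "Microsoft Teams <noreply@email.teams.microsoft.com>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr, "->", assess_from(hdr) or "no flag")
```

A mail filter or SIEM rule built on this idea should treat the result as a triage signal, not a verdict, since legitimate third-party senders also use brand names in display text.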

These are the Droid Updates You’re Looking For

Okay, so we’re a little late on the Star Wars puns this week.

Google has released the latest update to its Android operating systems, scrubbing away three critical security vulnerabilities including a Remote Code Execution exploit. The bulletin explains:

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process”.

Translated to Normal Speaking Person, this essentially means that an attacker could send a specially crafted transmission to the phone and run their own code with the privileges of a system process, giving them full control over the device. The good news is that no examples of this being exploited in the wild have been reported, suggesting the boffins at Google spotted this vulnerability before any malicious actors could.

The full security bulletin, detailing all other critical fixes, can be found right here. Time to update those devices, folks.

And that’s another week of threats wrapped up. Join us next week for more of the latest rumblings from the grisly world of cyber crime.

Threat Thursdays in your inbox

Better yet, why not sign up for our weekly newsletter? Just pop your email address in the box on the right ➡️ of this page and we’ll be sure to drop all the latest security news into your inbox every Thursday!
