Lama Security Breach, AT&T Security Lawsuit, Russian Card Theft - Cybersecurity News [April 01, 2024]
We’re back with the latest cybersecurity scoop of the week. We’re here with the SurveyLama security incident, why AT&T is facing class action lawsuits, Russians charging individuals behind a 7-year card skimming campaign, how India freed 250 nationals being forced into cybercrime, and the latest JSOutProx malware strain that can steal your card details so you can avoid these threats.
SurveyLama Security Incident Exposes 4.4 Million Users’ Information
HIBP (Have I Been Pwned) has warned that SurveyLama was the victim of a data breach in February this year.
SurveyLama is a survey platform owned by Globe Media that rewards users for completing surveys. Troy Hunt, the creator of HIBP, got information about a data breach hitting the platform where the birth dates, email addresses, IP (Internet Protocol) addresses, names, passwords, contact numbers, and residential addresses were leaked.
The news was confirmed by SurveyLama, which said that the information of 4,426,879 people was leaked in the data breach. If you’re a user of the platform and have received an email, it means your data was leaked as well. The platform’s passwords were stored as salted SHA-1, bcrypt, or argon2 hashes, so they’re not available as strings to the threat actor and it might take them a while to decrypt them.
It’s best to change your passwords on SurveyLama and on other platforms if you reuse them. The data set has yet to be posted anywhere on the Internet as of now, but threat actors could use it for phishing, extortion, and identity theft.
AT&T Faces Legal Action Following Security Breach Impacting 73 Million Customers
AT&T is facing class-action lawsuits following a data breach that left the data of 73 million customers exposed.
Ten lawsuits have been filed against the organization as it failed to protect the personal information of its customers, which was stolen in a data breach. The threat actors made away with names, residential addresses, phone numbers, birth dates, SSNs (Social Security Numbers), and email addresses of their former and current customers.
The threat actor group Shiny Hunters, breached the organization and attempted to sell the data in 2021. On 17 March 2024, Major Nelson, another threat actor, leaked stolen customer data on a hacking forum. AT&T carried out an internal investigation, highlighting that the stolen data has information about 7.6 million current and nearly 65.4 million former customers. They also shared that the leaked data is from 2019.
If that is true, AT&T let threat actors roam around with their customers’ crucial data for nearly three years, and the lawsuits are justified.
Russian Authorities Indict Individuals for Stealing 160,000 Credit Cards
The Prosecutor General Office of Russia indicted six individuals who were part of a hacking group and were using malware to steal credit card information.
The threat actors were using card skimming and stealing payment information from foreign online stores using malicious code that would capture the inputs on order checkout pages. Once they captured the information, they sent it to money mules who made unauthorized purchases or sold the information to threat actors on the dark web.
The six suspects (Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev) have been involved in card skimming scams since 2017 and have made away with over 160,000 cards to date.
The suspects will be sent to the Soviet District Court in Ryazan, where their penalty will be decided. If you frequently shop online, it’s best to use digital payment methods and monitor all card statements so you can identify misuse early on.
India Frees 250 Nationals from Cambodian Cybercrime Syndicate’s Control
This week, the Indian government rescued 250 citizens who were duped in Cambodia and forced into cybercrime.
The government shared how the people were tricked into going to Cambodia for job opportunities but were forced into committing cybercrimes. Many nationals informed India’s Embassy in the Southeast Asian country, after which the government worked with Cambodian authorities to locate these individuals and bring them back.
The government announced that it had saved 250 citizens, 75 of whom had been in the last three months. The individuals who were saved shared how they were lured in with data entry jobs but were forced into carrying out scams by Chinese and Malaysian scammers and had to live in horrific conditions.
They were forced to create fake social media profiles and use them to defraud Indian nationals and were even assigned daily quotes. If they could not meet the quotas, the threat actors isolated them and did not give them food.
Investigations are still ongoing, and the government is working to locate and repatriate more victims.
Visa Alerts on Updated JsOutProx Malware Strain Aimed at Financial Institutions
Visa has warned about a new JsOutProx malware being delivered via phishing campaigns that are targeted at financial institutions.
Visa’s PDF (Payment Fraud Disruption) sent security alerts to all card issuers about this new RAT (Remote Access Trojan) campaign that is targeting the Middle East, South Asia, and Africa. JsOutProx is a RAT with a hidden JavaScript backdoor that allows threat actors to run shell commands, download malware, capture screenshots, and execute files.
Resecurity shared a report on the workings of the phishing operation where the threat actors send fake financial notifications to targets via email that contain ZIP archived .js files. Once the victim executes this file, it downloads the malicious payload.
The second stage of the malware allows the threat actors to avoid detection, alter network proxy settings, steal clipboard content, extract Outlook contacts, steal OTPs (One Time Passwords), modify the registry for deep system access, and maintain persistence. The threat actors can also exfiltrate data from the infected system to the threat actors. All of these are the new capabilities of the updated strain of JsOutProx.
The attacks look like the work of the Solar Spider threat actor but there’s no solid proof as of yet. It’s best to keep an eye out on such emails and avoid opening the files. You should make it a practice to verify unsolicited or urgent payments via the official website or contact the financial institution. Furthermore, deploy top-notch phishing protection solutions and enhance your phishing awareness training programs.