This past week, the Indonesian National Police held a joint press conference with Interpol to announce the outcome of Operation Night Fury. This effort ultimately led to the arrest of three suspects responsible for a wave of Magecart attacks. It is alleged that these actors were behind several hundred (and possibly more) attacks on e-commerce sites, spanning the globe. The suspects were arrested in December and could face up to 10 years in prison. According to intelligence gathered, the criminals ran a multi-stage operation. At first they would compromise the e-commerce site to syphon off credit card data and personal details. They would then turn around and use the ill-gotten funds to purchase various goods before cashing-out by reselling the goods on local (Indonesian) sites.
Magecart attacks have been traced back to at least 2016 and have hit a number of high-traffic e-commerce sites. Some of these include Ticketmaster, NewEgg, British Airways, and MyPillow.com, so seeing these actors brought down is great win in the ongoing battle for e-commerce security.
Emotet has not slowed down this year. As usual, we are finding that their social-engineering tactics and lures are as timely as ever. Some of the latest campaigns to come to light are taking advantage of the fears and uncertainties surrounding the latest coronavirus outbreak. Phishing and malspam campaigns which masquerade as official notifications from public sources about the health scare are being used to entice targets into downloading Emotet trojans. We have observed several versions of this campaign, all tailored to different locations, languages or dialects. They all basically entice the user into opening malicious attachments which appear to be official notices or information from health officials. During this time of uncertainty surrounding the outbreak of coronavirus, these lures are proving to be particularly successful.
The actors behind these campaigns show no restraint or tact when it comes to preying on the fear of the public. Be careful when opening email attachments (or don’t) and ensure that you are protected by an Active EDR solution that is able to protect against this and all other Emotet campaigns.
By now we are all (hopefully) aware of the reason that popular social media platforms and apps are “free”. These services don’t ask for payment because they monetize your personal details and behavior patterns in return. That data is then worth large amounts of money to interested buyers. That being said, the last entity you would expect to meddle in this practice would be your security or AV vendor. Enter AVAST…
This week it was unveiled that the free anti-virus product AVAST was using its browser extension component to harvest user data. Their “Jumpshot” division would then sell this data to interested buyers. When news broke of this practice, AVAST stated that the information had been fully “de-identified” and therefore should not be of concern. To quote them directly:
“The data is fully de-identified and aggregated and cannot be used to personally identify or target you,”
However, a joint investigation by PCMag and Vice/Motherboard found that large collections of data can in fact be matched to individuals. According to VICE, some big-name companies are listed as buyers of the data scraped by “Jumpshot”, including Microsoft, Pepsi, Google and Home Depot. Even more troubling is that reportedly, most of AVAST’s user base had no idea that this practice was occurring.
The revelations about AVAST and Jumpshot’s practices have been long coming. In December of 2019, Senator Ron Wyden publicly investigated the company and specifically went after them on their troubling practices. Also, in December 2019, Mozilla removed AVAST products from their extension portal due to invasive practices. Others have followed suit.
Note: AVAST issued a press release on January 30, stating that they will be “winding down” the Jumpshot subsidiary.
At the end of the day, you get what you pay for. But at the same time, the folks giving you free stuff usually want something in return. We all need to take time to become painfully aware of and familiar with how our data is being “ingested” during our day-to-day travels on the information superhighway. We don’t all like to take the time to understand that, but it is critical, and for the sake of privacy, an unfortunate necessity.