17,000 Domains Infected With Credit-card-stealing Code

Thank you Amazon Cloud Services for making it so easy to screw up. Over 17,000 Domains Infected with Code that Steals Card Data.

Magecart. The skimmer steals the credit card data you enter when checking out online.

Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains by overwriting JavaScript files hosted in misconfigured Amazon S3 buckets that let anyone write to them.

All made possible by people using Amazon’s cloud storage who refuse to think about security.

The more popular domains are on “Alexa’s top 2,000 ranking list.” Because if you’re going to hack into sites, it makes sense to target the popular ones.

One recommended action to prevent unauthorized editing of files in an Amazon S3 bucket is limiting write permissions to trusted users only, which means checking the bucket policy and ACL for any grant that lets an anonymous or wildcard principal put or delete objects.

But that would be complicated. I would have to get a list of users I trust, and update it when new people are hired or old people leave, and that is just too complicated. Can’t I just leave access open? Surely no one will notice and try to hack in, will they? </sarcasm>

And besides, the people screwing up aren’t the ones having their credit card data stolen.
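The check behind that recommendation, as an added example (not code from the original post, from RiskIQ, or from Amazon): walk an S3 bucket policy document and report every Allow statement that gives a wildcard principal a write action. The two policies below are constructed for illustration; the bucket name, the account ID and the role name are made up.

```python
"""Flag S3 bucket policy statements that let anyone write objects.

Added example, not from the original post. The policies are constructed:
"example-site-assets", account 123456789012 and the "site-deployer" role are
placeholders, not real resources.
"""
import json
from fnmatch import fnmatchcase

# Actions that let a caller replace, remove or re-ACL an object. A skimmer
# operator only needs PutObject to append code to a hosted .js file.
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketpolicy", "s3:putbucketacl")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS", [])))
    return False


def public_write_statements(policy_json):
    """Return [(Sid, [matched write actions]), ...] for statements that grant
    a write action to a public principal. Conditions are ignored on purpose:
    a flagged statement still needs a human look, a narrowing Condition may
    or may not make it safe."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # "s3:*" and "s3:Put*" style wildcards must match too, hence fnmatch.
        matched = sorted(w for w in WRITE_ACTIONS
                         if any(fnmatchcase(w, p) for p in patterns))
        if matched:
            findings.append((stmt.get("Sid", "<no Sid>"), matched))
    return findings


# Constructed: the weak policy, public read AND public write on every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-site-assets/*",
    }],
})

# Constructed: the corrected policy. Reads stay public (it is a website),
# writes are limited to one deployment role in the owning account.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-site-assets/*",
        },
        {
            "Sid": "DeployerWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
            "Action": ["s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-site-assets/*",
        },
    ],
})

if __name__ == "__main__":
    print("weak policy findings:", public_write_statements(WEAK_POLICY))
    print("fixed policy findings:", public_write_statements(FIXED_POLICY))
```

The checker only reads the policy document, so it does not need AWS credentials; feed it the output of a `get-bucket-policy` call or a policy from version control. A bucket ACL can grant the same thing outside the policy, so review that too, and turning on S3 Block Public Access at the account level stops a future policy edit from reopening the door.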


It Seems Someone From Hong Kong Is Scanning my Blog

They aren’t doing it with a standard web crawler, because it is too slow for that. It started on June 30th when for a day they went through about 250 pages. Then again on Friday they went through another 300 or so pages. More scanning today.

I don’t pay for access to the full statistics, so it isn’t immediately clear what is going on, but it seems strange. On a normal day, I get no visitors from Hong Kong. I also can’t say how long they are on each page, or even if it is one IP moving programmatically or multiple people or what.

Now I had a post about China on Thursday, so that might explain Friday. But prior to June 30th, I hadn’t mentioned China since May 27.

A review of what passes for support at WordPress reveals that this is an ongoing thing. Something that has been building for 6 or 8 months anyway. No one from WP seems to be taking it seriously. Not that they are saying in the support forums anyway. So, a mystery…

“Curiouser and curiouser! (Cried Alice.)”
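What the hosted stats page hides is easy to pull from a raw access log, if you have one. As an added example (not from the original post; the log lines are constructed in Apache/nginx "combined" format and use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24, not real visitors), here is the usual first check: group requests by client address, count distinct pages, and look at the typical gap between requests. A human reader with a couple of pages minutes apart looks nothing like one address walking page after page on a fixed interval.

```python
"""Spot a single client paging through a site on a machine-like schedule.

Added example, not code from the original post. SAMPLE_LOG is constructed;
the addresses are from documentation ranges and the paths are invented.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# "combined" log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def client_stats(lines):
    """Per client address: request count, distinct paths, median seconds
    between consecutive requests (None for a single hit) and user agents."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the run
        per_ip[rec["ip"]].append(rec)
    stats = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        stats[ip] = {
            "requests": len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "median_gap": median(gaps) if gaps else None,
            "user_agents": sorted({r["ua"] for r in recs}),
        }
    return stats


def flag_scanners(lines, min_pages=5, max_median_gap=30.0):
    """Addresses that fetched at least min_pages distinct pages with a median
    gap of max_median_gap seconds or less. Thresholds are a starting point;
    tune them to the site's normal traffic."""
    flagged = []
    for ip, s in client_stats(lines).items():
        if (s["distinct_paths"] >= min_pages and s["median_gap"] is not None
                and s["median_gap"] <= max_median_gap):
            flagged.append(ip)
    return sorted(flagged)


def _line(ip, ts, path, referer, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123 "{referer}" "{ua}"'


# Constructed sample: one address walking six posts at ten-second intervals,
# one ordinary visitor reading two pages five minutes apart.
SAMPLE_LOG = [
    _line("203.0.113.45", f"30/Jun/2019:09:00:{10 * i:02d} +0000",
          f"/2019/06/post-{i + 1}/", "-", "Mozilla/5.0 (compatible; example-fetcher)")
    for i in range(6)
] + [
    _line("198.51.100.7", "30/Jun/2019:09:01:00 +0000", "/2019/06/post-1/",
          "https://example.invalid/search", "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"),
    _line("198.51.100.7", "30/Jun/2019:09:06:30 +0000", "/about/",
          "https://example.invalid/2019/06/post-1/", "Mozilla/5.0 (Windows NT 10.0) Firefox/67.0"),
]

if __name__ == "__main__":
    for ip, s in client_stats(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

Nothing here answers the "who" or "why"; it only separates one client on a timer from people reading, and it tells you whether the user agent admits to being a bot. Distinguishing one address from many addresses behind the same country label still needs the raw log, which is exactly what the hosted stats page withholds.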

Google: “Like a horror movie villain that just won’t die”

When they first got busted on this, they said, just delete the emails. Google Keeps Gmail Purchase History.

At the time, Google claimed it tracks the info so that Google Assistant can track packages or reorder items, adding that users could simply delete everything by tapping into a purchase and removing the Gmail. However, it only worked if each purchase was deleted individually, which could take hours or even days depending on a person’s purchase history.

Still, Haselton decided to delete everything in his Gmail inbox — more than a decade of information. And it didn’t work.

Even after deleting all those emails, Google still had a record of his purchases.

“Like a horror movie villain that just won’t die,” he wrote, adding that he can “still see receipts for things I bought years ago. Prescriptions, food deliveries, books I bought on Amazon, music I purchased from iTunes, a subscription to Xbox Live I bought from Microsoft — it’s all there. Google continues to show me purchases I’ve made recently, too. I can’t delete anything and I can’t turn it off.”

I still have a Gmail account connected to this blog, though I may dump it as well. But Google is mostly out of my life. It should be out of yours as well.

Your Not-so-smart Home – 2 Billion Records Exposed

Billion with a B. If you think your smart home is making you safe, you might be kidding yourself. Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach.

Orvibo is a Chinese company that makes “smart home” hubs, and outlets, and a bunch of other things. It turns out they have an awful lot of data about their customers, and they made it all public.

The list of data included in the breach is extensive according to the vpnMentor report and includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise geolocation
  • IP address
  • Username
  • UserID
  • Family name
  • Family ID
  • Smart device
  • Device that accessed account
  • Scheduling information

The kinds of things this lets bad guys do… Access your security camera. Unlock your smart lock. Lock you out of your account.

OK, this is a story about data being made public, but why are they logging all of this data in the first place? Even if they don’t make it public, this is a lot of data to entrust to a company that doesn’t seem to have your security on its radar.

Important Safety Note: Don’t Throw Coins at Jet Engines

It won’t bring you luck. Why Do Chinese People Keep Throwing Coins into Plane Engines?.

There have been several Weibo blogs and articles published that discuss this topic and the most common word to appear in relation to the phenomenon of throwing coins at plane engines is ‘luck’ (祈福).

Apparently people are beginning to think of jet engines as magical wishing wells.

Here’s a video that describes the inner workings of a jet engine, starting with a turbojet and working its way through to what you see on modern passenger airliners (and most other places) today, a high-bypass-ratio ducted-fan engine. As you can see, adding a hard metal foreign object is not likely to improve operations.

I don’t particularly like this video, but most of the videos produced by the engine manufacturers (GE, Pratt & Whitney, and CFM) while easy to find, come off sounding like advertising. Which they are, for the most part.

If you are superstitious and are craving a little extra luck before a long flight, do not throw coins into an aircraft engine. Instead, carry a lucky charm, say a prayer, or just rely on good ol’ positive thinking!

New Ransomware Attacks Flaw Patched in October of 2018

I guess some people just refuse to accept the fact that YOU NEED TO UPDATE YOUR DAMN MACHINES. New Ransomware Found Exploiting Former Windows Zero-Day Flaw. At this point, no one feels sorry for you.

Kaspersky Lab has detected ransomware known as Sodin (also called Sodinokibi or REvil). It seems to be fairly sophisticated.

The ransomware takes advantage of the architecture of the central processing unit (CPU) to avoid detection (per Kaspersky’s write-up, the “Heaven’s Gate” trick of switching a 32-bit process into 64-bit execution, which many analysis tools do not follow) – functionality that is not often seen in ransomware.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors,” said Fedor Sinitsyn, a security researcher at Kaspersky.

A lot went into the creation of this encryptor, so you can be sure that it will be used far and wide. So far use is concentrated in Asia, but it has been seen in Europe, and in both North and South America.

The vulnerability the ransomware uses, CVE-2018-8453, is a Windows win32k elevation-of-privilege flaw that was earlier found to be exploited by the FruityArmor hacking group. It was patched on October 10, 2018, Kaspersky said. Note that this is a local privilege escalation used once the ransomware is already running on the machine; patching it takes away the escalation, not the initial way in.

UPDATE your machines, and keep them updated.

Another Florida City Hit With Ransomware

I missed this story. It certainly didn’t get the coverage of Baltimore, or Atlanta, or even Riviera Beach.

You can expect cities, counties, and other municipal organizations to get hit with similar attacks in the near future. They run their own email-servers. (Because that’s what they’ve always done!) The powers-that-be won’t approve money for stuff like anti-virus, updated software, updated PCs, etc. because “Things work just fine; we don’t need to spend money you crazy IT people screaming about how the Sky is about to fall.” And everything about the organization is public-record, making Spear Phishing as easy as 10 minutes on the city’s website.

First it was Riviera Beach, then it was Lake City, and now it is Key Biscayne. Third Florida city falls victim to ransomware attack.

Both Key Biscayne and Lake City were hit with Ryuk, the final piece of what is known as the “Triple threat attack,” the other two being Emotet and Trickbot malware. It’s uncertain whether the Riviera Beach attack was also based on Ryuk, which was originally linked to the notorious North Korean “Lazarus” hacking group.

Also Georgia’s Judicial Council and Administrative Office of the Courts was hit by the same triple-threat.

So if you can pay (as Lake City did) the hackers, why couldn’t you pay the IT department last month when they asked for money to prevent this? And it isn’t clear to me if Key Biscayne is going to pay or not.