Cybersecurity Week in Review: 8/31
Posted by: GuidePoint Security
Happy belated Labor Day. We hope you’re staying safe and off to a good start this month. This first week of September had no shortage of cybersecurity news and incidents. Let’s dive in and look at some of the more interesting scenarios that showed up over the last seven days.
Web Skimming is the New Card Skimmer
This past week, a major music recording company announced that a number of their e-commerce sites were victims of “web skimming” or “Magecart” attacks. This type of attack is very similar to the old card skimmer technique, except that the hardware is replaced with malware, and the card reader is replaced with the third-party tool used to collect the payment information. Once the victim enters their data to pay for their purchase, the attackers have all the personal data and payment info from that particular user.
According to the letter filed by the California Attorney General’s office, the attack took place between April 25, 2020 and August 5, 2020. If the compromised payment form was used, the information the attackers acquired included name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV, and expiration date). So, pretty much everything the attacker would need to start doing damage to your bank accounts and identity. However, people who used PayPal were not affected by this.
The company has yet to disclose the actual e-commerce sites affected, making it difficult for consumers to understand what purchase might have exposed their information. In the letter, the corporation does offer 100% free credit monitoring for the next 12 months through Kroll if you are on the list of potential consumers. Check out the letter for more information on what happened and what you need to know.
Virtual Schooling Learns about DDOS
School is back… virtually… well, sort of. While some students and teachers are back in their classrooms, much of the country has embarked on virtual schooling. The K12 arena is finding out what business and government have been fighting for years: cyberattacks can and will happen.
Miami-Dade County found out firsthand what the new normal looks like when students become your insider threat. Using an online service, one of their students managed to carry out eight Distributed Denial of Service (DDoS) attacks against the school district’s online learning platform. This resulted in the school’s learning platform shutting down for the first few days of school. Luckily for the school, they could fall back on their other technologies to continue learning until the issue was resolved. However, the student is looking at charges of felony computer use in an attempt to defraud and misdemeanor interference with an educational institution. Goes to show, a couple of days off of school is not always worth it.
Read the news article here
Non-Profit Takes a Big Financial Hit
Nothing compares to the feeling of losing money, especially when it is a lot of money. One non-profit, the Jewish Federation of Greater Washington, disclosed that they lost $7.5 million from an endowment fund, with the money scattered into international accounts. Currently, the FBI is investigating the attack and has no comment for anyone at this time.
From what is known and released at this time, it appears that the attack was discovered back on August 4 by a security contractor for the organization. Specifically, the contractor saw suspicious activity in a user’s email account. Still, according to preliminary reports, it looks as though the attacker had access to the systems before August. Because the organization has called for a stoppage on using personal computers, the employee may have been using a personal device when the compromise happened.
The Maryland-based organization said that other agency funds were untouched, and they are currently investigating the loss. This alarming theft comes at a time when many workers are home and operating in unknown environments. Home networks are an unknown to most security teams, and finding the best way to quickly and efficiently secure remote employees is becoming more of a challenge than some expected. To read about managing some of these aspects with remote workers, check out our white paper: Managing an Expanded Security Perimeter: The New “Normal.”
Read the news article here.
More Skimmers More Problems
The American Payroll Association (APA) announced that they were victims of a skimmer attack that had malware strategically placed at the web login and checkout portions of their website. The attackers were able to do this by first exploiting a vulnerability in the organization’s content management system.
According to the notification letter, the information that could be exposed is, “First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you “Report”; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work. In addition, some accounts include profile photos and social media username information.” That is quite a bit of data that could be easily used in social engineering scams.
APA has removed the exploit and taken steps to prevent similar activities, including increasing patching frequency, adding antivirus on the servers, and checking the code on changes since January. APA is offering 12 months of free credit monitoring and $1 million in identity theft insurance for those who may have been affected.
Final Words
There were other attacks and activities last week to start the month of September. These were just the most notable to me and the current state of the world. As we watch the incidents happening all over, it is best to take a “watch and learn” approach, and not forget our essentials. We have to remember patching is not an if, but a when and how often. If we are opening a web portal up to the internet, we should have backup options and protections in place. Finally, if your organization relies on a remote workforce, personal computers are usually not the appropriate choice.
Security is an action. We get out what we put into it.
Contributing Authors
Kyle Merrick, Cybersecurity Solutions Marketer, GuidePoint Security