Hacks, Hackers, and Phishers

Canary. Photo by 4028mdk09.



US State Department

Those are just a few of the most recent reported stories about breaches of data these last couple weeks.

Amazon has had two breaches of customer data in the last two months. This most recent one occurred the Wednesday before Thanksgiving, due to a “technical error,” Gizmodo reported, which had “inadvertently exposed [customers] email addresses.”

We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Customer Service

Gizmodo; Nov 21

According to Gizmodo, last Thursday, Tom’s Guide reported it “viewed email and chat correspondence between Amazon and customers who claim they were offered Amazon gift cared of between $5 and $100.” One customer reportedly told Tom’s Guide that “some users” who had complained about their data being breached were offered money.

In October, customers were on the receiving end of an “automated email distributed” informing them “an Amazon employee was fired for sharing customer email addresses with an unknown seller.”

We are writing to let you know that your email address was disclosed by an Amazon employee to a third-party seller on our website in violation of our policies. As a result, the employee has been terminated and we are supporting law enforcement in their prosecution. The third-party seller has been blocked from selling on our website. No other information related to your account was shared.
This is not a result of anything you have done, and there is no need for you to take any action.
Thank you,
Amazon Customer Service

Gizmodo; Oct 5

Gizmodo reported via the Wall Street Journal Amazon employees, “in some cases in exchange for bribes,” “through intermediaries” [were] offering internal data to help merchants increase their sales on the website,” and were being investigated. Neither employees nor the merchant were identified by Amazon’s spokesperson, but did say the merchant “has been booted from the platform.”

Friday, news hit the globe after a Marriott SEC filing about a “megabreach” of data at the hotel group of Marriott International and that “the records of 500 million customers” had been compromised within their Starwood network, “going all the way back to 2014, Gizmodo reported.

Marriott bought the Starwood brand, which includes the brands “W Hotels, Sheraton, Le Méridien, and Four Points by Sheraton,” in 2016.

The list of data points hackers was able to access include, “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

Marriott explained that it first learned about the breach on September 8 when a security tool alerted administrator that someone was attempting to gain unauthorized access to its Starwood reservation system in the United States. Here’s Marriott’s explanation of what happened next:

“Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”


By Friday afternoon it was reported the “private keys,” something needed to “decrypt payment card information” may have been stored “alongside the information itself in an unencrypted format – which if true, constitutes a major lapse in accepted key management procedures.”

“The strongest unsurprisingly” reaction to the “jaw-dropping” Marriott breach “came from the U.S. Senate’s leading privacy advocate, Democrat Ron Wyden of Oregon.”

“If history is any guide, this megabreach will be like the others that came before it—the company will apologize, proclaim that it values its customers’ privacy, and then offer useless credit monitoring to the millions of Americans impacted by this years-long breach,” he said in an email to Gizmodo.

“Clearly the current status quo isn’t working—the Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information,” said Wyden, adding: “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously.”

In early November, Wyden introduced a draft of legislation, though it has not been formally introduced, called the Consumer Data Protection Act, that would “impose fines of up to $5 million on executives of companies with annual revenue of $1 billion or greater. Executives found to have intentionally misled the FTC could face up to 20 years in prison.”

Bloomberg reported the cybersecurity experts FireEye and CloudStrike – whose businesses are to protect its clients against cyber threats as well as a cyber forensics division for clients who call them in after getting hit to figure out what happened – discovered “phishing activity at more than 20 of [their] clients across multiple industries” by hackers who used phishing emails masked as US State Department spokeswoman Heather Nauert and her deputy Susan Stevenson “to target hundreds of staffers in U.S. defense and law-enforcement agencies.”

“The attack probably originated with the Russian intelligence-linked group known variously as APT29 and Cozy Bear. The firms aren’t certain who, exactly, is responsible, but elements of the attack including its scope, targets and tactics were similar to the group’s previous activity. The same group infamously hacked into the Democratic National Committee during a broader Russian effort to assist Donald Trump’s campaign during the 2016 election.”

Read the full FireEye blog post incident report.

On November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries.

The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official’s personal drive, and used a legitimate Department of State form as a decoy. This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.


About the opinions in this article…

Any opinions expressed in this article are the opinions of the author and do not necessarily reflect the opinions of this website or of the other authors/contributors who write for it.