Newegg has been hacked

Electronics retailer Newegg has been hacked by Magecart, the same cybercrime group that hacked into British Airways.

Security companies Volexity and RiskIQ have conducted a joint investigation on the hack.

The Magecart group managed to hack into the Newegg web site and steal the credit card information of all customers who made purchases between August 14 and September 18, 2018.

The hackers were able to inject 15 lines of malicious JavaScript code into the checkout process at Newegg. The code collected data and sent it back to the hackers. They used a domain called neweggstats.com, which they registered just the day before the attack started.
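One way a site owner can detect this kind of injection, as an added example (not code from the incident or from the investigators): the Node.js sketch below records CSP-style SHA-256 hashes of the inline scripts on a known-good checkout page and flags any script the baseline does not cover. The sample pages, the `shop.example` origin and all function names are constructed for illustration.

```javascript
const { createHash } = require("crypto");

// CSP-style hash source for an inline script body.
const cspHash = (body) =>
  "sha256-" + createHash("sha256").update(body, "utf8").digest("base64");

// Split a page into external script URLs and inline script bodies.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { src: src[1] } : { body: m[2] });
  }
  return scripts;
}

// Hostnames of absolute URLs that appear inside a script body.
const hostsIn = (text) => [...new Set(
  [...text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()))];

// Record approved inline-script hashes from a known-good copy of the page.
function baselineFrom(html, origin, hosts) {
  const inline = extractScripts(html).filter((s) => s.body !== undefined);
  return { origin, hosts, inlineHashes: inline.map((s) => cspHash(s.body)) };
}

// Report every script on the page that the baseline does not cover.
function auditCheckout(html, baseline) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== undefined) {
      const host = new URL(s.src, baseline.origin).hostname;
      if (!baseline.hosts.includes(host)) findings.push({ type: "script-host", host });
    } else if (!baseline.inlineHashes.includes(cspHash(s.body))) {
      const unknownHosts = hostsIn(s.body).filter((h) => !baseline.hosts.includes(h));
      findings.push({ type: "inline-script", hash: cspHash(s.body), unknownHosts });
    }
  }
  return findings;
}

// Constructed sample pages (not taken from the incident); names are hypothetical.
const ORIGIN = "https://shop.example";
const GOOD = '<form id="pay"></form><script src="/js/checkout.js"></script>' +
  "<script>initCheckout('pay');</script>";
const TAMPERED = GOOD +
  '<script>var sink = "https://shopexample-stats.test/collect"; /* inert */</script>';
const baseline = baselineFrom(GOOD, ORIGIN, ["shop.example"]);
console.log(auditCheckout(TAMPERED, baseline));
```

The same baseline can be enforced in the browser: the hashes map to `script-src` hash sources and the host list to `connect-src` in a Content-Security-Policy header.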

Read more about it here.

British Airways has been hacked

According to an announcement made on their web site, personal and payment card information of 380,000 British Airways customers was stolen from users making bookings on its website and app from 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018.

The stolen information included name, address, email address and credit card information; it did not include travel or passport details.

The airline confirmed that the breach has been resolved, and its services are now operating normally.

In March 2015, British Airways Executive Club member accounts were hacked; however, that wasn’t considered a data breach, because hackers used information available in the underground.

Read more about it here.

Google discloses a Man-in-the-Disk attack on the Fortnite Android app

A Man-in-the-Disk attack can occur when an Android app stores files on the mobile device’s external storage, which is shared by all apps. A malicious app could tamper with files stored on the external storage.

In this case, the Fortnite app installer stored the install file on external storage, and then ran that install file. Another app already installed on the device can observe that, replace the file with its own, and cause any code to run.

Epic Games has released a fix.
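The race described above, next to a common hardening pattern (verify and run only a private copy), as an added Node.js simulation that is not Epic's code and not an Android API: temporary directories stand in for external and app-private storage, and reading the file stands in for running it. All names and file contents are constructed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const { createHash } = require("crypto");

const sha256 = (data) => createHash("sha256").update(data).digest("hex");

// Pattern from the item: check the file, then run it, both on shared storage.
// betweenSteps models whatever another app does in the gap between the two.
function installFromShared(sharedFile, expectedHash, betweenSteps) {
  if (sha256(fs.readFileSync(sharedFile)) !== expectedHash) throw new Error("hash mismatch");
  betweenSteps();
  return fs.readFileSync(sharedFile, "utf8"); // stands in for running the install file
}

// Hardened: copy into private storage, verify that copy, and run only that copy.
function installFromPrivate(sharedFile, privateDir, expectedHash, betweenSteps) {
  const priv = path.join(privateDir, "package.bin");
  fs.copyFileSync(sharedFile, priv);
  if (sha256(fs.readFileSync(priv)) !== expectedHash) {
    fs.unlinkSync(priv);
    throw new Error("hash mismatch");
  }
  betweenSteps();
  return fs.readFileSync(priv, "utf8");
}

// Constructed scenario: temp directories stand in for external and app-private storage.
function demo() {
  const shared = fs.mkdtempSync(path.join(os.tmpdir(), "shared-"));
  const priv = fs.mkdtempSync(path.join(os.tmpdir(), "private-"));
  const pkg = path.join(shared, "installer.pkg");
  const expected = sha256("GENUINE-PACKAGE");
  const swap = () => fs.writeFileSync(pkg, "REPLACED-PACKAGE");

  fs.writeFileSync(pkg, "GENUINE-PACKAGE");
  const racy = installFromShared(pkg, expected, swap);        // swap wins the race
  fs.writeFileSync(pkg, "GENUINE-PACKAGE");
  const safe = installFromPrivate(pkg, priv, expected, swap); // swap has no effect
  let rejected = false; // pkg is still the swapped file here, so the copy fails the check
  try { installFromPrivate(pkg, priv, expected, () => {}); } catch (e) { rejected = true; }
  fs.rmSync(shared, { recursive: true }); fs.rmSync(priv, { recursive: true });
  return { racy, safe, rejected };
}

console.log(demo());
```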

Read more about it here.

T-Mobile data breach exposed personal information of 2 million customers

T-Mobile announced on August 24 that on August 20, 2018, hackers gained unauthorized access to certain information on its servers. The information included customers’ name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid). The incident affected more than 2 million customers, or 3 percent of its 77 million customers.

The hackers were able to exploit an internal API (application programming interface) on its servers that handled personal information. Luckily, the API doesn’t provide financial data or sensitive information.

Affected customers have been contacted by T-Mobile.

Read more about it here and here.

WhatsApp vulnerabilities allow attackers to spread fake news via group chats

Check Point Research discovered multiple vulnerabilities in the most popular messaging app in the world, WhatsApp, allowing attackers to alter the content of messages sent in both private as well as group chats.

The flaws allow attackers to abuse the “quote” feature in a WhatsApp group conversation, to alter the identity of the sender, to alter the content of members’ reply to a group chat, or to send private messages to one of the group members disguised as a group message.

Check Point was able to discover these flaws by decrypting the communications between the mobile and desktop version of WhatsApp.

The security experts pointed out that the flaws could not be exploited to access the content of end-to-end encrypted messages, because in order to exploit them, the attackers must already be part of group chats.

Read more about it here.

No breach in a year – how Google did it

Google stated that it hasn’t had any account takeover among its 85,000 employees for more than a year.

How did they do it? They deployed a physical security key, a $20 USB gadget. Google employees who wish to log in need to provide their username and password and insert this USB device into their workstation. This is an example of two-factor authentication. The idea behind two-factor authentication is that even if thieves were able to phish your password, they still wouldn’t be able to log in to your account unless they also hack or possess the second factor, the USB key device in this case.

Job well done, Google!

Read more about it here.

Credit card issuer TCM Bank exposed applicants’ data for 16 months

TCM Bank announced that a web site misconfiguration exposed applicant data for 16 months.

TCM Bank, a subsidiary of ICBA Bancard, issues credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves. TCM announced that a web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018. Exposed data includes names, addresses, dates of birth and Social Security numbers.

The number of affected customers was less than 10,000, which is less than 25% of the applications processed during that time period, and less than 1% of the TCM cardholder base.

The breach was reportedly discovered on July 16, 2018, then fixed the following day.

Read more about it here.

Code hosting service GitHub can now scan Python code for vulnerabilities

Code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In October 2017, GitHub introduced the Dependency Graph, a feature that lists all the libraries used by a project, and all the projects that rely on a certain project. The feature supports JavaScript and Ruby. GitHub is now extending this feature to include Python code. This feature allows developers to receive alerts when including certain flawed software libraries in their projects, and provides advice on how to address the issue.

Code scanning is enabled by default on public repositories.

Read more about it here.

A Samsung texting app bug is sending random photos to other people

As reported July 2, 2018 on Gizmodo, Samsung Messages, the default texting app on Galaxy devices, is erroneously sending pictures stored on the devices to random contacts via SMS. This was reported by several users on current model devices, such as the Galaxy Note 8 and Galaxy S9. Reportedly, this doesn’t leave any evidence of it doing so, which means that people may be unaware that their photos were sent.

The theory is that the bug is caused by interaction between Samsung Messages and recent RCS profile updates that were rolled out by carriers, including T-Mobile.

One workaround is to revoke Samsung Messages’ ability to access storage. Another workaround is to switch to a different texting app, such as Android Messages.

Read more about it here.

The Wi-Fi Alliance introduced Wi-Fi CERTIFIED WPA3 security

The Wi-Fi Alliance introduced on June 25, 2018 WPA3, a new Wi-Fi security standard that will address all known security issues affecting the previous Wi-Fi standards.

WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets.

WPA3 offers two distinct modes of operation: WPA3-Personal and WPA3-Enterprise. WPA3-Personal offers more resilient, password-based authentication. WPA3-Enterprise offers the equivalent of 192-bit cryptographic strength.

Read more about it here.