Under Armour says 150 million MyFitnessPal accounts hacked

On March 29, 2018, Under Armour announced that about 150 million accounts on its popular health app MyFitnessPal were hacked in February 2018. The affected data includes usernames, e-mail addresses, and hashed passwords. The company doesn’t collect Social Security numbers or driver’s license information, and credit card data is collected and stored separately. The company recommended that all users change their passwords.

For most users, the company hashed passwords with “bcrypt”, a deliberately slow hash function that makes the stored hashes hard to crack. However, some users had their passwords hashed with the weaker, fast hash function “SHA-1”.
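The difference between the two hash schemes, and the usual remedy (verify against the legacy hash, then re-hash with a slow salted function on the next successful login), as an added example that is not Under Armour's code. Since bcrypt is a third-party library, the standard-library PBKDF2-HMAC-SHA256 stands in for it here (an assumption); the accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption: bcrypt is not in the stdlib).
PBKDF2_ITERATIONS = 200_000


def hash_legacy_sha1(password: str) -> str:
    """Unsalted, fast SHA-1: one dictionary pass cracks every account at once."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_strong(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a slow KDF, the property bcrypt provides."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format (constant-time compare)."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        return hmac.compare_digest(hash_legacy_sha1(password), stored)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = fields
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(users: dict, username: str, password: str) -> bool:
    """Verify, and on success silently upgrade a legacy SHA-1 record."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        users[username] = hash_strong(password)  # upgrade-on-login
    return True


def needs_rehash(users: dict) -> list:
    """Accounts still on the legacy scheme, i.e. the ones to force-reset."""
    return sorted(u for u, h in users.items() if h.startswith("sha1$"))


def build_sample_users() -> dict:
    """Constructed sample records: one legacy SHA-1 account, one strong one."""
    return {"alice": hash_legacy_sha1("correct horse"),
            "bob": hash_strong("battery staple")}
```

Accounts that never log in again never get upgraded, which is why a forced password change (as the company recommended) is still needed alongside upgrade-on-login.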

The root cause for the data breach wasn’t immediately disclosed.

Read more about it here.

15-year-old hacked Ledger crypto wallet

15-year-old security researcher Saleem Rashid discovered a flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard the public and private keys used to receive or spend the user’s cryptocurrencies.

The root cause is that the Ledger devices use a secure processor chip and a non-secure microcontroller chip. An attacker could compromise the insecure processor.

Ledger released a patch on March 6, 2018 to address the vulnerability, and Eric Larchevêque, Ledger’s CEO, stated that the company hadn’t received any reports of hackers actually accessing the crypto keys.

Read more about it here.

GitHub survives the biggest ever DDoS attack

On February 28, 2018, the popular source code hosting web site GitHub was hit by the largest-ever distributed denial of service (DDoS) attack, which peaked at 1.35 Tbps. The attack abused servers running Memcached, an open source distributed memory object caching system. It was an amplification attack, where the attacker sends a request of a few bytes to the abused server with a spoofed source address, causing the server to respond to the victim with a much larger response, up to 51,200 times larger.

The GitHub website is protected by the anti-DDoS service provided by Akamai.
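How a network operator would spot the amplification described above from the cache server's side, as an added example that is not GitHub's, Akamai's or Memcached's code. It assumes Memcached's default port 11211 (not stated in the article) and works over constructed flow records, flagging any client that "sent" a few bytes but received a response many times larger.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211          # Memcached's default port (assumption; not in the article)
AMPLIFICATION_THRESHOLD = 50.0  # flag clients receiving >= 50x the bytes they sent

# Constructed flow records (not real traffic), one line per UDP datagram as a flow
# collector near the Memcached server might export them:
# src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
203.0.113.10,40000,198.51.100.5,11211,15
198.51.100.5,11211,203.0.113.10,40000,1400
198.51.100.5,11211,203.0.113.10,40000,1400
198.51.100.5,11211,203.0.113.10,40000,1400
203.0.113.77,51515,198.51.100.5,11211,15
198.51.100.5,11211,203.0.113.77,51515,60
"""


def parse_flows(text):
    """Parse the CSV flow export into (src, sport, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append((src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def amplification_by_client(flows, service_port=MEMCACHED_PORT):
    """Return {client_ip: (bytes the client sent to the service, bytes it got back)}.
    In a reflection attack the "client" is the spoofed victim address."""
    sent, received = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == service_port:
            sent[src] += nbytes
        elif sport == service_port:
            received[dst] += nbytes
    return {ip: (sent[ip], received[ip]) for ip in set(sent) | set(received)}


def suspected_amplification_victims(flows, threshold=AMPLIFICATION_THRESHOLD):
    """List (client_ip, ratio) for clients whose received/sent ratio is suspicious."""
    victims = []
    for ip, (sent, received) in amplification_by_client(flows).items():
        ratio = received / sent if sent else float("inf")
        if ratio >= threshold:
            victims.append((ip, round(ratio, 1)))
    return sorted(victims)
```

The detector only reports the symptom; the fix on the operator's side is to stop exposing Memcached over UDP to the Internet, since the cache cannot tell a spoofed request from a real one.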

Read more about it here.

PayPal issue allows disclosure of account balance and recent transactions

A recently discovered PayPal issue allows anyone to reveal the last four digits of the payment method, the account balance and recent transactions. This vulnerability was reported to PayPal’s bug bounty program, where it was classified as being out of scope. The issue still exists as of February 25, 2018.

All the attacker needs to know is the e-mail address and phone number linked to the account. The attacker would then visit the Forgot Password page on PayPal’s web site, and enter the e-mail address of the target account. The web site would offer to confirm the credit card number linked to the account, while presenting the credit card type and the last 2 digits of the credit card number. The attacker would then call the customer service number, and try to guess via the interactive voice response system the last four digits of the credit card number. Having the last two digits already at hand, this leaves only 100 combinations to try.

Once the correct combination of the last four digits has been found, the attacker would use the interactive voice response system to retrieve the account balance and the recent transactions.

Read more about it here.

The global cost of cybercrime has jumped to $600 billion

According to a report published in February 2018 by security giant McAfee, the global cost of cybercrime jumped from $500 billion in 2014 to $600 billion, representing about 0.8 percent of global GDP.

The cost of cybercrime is distributed among all the countries of the world; no country is spared.

The jump is mainly caused by an increased number of online users from low-income countries with weak cybersecurity, quick adoption of new technology and growing sophistication by cybercriminals, the growth of Cybercrime as a Service, and an expanding number of cybercrime centers in certain countries.

Read more about it here.

Sensitive documents of 119,000 customers of a FedEx-owned company exposed online

Researchers found an unprotected Amazon S3 bucket containing personal information and scanned documents of 119,000 customers of Bongo International. The company was bought in 2014 by FedEx, was rebranded as FedEx Cross-Border International, and shut down in April 2017. The exposed documents included scanned passports, driver’s licenses, national ID cards, utility bills, medical insurance cards and credit cards that customers had used to verify their identity with the FedEx division.

FedEx has since removed the S3 bucket.

Read more about it here.

Equifax breach is worse than previously reported

In September 2017, Equifax suffered a massive data breach. Cyber criminals stole the personal records of 145 million residents of the US, Canada and the UK. Those included names, Social Security numbers, birth dates, home addresses, credit score dispute forms, and for some users also credit card numbers and driver’s license numbers.

A document recently submitted by Equifax to the US Senate Banking Committee reveals that the attackers also stole taxpayer identification numbers, phone numbers, e-mail addresses, and credit card expiry dates belonging to some Equifax customers.

Equifax noted that the additional exposed information relates to a small number of people.

Read more about it here.

Australian government investigates sale of secret documents in filing cabinets

On January 31, 2018, the Australian government launched an investigation into the loss of thousands of classified documents. The documents were in locked drawers and were sold along with two second-hand filing cabinets.

The buyer, who hasn’t been identified, drilled the locks and found the documents. The ABC obtained some of the documents, and began publishing parts of the files this week, revealing some embarrassing facts about the Australian government.

Read more about it here.

‘Jackpotting’ targets U.S. ATMs to make them dispense cash

Two men have been arrested and another remains on the run after they were indicted on January 30, 2018 for trying to “jackpot” an ATM, forcing the machine to give out cash.

ATM manufacturers Diebold Nixdorf and NCR Corp. have said these attacks have occurred in the U.S., but did not detail whom they have targeted and how much money was dispensed.

ATM jackpotting, also known as “logical attacks,” simply means that cyber thieves physically install malware onto ATMs, giving them control over how much money gets dispensed at any given time.

Read more about it here.

Hacker infected pumps at gas stations in Russia

Russian authorities discovered a fraudulent scheme involving dozens of gas station employees who installed malicious software on electronic gas pumps to cheat customers. The scam diverted 3 to 7 percent of every gallon sold into a separate tank as it was being pumped. The Russian Federal Security Service (FSB) arrested hacker Denis Zayev in Stavropol, Russia.

Read more about it here.