
ShadowTalk Update – 1.14.19

January 14, 2019

We’ve just released our first Weekly Intelligence Summary episode of ShadowTalk. In this new track, Harrison Van Riper will be interviewing our security analysts to get their take on the top security stories of the week. You can also read their in-depth findings and analysis via the Weekly Intelligence Summary report. Our main story in this episode involves the leak of personal information from several German political parties. We hope you enjoy this new track!

Highlights from the week include: a new data skimming campaign attributed to the threat group “Magecart”, a security researcher’s phishing-campaign tool that can bypass two-factor authentication (2FA) and a ransomware campaign using a fake charity to emotionally blackmail victims.

Far-right hacktivist leaks sensitive data on high-profile Germans

Throughout December 2018, a German hacktivist publicly released sensitive data on German politicians and entertainers, which they allegedly obtained by accessing social media and email accounts using popular passwords. This leak demonstrates the need for good digital hygiene across personal and professional accounts.

OXO International breach pinned on Magecart

In December 2018, United States-based kitchen utensil manufacturer OXO International disclosed three data breaches. The breaches affected customers who purchased goods from the company’s online store during the past two years. One of these attacks, which occurred between 8 and 9 June 2017, has been attributed to the Magecart threat group, based on the presence of malicious JavaScript code injected into the site and designed to capture customer information. No additional details were available regarding the other two attacks, which occurred between 9 June and 28 November 2017, and between 20 July and 16 October 2018.
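Magecart-style skimming relies on a script appearing on a checkout page that the site owner never deployed. One defensive control is to keep a baseline inventory of every script on the page and alert on anything outside it. The following is an added example written for this post, not code from Digital Shadows or from OXO: it fingerprints inline scripts by SHA-256 and external scripts by their `src`, then diffs a page snapshot against an approved set. The HTML snapshots and the `cdn-stats.example` host are constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones by src, inline ones by SHA-256 of their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (kind, identifier) in document order
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.scripts.append(("inline", hashlib.sha256(body.encode()).hexdigest()))
            self._in_script = False


def script_inventory(html: str):
    """Return the list of (kind, identifier) for every script tag in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def unexpected_scripts(html: str, baseline):
    """Return scripts present on the page but absent from the approved baseline set."""
    return [s for s in script_inventory(html) if s not in baseline]


# Constructed known-good checkout page: one inline config script, one first-party script.
KNOWN_GOOD_HTML = """<html><head>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="/static/checkout.js"></script>
</head><body><form id="payment"></form></body></html>"""

# Baseline captured from the known-good page at deploy time.
BASELINE = set(script_inventory(KNOWN_GOOD_HTML))

# Constructed snapshot of the same page with an additional third-party script the site never deployed.
SUSPECT_HTML = KNOWN_GOOD_HTML.replace(
    "</body>",
    '<script src="https://cdn-stats.example/track.js"></script></body>',
)

if __name__ == "__main__":
    for kind, ident in unexpected_scripts(SUSPECT_HTML, BASELINE):
        print(f"ALERT: unexpected {kind} script: {ident}")
```

Running this on a scheduled crawl of the checkout page turns a silent skimmer injection into an alert the same day. The check as written only notices new or changed inline scripts and new external `src` values; an attacker who rewrites the body of an already-approved external file would slip past it, so a production version should also hash the fetched contents of each external script or enforce Subresource Integrity and a Content-Security-Policy on the page.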

Modlishka phishing tool bypasses 2FA

A security researcher has developed a phishing tool capable of bypassing 2FA systems. The tool, dubbed Modlishka, works between the user and the target website and allows the user to access legitimate sites while the attacker intercepts any credentials and 2FA codes. A threat actor would then be able to log in using the 2FA key and the stolen credentials. The real-time aspect of Modlishka’s interception process makes it resource intensive, and therefore unlikely to be used in mass phishing campaigns; however, it could be used in targeted attacks. Although there are no reports of it being used in the wild yet, as the use of 2FA grows, threat actors will likely adopt similar tactics in the short- to mid-term future (within six months).
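The reason a relay of this kind defeats code-based 2FA is that a one-time code carries no information about where the user typed it, so a code relayed from a look-alike page is indistinguishable from one typed on the real site. Origin-bound authenticators (the WebAuthn/FIDO2 model) close that gap because the signed data includes the origin the browser is actually on. The following is an added example, not code from the post or from the Modlishka project, that goes slightly beyond the text by contrasting the two factor types in a simulated relay: it implements RFC 4226 HOTP for the code-based factor and a simplified origin-bound assertion for the second, with an HMAC standing in for the authenticator's private-key signature. The origins, secrets and challenge are constructed values.

```python
import hashlib
import hmac
import struct

RP_ORIGIN = "https://shop.example"          # constructed: the legitimate site
PROXY_ORIGIN = "https://shop-login.example"  # constructed: the look-alike origin a relayed victim is on


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (TOTP is the same with counter = unix_time // 30).
    The code depends only on the shared secret and counter, never on the page it is typed into."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def otp_login_accepted(server_secret: bytes, counter: int, submitted_code: str) -> bool:
    """Server-side OTP check: any correct code is accepted regardless of where it was entered."""
    return hmac.compare_digest(hotp(server_secret, counter), submitted_code)


def sign_assertion(credential_key: bytes, challenge: bytes, client_origin: str) -> bytes:
    """Simplified authenticator: the signed data binds the server's challenge to the origin the
    browser reports. An HMAC stands in for the real private-key signature (assumption for the demo)."""
    return hmac.new(credential_key, challenge + client_origin.encode(), hashlib.sha256).digest()


def assertion_accepted(credential_key: bytes, challenge: bytes, signature: bytes,
                       expected_origin: str = RP_ORIGIN) -> bool:
    """Server-side check: recompute over the origin the server expects and compare."""
    expected = hmac.new(credential_key, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def simulate(origin_seen_by_victim: str):
    """Return (otp_accepted, origin_bound_accepted) when a victim authenticates on
    origin_seen_by_victim and everything they produce is relayed unchanged to RP_ORIGIN."""
    otp_secret = b"constructed-shared-otp-secret"
    credential_key = b"constructed-credential-key"
    counter = 1234

    # Code-based factor: the victim reads the code from their device and types it on the page
    # in front of them; the relay forwards the string verbatim and the real site accepts it.
    typed_code = hotp(otp_secret, counter)
    otp_ok = otp_login_accepted(otp_secret, counter, typed_code)

    # Origin-bound factor: the real site issues a challenge, the relay forwards it, and the
    # victim's authenticator signs it together with the origin the browser is actually on.
    challenge = b"\x01" * 32  # constructed fixed challenge; real servers use fresh random bytes
    signature = sign_assertion(credential_key, challenge, origin_seen_by_victim)
    bound_ok = assertion_accepted(credential_key, challenge, signature)

    return otp_ok, bound_ok


if __name__ == "__main__":
    print("victim on the real site:", simulate(RP_ORIGIN))      # (True, True)
    print("victim on the relay   :", simulate(PROXY_ORIGIN))    # (True, False)
```

The HOTP routine reproduces the RFC 4226 test vectors, so the code-based path is the real algorithm rather than a stand-in. The practical takeaway for defenders is in the second tuple: the relayed OTP is accepted because it is origin-independent, while the origin-bound assertion fails verification at the real site because it was produced for the wrong origin. That is the property to look for when choosing a second factor for accounts likely to be targeted, and a sudden rise in failed assertion verifications with a consistent unexpected origin is worth alerting on.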

Ransomware uses fake charity to extort victims

The “Cryptomix” ransomware has been observed in a new campaign that uses a fake charity in its ransom demands. After infection and encryption of files, the victim is shown a message that uses stolen information from legitimate crowdfunding sites related to ill children. The message claims that all Bitcoin payments made as part of a ransom will be donated to a fictitious charity. This is the first recorded instance of ransomware exploiting real children in extortion efforts. As ransomware becomes more prevalent, attack campaigns are using additional tactics to ensure payment, such as sextortion scams. Such efforts are likely attempts to capitalize on the victim’s moral and charitable tendencies by convincing them to pay.

For more details, read the full Weekly Intelligence Summary: Weekly Intelligence Summary 03 Jan - 10 Jan 2019.
