Here are the top stories of recent weeks:
- Bank Details to Streaming Services, It Is All Available on the Dark Web
- North Korea Is Linked to a Recent Cyberattack on US Enterprises
- TikTok Mobile App on the Verge of Being Banned Due to Surveillance Concerns
- Serious Security Concerns Over Smartwatch Tracker API Vulnerability
- Nearly 100k Customers Exposed in Leaky Database Belonging to Fitness Platform
The dark web is inundated with over 15 billion usernames and passwords to countless services, including banking details, network administrator accounts, antivirus software, streaming services, and more, with many being offered for free. Many breaches lead to the illegal distribution of duplicate files, meaning that accounts are shared multiple times amongst cybercriminals. This makes it increasingly difficult to track stolen data; however, the author asserts that there are still over five billion ‘unique’ accounts up for sale on the dark web (providing buyers illegal and, in many cases, free access to services).
Over the past few years, payment card information has become a high-ticket item for malicious actors scouring the web for innocent customers. A hacker group based in North Korea has been effective in skimming sensitive information from the checkout pages of large retailers in the U.S. and Europe. These are known as MageCart attacks, in which threat actors rely on malicious scripts (web skimmers). The hackers, who have been identified as the Lazarus (Hidden Cobra) group of nation-state hackers, use legitimate websites to exfiltrate the credit card information and camouflage the attack.
TikTok and other Chinese apps are currently under scrutiny by the U.S. government, as they are on the verge of being banned in the country over security and surveillance concerns. U.S. government officials have pressing concerns regarding the potential mismanagement of user data, as the mobile application may have ties to a foreign government. The mobile platform has been under investigation due to allegations claiming that it had been secretly accessing user data from iPhone and iPad clipboards. However, a spokesperson for the social platform stated that it was an inadvertent consequence of a spam filter.
New API vulnerabilities have come to light pertaining to a smartwatch tracker used in applications including services designed to support the elderly and vulnerable. The major security flaw was an unrestricted server-to-server API that could be used to hijack the SETracker service in ways including changing device passwords, making calls, sending text messages, conducting surveillance, and accessing cameras embedded in devices. The findings were disclosed to the service provider, 3G Electronics, which promptly fixed the issue.
V Shred, a Las Vegas-based fitness company that offers workout plans for women and men, has exposed over 99k customers in an unsecured AWS S3 bucket. The firm claims that it has clients in 119 countries, 12 million unique visitors to its website per month, and over 40,000 subscribers to its university program. CSV files appearing to contain information relating to both trainers and clients remain exposed. This includes IDs, first and last names, email addresses, genders, and client email addresses. A V Shred team member, however, denied there was an issue with the exposure of PII.
*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Juan Lugo. Read the original post at: https://www.bitglass.com/blog/bitglass-security-spotlight15-billion-usernames-and-passwords-available-on-dark-web