Potential Hurricane Scams Among Latest Fraud News and Leak Warnings

Hackers often seize on natural disasters to take advantage of people's desire to help.

Potential Hurricane Dorian scams are at the forefront of a number of recent cybersecurity-related news items, which also include fraudsters taking advantage of new European authentication measures, leaks at the cosmetics firm Yves Rocher and more Facebook data-related exposures.

The Cybersecurity and Infrastructure Security Agency warned users to remain vigilant for malicious cyberactivity targeting Hurricane Dorian disaster victims and potential donors.

“Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites,” said the agency in a Wednesday news release. 

CISA suggested users exercise caution in handling any email with a hurricane-related subject line, attachment or hyperlink. In addition, users should be wary of social media pleas, texts or door-to-door solicitations relating to severe weather events.

A related warning stems from fraudsters exploiting the European-based Strong Customer Authentication online security checks with phishing attacks and fraudulent multifactor authentication process messages. Javvad Malik, security awareness advocate, KnowBe4, said, “Cybercriminals are quick to jump on any event to launch phishing campaigns.” In some cases, hackers will piggy-back on another data breach, posing as a financial institution seeking information from customers who may have been affected. 

Malik suggested there are often tell-tale signs of a phishing email, and users should look out for the email address the mail has come from, hover over links to see where they are going, and look out for spelling, grammar, and the tone of the email.

Meanwhile, cosmetics giant Yves Rocher issued an alert that a major data leak exposed the personal data of 2.5 million Canadian customers and sensitive internal company information. Researchers with vpnMentor said they discovered an unprotected Elasticsearch server owned by Aliznet, which provides consulting services to large businesses, including IBM, Salesforce, Sephora and Louboutin. The personal data included full names, phone numbers, email addresses, birthdates and mail codes. In addition, researchers could view records of more than 6 million customer orders.

According to George Wrenn, CEO/founder of CyberSaint Security: “Managing the extensive supply chains that global enterprises rely on today can be a cumbersome process, especially with legacy GRC (governance, risk, and compliance) tools or spreadsheets. From a purchaser perspective, businesses need to be aware and increasingly diligent when it comes to sourcing a vendor, especially when dealing with the sensitive information that we see in this case.”

Yet another Facebook-related incident centered around an exposed server containing more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of U.K.-based users and more than 50 million records on users in Vietnam.

TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. “We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account,” TechCrunch said. 

“Misconfigurations have been the reason behind several data leaks this year, including incidents affecting Orvibo, Tech Data and ApexSMS. Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of attack vectors to detect vulnerabilities,” Jonathan Bensen, chief information security officer at Balbix, said. He added, “Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once. The key to thwarting future instances of data exposure is to leverage security tools that employ artificial intelligence and machine learning to observe and analyze the entire network in real time.”

Erich Kron, security awareness advocate, KnowBe4, also commented: “This is an unfortunate situation where, although the issue that led to a previous data breach was fixed, the impact of the issue has continued to cause serious problems.” Kron explained, “Because people often share very personal information on social media platforms, scammers can use the breach data to gain a wealth of information about the person and use that for scams.” 

From Pankaj Parekh, chief product and strategy officer at SecurityFirst: “It seems this data is over a year old, probably scraped before Facebook clamped down on access to users’ phone numbers, but as we know once data is on the internet it can last forever. Users, having done nothing wrong to compromise their security, can now be subject to targeted robocalls, or worse. And they can’t recover by something as simple as changing their password – they would have to redo their Facebook account or get a different phone number – both very unappealing actions.”

Jonathan Deveaux, head of enterprise data protection at comforte AG, said, “Password protection is basic security, and relatively simple to leave in place.” Deveaux noted that to some hackers, passwords are just hindrances, and they can bypass them if they are determined enough. “The main risk of the phone number exposure incident is the potential of spam calls, which are a huge nuisance today. The bigger fear is what other unprotected sensitive data exists, which may be subject to the same decisions, but possibly posing a larger risk to end-users? The more sensitive data a company has, the more critical it is to protect the data.”

“The exposure of this database puts millions of Facebook users at risk of spam, harassment, and SIM swap fraud,” Paul Bischoff, privacy advocate for Comparitech, said. “The lattermost could allow an attacker to hijack a user’s account by bypassing two-factor authentication. By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user’s phone via SMS when logging in.”

Colin Bastable, CEO of security awareness training company Lucy Security, suggested, “Think hard before giving your phone number to any social networking business – they are in the business of aggregating and monetizing consumer data.” He added, “collectively Big Tech has an atrocious record of securing data. We have just learned about Google running secret web pages to aggregate and sell consumer data for targeted advertising. There is no altruistic purpose in requesting or holding consumer data – everything is for sale.”