Application Security Weekly Review, Week 6 2019
A vulnerability in e-ticketing systems used by major airlines, a malvertising campaign targeting premium publishers, abuse of a long-standing feature in Google Gmail, and more.
Our latest roundup highlights the most interesting cybersecurity headlines of this week, including a vulnerability in e-ticketing systems used by major airlines, a malvertising campaign targeting premium publishers, abuse of a long-standing feature in Google Gmail, and more.
Multiple major airlines jeopardise customer personal information
E-ticketing systems used by at least eight major airlines, including Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, suffer from lax security that could put customers' personally identifiable information (PII) at risk of being accessed and modified by attackers. According to a report from the cybersecurity firm Wandera, the root cause of the problem is that check-in links sent to passengers by email are unencrypted, i.e. plain HTTP rather than HTTPS.
Customer information is embedded in the links, allowing passengers to reach their check-in page without entering a username and password. Because the request is not encrypted, a malicious actor on the same Wi-Fi network can intercept the link request and gain access to the passenger's check-in page and the data behind it, including name, address, passport and ID numbers, booking references, flight times and more. An attacker could also print or modify the boarding pass and change seat assignments.
The researchers informed the affected companies about their findings several weeks before publication, but at the time of writing the problem remained unfixed.
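The two link designs side by side, as an added example that is not Wandera's or any airline's code: the insecure pattern puts passenger fields in the query string of an HTTP URL, so a passive observer on the network recovers them from the request alone; the hardened pattern serves the page over HTTPS and carries only a random, single-use, expiring token that is looked up server-side. The host names, field names, the sample booking and the token store are all constructed for illustration.

```python
"""Insecure vs. hardened check-in links (added example, not vendor code)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample booking; not real data.
SAMPLE_BOOKING = {
    "booking_ref": "ABC123",
    "last_name": "Doe",
    "passport": "X1234567",
    "flight": "XY100",
}


def build_insecure_link(booking: dict) -> str:
    """The pattern described in the report: PII in the query string of a
    plain-HTTP link. Anyone on the path (e.g. shared Wi-Fi) sees the whole URL."""
    return "http://checkin.example-airline.invalid/?" + urlencode(booking)


def fields_visible_to_network_observer(url: str) -> dict:
    """What a passive observer learns from the HTTP request for this URL:
    the full query string, parsed back into fields."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items()}


class CheckinTokenStore:
    """Server-side map from a hashed opaque token to a booking reference.

    Tokens are random, single-use and expire. Only a SHA-256 digest is stored,
    so a leaked table does not yield usable links.
    """

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (booking_ref, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, booking_ref: str, ttl_seconds: int = 24 * 3600, now=None) -> str:
        """Create a fresh token for a booking; `now` is injectable for testing."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (booking_ref, now + ttl_seconds)
        return token

    def redeem(self, token: str, now=None):
        """Return the booking reference for a valid token and consume it.
        Unknown, already-used or expired tokens return None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        booking_ref, expires_at = entry
        if now > expires_at:
            return None
        return booking_ref


def build_secure_link(token: str) -> str:
    """HTTPS plus an opaque token: the query carries no passenger data, and
    under TLS a passive observer does not see the token either."""
    return "https://checkin.example-airline.invalid/?" + urlencode({"t": token})


if __name__ == "__main__":
    leaked = fields_visible_to_network_observer(build_insecure_link(SAMPLE_BOOKING))
    print("observer sees:", leaked)
    store = CheckinTokenStore()
    link = build_secure_link(store.issue(SAMPLE_BOOKING["booking_ref"]))
    print("hardened link:", link)
```

The token still lands in the passenger's mailbox, so the short TTL and single-use semantics are what bound the exposure if that mailbox or the email in transit is compromised; the HTTPS change alone is what removes the on-path Wi-Fi attacker the report describes.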
Alexa 500 sites targeted by a large-scale malvertising campaign
Hackers have been targeting premium publishers with malicious ads that look like legitimate advertisements for well-known retailers, researchers from The Media Trust revealed. According to their report, the criminals targeted 44 adtech vendors in order to reach the millions of visitors of 49 premium publisher sites ranked among the Alexa 500. The researchers detected and analysed more than half a million attacks and found that victims did not even need to click on an ad: users visiting the sites were redirected to malicious content prompting them to enter their username and password.
The most interesting part is that the group behind the attack ran an adaptive campaign, launching a different attack through an alternative supply-chain route whenever one malware variant and its delivery route were identified and disrupted.
Scammers are abusing the “dot account” feature in Google Gmail for online fraud
Cybercriminals are taking advantage of a legitimate Gmail feature to file fake tax returns, claim unemployment benefits, bypass trial periods for online services and more. The feature in question is the so-called "dot account" feature: Gmail ignores the placement of dots in the local part of an address, so john.smith@gmail.com and j.o.h.n.smith@gmail.com deliver to the same mailbox. Users have long used this trick to create trial accounts without creating new Gmail accounts.
Recently researchers from Agari spotted a cybercriminal group that exploited this feature to trick unsuspecting Netflix users into adding their card details to accounts controlled by the scammers. This kind of scam only affects Gmail users, because other email providers do not route differently dotted variants of an address to the same inbox. Websites such as Netflix, Amazon and eBay treat each dotted variant as a separate account, so one Gmail inbox can control many accounts on those services, which opens the door to all sorts of abuse.
According to the researchers, a number of cybercriminal groups have been using this technique to create multiple accounts on websites and centralise their fraudulent activity in a single Gmail account, receiving all the resulting email in one inbox instead of having to monitor many different mailboxes.
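The check a service in the position of Netflix or eBay would want, as an added example that is not Agari's or any vendor's code: canonicalise addresses before comparing accounts so that dotted Gmail variants collapse to one identity, while addresses at other providers keep their dots because there the variants really are different mailboxes. It goes slightly beyond the article by also folding the "+tag" suffix and the googlemail.com alias, both of which Gmail treats as the same mailbox; the provider table, the lowercasing of non-Gmail local parts and the sample signup list are constructed assumptions. The dot rule is for consumer gmail.com addresses; do not extend it to other domains without verifying their behaviour.

```python
"""Canonicalise email addresses so dotted Gmail variants map to one identity
(added example, not vendor code)."""
from collections import defaultdict

# Domains assumed to ignore dots in the local part and to deliver
# "user+anything" to "user", mapped to their canonical domain.
# Assumption: the article only names Gmail; extend only after verifying.
DOT_INSENSITIVE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form suitable for account de-duplication.

    Gmail: strip dots and any +tag from the local part, fold googlemail.com
    to gmail.com. Everything else: lowercase only, because other providers
    treat a.b@ and ab@ as different mailboxes (lowercasing the local part of
    non-Gmail addresses is itself an assumption).
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = DOT_INSENSITIVE_DOMAINS[domain]
    return f"{local}@{domain}"


def group_signups_by_mailbox(addresses):
    """Map canonical mailbox -> list of raw addresses that reach it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonical_email(raw)].append(raw)
    return dict(groups)


def suspicious_groups(addresses, threshold: int = 2):
    """Canonical mailboxes behind at least `threshold` distinct signups:
    the "many accounts, one inbox" pattern the article describes. A fraud
    pipeline would score these for review rather than block them outright."""
    return {
        mailbox: raws
        for mailbox, raws in group_signups_by_mailbox(addresses).items()
        if len(raws) >= threshold
    }


# Constructed sample signups; not real accounts.
SAMPLE_SIGNUPS = [
    "john.smith@gmail.com",
    "j.o.h.n.smith@gmail.com",
    "johnsmith+netflix@googlemail.com",
    "john.smith@outlook.invalid",
    "jane.doe@gmail.com",
]

if __name__ == "__main__":
    for mailbox, raws in suspicious_groups(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(raws)} signups -> {raws}")
```

Run on the sample list, the three john.smith variants at Gmail collapse into one mailbox while the outlook.invalid address stays separate, which is exactly the distinction the scam relies on the target site not making.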
IcedID banking trojan now attacking online retailers
The operators of the IcedID banking trojan have set their sights on online retailers and are now using the malware to steal payment card data from e-commerce sites. According to a report from IBM Security, the attacks began in November 2018; instead of stealing online banking credentials, IcedID is used to harvest login credentials and payment card data from victims, which are then used to make purchases with the victims' cards. Initially the trojan targeted banks and payment card providers, but its creators now appear to have branched out in search of larger payouts.
Hackers infect Linux servers with SpeakUp backdoor via a vulnerability in ThinkPHP framework
Linux servers in China were hit by a wave of attacks distributing a new backdoor trojan named SpeakUp, which is used to deploy Monero cryptocurrency miners on compromised systems. The attackers mainly use an exploit for the ThinkPHP framework, but their arsenal contains six further exploits for other software, including JBoss Enterprise, Oracle WebLogic and Apache ActiveMQ.
The new backdoor comes with a built-in Python script used for lateral movement across the local network. According to researchers at Check Point, the campaign started around three weeks before their report, and the group behind the attacks has since mined roughly 107 Monero coins.