Threats Without Borders - Issue 113
Matt's Newsletter, Week ending January 15, 2023
One of the many unfortunate legacies of Covid is the QR Code menu at restaurants. I understand why they were necessary during the peak of the pandemic, but it's maddening that some restaurateurs are still using them.
I refuse to scan QR Codes and always make the server bring me a physical menu. Hesitant servers quickly change their mind after I launch into an impromptu lesson on the dangers of QR Codes and an attack technique called QRishing (also written "quishing"). I'm sure their change of heart isn't because of a sudden security catharsis brought on by my evangelism, but an urgent move of pacification.
QRishing is phishing delivered through a QR code. The code itself is nothing more than an encoded string, almost always a URL, and since no human can read it by eye, a malicious code on a sticker is indistinguishable from the legitimate one it covers. Scan it and the phone opens an attacker-controlled page that imitates the menu, payment portal or login screen and asks for a password or card number, which is then used for account takeover or financial fraud.
The same redirect is how QR codes spread malware. The page the code opens can prompt the user to install a rogue "menu" or "payment" app, and once installed that app can steal data from the device or take control of it. Most scanner apps flash the decoded URL for only a moment and truncate long hostnames, so the one habit that actually helps is to stop, read the full link, and check that the domain is the one you expected before tapping it.
How easy is it to print stickers with malicious QR codes and stick them to the table flyers at your favorite restaurant?
Speaking of the malicious use of QR Codes, this enterprising young criminal in Santa Cruz, California, recreated the city's parking tickets and stuck them on vehicles along popular beach parking spots. The problem, of course, was that the tickets carried a "Quick Payment" QR Code which sent the supposed parking violators to a payment website not controlled by the city of Santa Cruz.
Luckily, quick action by law enforcement ended the scam before the perpetrator received any payments.
Sometimes you must have a bit of admiration for the cleverness of a criminal.
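What both stories boil down to in practice is "read the decoded URL before you open it." As an added example (mine, not code from this newsletter or any scanner vendor), here is a small Python routine that triages a decoded QR payload. It assumes the phone's scanner or a library such as zbar has already turned the code into a string; it uses a hypothetical expected domain and constructed payloads, including a fake "city parking" link in the spirit of the Santa Cruz scam.

```python
"""Triage a decoded QR-code payload before anyone taps 'open'.

Added example, not code from the newsletter or any vendor. It assumes the QR
code has already been decoded to a string (by the phone's scanner, zbar,
etc.); this only inspects that payload. The expected domain and all sample
payloads below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Hypothetical: where a legitimate code at this venue should send you.
EXPECTED_DOMAINS = {"example-city.gov"}

# Redirectors that hide the real destination behind a short link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}


def effective_host(payload: str) -> Optional[str]:
    """Host a browser would really connect to, or None for non-web payloads."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname already discards the userinfo, so 'city.gov@evil.example'
    # resolves to 'evil.example', not 'city.gov'.
    return (parts.hostname or "").lower().rstrip(".")


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(payload: str, expected: Set[str] = EXPECTED_DOMAINS) -> List[str]:
    """Return warnings for a decoded payload; an empty list means it passed."""
    warnings: List[str] = []
    parts = urlsplit(payload.strip())
    host = effective_host(payload)

    if host is None:
        # Wi-Fi configs, vCards, tel:, intent:, market: ... are all valid QR
        # payloads, but none of them belongs on a menu or a parking ticket.
        warnings.append("non-web payload (scheme %r)" % (parts.scheme or "none"))
        return warnings

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # 'https://example-city.gov@attacker.example/pay' shows the trusted
        # name first; the part before '@' is login info, not the destination.
        warnings.append("userinfo before '@' disguises real host %r" % host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible homoglyph domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    try:
        if parts.port is not None and parts.port not in (80, 443):
            warnings.append("non-standard port %d" % parts.port)
    except ValueError:
        warnings.append("malformed port")

    if not any(_under(host, d) for d in expected):
        lookalike = [d for d in expected if d in host]
        if lookalike:
            # e.g. 'example-city.gov.pay-secure.example' contains the real
            # domain but is registered under someone else's.
            warnings.append("look-alike of %s: real host is %r" % (lookalike[0], host))
        else:
            warnings.append("host %r is not under expected domain(s) %s"
                            % (host, sorted(expected)))
    return warnings


# Constructed payloads, as a scanner app might decode them.
SAMPLES = [
    "https://example-city.gov/parking/pay?citation=12345",
    "http://example-city.gov@pay-now.example.net/parking",
    "https://example-city.gov.citation-pay.example.org/pay",
    "https://bit.ly/3xAmPlE",
    "https://192.0.2.10/pay",
    "WIFI:T:WPA;S:FreeGuest;P:hunter2;;",
]

if __name__ == "__main__":
    for p in SAMPLES:
        flags = triage(p)
        print(("OK   " if not flags else "FLAG ") + p)
        for f in flags:
            print("       - " + f)
```

Everything except the last check is a heuristic; the allowlist of expected domains is the one hard rule, and it is exactly the piece a city or a restaurant could publish ("our payment links always end in example-city.gov") so that customers have something to compare against.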
First things first
The Pennsylvania Department of Human Services issued a warning to recipients of state benefits about a scam targeting their accounts. Victims receive a text message saying their EBT card is about to expire and that they must respond to keep it active. Those who responded were tricked into handing over their login credentials.
My first response was: how rotten do you have to be to steal from the poor? But then it occurred to me that these scoundrels would have to know who is enrolled in the program. First things first... does the state have a compromised database, or a malicious insider selling access? (The less sinister explanation is a spray of texts to every number in the state, letting the base rate of EBT enrollment do the rest.) Maybe a Tw/oB reader who works for the Commonwealth should start asking some questions. https://www.media.pa.gov/Pages/DHS_details.aspx?newsid=888
JPMorgan Chase paid 175 million dollars for a company it believed had 4.3 million users. Turns out, oddly enough, the company only had about 300,000. Due diligence does matter, Hmph. Chase has now filed a lawsuit against the previous owners of the company alleging they fabricated "millions" of customer accounts. How do you just spin up four million fake accounts? Sounds like Chase is learning a hard lesson in "buyer beware". https://nypost.com/2023/01/12/jpmorgan-claims-charlie-javice-duped-bank-into-buying-175m-startup-suit/
Dad has finally stepped in
Much like a parent who lets his kids struggle through some adversity before finally stepping in, so has Amazon in the move to encrypt S3 buckets by default. Company after company has suffered data loss and breach due to improperly secured S3 buckets. See LastPass. Amazon has finally had enough and announced that the decision is no longer in the hands of the children: every new object written to S3 is now encrypted at rest with SSE-S3 unless you pick a different server-side encryption option. There is no longer an "unencrypted" choice at all. One caveat before anyone relaxes: SSE-S3 decrypts transparently for any principal allowed to read the object, so it does nothing about the public-bucket misconfigurations behind most of those breaches. Block Public Access and a tight bucket policy are still the controls that matter. https://aws.amazon.com/about-aws/whats-new/2023/01/amazon-s3-automatically-encrypts-new-objects/
CISA Year In Review
The Cybersecurity & Infrastructure Security Agency is one of the few departments of the federal government that actually does its job, and seemingly does it very well. The organization released its 2022 Year in Review report and it's worth a few minutes to read. https://www.cisa.gov/sites/default/files/publications/CISA-YearInReview_v1_508.pdf
Department of Interior’s passwords…
Suck. Alternatively phrased, the Interior's passwords are inferior. Auditors with the Office of Inspector General (OIG) built a password-cracking rig for roughly $15,000 and ran it against the password hashes of the department's Active Directory accounts. Within 90 minutes the rig cracked about 14,000 passwords, and another 4,200 fell over the rest of the test, roughly a fifth of all accounts. Many of these belonged to senior leadership and to accounts with elevated privileges. The detail that should sting the most: nearly every cracked password met the department's complexity requirements. Length, a blocklist of known-bad passwords and MFA protect accounts; "one uppercase, one digit, one symbol" rules do not. https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/
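To see why the OIG's result surprised nobody who has run a cracking rig, here is an added example in Python (mine, not code from the audit or from this newsletter) of the wordlist-plus-rules approach such a rig runs. Unsalted SHA-256 stands in for the real hash type so the block needs only the standard library, and the accounts, passwords, wordlist and mangling rules are constructed. The point it makes is that three of the four passwords it recovers pass a typical complexity policy.

```python
"""Why 'meets complexity requirements' means little against a cracking rig.

Added example, not code from the newsletter or the OIG audit. The hash type
is a stand-in: unsalted SHA-256 keeps this runnable with only the standard
library, where the real targets would be NTLM hashes from a domain
controller. The accounts, passwords, wordlist and rules are constructed.
"""
import hashlib
import re
from typing import Dict, Iterator, List


def H(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def meets_policy(pw: str) -> bool:
    """A typical 'complex' policy: 12+ chars with upper, lower, digit, symbol."""
    return all([
        len(pw) >= 12,
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])


# A tiny wordlist plus a handful of mangling rules: this is the whole
# 'attack'. Real rigs use hundreds of millions of words and thousands of rules.
BASE_WORDS = ["password", "interior", "welcome", "summer", "changeme"]
SUFFIXES = ["", "1", "123", "1234", "-1234", "2022", "2023", "!", "2023!", "1234!"]
LEET = str.maketrans("aeos", "@30$")


def candidates(words: List[str]) -> Iterator[str]:
    """Yield every word in every case/leet form with every common suffix."""
    for w in words:
        for form in (w, w.capitalize(), w.upper(), w.capitalize().translate(LEET)):
            for sfx in SUFFIXES:
                yield form + sfx


def crack(targets: Dict[str, str], words: List[str]) -> Dict[str, str]:
    """Return {account: plaintext} for every target hash the rules reach."""
    by_hash: Dict[str, List[str]] = {}
    for acct, h in targets.items():
        by_hash.setdefault(h, []).append(acct)
    found: Dict[str, str] = {}
    for cand in candidates(words):
        for acct in by_hash.get(H(cand), ()):
            found[acct] = cand
    return found


def compliant_but_cracked(targets: Dict[str, str], words: List[str]) -> List[str]:
    """Accounts whose recovered password satisfied the complexity policy."""
    cracked = crack(targets, words)
    return sorted(acct for acct, pw in cracked.items() if meets_policy(pw))


# Constructed 'dump'. In practice only the hashes are known; the plaintexts
# are listed here solely so the demo can hash them and check itself.
PLAINTEXTS = {
    "jdoe":       "Password-1234",   # complex per policy, trivial to crack
    "asmith":     "Interior2023!",   # complex per policy, trivial to crack
    "admin_rlee": "P@$$w0rd1234!",   # leet-speak buys nothing
    "svc_backup": "Welcome123",      # fails policy AND falls
    "kchen":      "Tq7#Lw9!zVb2n",   # complex and actually random
}
DUMP = {acct: H(pw) for acct, pw in PLAINTEXTS.items()}

if __name__ == "__main__":
    hits = crack(DUMP, BASE_WORDS)
    for acct in DUMP:
        pw = hits.get(acct)
        status = "cracked: %s (policy ok: %s)" % (pw, meets_policy(pw)) if pw else "survived"
        print("%-11s %s" % (acct, status))
```

Two hundred candidates recover four of five accounts here; the single survivor is the one password that is random rather than a word with decoration, which is exactly the distinction a complexity checker cannot see and a blocklist-plus-length policy can.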
The Wall Street Journal investigated why recently laid-off workers are being flooded with fake job offers. https://www.wsj.com/articles/laid-off-workers-are-flooded-with-fake-job-offers-11673387875?mod=djemalertNEWS
Ransomware completely shuts down a Pennsylvania small business and forces the lay off of 500 workers. https://www.pennlive.com/news/2023/01/more-than-500-laid-off-after-virus-disables-computers-at-pa-wood-cabinet-plant.html
Cofense measures an 800% increase in the abuse of Telegram bots to run phishing campaigns. https://cofense.com/blog/cofense-intelligence-strategic-analysis/
HoHum. Another password manager's customers get pwnd. This time it was not a breach of the vendor: attackers took credentials leaked from other sites and replayed them against Norton Password Manager accounts (credential stuffing), which is precisely the attack that unique passwords and MFA exist to stop. https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
The greatest exif tool of all time - read, write, and edit the meta information of a file. https://exiftool.org/
Instagram video downloader (that seems to work) - https://indown.io/
Anti-Money Laundering/Transnational Crime Program Advisor - U.S. Department of State (Contractor) https://phe.tbe.taleo.net/phe02/ats/careers/requisition.jsp?org=CELESTAR&cws=1&rid=3216&source=Internet+-+Indeed
Don’t fall victim to Extension Neglect. https://www.lesswrong.com/posts/svjC22YAkcydMoS4Q/an-example-and-discussion-of-extension-neglect
Thank You For reading. Welcome new subscribers! For those who just browsed in - hopefully you stick around.
From the numbers, a large portion of subscribers never received last week's edition. I know that it got dropped by Yahoo mail for sure. You can always go back to the main page of the Newsletter and find all of the previous issues. Hint: there's been one every week for the past 112 weeks.
"Fools have no interest in understanding; they only want to air their own opinions" - Proverbs 18:2. (Or any regular reader of the Tw/oB newsletter).
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.