Security Updates 17th October 2019

The latest news finds the Cookie ‘Monster’ attacking Sesame Street’s Online Webstore, FIFA 20 has had a major user data breach, spoofing emails are becoming more and more elaborate and costing companies millions, and more …

Cookie Monster Malware Attacks Sesame Street Online Store

Thousands of online retailers – including Sesame Street’s online webstore – was found to be hacked by malware called Cookie ‘Monster’. The code was discovered buried within shopping cart software created by Volusion which is used by tens of thousands of web platform retailers worldwide.

Volusion themselves started that the issue of the malicious code was dealt “within a few hours of notification”. However, any public statements came after the malware was made public. The code was only discovered when a cyber-security specialist was on the Sesame Street webstore shopping for kids toys.

According to the BBC:

“Marcel Afrahim, a researcher at security firm Check Point, noticed the malicious code when he was browsing on the Sesame Street Live store.

In a blog, he wrote: ‘The compromise is not only unique to Sesame Street Store, and most likely any e-commerce website hosted on Volusion is probably running malicious code and posting the credit card info of the consumers to the outsider domain.’

He added that he had contacted Volusion but ‘it had not been responsive to take down down the malicious code.’ “

FIFA 20 Online Registration Data Exposure Breach

Electronic Arts, the video game giant behind the FIFA footballing video game series, has announced that personal information of other gamers was exposed during the registration period for the FIFA 20 Global Series event.

Those affected the most were live streamers of the event and they experienced disproportionate amounts of personal information being breached during this exposure event.

EA Sports announced:

“EA Sports, which publishes the game, apologised for the mistake.

Player privacy and security are of the utmost importance to us, and we deeply apologise that our players encountered this issue today”.

The error meant some players’ email addresses and birth dates were exposed to other gamers filling in the registration form.

The problem affected about 1,600 people, EA Sports said.

The company said it had found the “root cause” and was confident that players would not see the same mistake again.

Spoof Business Emails Costing Big & Small Business Billions Worldwide

A new and sophisticated spoof emailing fraud is growing fast. CEO spoof emailing has caused companies to lose millions.

One example saw a company finance officer get an email from his boss asking him to pay $8m dollars to a client to finalise a known acquisition. The email was sent from the boss’s actual email account and everyone in the company knew about the acquisition – it all seemed legitimate.

However, the company being acquired rang up and asked why it hadn’t been paid. The money had been sent, but not the company that was being acquired. Hackers had made off with millions before anyone knew what had happened.

Emails can be hacked. However, these attacks are not elaborate. They just require social engineering and short-term trickery to mask illegal activity.

However, individual hackers are now moving towards lower level employees with budgetary responsibility.

According to the BBC:

“The traditional targets for BEC attack are the “C-suite” figures of major companies, such as chief executive officers or chief finance officers.

But recently, criminals have been going for lower-hanging fruit.

The trend has also been noticed by cyber-security company Cofense.

In some cases, employees’ emails are spoofed, and the attacker asks the human-resources departments to send a victim’s wages to a new bank account.

A smaller but much wider reward system will be a deliberate attempt to fly below the radar to target financial processes that are likely to have weaker controls, yet still produce attractive returns,” said Dave Mount, from Cofense.”

High Tech Gadgets Vulnerable to Domestic Hack Attacks

Experts researching Internet of Things devices argue that many new gadgets that are literally designed to make people safer are actually putting them in danger of being watched by hackers.

A Buckinghamshire security specialist, Ken Munro, was allowed to hack a Bedfordshire family’s IoT device network.

According to the BBC:

“A Bedfordshire family allowed their devices to be infiltrated by Buckinghamshire cyber security expert Ken Munro to demonstrate just how easily their privacy could be compromised.

Brian Green, 68, bought a tracker designed for older people, but the team was able to listen to his private conversations.

Mr Green said: “The last thing I would have thought of is how vulnerable it makes people, when you actually are buying it to make people less vulnerable.”

In another case, the family’s “pet cam” was hacked, enabling Mr Munro and his team to spy on them at home.

Mr Munro said: “Two of the cameras we looked at, the plastic moulds are identical, yet one’s fairly secure and one’s really not very secure at all. How are you supposed to know?”

US Retailer Announces Investigation Results into EPOS Malware Attack

Hy-Vee, a major mid-market US grocery store chain, has announced the results of a two-month investigation into a malware attack that infected the company’s EPOS network.

According to Supermarket News:

“Hy-Vee said yesterday that the probe, assisted by leading cybersecurity firms, identified malware infecting POS devices at certain Hy-Vee fuel pumps, drive-through coffee shops and restaurants. The latter included Hy-Vee Market Grille, Hy-Vee Market Grille Express and Hy-Vee owned-and-operated Wahlburgers locations, as well as the cafeteria at the grocer’s West Des Moines, Iowa, headquarters.

Hy-Vee didn’t provide an estimate of the number of customers who might have been affected by the breach. However, the company noted that payment card transactions weren’t impacted at front-end checkout lanes, inside convenience stores, pharmacies and clinics, customer service counters, wine and spirits locations and floral departments. All other foodservice areas that use point-to-point encryption technology and transactions processed via Aisles Online also weren’t affected by the malware.”