Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Poorly-maintained E-commerce Sites Infected with Skimmers
Skimmers have increasingly infected online stores, stealing customer credit card details from their web browsers as they enter them for payment processing. In many cases, they are loaded as part of the payment-processing page, typically as third-party libraries that have somehow been included in error by developers, and the problem is exacerbated by the fact that security staff can see what is going on on their own systems, but not what third-party code is doing in customers' browsers.
Now researchers at Jscrambler report on three new threat groups using a new technique to run these attacks. In the first case, the threat actor acquired the expired domain name of a third-party marketing and analytics service called Cockpit, replacing its library with their own malicious code. Using this technique, the attackers were able to compromise over 40 e-commerce sites, exfiltrating credit card details to a C2 server based in Russia. The Cockpit service was shut down in 2014, but the sites had not removed the deprecated libraries - a very basic error.
In the other campaigns, the skimmer code is injected directly, as a fake Google Analytics integration, although the code is similar. In all cases, the site that hosts the JavaScript checks the HTTP Referer header value and, based on this, will either return no script at all (to make analysis more difficult), a default skimmer script, or a site-specific skimmer. The skimmer also typically only runs on two specific pages - the order page and the register page. All the campaigns make use of obfuscation techniques and encryption of exfiltrated data to hinder detection and analysis.
Fortuna, Pedro, Pedro Marrucho and David Alves, Defcon Skimming: A new batch of Web Skimming attacks, blog post, 5 November 2022. Available online at https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/.
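One defensive check that follows from both campaigns above is an audit of every external script a checkout page loads: flag hosts the site owner has not approved (where a long-defunct service's domain could have lapsed) and scripts with no Subresource Integrity hash, since SRI is what would stop a replaced library from loading. This is an added example, not code from Jscrambler or the original post; the HTML, hostnames and allowlist are constructed.

```python
"""Audit external <script> tags on a checkout page. Added illustration, not
code from Jscrambler or the original post; the HTML, hostnames and
allowlist below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, allowed_hosts):
    """Return (host, reason) findings for external scripts loaded from a host
    outside the allowlist (a deprecated service's domain may have lapsed and
    been re-registered) or carrying no Subresource Integrity hash, which is
    what would make a swapped library fail to load."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname
        if host is None:  # relative URL: first-party script, skip
            continue
        if host not in allowed_hosts:
            findings.append((host, "host not on allowlist"))
        if not integrity:
            findings.append((host, "no SRI integrity attribute"))
    return findings


# Constructed sample page: a first-party script, an approved payment library
# pinned with SRI, and a stale tracker left over from a defunct service.
SAMPLE_HTML = """
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-payments.com/pay.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="//stats.defunct-analytics.example/tracker.js"></script>
"""
ALLOWED_HOSTS = {"cdn.example-payments.com"}
```

Running `audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS)` reports the stale tracker twice (unapproved host, no SRI) and nothing for the other two scripts; the same allowlist can be turned into a Content-Security-Policy `script-src` directive to enforce it in the browser.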
Four Sydney Men Arrested for Part in $US100 million Online Scam
Four Chinese nationals living in Sydney have been arrested by the Australian Federal Police for their part in an online investments scam that has resulted in over $US100 million in losses world-wide. The arrests follow intelligence supplied by the US Secret Service which led the AFP to set up Operation Wickham to investigate the scam, in cooperation with the NSW Police Force.
The scam started with a range of social engineering techniques to gain the trust of potential victims via dating sites, employment sites and messaging platforms before mentioning investment opportunities. Once on the hook, victims were directed to a mixture of legitimate and fraudulent applications that deal in foreign exchange and cryptocurrency trading, but which have been manipulated to show a faked positive return on investments. Victims were also directed to a financial investment service which shows manipulated data through a legitimate application in order to encourage further investment while concealing the fact that their money has actually been stolen.
The four men who were arrested will appear in court in January, when police will allege they were used to register Australian companies in order to enhance the legitimacy of the fraud, as well as to launder the proceeds of the crime through Australian bank accounts (with $A22.5 million being restrained by the AFP in 24 bank accounts). Two of the men, aged 19, will be charged with recklessly dealing with proceeds of crime, while two others, aged 24 and 27, who were arrested in late November while trying to leave the country, are alleged to be the Australian 'controllers' of the syndicate.
AFP Media, Four men charged in Sydney for sophisticated cyber scam - world-wide losses expected to top US$100 million, media release, 9 December 2022. Available online at https://www.afp.gov.au/news-media/media-releases/four-men-charged-sydney-sophisticated-cyber-scam-world-wide-losses.
Google Opens Kimono on Android Privacy
Many Android features run continuously, accessing potentially sensitive information. For example, the Now Playing feature of Pixel phones continuously listens, through the microphone, in order to identify the music you can hear. Now, ask yourself how often you hear people say, "We were just talking yesterday about x, and today I'm getting lots of Facebook ads for x - I swear these machines are listening to us!", and you can begin to understand why many people have concerns about their personal privacy.
As phone brands compete on the level of proactive personalization they provide, they can only offer services such as traffic monitoring for efficient navigation as long as consumers are willing to make use of such features. To aid in this, Google has released details of, and open-sourced, a key component of the Android privacy architecture, called Private Compute Core. This is a secure and isolated component of the Android OS that allows users to control how, when and where data is processed, both on-phone and by cloud services - for example, the latest phones are sufficiently powerful to perform some translation tasks on the phone itself, without interacting with the cloud.
In particular, Private Compute Core supports federated learning and analytics, which allows training of machine learning models while keeping private data on the phone. In essence, this downloads a training model to a sample set of users' phones; the models train on the data and then return the training results - not the data - back to the cloud. Model testing is performed in a similar, distributed, fashion, and differential privacy is also applied.
Google has now released a white paper describing the Private Compute Core, which controls data privacy for this process, and has also open-sourced the code as a GitHub project.
Kleidermacher, Dave, Dianne Hackborn and Eugenio Marchiori, Trust in transparency: Private Compute Core, blog post, 8 December 2022. Available online at https://security.googleblog.com/2022/12/trust-in-transparency-private-compute.html.
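The federated learning round described above, as an added illustration rather than Google's Private Compute Core code: three simulated phones each hold private samples, train a one-feature linear model locally, and return only a clipped, noised weight update to the server, which never sees the samples. The data, clipping bound and noise level are constructed assumptions.

```python
"""Toy federated averaging with clipped, noised updates. Added illustration of
the mechanism described above, not Google's Private Compute Core code. Three
simulated phones each hold private (x, y) samples for a one-feature model
y = w*x; only a clipped, noised weight update ever leaves a phone."""
import random


def local_update(w, samples, lr=0.1, steps=20):
    """One phone: gradient descent on its own samples, returning only the
    change in w. The raw (x, y) pairs never leave this function."""
    w_local = w
    for _ in range(steps):
        grad = sum(2 * (w_local * x - y) * x for x, y in samples) / len(samples)
        w_local -= lr * grad
    return w_local - w


def clip(delta, bound):
    """Bound any single phone's influence on the aggregate (needed for DP)."""
    return max(-bound, min(bound, delta))


def federated_round(w, phones, clip_bound=1.0, noise_std=0.05, rng=None):
    """Server side: average the clipped updates and add Gaussian noise, a
    simplified differential-privacy mechanism. Only deltas arrive here."""
    rng = rng or random.Random(0)
    updates = [clip(local_update(w, s), clip_bound) for s in phones]
    return w + sum(updates) / len(updates) + rng.gauss(0, noise_std)


def train(phones, rounds=10, w0=0.0, seed=0):
    """Run several rounds; the server holds w but never any phone's data."""
    rng = random.Random(seed)
    w = w0
    for _ in range(rounds):
        w = federated_round(w, phones, rng=rng)
    return w


# Constructed private data: each phone's samples fit y = 2x exactly.
PHONES = [[(1.0, 2.0), (2.0, 4.0)], [(0.5, 1.0), (3.0, 6.0)], [(1.5, 3.0)]]
```

After ten rounds `train(PHONES)` lands close to the true weight 2.0, with the clipping bound slowing the first rounds and the noise leaving a small residual error; that residual is the price paid for bounding what any one phone's update reveals.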
Cisco Warns of VoIP Phone Vulnerability
Cisco has issued a security advisory for its IP Phone 7800 and 8800 series firmware. A vulnerability in the Cisco Discovery Protocol (CDP) code can allow an unauthenticated attacker on the LAN to perform a stack smashing attack, allowing at least a denial of service, if not remote code execution.
There are no workarounds, other than disabling CDP and relying on Link Layer Discovery Protocol (LLDP) to allow the phone to discover its VLAN, negotiate PoE, etc. - but this is a non-trivial and labour-intensive process. Enterprises which have been diligent in separating VoIP traffic from other data - ideally on a physically-separate network, if not a VLAN - will be much harder to exploit than those which have not, but ultimately the only fix is to obtain and deploy updated firmware, which will be released in January.
Cisco, Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability, security advisory, 8 December 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.