The SecuriTea News - Issue #17

Each week The SecuriTEA Report brings you the latest Cybersecurity News. Receive even more information by signing up for our newsletter. Here's what's new for this week:

Disney Account Hack Or Bad User Password Management?

Disney + launched recently and if you are like my mom, chances are you have already watched Aladdin several times. Soon after its release, and a couple of server capacity blunders, users started complaining that their account information had been stolen, and reports found that thousands of accounts had indeed been compromised. Disney, though, said it found no signs of a security breach. If these thousands of valid passwords weren't stolen from Disney servers, how did they make their way onto the dark web so quickly? It is more than likely due to subscribers reusing the same password for other accounts, on their Disney + account giving attacks free rein to log in, change the password and take over their accounts. An investigation by ZDNet showed that the account details available on underground forums include username, password, subscription type, and expiration date. This situation emphasizes the importance of good password hygiene and to NEVER, EVER, and I mean EVER reuse passwords across different accounts. I know it is hard to keep up with the many passwords because everyone wants you to sign up but it is imperative to not make it easy for attackers to hit their jackpot. Invest in a password manager (like 1password) to store all of your passwords.

Those Black Friday Deals Aren't The Only Thing Looking To Be Stolen.

'Tis the season for grabbing the latest tv or holiday deals for Black Friday but shoppers aren't the only people looking for a steal. The holiday season is prime time for hackers to trick users and steal as much information as possible to turn a profit. It has been reported that more than 100,000 look-alike domains (aka URLs, such as www.google.com) have been registered to trick holiday shoppers into clicking on the fake site. So, for example, say you wanted to go to www.iWantThatNewGucci.com to buy the latest item but were in a rush and typed in www.iWantThatNeewGucci.com instead. The misspelled website will look exactly like the old one and will trick you into entering your credit card information there instead of the legitimate site and bam, payday has arrived for the attackers while you don't receive any of your "purchased" items. It's no mistake why this occurs during the holiday season - according to Business Insider, 2018 holiday e-commerce sales were responsible for $126 billion in sales, a 16.5 percent increase from the $108.2 billion generated in 2017. Increased consumer spending will significantly increase cyberattacks as bad actors also prepare to profit from the holiday season. **ALWAYS double-check the website you are entering credit card information on. If possible, pay through third-party's, like Paypal, so they can investigate and stop fraud payments preemptively. And lastly, never ever ever ever click on random, insecure links to purchase items from.**

Google & Samsung Flaw Allows Attackers To Remotely Spy via Camera App.

It has been confirmed by Google that a flaw exists that allows an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. It has the potential to affect hundreds of thousands of users and is their biggest flaw found to date. A research team at Checkmarx, a security firm, found several vulnerabilities in the Google camera app that were initiated by issues allowing an attacker to bypass user permissions settings. “Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.” There is a myriad of ways for this technique to work (and which this article goes into more detail). Disclosure at the moment is still being worked out by Google and Samsung but the issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners so go patch your phone people.

Macy's Latest Company To Find Credit Card Scam on Website.

Magecart is the name of a notorious credit-card skimmer software that can be injected onto an unsuspecting website in the hopes of getting shoppers to enter their credit card information. The way a web skimmer works is that it is injected, by hackers, into targeted websites (in this case Macy's website) and is designed to steal data entered into online payment forms on e-commerce websites. When a visitor goes to that website, the skimmer will then scoop up personal details entered on the site. It is an attack commonly used and has been found on two Macy.com websites. According to a data breach notice sent to customers, “an unauthorized third party added unauthorized computer code” to Macys.com on Oct. 7. The code, which was discovered and removed on Oct. 15, was collecting customers’ first and last names, addresses, phone numbers and email addresses, payment card information (including number, security code, and expiration dates). “There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name. Nonetheless, you should remain vigilant for incidents of financial fraud and identify theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer,” said Macy’s in its data breach notice.

Google Ups The Ante to $1 Million Dollars.

Google is willing to award up to $1.5 million to hackers who can successfully hack its Titan M security chip on the company’s Pixel devices as part of an expansion of its Android bug-bounty program unveiled this week. For those not familiar with bug bounty programs they are a way for companies to encourage white-hat hacking (aka ethical hacking), meaning they want someone to break into their devices so that way they can fix it quickly before a malicious hacker (aka black-hat hacker) figure it out first and exploits their products to hurt consumers. The company revealed increased payouts to its Android Security Rewards in a blog post Thursday. Google already has paid out more than $4 million in 1,800 reports to those who’ve identified vulnerabilities on the platform, it said. The expansion of the program focuses mainly on Google’s own technology rather than the greater ecosystem, with the company offering a significant prize for hackers to test the security of its Titan security chip on forthcoming versions of Android. So if you are interested in following the path of hacking to make money, bounty programs are a good place to head into.

And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News. Follow us on social media for daily news.