Hackers breach Volusion and start collecting card details from thousands of sites


  • Hackers have breached Volusion, a provider of cloud-hosted online stores, and are collecting personal card details from thousands of sites.
  • The hackers are delivering malicious code that records and steals the payment card details entered by users in online forms. More than 6,500 stores have been compromised, but the number could be around 20,000. Similar attacks followed over the summer, and in most, hackers targeted misconfigured Amazon Web Services accounts. The Volusion incident that’s currently underway is the first one traced back to Google Cloud.

*Source: ZDNet, October 08, 2019


Chinese Hackers Use New Cryptojacking Tactics to Evade Detection


  • Chinese cybercrime group Rocke, known for operating multiple large-scale malicious crypto-mining campaigns, is using new cryptojacking tactics to evade detection.
  • The financially motivated threat group, Rocke, was first spotted in April 2018 by Cisco Talos researchers while exploiting unpatched Apache Struts, Oracle WebLogic, and Adobe ColdFusion servers, and dropping crypto-mining malware from attacker-controlled Gitee and GitLab repositories. The hackers have now switched to new Tactics, Techniques, and Procedures (TTPs), including new C2 infrastructure and updated malware to evade detection.

*Source: BleepingComputer, October 10, 2019

Malware That Spits Cash Out of ATMs Has Spread Across the World


  • Malware called “Cutlet Maker”, which is designed to make ATMs eject all of the money inside them and was first noticed in Germany, has now spread across the world.
  • A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.

*Source: Vice, October 15, 2019

Student tracking, secret scores: How college admissions offices rank prospects before they apply


  • The University of Wisconsin-Stout installed tracking software on its school website which reveals personal data such as web-browsing habits and financial history to “learn” more about prospective students.
  • Colleges are collecting more data about prospective students than ever before. The Post shows that at least 44 public and private universities in the United States work with outside consulting companies to collect and analyze data on prospective students, by tracking their Web activity or formulating predictive scores to measure each student’s likelihood of enrolling. The practices may raise a hidden barrier to a college education for underprivileged students.

*Source: Washington Post, October 15, 2019

Sextortion botnet spreads 30,000 emails an hour


  • A “sextortion” botnet is making use of a network of more than 450k hijacked computers to send aggressive emails, researchers have warned.
  • The emails threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin. And they contain personal information – such as the recipient’s password – probably gathered from existing data breaches, to specifically target more than 27 million potential victims at a rate of 30,000 per hour. While analysis suggests a small fraction of targets have fallen for the ploy, one expert said such botnets still offered a great “return on investment” for cyber-criminals.

*Source: BBC, October 16, 2019

Sweden’s first GDPR fine sets the regulatory tone


  • Secondary school fined £16,000 for breaching General Data Protection Regulation, signaling the attitude of Sweden’s Data Protection Authority.
  • Secondary school Anderstorpsskolan in Skellefteå used face recognition technology in a time-limited test to identify students attending classes. The school carried out the test for a few weeks, tracking 22 students. The regulator found the school’s board to have violated GDPR law. The DPA ruled that biometrics is sensitive personal data, and it was not enough that the students’ parents had given their consent for the exercise.

*Source: ComputerWeekly, October 16, 2019