Check out my latest column in CSO that recaps a theme running through last week’s VB2021 conference, how shape-shifting threat actors complicate attack attribution.

Researchers at CheckPoint discovered that an attacker could leave NFT marketplace OpenSea account owners with an empty cryptocurrency balance by luring them to click on malicious NFT art.

The simple attack method involved creating an NFT with a malicious payload and waiting for a victim to take the bait and view it. Check Point researchers informed OpenSea of their findings on September 26. After collaborating with CheckPoint, OpenSea came up with a solution in less than an hour from the responsible disclosure. (Ionut Ilascu / Bleeping Computer)

Related: ZDNet Security, The Verge, Security News | Tech Times, ZDNet Security, Spyware news, VentureBeat, CyberNews, Engadget, The Hacker News, Check Point, Threatpost

In a threat analysis report, Apple said that its iOS devices are locked into the App Store for security reasons because this allows its security teams to scan applications for malicious content before they reach users.

Apple issued the report against a backdrop of an antitrust investigation in the EU into Apple’s anti-competitive practices, including Apple’s requirement that app developers use its proprietary App Store for app installations and payments. (Catalin Cimpanu / The Record)

Related: MacRumors, iMore, 9to5Mac, ZDNet, MacDailyNews, Apple, Security News | Tech Times, The Verge, Times of India, iClarified, Computerworld Security, Slashdot, Asia One Digital, The Register

U.S. wireless carrier Visible, owned by Verizon, admitted that threat actors were able to access usernames or passwords from outside sources and exploit that information to log in to Visible accounts in what is known as a credential stuffing attack.

Visible said it has deployed tools to mitigate the issue and told customers that if they use the same username and password across multiple accounts, they should update those details. (Duncan Riley / Silicon Angle)

Related: PhoneArena, SlashGear » security, AndroidHeadlines.com, Bleeping Computer, The Record, Reddit

Visible @Visible

We're aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we initiated a review & deployed tools to mitigate the issue, enabling additional controls to further protect our members.🧵

October 13th 2021

4 Retweets32 Likes

Research by Alex Holden, founder of cybersecurity firm Hold Security, discovered that phishers are trying to sign up for new cryptocurrency exchange Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

One now-defunct phishing domain at issue, coinbase.com.password-reset[.]com, was successful at targeting Italian Coinbase users. (Brian Krebs / Krebs on Security)

Related: Slashdot

Fraudsters duped a bank manager in the United Arab Emirates as part of an elaborate scam that used “deep voice” technology to clone a bank director’s speech to authorize around $35 million in fraudulent transfers.

The U.A.E believes it was an elaborate scheme that sent the funds to bank accounts across the globe. It involved at least 17 individuals. (Thomas Brewster / Forbes)

Lukasz Olejnik @lukOlejnik

Deepfake technology used in fraud? “fraudsters had used “deep voice” technology to clone the director’s speech” forbes.com/sites/thomasbr…

October 14th 2021

6 Retweets16 Likes

Thomas Brewster @iblametom

The only other time we’ve seen voice cloning used in a cybercrime was in 2019 and only $200k was stolen. $35m is huge. This was a well-orchestrated heist, according to the court doc, and involved at least 17 people, Dubai investigators believe.

Thomas Brewster @iblametom

SCOOP - And a wild one… Fraudsters used “deep voice” tech - as in deep fake for speech - to clone a company director’s voice. They then convinced a bank manager to send $35 million to various accounts across the world. AI-powered cybercrime is big. https://t.co/4MERyCOG9g

October 14th 2021

19 Retweets27 Likes

Taiwanese computer giant Acer confirmed that its after-sales service systems in India were recently breached in what the company called "an isolated attack."

A threat actor has already claimed the attack on a popular hacker forum, saying they stole more than 60GB of files and databases from Acer's servers. The allegedly stolen data include client, corporate, and financial data and login details belonging to Acer retailers and distributors from India. (Sergiu Gatlan / Bleeping Computer)

Related: Hindustan Times, channelnews, The Record

Broadcom's Symantec Threat Hunter Team discovered a new ransomware strain, dubbed Yanluowang ransomware, used in highly targeted attacks against enterprise entities.

Yanluowang will stop hypervisor virtual machines, end all processes harvested by the precursor tool (including SQL and Veeam), encrypt files, and appends the .yanluowang extension. It also drops a ransom note named README.txt that warns its victims not to reach out to law enforcement or ask ransomware negotiation firms for help. (Sergiu Gatlan / Bleeping Computer)

Related: Security Affairs, Broadcom

Share Metacurity

The University of Sunderland in the UK has admitted that a suspected cyberattack has caused “extensive IT issues” that have led to online classes being halted and staff facing difficulties accessing email.

Students are urged to continue to attend on-campus classes and contingency measures are being put in place to support remote learning. (Ross Robertson / Sunderland Echo)

Related: Silicon UK, Infosecurity Magazine, Computing.co.uk

The Office of the Australian Information Commissioner (OAIC) has found that convenience store chain 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.

From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, installed in 700 stores, captured customers' facial images at two points during the survey-taking process. The facial images uploaded to a server as algorithmic representations, or "faceprints,” that were then compared with other faceprints to exclude responses that 7-Eleven believed may not be genuine. 7-Eleven has been ordered to cease collecting facial images and faceprints as part of the customer feedback mechanism and destroy all the faceprints it collected. (Campbell Kwan / ZDNet)

Related: Security News | Tech Times, iTnews - Security

Thingiverse, a website dedicated to sharing user-created digital design files, has reportedly leaked a 36GB backup file containing 228,000 unique email addresses and other personally identifiable information.

Troy Hunt, the Have I Been Pwned data breach notification service creator, cites this data set's circulation on a popular hacking forum. (Mihir Bagwe / Data Breach Today)

Have I Been Pwned @haveibeenpwned

New breach: Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes. 83% of addresses were already in @haveibeenpwned. More: Thingiverse Data Leak Affects 228,000 SubscribersThingiverse, a popular website dedicated to sharing user-created digital design files, has reportedly leaked a 36GB backup file that contains 2.5 million uniquedatabreachtoday.com

October 14th 2021

217 Retweets243 Likes

Cybersecurity-as-a-service start-up Black Kite has raised $22 million in series B funding round.

Volition Capital led the round with participation from existing investors Moore Strategic Ventures, Glasswing Ventures, and Data Point Capital. (Kyle Wiggers / Venture Beat)

Related: MSSP Alert, Venture Capital Journal, Boston Globe, FinSMEs

Photo by Brian Wangenheim on Unsplash