SIM swapping gang targeting celebrities arrested
Eight men were arrested by the UK National Crime Agency in the past week across England and Scotland as part of a coordinated crackdown against the group. The group targeted well-known sports stars, musicians, and influencers, tricking mobile operators into transferring the victims' phone numbers to SIM cards the attackers controlled, then resetting passwords and bypassing two-factor authentication on the victims' accounts. Europol said the gang stole more than $100 million worth of cryptocurrency using this method.
Researcher demonstrates the vulnerability of open source to supply chain attacks
Security researcher Alex Birsan was able to breach the internal systems of 35 major companies using a novel software supply chain attack on open source repositories. Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber were among the companies shown to be vulnerable. Birsan uploaded malware to several open source package repositories, including PyPI, npm, and RubyGems, from which it was pulled downstream into the companies' builds. Birsan had noticed that a manifest file for an internal npm package listed private package names. He then published identically named packages containing the malware to the public npm registry, and the public package always took priority over the private one. Birsan disclosed on GitHub that the packages he added were for security research, and he has been paid over $130,000 in bug bounties for the work.
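The attack works because a build pulls a dependency by bare name and a public registry can serve a package of that name. A defender's first step is to find which internal dependencies are exposed that way. The following checker is an added example written for this summary, not code from the article or from Birsan's research: it reads a package.json, compares it against a list of names known to exist only on an internal registry, and flags unscoped internal packages as well as scoped ones whose scope is not pinned to a registry in .npmrc. The manifest, the internal package list, the `@acme`/`@acme-labs` scopes and the registry URLs are all constructed sample values.

```python
"""Dependency-confusion exposure check for an npm manifest.

Added illustrative example (not from the article or Birsan's research): given a
package.json and the set of package names known to live only on an internal
registry, flag the ones a public registry could shadow.
"""
import json
import re

# Constructed sample manifest mixing public, unscoped-internal and scoped-internal deps.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-internal-app",
    "dependencies": {
        "express": "^4.17.1",
        "acme-auth-client": "1.4.0",        # internal, unscoped: anyone can claim the name publicly
        "@acme/telemetry": "2.0.3",         # internal, scoped, scope pinned below
        "@acme/feature-flags": "0.9.1",     # internal, scoped, scope pinned below
        "@acme-labs/reporting": "1.0.0",    # internal, scoped, but scope NOT pinned
    },
    "devDependencies": {
        "acme-build-tools": "^3.0.0",       # internal, unscoped
        "jest": "^26.6.3",
    },
})

# Constructed list of packages that exist only on the internal registry.
INTERNAL_PACKAGES = {
    "acme-auth-client", "@acme/telemetry", "@acme/feature-flags",
    "@acme-labs/reporting", "acme-build-tools",
}

# Constructed .npmrc: only the @acme scope is pinned to the internal registry.
SAMPLE_NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

SCOPE_RE = re.compile(r"^(@[^/]+)/")
NPMRC_SCOPE_RE = re.compile(r"^(@[^:]+):registry=(\S+)$")


def parse_scope_registries(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=' line in an .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = NPMRC_SCOPE_RE.match(line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def all_dependencies(manifest):
    """Yield (section, name) for every dependency across the manifest's sections."""
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            yield section, name


def find_confusion_risks(package_json_text, internal_packages, npmrc_text):
    """Flag internal dependencies that a public registry could shadow.

    Two kinds of finding are reported:
      - 'unscoped': an internal package with no @scope; the bare name can be
        published to the public registry and, absent a pin, may be resolved first.
      - 'scope-not-pinned': a scoped internal package whose scope has no
        '@scope:registry=' entry, so resolution falls through to the default registry.
    """
    manifest = json.loads(package_json_text)
    pinned = parse_scope_registries(npmrc_text)
    findings = []
    for section, name in all_dependencies(manifest):
        if name not in internal_packages:
            continue  # public packages are out of scope for this check
        m = SCOPE_RE.match(name)
        if m is None:
            findings.append({"name": name, "section": section, "risk": "unscoped"})
        elif m.group(1) not in pinned:
            findings.append({"name": name, "section": section, "risk": "scope-not-pinned"})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for f in find_confusion_risks(SAMPLE_PACKAGE_JSON, INTERNAL_PACKAGES, SAMPLE_NPMRC):
        print(f"{f['risk']:18} {f['section']:16} {f['name']}")
```

On the sample input the checker reports the two unscoped names and the `@acme-labs` package, while the two `@acme` packages pass because their scope is pinned. The usual fix for each finding is the same: move internal packages under an organization scope that is registered on the public registry and pinned in .npmrc, so a bare public name can never satisfy the dependency.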
Google study looks at high-risk victims of email attacks
A new study by Google and Stanford looked at 1.2 billion malicious emails blocked by Google over the past five months to determine who was most at risk from these types of attacks. The study found that users whose data had previously been leaked by a third party were five times more likely to be targeted by phishing and malware in email. Australian users were twice as likely as Americans to be targeted, and users aged 55 to 64 were 1.6 times more likely to be targeted than those aged 18 to 24. Users who accessed Gmail on both desktop and mobile devices were also more likely to be targeted. Using two-factor authentication showed only a “nominal difference” in mitigating the risk.
Facebook stops showing Messenger link previews in the EU
Security researchers Talal Haj Bakry and Tommy Mysk noted the recent change. It seems to indicate that something collected through the link previews violated the EU’s ePrivacy Directive; the researchers suspect it violated provisions around limiting personal data access to authorized personnel for legal purposes, the need to inform users of the risks of a data breach, and the need to obtain user consent after providing “clear and comprehensive information” about how data is collected. The same researchers found back in October that Facebook Messenger downloaded the entire contents of any link to its servers, regardless of size, when generating a preview.
Thanks to our episode sponsor Altitude Networks
TikTok divestment indefinitely suspended
The Wall Street Journal’s sources say the US plan to have ByteDance divest TikTok’s North American operations to a group including Oracle and Walmart has been indefinitely suspended. White House spokespeople have said the administration is developing a comprehensive approach to the risks posed by Chinese apps. A formal response to TikTok’s court challenge against the executive order targeting it is due February 18. A separate order restricting transactions with eight Chinese companies, including Alipay, is also set to take effect next week.
Cyberpunk 2077 developer hit with ransomware
The game developer CD Projekt Red disclosed that it suffered a ransomware attack, with the threat actors pledging to release allegedly obtained source code for Cyberpunk 2077, Witcher 3, Gwent, and an “unreleased version of Witcher 3” if a ransom is not paid. Bleeping Computer reports that the ransomware group HelloKitty, active since at least November 2020, was behind the attack. The developer said that while some data was encrypted, it had adequate backups and will not negotiate with the attackers. It does not believe any personal data of players or service users has been compromised.
Twitter clarifies about its ban on Trump
In a recent interview, Twitter Chief Financial Officer Ned Segal was asked how the platform would handle the account of former President Trump in the long term, specifically if he ran for office again. Segal said, “our policies are designed to make sure that people are not inciting violence, and if anybody does that, we have to remove them from the service and our policies don’t allow people to come back.”
Google expands election security efforts
In a blog post, the company said it will offer free training to state and federal campaigns in all 50 states, as part of an expansion of its work with the Defending Digital Campaigns nonprofit group. These efforts will also include nonpartisan virtual cybersecurity trainings for state and federal campaigns across the country, as well as setting up a “help desk” to answer security-related questions by campaigns. During the 2020 campaign, Google provided free two-factor authentication keys to more than 140 federal campaigns.