British Airways (BA) has reported that it suffered a data breach that compromised names, email addresses and credit card information. BA suspects the breach was the result of criminal activity, and has notified the police and the relevant authorities.
The NCSC is working with partners to better understand this incident and how it has affected customers, and has published a statement. It has been reported that up to 380,000 customers could have been affected. The incident is thought to affect customers who made bookings on the BA website or app between 21 August and 5 September 2018. BA has confirmed that the compromised data includes names, email addresses and credit card information, and is publishing its latest information for customers on its own website.
Mobile spyware hacks and breaches
Media sources have reported multiple hacks and a data breach affecting businesses that offer mobile spyware as a service. In the last week TheTruthSpy, Family Orbit and mSpy have all been compromised. The NCSC previously reported on a similar data breach of the TeenSafe app back in May.
Mobile spyware is software used to monitor a mobile phone's use, activity and the location of the individual carrying it. It is often used by parents to check on their children; it has also been used by individuals wanting to spy on current or former partners and spouses.
The information exposed consisted of account information from those using and paying for the service, as well as the information collected from those individuals being monitored. Mobile spyware apps generally collect similar types of data from the subjects they monitor, often consisting of: call logs, SMS, messages sent by third party apps and services, real time location details and history, photographs stored on the mobile device and audio call recordings. This means a significant amount of personal and sensitive data has been exposed, and could potentially be used for blackmail or criminal activity.
Users of these compromised mobile spyware services should remain vigilant for any unusual activity on bank accounts or credit cards, and should take steps to protect the users of the devices on which they installed the software. If you have used the same password for any other account, change it immediately: attackers know that many people re-use passwords, and will try stolen credentials against other sites (credential stuffing) in the hope that one of them works.
To ensure that no one can access your mobile device without your permission, make use of your device's security features, such as PIN protection, a password or a biometric lock. The NCSC has published guidance on keeping mobile devices safe.
Domain abandonment and hijacking
Gabor Szathmari, an independent Australian cyber security researcher, has published a blog post highlighting the dangers of allowing corporate domain names to expire. Known as domain name abandonment, this happens when companies that have merged, been acquired, changed name or gone out of business let their old domain name lapse; the name then becomes available for anyone to re-register through a domain registrar. Whoever re-registers the domain receives any email still being sent to it, and that is what allows a threat actor to gain access to, or reset passwords for, online services and profession-specific portals.
In the blog post, the researcher describes purchasing six domain names formerly belonging to several Australian law firms. Once the domains were re-registered, mail for every address at each domain was configured to forward to a single account controlled by the researcher (a catch-all mailbox). The new domain owner then simply sat back and watched the email arrive (25,000 messages in total).
The researcher used an online service to search for expired domain names linked to Australian law firms (a similar search for expired .co.uk domains containing the word “solicitors” revealed over 4,000 recently expired domains).
The researcher published several redacted screenshots of emails showing an abundance of sensitive material, such as bank statements, supplier invoices, court proceeding transcripts, divorce settlement negotiations and mobile phone billing information, all obtained by simple passive monitoring over three months.
In addition, he searched data breach notification websites for email addresses previously associated with the domains. Because he now controlled the domains, he was able to register them with the breach notification site and so reveal the leaked passwords previously associated with those addresses, identifying multiple email addresses belonging to legal professionals and staff in the process. This allowed him to show that "legal professionals are guilty of using weak passwords on online services and tend to reuse them across multiple websites".
Using only valid email addresses found on the data breach sites, the researcher showed that he could have performed password resets on the social networks LinkedIn, Facebook and Twitter, and on the file storage service Dropbox, since the reset links are emailed to the address on the account and that mail now arrived in his catch-all mailbox. He was able to log into profession-specific web portals: the Australian Commonwealth Courts as well as State, District and Local courts. Finally, he was able to log into the LEAP Practice Management Platform, software commonly used (in the UK and Australia) for managing legal practices, including client files, legal documents, trust accounting and billing. Had he wished, the researcher could also have reset passwords on PayPal and Google. His attempt to reset an Office 365 password was defeated by two-factor authentication.
Domain abandonment does not just affect data security: in October 2017, IBM broke its cloud global load balancer and reverse DNS service for 21 hours when it allowed three of its domains to expire.
Domain name abandonment and hijacking is not a widely recognised security risk, even among cyber security professionals, and many businesses leave themselves exposed to attack by allowing their former domain names to expire.
Organisations can protect themselves against domain hijacking in several ways, including:
Setting the domain (and any previous domains the organisation has used) to auto-renew each year indefinitely, and keeping the payment details on the registrar account current
Locking the domain at the registrar (a registrar or transfer lock, shown as the clientTransferProhibited status) to guard against unauthorised domain transfers
Ensuring all domain name contacts have valid contact information, and that renewal notices do not go only to an address on the domain itself, which stops working if the domain lapses
Closing, or moving to a current email address, any user accounts that were registered with the business email address (e.g. Dropbox, PayPal, LinkedIn, Facebook)
Enabling two-factor authentication (2FA or MFA) wherever an online service supports it
Using unique and complex passwords
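The attack described above works because nobody was watching the old domains, and the defences listed above are all things that can be checked mechanically. The script below is an added example written for this report, not code from the researcher's blog or from the NCSC: it audits an inventory of current and former domain names from RDAP-style records (the RFC 9083 JSON shape, with an "expiration" event, RFC 8056 status names and jCard contact data) and flags names that are unregistered, expired, expiring soon, missing a registrar transfer lock, or whose only registrant contact is an address on the domain itself. The records, the domain names and the fixed audit date are constructed for the example; a live run would fetch each record from an RDAP server such as https://rdap.org/domain/<name>, which is an assumption about your tooling, not part of the report.

```python
"""Audit current and former domain names for abandonment and hijacking risk.

Added example for this report, not code from the researcher's blog or the NCSC.
Consumes RDAP-style domain records (RFC 9083 JSON: an "events" list with an
"expiration" eventAction, a "status" list using RFC 8056 names, and "entities"
carrying jCard contact data) and reports what needs attention. The inventory
below is constructed test data with placeholder domain names.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# RDAP status values that indicate a registrar transfer lock (RFC 8056 names).
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def expiry_date(record: dict) -> datetime | None:
    """Return the expiration event date from an RDAP domain record, or None."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def registrant_emails(record: dict) -> list[str]:
    """Collect e-mail addresses from entities holding the registrant role."""
    emails = []
    for entity in record.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        # vcardArray is ["vcard", [[name, params, type, value], ...]] (jCard, RFC 7095)
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                emails.append(prop[3])
    return emails


def audit_domain(name: str, record: dict | None, today: datetime, warn_days: int = 60) -> list[str]:
    """Return findings for one domain; an empty list means nothing to act on."""
    name = name.lower()
    if record is None:  # RDAP lookup returned 404: nobody holds the name
        return ["not registered: anyone can register it and receive the domain's mail"]
    findings = []
    expiry = expiry_date(record)
    if expiry is None:
        findings.append("no expiration date in record: confirm renewal status with the registrar")
    elif expiry < today:
        findings.append(f"expired on {expiry.date()}: renew or re-register immediately")
    elif expiry - today <= timedelta(days=warn_days):
        findings.append(f"expires in {(expiry - today).days} days: confirm auto-renew and payment details")
    statuses = {s.lower() for s in record.get("status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock: enable the registrar lock (clientTransferProhibited)")
    emails = registrant_emails(record)
    if not emails:
        findings.append("no registrant e-mail: renewal notices have nowhere to go")
    elif all(e.lower().endswith("@" + name) for e in emails):
        findings.append("registrant e-mail is on this domain: renewal notices are lost once it lapses")
    return findings


def audit_all(records: dict[str, dict | None], today: datetime, warn_days: int = 60) -> dict[str, list[str]]:
    """Audit every domain in the inventory; former and acquired names belong in it too."""
    return {name: audit_domain(name, rec, today, warn_days) for name, rec in records.items()}


def _record(expires: str, status: list[str], email: str) -> dict:
    """Build a minimal RDAP-shaped record (constructed test data, not a live lookup)."""
    return {
        "events": [{"eventAction": "expiration", "eventDate": expires}],
        "status": status,
        "entities": [{"roles": ["registrant"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["email", {}, "text", email]]]}],
    }


# Constructed inventory; the audit date is fixed so the output is repeatable.
TODAY = datetime(2018, 9, 7, tzinfo=timezone.utc)
INVENTORY = {
    "current-firm.example": _record("2018-10-15T00:00:00Z", ["client transfer prohibited", "active"],
                                    "it@current-firm.example"),
    "old-firm-name.example": _record("2018-06-30T00:00:00Z", ["inactive"], "admin@old-firm-name.example"),
    "merged-brand.example": None,
    "holding-co.example": _record("2019-09-01T00:00:00Z", ["client transfer prohibited", "active"],
                                  "domains@parent-company.example"),
}

if __name__ == "__main__":
    for domain, findings in audit_all(INVENTORY, TODAY).items():
        print(domain, "->", "; ".join(findings) or "OK")
```

The inventory is the part that matters most: it has to include every name the organisation has ever used for email, including those inherited through mergers and acquisitions, because the researcher's targets were exactly the names nobody had on a list any more. Running the check on a schedule, and treating "expires soon" as a ticket rather than a warning, is the point of the exercise.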