Security Newsletter
21 January 2019
Hackers infect e-commerce sites by compromising their advertising partner
Magecart, one of the most notorious hacking groups, which specializes in stealing credit card details from poorly secured e-commerce websites, has struck again. According to security researchers from RiskIQ and Trend Micro, cybercriminals of a new subgroup of Magecart, labeled "Magecart Group 12," recently compromised nearly 277 e-commerce websites by using supply-chain attacks.
Magecart is the same group of digital credit card skimmers that made headlines last year for carrying out attacks against big businesses including Ticketmaster, British Airways, and Newegg. Typically, the Magecart hackers compromise e-commerce sites and insert malicious JavaScript code into their checkout pages. The code silently captures the payment information of customers making purchases on the sites and then sends it to the attacker's remote server.
The third-party library targeted by Magecart Group 12 belongs to a French online advertising company called Adverline, whose service is used by hundreds of European e-commerce websites to display ads.
Read More on TheHackerNews
Even More on TrendMicro's Blog
 
Bug in Fortnite Authentication Left Accounts Open to Take Over
A weakness in Epic Games' authentication process for the highly popular Fortnite left gamers' accounts exposed to takeover. An attacker could have stolen login tokens just by tricking the victim into clicking a link.
The combination of an unvalidated subdomain and a cross-site scripting (XSS) flaw in another subdomain allowed security researchers to bypass the protections implemented by the single sign-on (SSO) access control mechanism used for logging into Fortnite.
Epic Games fixed the issues in early December and did not say if they were exploited before that. Fortnite enjoys mad popularity, with at least 78 million monthly players, while statistics point to around 200 million registered users. Its players are often targeted for the V-Bucks (short for Vindertech Bucks or Vinderbucks) in their accounts, an in-game currency that can be used to get cosmetic items for your character or to give it a competitive advantage through weaponry. Since real money is involved, criminals often use Fortnite to launder their proceeds by buying V-Bucks with stolen credit cards. The in-game currency is then sold at a discounted price. At the moment, 1,000 V-Bucks cost $10.
Read More on BleepingComputer
Hacking Fortnite Accounts (CheckPoint Research)
 
Data Breach Collection Contains 773 Million Unique Emails
On Thursday, Australian information security expert Troy Hunt warned that a collection of email address and password combinations that's currently in circulation contains 2.7 billion rows. He says the massive collection of breached data, called "Collection #1," appears to have been compiled from a hodgepodge of sources, and contains 773 million unique email addresses.
The name for the collection comes from the name of the root folder storing all of the data, which is contained in more than 12,000 files and totals 87 GB of data. Hunt says he was alerted to the existence of the collection, which was available via the MEGA file-sharing service - it's been removed - and which has since been shared on at least one hacking forum.
One likely use for all of this data is for credential-stuffing attacks, which is the practice of taking username/password combinations and trying them out on other websites to see where they work. If an individual reuses the same email address and password combination on multiple sites, so can attackers. Last week, for example, many people suspected that streaming service Spotify had suffered a breach, because of lists of "Spotify" usernames and passwords that were being published to text-sharing sites such as Pastebin.
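The Python below is an added example, not part of the original newsletter or its sources. It shows how a defender might spot the pattern described above in authentication logs: one source trying many distinct accounts a few times each and mostly failing. The log format, thresholds, and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-01-21T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-21T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-21T10:00:03Z 203.0.113.7 carol@example.com FAIL
2019-01-21T10:00:04Z 203.0.113.7 dave@example.com FAIL
2019-01-21T10:00:05Z 203.0.113.7 erin@example.com OK
2019-01-21T10:00:06Z 203.0.113.7 frank@example.com FAIL
2019-01-21T10:01:10Z 198.51.100.20 bob@example.com FAIL
2019-01-21T10:01:25Z 198.51.100.20 bob@example.com OK
2019-01-21T10:02:00Z 192.0.2.55 alice@example.com FAIL
2019-01-21T10:02:01Z 192.0.2.55 alice@example.com FAIL
2019-01-21T10:02:02Z 192.0.2.55 alice@example.com FAIL
2019-01-21T10:02:03Z 192.0.2.55 alice@example.com FAIL
"""

def find_stuffing_sources(log_text, min_accounts=5, max_tries_per_account=2.0,
                          max_success_ratio=0.25):
    """Flag source IPs that try many distinct accounts a few times each and mostly fail.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    attempts = defaultdict(int)    # ip -> total login attempts
    accounts = defaultdict(set)    # ip -> distinct usernames tried
    succeeded = defaultdict(set)   # ip -> usernames that logged in
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _, ip, user, result = fields
        user = user.lower()
        attempts[ip] += 1
        accounts[ip].add(user)
        if result == "OK":
            succeeded[ip].add(user)
    flagged = {}
    for ip, total in attempts.items():
        distinct = len(accounts[ip])
        if (distinct >= min_accounts
                and total / distinct <= max_tries_per_account
                and len(succeeded[ip]) / distinct <= max_success_ratio):
            # A login from a flagged source suggests a reused, leaked password.
            flagged[ip] = {"accounts": distinct, "attempts": total,
                           "reset": sorted(succeeded[ip])}
    return flagged
```

In the sample, only 203.0.113.7 is flagged: the user who mistyped a password once and the source hammering a single account (brute force, a different pattern) fall outside the thresholds.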
Hunt says the obvious takeaway from the Collection #1 data breach is that everyone should be using a different password for every different site or service they use. That way, if it gets breached - and they get a notification that their username/password combo was pwned - they need only change that one password. "If you're in this breach and not already using a dedicated password manager, the best thing you can do right now is go out and get one."
Read More on BankInfoSecurity
Even More on TroyHunt's Blog
773M Password ‘Megabreach’ is Years Old (KrebsOnSecurity)
 
This content was created by Kindred Group Security. Please share if you enjoyed!
You can access the previous newsletters at https://news.infosecgur.us