The Month in Hacks: July 2018 | TeleSign

Bluetooth hack affects millions, cryptocurrency mined using Coinhive URL shortener, and Google fulfills its mission to make the web a more secure place. It’s all this and more in The Month in Hacks.

Millions of Major Vendor Devices Affected by Bluetooth Hack

Security researchers discovered a new Bluetooth hack, tracked as CVE-2018-5383, that could allow an attacker who is in physical proximity and specifically targeting two Bluetooth devices that are going through a pairing procedure to intercept, decrypt and inject device messages. This highly critical vulnerability may occur during the Diffie-Hellman key exchange between the two devices due to insufficient validation of elliptic curve parameters.

Bluetooth specifications recommended devices that support these features use public key validation that is exchanged during the pairing process, but not all vendors were implementing this. To address the vulnerability, the Bluetooth Special Interest Group (SIG) updated the specification making it mandatory for public key validation to be implemented during the pairing process. Patches for this security vulnerability have been released by Apple and Intel.

Hacked Sites Used to Secretly Mine Cryptocurrency Using Abused Coinhive URL Shortener

Cybercriminals have come up with another scheme to mine cryptocurrency without directly injecting hacked sites with Coinhive JavaScript. Instead, they are using Coinhive’s “URL shortener,” resulting in a large number of legitimate websites being hacked to load these short URLs unknowingly, inside an invisible HTML iFrame that forces the browser into mining cryptocurrencies for the attackers. It happens at the moment before the user is redirected to the original URL.

Researchers also found cybercriminals tricking victims into downloading malicious cryptocurrency mining malware, by disguising it as legitimate software and injecting hyperlinks to other hacked websites.

Using a browser extension specifically designed to block mining services from using your computer resources and protect yourself from the illegal in-browser cryptocurrency mining.

All Non-HTTPS Websites Marked ‘Not Secure’ With the Release of Chrome 68

On July 24th, Google announced they were rolling out changes to mark all sites not encrypted with HTTPS as “not secure” fulfilling its mission to make the web a more secure place and their warning two years ago that this was in the works. ‘Not Secure,’ means your connection doesn’t have an SSL Certificate to encrypt the connection between your computer and the website server, so card information and passwords are in plain text, allowing attackers to intercept this data.

The vast majority of sites receiving traffic in Google Chrome already use HTTPS as do the vast majority of the top 100 websites on the Internet. A secure site improves search rankings, increases website security and speed and improves credibility with consumers. Plus, the Not Secure warning will scare off a lot of your website visitors. So, if you haven’t already, it’s time to migrate your website to HTTPS, even if you don’t handle sensitive data.

DomainFactory Advises All Users to Change Passwords Following Hack

DomainFactory, owned by GoDaddy and one of the largest German web hosting providers, confirmed a data breach where customers’ personal and financial data had been compromised and asked all users to update their passwords. The investigation into the breach was triggered by a note posted on the DomainFactory support forum by an unknown attacker who breached servers to obtain data about someone who apparently owes him a very large debt.

DomainFactory said the attacker did not show any intention of selling or leaking the captured data, though “a data feed of certain customer information, accessed by the attacker, was left open to external third parties after a system transition”.  Users are advised to update other logins where the same password is used and to monitor bank statements for unauthorized transactions.

Security Breach at Timehop Exposes Data for 21 Million Users

In July, a major security breach at Timehop –a popular social media memory app –reportedly compromised 21 million users’ personal details. Of the affected customers, 4.7 million had a phone number attached to their account. According to the company, an access credential on its cloud computing account – which had not been secured by multifactor authentication — was compromised, causing the breach. The company has now taken steps to implement multifactor authentication to secure the accounts and authorization process. The company recommends its users – who had phone numbers attached to their account – take additional security measures by contacting their telecom provider to ensure that their number is secure from the threat of illegal porting.

Thousands of Accounts Compromised in Typeform Breach

Typeform, a Spanish online survey company, suffered a security breach which affected thousands of customer accounts. Attackers downloaded a ‘partial backup’ of its customer data, causing the breach. Businesses use Typeform software to conduct online customer survey and quizzes. The company informed the affected account holders via email. Some of the affected customers like The Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birdseye have issued their own alerts regarding the breach. Businesses affected by the breach should keep an eye on phishing scams that could misuse personal details compromised in the incident.

Dixon’s Carphone Breach Is Bigger than Expected

June’s ‘Month in Hacks’ mentioned the major data breach at Dixons Carphone — a European electronics and telecommunications retailer – impacting 5.9 million customers’ bank card details along with 1.2 million personal records. The impact is far worse than first reported, with ten million customer records being compromised during the breach. Hackers attempted to compromise one of the card processing systems of Currys PC World and Dixons Travel outlets, thereby exposing customer card details and personal details such as name, physical address or email address.

GET STARTED WITH TELESIGN

Integrate our products seamlessly into your user experience.
TALK TO AN EXPERT