Monthly Cloud Security Roundup: Facebook’s FTC Charges, iOS Malvertising Attacks, and More
Each month, we’ll bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss Facebook’s FTC charges, iOS malvertising attacks, Chipotle customers’ account hacks, and more.
This month, an ongoing investigation by the FTC into Facebook’s privacy policies and security concerns is expected to cost the company anywhere from $3 to 5 billion in charges – a potential new record for the United States. After 87 million Facebook accounts were accessed during the Cambridge Analytica scandal, which erupted in 2018, Facebook found themselves in hot water for mishandling user data. The fine for privacy violations from the FTC would only be a fraction of the company’s $56 billion annual revenue.
The #1 CRM in the world recently purchased their nonprofit Salesforce.org branch for $300 million. From its creation, Salesforce.org was a separate company that provided heavy discounts on Salesforce software to educational and nonprofit organizations. With the purchase, Salesforce.org changes from a public-benefit corporation to an entity of Salesforce.com. The move has sparked a debate among analysts, with some claiming the buy-out shows Salesforce’s desire to increase profit margins, while others believe it was done to streamline the executive teams and create stronger cohesion across the company. Salesforce has stated that they will direct the $300 million towards their Salesforce.com Foundation, where it will be used for charitable causes.
After finding themselves victim to multiple data breaches between 2013 and 2016, Yahoo! is now facing the consequences. The earliest attack impacted three billion users, with the compromised information including personal information such as email addresses, passwords, and addresses. U.S. district attorney, Judge Lucy Koh, has not yet approved the settlement offer. Earlier this year, she rejected a different rendition of the settlement in an effort to emphasize consumer benefits.
In 2018, the FBI’s Internet Crime Complaint Center (IC3) received almost 352,000 cybercrime complaints, which totaled around $2.7 billion in losses. Some of the most common crimes last year were non-payment/delivery scams, extortion, personal data breaches, phishing, and email account compromise. In response to these internet security concerns, the FBI has created campaigns such as the Recovery Asset Team and the Domestic Financial Fraud Kill Chain to prevent attacks and help victims recover.
An alumnus of The College of St. Rose in Albany, New York vandalized equipment with a USB killer device in an attempt to exact revenge. A USB killer is an ordinary USB drive that has been modified to include a capacitor that discharges electricity into USB ports when inserted, frying the host device. The perpetrator used the USB killer on more than 60 computers, monitors, and digital podiums throughout the school. The attack cost the university $51,109 in equipment replacement costs and $7,362 in employee time for investigation and remediation. The culprit is currently facing up to 10 years in prison and a maximum of $250,000 in fines in addition to reimbursing the school for their expenses.
Recent years have seen Chipotle facing criticism from customers for health concerns, but the most recent complaints aren’t in regard to the food.
Customers are reporting that their accounts have been hacked after seeing fraudulent charges on their debit and credit cards, some for hundreds of dollars. Chipotle is laying the blame on credential stuffing – when hackers acquire passwords from breached sites and use them to force their way into other accounts. However, many affected individuals claim to have unique passwords for their Chipotle accounts, which indicates that the restaurant chain may have indeed been breached.
Spokesperson Laurie Schalow has assured consumers the company is “monitoring any possible account security issues,” but remains firm that Chipotle has not sustained a data breach. The lack of two-factor authentication on the app doesn’t bode well for its security measures. When asked about their lack of two-factor authentication – which, if credential stuffing is to blame, could have prevented unauthorized account access – Schalow said only, “We don’t discuss our security strategies.”
Malvertising – malicious advertising – has affected half a billion Apple iOS users thanks to the eGobbler gang, a notorious cybercrime group. This incident was focused on American iPhone and iPad users, which exploited an unpatched Google Chrome bug, although some Safari users appear to be at risk as well. The session-hijacking cybercriminals then used the security exploit to insert malvertising. Session hijacking works by suddenly redirecting web users to another page, where a non-closable pop-up arises. Many times, the pop-ups appear to be from well-known brands but are actually payloads in disguise. A payload is part of a virus that performs a malicious action. Keylogging, auto downloads, and cryptocurrency mining are all examples of payloads in cyber-hacking.
To protect iOS devices from malvertising attacks, be diligent when updating operating systems, installing antivirus tools, and when encountering suspicious websites or advertisements.