I’ve got a slightly different weekend update than usual today. None of these is related to specific stories I posted yesterday; they’re all stories that I came across later in the day Friday that should be shared fairly quickly. The first one is not just your typical phishing attack story, though:
Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited. The tl;dr version: this particular hack involves the hackers sending emails from a hacked account to people in that account’s contact list. So it starts with you getting an email from someone you already know. But it’s much more clever than that! They take text from previous messages that person has sent, and it isn’t random. They find messages where the person has sent attachments, and they construct the new message from it. So if it’s someone you know, the phrasing of the subject and the text sound like something that person would write. The attachment in the new message is merely a screen capture, and it hides a link to their fake Google login page. So you click on the attachment from a friend, and you’re told that to view the attachment you need to log in to Google, and they get your username and password. And within seconds, they’re going through your account and sending more hacked messages to your friends.
They’ve even constructed the login page so that if you take the precaution of looking at the address bar in your browser before you start to sign in, you see “https://accounts.google.com” so you think you’re at the real Google. You’re not.
Once they’ve got your password, they can read all your email and do other things to your account.
The linked article has screenshots and advice for how to recognize this kind of attack, as well as steps for what you can do to see if you’ve already been hacked. Check it out!
And this one is less about hackers: Security backdoor found in end-to-end encryption system used in WhatsApp. The Guardian reports that security experts have found that since buying WhatsApp, Facebook has added a backdoor. In updates, Facebook denies that this is a backdoor to government agencies and claims they will fight any attempts from governments to access accounts.
Which is meaningless.
The existence of the backdoor means that when Facebook loses that fight (because of court orders, for instance), the backdoor will be used to read the supposedly secure communications. The original design of WhatsApp and similar end-to-end services didn’t have a backdoor because if one exists, it will be exploited eventually. Also, Facebook’s description of the service currently lies and says that they can never read the messages. With the backdoor there, yes they can.
While we’re on the subject of cyber security: Cellebrite, a Major Dealer of Hacking Tools, Has Itself Been Hacked. This is one of the companies that makes tools that allow people to hack your phone. After indulging in a moment of schadenfreude that these hackers have been hacked, we then have to worry about what is in that 900GB of data that was stolen from them. Since the dump “contains what appears to be evidence files from seized mobile phones” among other things, who knows whose personal information has been stolen. Supposedly Cellebrite only sells their tools to law enforcement agencies and the like, but it has been previously shown that those agencies include some very shady regimes. And in the case of their mobile hacking devices, those things could be resold or stolen from those agencies and be in anyone’s hands.
And let’s do one more: E-Sports Entertainment Association hacked; profiles of 1.5 million customers exposed. The leaked data includes real names, phone numbers, and birthdates. Very useful for identity theft. Not much you can do about it once the information has been stolen.
ETA: Several people are questioning the Guardian story about WhatsApp: The backdoor that never was, and how to improve your security with WhatsApp. The argument seems to be that while there is a security problem, it isn’t technically a backdoor. The article I linked has information on things you can do to avoid your WhatsApp messages being compromised. I’m going to leave it to the security experts to argue this out.