Weekly Threat Report - 6th December 2019
Website ‘free giveaway’ steals login credentials
Cyber security researchers have uncovered a fake ‘free giveaway’ website that tricks users into revealing their login credentials. Cyber criminals posted links to the phishing site in the comments section of the legitimate Steam website, encouraging users to visit a convincing but fake page offering free downloadable content for the platform. To download the content, users were instructed to log in to the fake site with their Steam credentials. Although the page looked like the legitimate Steam login screen, any usernames and passwords entered were sent to the attackers instead. Phishing scams such as this are a particularly devious way of stealing sensitive information, and being caught out can be a worrying experience for victims. The NCSC has produced guidance on spotting and dealing with phishing emails, as well as step-by-step guidance on recovering an online account. Using a password manager can also help prevent this kind of attack: a manager only offers a saved password on the site it was saved for, so it will not fill in Steam credentials on a lookalike domain, however convincing the page looks.
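The reason a password manager is not fooled by a convincing copy of a login page is that it never looks at the page at all; it compares the page's origin with the origin the credential was saved on. The following is an added illustration of that check, written for this report and not code from the NCSC, Steam or any password manager product. The site names, the vault contents and the short list of multi-label suffixes are all constructed for the example.

```javascript
// Added illustration of how a password manager decides whether to offer a
// saved credential. Not the NCSC's code and not Steam's; all site names
// below are hypothetical and the vault contents are constructed.

// Constructed sample vault: each entry remembers the origin it was saved on.
const VAULT = [
  { origin: "https://store.example.test", user: "alice" },
  { origin: "https://shop.example.co.uk", user: "bob" },
];

// Stand-in for the Public Suffix List: suffixes under which the registrable
// domain is three labels long rather than two. A real manager loads the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au"]);

// Return the registrable domain (eTLD+1) of a hostname, e.g.
// "login.store.example.test" -> "example.test" and
// "shop.example.co.uk" -> "example.co.uk". A bare suffix such as
// "co.uk" has no registrable domain and yields null.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const wanted = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  if (labels.length < wanted) return null;
  return labels.slice(-wanted).join(".");
}

// Decide which saved usernames may be offered on the page at pageUrl.
// The page's appearance plays no part: only the scheme and the registrable
// domain are compared, which is what defeats a pixel-perfect copy of a login
// page hosted on some other domain.
function credentialsFor(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return []; // unparseable address: offer nothing
  }
  if (url.protocol !== "https:") {
    return []; // never send a saved password over plain HTTP
  }
  const pageDomain = registrableDomain(url.hostname);
  if (pageDomain === null) {
    return [];
  }
  return VAULT
    .filter((entry) => registrableDomain(new URL(entry.origin).hostname) === pageDomain)
    .map((entry) => entry.user);
}

// Demonstration on constructed addresses (node thisfile.js)
for (const page of [
  "https://store.example.test/giveaway/login",       // genuine site
  "https://login.store.example.test/",               // genuine subdomain
  "https://store.example.test.free-gift.test/login", // registrable domain is free-gift.test
  "https://store-example.test/login",                // hyphen lookalike
  "http://store.example.test/login",                 // downgraded to HTTP
  "https://shop.example.co.uk/",                     // multi-label suffix handled
]) {
  console.log(page, "->", JSON.stringify(credentialsFor(page)));
}
```

Only the first, second and last addresses receive a credential; the lookalike hosts and the HTTP address get nothing, which is the behaviour a user relies on when a "giveaway" page asks them to log in. Matching on the registrable domain means any subdomain of a site shares its credentials, so the check does not protect against a page that an attacker can host under the genuine domain; managers that allow exact-host matching close that gap at the cost of more prompts.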
Millions exposed after data breach
A US mass text service provider has unintentionally leaked the data and personal information of millions of customers.
True Dialog, which specialises in mass text messaging and SMS marketing, had inadvertently left an Oracle Marketing Cloud database without any access protection, exposing 604GB of sensitive information, around one billion entries.
The breach exposed the email addresses, full names and phone numbers of recipients, as well as the content of messages.
True Dialog resolved the issue a day after being alerted to it by cyber security researchers.
Large stores of personal data are a tempting target for attackers, and a database left reachable from the internet without authentication requires no attacker skill at all: anyone who finds it can read it. The NCSC has published advice to businesses on how to adequately protect such information and how to protect against the phishing threat that typically follows a data breach. Whilst this particular story does not involve AWS, this NCSC blog post discusses similar issues.
Anyone concerned about the security of their online accounts should follow the guidance in ‘Top tips for staying secure online’.