Vodafone’s ho. Mobile admits data breach, 2.5m users impacted

Vodafone Group’s low-cost operator ho. Mobile announced that hackers stole part of its customer database thus obtaining personal user information and SIM technical data.

The stolen database, offered for sale on dark web forums since December 22, has been partially verified and includes sufficient details to carry out SIM-swap attacks, putting at risk about 2.5 million subscribers.

Free SIM card replacement

News of the database being peddled on a hacker forum emerged on December 28 from researcher Bank Security. An initial statement from the mobile operator said that it had no evidence of illegal access to its systems.

This changed on Monday when the company confirmed the massive breach saying that personal data and SIM-related information had been stolen.

The operator says that the hackers got customers’ names, surnames, phone numbers, email addresses, dates and places of birth, nationalities, and postal addresses. They also have the SIM Integrated Circuit Card Identification Number (ICCID) – a unique number that encodes the card’s country, home network, and individual identifier.

Combined, these details can be used for SIM-swapping attacks that enable hackers to assign a victim’s phone number to a SIM card in their possession and thus receive the target’s calls and text messages.

Bank Security provides a list of the details present in the database stolen by hackers:

At least one actor may have purchased the database, while several others showed interest.

In a comment on the hacker forum, one user says that the seller asked for $50,000 for the entire database. Even if not sold in bulk, the seller could break it into smaller sets to obtain a profit.

Using the sample data from the seller, several researchers were able to confirm that the database was real by contacting victims.

The mobile operator is now trying to minimize the impact of the breach on customers and is offering them a new SIM card free of charge.

With the risk of a swap still looming, the SIM replacement process requires…


Hackers Don’t Even Have To Hack Users Who Voluntarily Download Apps And Browser Extensions

I previously wrote What Do Hacking And Malware Have To Do With Ad Fraud? Put simply, hackers get malware onto devices not only to collect personal information and steal passwords from real human users. They also use the malware to make money via ad fraud. Monetizing via ad fraud is more efficient and profitable than harvesting passwords for sale on the dark web. The former is a one-step process that yields continuous high-margin profits; the latter is a two-step process, and the hacker is not even sure if there will be buyers for his lists of compromised passwords. In recent years, we’ve seen hackers dump entire datafiles of passwords for free on hacker forums. This suggests they could not even find any buyer for that data, because it is already so prevalent and readily available. So hackers are increasingly using their malware and botnets for digital ad fraud instead – loading ads and website pages in the background to make money.

Note that more and more of the recent botnets are colored green, which means their primary use is ad fraud, as opposed to DDoS (distributed denial of service) attacks, spam, or ransomware.

No Hacking Needed

But hackers may not even need to spend any effort hacking into real humans’ devices. In some cases, unsuspecting humans voluntarily download browser extensions or mobile apps that are already laced with malicious code. The code is designed to load ads in the background even when the app, or the mobile device itself, is not in use. This is ad fraud because the millions of ad impressions are never seen by human users. Today comes yet another story of humans downloading browser extensions that purport to do one thing, but in actuality are designed for committing ad fraud in the background.

ZDNet: Three million users installed 28 malicious Chrome or Edge extensions

“The 28 extensions contained code that could perform several malicious operations. Avast said it found code to:

  • redirect user traffic to ads
  • redirect user traffic to phishing sites
  • collect personal data, such as birth dates, email addresses, and active devices
  • collect browsing history
  • download further malware onto a user’s device”


Auth0 Launches Adaptive MFA to Increase Security and Reduce Friction for End Users

Press release content from Globe Newswire. The AP news staff was not involved in its creation.

BELLEVUE, Wash., Dec. 15, 2020 (GLOBE NEWSWIRE) — Auth0, the identity platform for application teams, today launched Adaptive Multi-factor Authentication (MFA), a sophisticated security feature that helps reduce the threat of hacks and data breaches. Adaptive MFA is an important addition to Auth0’s expanding security portfolio—which also includes Bot Detection, Breached Password Detection, Brute Force Protection, and Suspicious IP Throttling—and is one of the platform’s most advanced context-based security features.

Adaptive MFA is designed to help companies address the inherent challenges of enabling security while preserving user experience. Unlike traditional MFA, which is triggered upon every login attempt and creates an additional step for the end user, Adaptive MFA only appears when a login is deemed risky. This is calculated by an overall risk score that measures abnormal behavior from known devices, impossible travel, and/or IP reputation. Customers can have the confidence that with Adaptive MFA, their end users are asked for secondary authentication only when behavioral signals don’t conform to usual patterns for a particular user.

For example, for a user who normally signs into their account at the same time every morning in San Francisco from a personal laptop, Adaptive MFA would only present a second-factor authenticator if a login was attempted outside of the region or usual timeframe, or from a different computer or IP address. Developers can determine how much weight each signal is given to define the risk score that sets off the trigger.
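The scoring model described in the two paragraphs above (a weighted sum of behavioral signals, with the second factor requested only when the total crosses a threshold) is illustrated below by an added example. This is not Auth0’s code: the signal names, weights, threshold, the maximum plausible travel speed, the IP reputation list and the login events are all assumptions constructed for this illustration. The user profile is a per-user baseline of known devices, usual login hours and the last login location; impossible travel is detected by comparing the great-circle distance from the previous login with the time elapsed.

```python
"""Weighted risk scoring for adaptive (step-up) MFA decisions.

Added example, not Auth0's implementation. Weights, threshold, the IP
reputation set and the sample login events are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Signal weights and trigger threshold (assumed values; a deployment tunes these).
WEIGHTS = {
    "new_device": 40,
    "impossible_travel": 60,
    "bad_ip_reputation": 50,
    "unusual_hour": 15,
}
MFA_THRESHOLD = 50  # a score at or above this asks for a second factor

# Constructed IP reputation list standing in for a threat-intelligence feed.
BAD_IPS = {"198.51.100.7"}

# Fastest plausible ground speed between two consecutive logins, km/h (assumed).
MAX_SPEED_KMH = 900.0


@dataclass
class LoginEvent:
    user: str
    when: datetime  # timezone-aware UTC timestamp
    ip: str
    device_id: str
    lat: float
    lon: float


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)  # UTC hours seen on past logins
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True when the distance from the previous login exceeds what the elapsed time allows."""
    if prev is None:
        return False
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:  # same instant (or clock skew): any displacement is suspicious
        return distance > 0
    return distance / hours > MAX_SPEED_KMH


def score_login(profile, event):
    """Return (score, fired_signals) for a login judged against the user's baseline."""
    fired = []
    if event.device_id not in profile.known_devices:
        fired.append("new_device")
    if impossible_travel(profile.last_login, event):
        fired.append("impossible_travel")
    if event.ip in BAD_IPS:
        fired.append("bad_ip_reputation")
    if profile.usual_hours and event.when.hour not in profile.usual_hours:
        fired.append("unusual_hour")
    return sum(WEIGHTS[s] for s in fired), fired


def requires_mfa(profile, event):
    """Step-up decision: only risky logins get the extra factor."""
    score, _ = score_login(profile, event)
    return score >= MFA_THRESHOLD


def record_login(profile, event):
    """Fold a successful (and, if needed, MFA-verified) login into the baseline."""
    profile.known_devices.add(event.device_id)
    profile.usual_hours.add(event.when.hour)
    profile.last_login = event


def demo():
    """Constructed scenario: a San Francisco user with a routine 08:00 Pacific login."""
    sf = (37.7749, -122.4194)
    nyc = (40.7128, -74.0060)
    t0 = datetime(2020, 12, 14, 16, 0, tzinfo=timezone.utc)  # 08:00 Pacific
    profile = UserProfile()
    record_login(profile, LoginEvent("alice", t0, "203.0.113.5", "laptop-1", *sf))

    results = {}
    # Next morning, same laptop, same place: no signals fire, no MFA prompt.
    routine = LoginEvent("alice", t0 + timedelta(days=1), "203.0.113.5", "laptop-1", *sf)
    results["routine"] = (*score_login(profile, routine), requires_mfa(profile, routine))
    record_login(profile, routine)
    # Two hours later from New York on an unknown phone: impossible travel plus new device.
    travel = LoginEvent("alice", routine.when + timedelta(hours=2), "203.0.113.9", "phone-9", *nyc)
    results["travel"] = (*score_login(profile, travel), requires_mfa(profile, travel))
    # Known laptop and place, but the source IP is on the reputation list.
    bad_ip = LoginEvent("alice", routine.when, "198.51.100.7", "laptop-1", *sf)
    results["bad_ip"] = (*score_login(profile, bad_ip), requires_mfa(profile, bad_ip))
    return results


if __name__ == "__main__":
    for name, (score, signals, mfa) in demo().items():
        print(f"{name:8s} score={score:3d} mfa={mfa} signals={signals}")
```

The weights make a single strong signal (impossible travel, bad IP reputation) sufficient to trigger the second factor, while a weak one such as an unusual hour only matters in combination with another; that is the tuning decision the press release leaves to developers.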

Many companies are reluctant to implement MFA—proven to be an effective defense against account hacking attacks—out of fear of negatively impacting user experience and thus their conversion and retention performance. However, additional friction during the signup, login, or checkout experiences can affect user conversion/retention,…


New Goontact spyware discovered targeting Android and iOS users


Image: Lookout

Security researchers have discovered a new malware strain with spying and surveillance capabilities —also known as spyware— that is currently available in both Android and iOS versions.

Named Goontact, this malware has the ability to collect from infected victims data such as phone identifiers, contacts, SMS messages, photos, and location information.

Detected by mobile security firm Lookout, the Goontact malware is currently distributed via third-party sites promoting free instant messaging apps dedicated to reaching escort services.

The target audience of these sites appears to be limited at the moment to Chinese-speaking countries, Korea, and Japan, Lookout said in a report shared today with ZDNet.

Although the malware has yet to reach official Apple and Google app stores, there are signs that users are downloading and side-loading Goontact-infected applications.

Data collected from these apps is sent back to online servers under the Goontact operators’ control. Based on the language used for the admin panels of these servers, Lookout believes the Goontact operation is most likely managed by Chinese-speaking threat actors.

Links suggest connection to past sextortion campaign

Apurva Kumar, Staff Security Intelligence Engineer at Lookout, told ZDNet that the Goontact operation is very similar to a sextortion campaign described by Trend Micro in 2018 (PDF).

Although there is no tangible evidence at the moment, Kumar believes that data collected through these apps could later be used to extort victims into paying small ransoms or have their attempts to arrange sexual encounters exposed to friends and contacts.

“We have notified both Google and Apple of this threat and are actively collaborating with them to protect all Android and iOS users from Goontact,” Kumar told ZDNet in an email over the weekend.

“Apple has revoked the enterprise certificates used to sign the apps and, as a result, the apps will stop working on devices,” the Lookout security engineer added.