GFI Top Cyber Stories for March 2019

With so much cybersecurity news flying around, it is hard to keep track of the stories that really matter. Here is the GFI Security round-up of three pertinent cybersecurity stories from March 2019.

Citrix breach leaks 6TB of data

In early March, collaboration and cloud giant Citrix Systems announced a major security breach, having apparently been informed by the FBI that their networks had been compromised by “international cyber criminals”.

According to threat intel firm Resecurity, the hackers made off with more than 6TB of internal “business documents”, including emails and files. It’s not yet clear exactly what they got hold of, or indeed what they plan to use it for, but Resecurity claim the group behind the attack, which they identify as “IRIDIUM”, is linked to the Iranian state.

The hack was apparently achieved using “password spraying”. Rather than hammering a single account with a long list of passwords, which quickly trips lock-out thresholds and alerts, the attacker takes a short list of common passwords and tries each one against every known user ID in turn, so that no individual account sees more than a handful of failures. Once a low-privilege login was achieved, further lists of users could be harvested from internal directories and access lists, and the process repeated until an account with higher privileges was hijacked. The defences are equally well known: multi-factor authentication, banning the common passwords that sprayers rely on, and alerting on failures spread across many accounts rather than only on repeated failures against one.
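As an added illustration, not part of the original round-up and not a description of Citrix’s own logging or tooling, the Python sketch below shows the log pattern a defender would look for. A per-account lock-out counter never fires during a spray, because each account fails only once or twice; the signal is instead one source producing failures against many distinct accounts in a short window, followed by a success from that same source. The log format, IP addresses, user names and thresholds are all constructed for the example.

```python
"""Detect password spraying in authentication logs (constructed example).

Spraying tries a few common passwords against MANY accounts, keeping the
per-account failure count under the lock-out threshold.  The detection
therefore keys on "many distinct users failing from one source, each only
a few times", not on "many failures for one user".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "key=value" format.
# 203.0.113.7 sprays eight accounts once each and then logs in as ivan;
# 198.51.100.9 is a legitimate user mistyping her password twice.
SAMPLE_LOG = """\
2019-03-06T02:14:01Z src=203.0.113.7 user=alice result=FAIL
2019-03-06T02:14:03Z src=203.0.113.7 user=bob result=FAIL
2019-03-06T02:14:05Z src=203.0.113.7 user=carol result=FAIL
2019-03-06T02:14:07Z src=203.0.113.7 user=dave result=FAIL
2019-03-06T02:14:09Z src=203.0.113.7 user=erin result=FAIL
2019-03-06T02:14:11Z src=203.0.113.7 user=frank result=FAIL
2019-03-06T02:14:13Z src=203.0.113.7 user=grace result=FAIL
2019-03-06T02:14:15Z src=203.0.113.7 user=heidi result=FAIL
2019-03-06T02:14:17Z src=203.0.113.7 user=ivan result=SUCCESS
2019-03-06T02:20:40Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T02:20:52Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T02:21:10Z src=198.51.100.9 user=alice result=SUCCESS
2019-03-06T03:05:00Z src=192.0.2.44 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, src, user, result) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"]


def detect_spraying(log_text, window=timedelta(minutes=30),
                    min_users=5, lockout_threshold=5):
    """Return {src: {"sprayed_users": [...], "later_success": [...]}} for every
    source whose failures within `window` touch at least `min_users` distinct
    accounts while no single account reaches `lockout_threshold` failures.
    `later_success` lists accounts that then authenticated successfully from
    the same source inside the window, i.e. the likely compromised logins."""
    events = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        events[src].append((ts, user, result))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, user, res in evs if res == "FAIL"]
        counts = defaultdict(int)  # per-user failures inside the sliding window
        start = 0
        for ts, user in fails:
            counts[user] += 1
            # Drop failures that have aged out of the window.
            while fails[start][0] < ts - window:
                old_user = fails[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            # Wide and shallow: many accounts, each below the lock-out limit.
            if len(counts) >= min_users and max(counts.values()) < lockout_threshold:
                rec = findings.setdefault(
                    src, {"sprayed_users": set(), "later_success": set()})
                rec["sprayed_users"].update(counts)
                window_start = fails[start][0]
                rec["later_success"].update(
                    u for t, u, r in evs
                    if r == "SUCCESS" and window_start <= t <= ts + window)

    for rec in findings.values():
        rec["sprayed_users"] = sorted(rec["sprayed_users"])
        rec["later_success"] = sorted(rec["later_success"])
    return findings


if __name__ == "__main__":
    for src, rec in detect_spraying(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(rec['sprayed_users'])} accounts, "
              f"later succeeded as {rec['later_success'] or 'nobody'}")
```

Note that the legitimate user who fails twice and then succeeds is not flagged, and that a classic brute force against one account would fail the `max(counts.values()) < lockout_threshold` test and be left to the lock-out policy; the two detections are complementary.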

In a follow-up to their announcement, Citrix noted that they’d tightened up their security and forced password changes across their user base to flush the intruders out. They also stated that there was “no indication” that any of their products or services had been compromised.

Citrix claim that they “focus on a single driving principle: making the world’s apps and data secure and easy to access”. Perhaps they need to focus a little more on keeping their own security standards up to scratch, and a bit less on the easy access.

Most Android security apps found to be virtually useless

An in-depth review of 250 Android anti-malware apps available on the Google Play Store found that roughly two in three (170 of the 250) provided little or no protection.

The study, performed by respected Austrian security testing outfit AV-Comparatives, was released on March 12th and revealed some shocking truths about the quality of app-filtering on the Play Store, with many of the apps tested showing clear signs of deceptive and even scammy behaviour.

Of the 250 apps, only 80 detected more than 30% of the 2,000 widespread Android malware samples used in the test, which were run against each app in a realistic on-device scenario. Fewer than 10% (23 apps) spotted every sample, and the high performers were, unsurprisingly, mostly from well-known security brands.

Many of the apps were found to have implemented a very basic whitelisting system: any package whose name contained one of a list of major brand names, such as Facebook, Twitter or Google itself, was ignored, and anything else was flagged as a threat. In some cases this included the security app itself, as the developers hadn’t bothered to add their own package name to the whitelist. As the researchers pointed out, this makes the protection extremely easy to bypass by simply tweaking the package name. A package name is chosen freely by whoever builds the app, so it is not an identity; anything that genuinely identifies an app has to look at its signing certificate or its code, not its label.

The testers noted that more than 30 of the apps tested had already been dropped from the Play Store, and expressed a hope that the rest of the “dubious and ineffective” ones would also be removed soon.

Android users need reliable malware protection – as highlighted by the emergence in late March of a new Android trojan targeting over 100 banking apps – but are probably best off picking tools from established and respectable security firms, rather than the raft of fly-by-night scammers.

Office Depot and Support.com pay $35 million for faking security check-ups

Towards the end of March, two major US companies, Office Depot and Support.com, settled a case brought against them by the Federal Trade Commission (FTC), which accused them of tricking customers into believing their computers were infected with malware.

Staff at Office Depot, and later at OfficeMax, which Office Depot merged with in 2013, had routinely used software called “PC Health Check” to analyse systems brought in for check-ups. The software was provided by Support.com.

According to the FTC, between 2009 and 2016 the software reported symptoms of malware, and at times outright infections, regardless of what its scan actually found. The outcome of the “Health Check” was decided before the scan ran: if the Office Depot employee ticked any of four checkboxes indicating that the customer had concerns, including generic complaints such as slowness, crashes or unexpected pop-ups, the tool would report a problem.

Armed with the alarming outcome of the free check-up, staff would proceed to up-sell the customer a repair service, costing up to $300 and generally carried out remotely by Support.com. The FTC’s court papers claim that the companies “bilked” customers out of “tens of millions of dollars” using the technique.

The scam apparently came to light after a whistleblower reported it to a Seattle TV station in 2016, but the FTC reports that Office Depot employees were complaining about the deceptive practice at least as early as 2012.

The settlement costs, $10 million for Support.com and $25 million for Office Depot, don’t look that large against the roughly $11 billion in annual sales reported by the Office Depot group. We can only hope that the accompanying agreement to refrain from deceiving customers, together with the knowledge that the FTC has an eye on them, will keep users a little safer.