Last month’s top cybersecurity stories – August 2018

With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Software round-up of the three top cyber security stories of August 2018.

Fortnite app comes to Android, bringing multiple security worries

Wildly popular shoot-em-up game, Fortnite, finally came to Android this month, after amassing a huge user base for its iPhone, console and PC variants. But the release was far from standard and brought with it a barrage of security headaches.

First of all, the game’s developers Epic Games decided to dodge the standard mode of publication via the official Google Play store, citing the 30% tax imposed by Google. Instead, they opted to release and host the game themselves, a move which required users to unblock non-official sources from installing code on their devices.

This block is imposed for security reasons as well as to keep Google’s income healthy, and many security watchers warned that failure to re-enable the block after installing the game could leave many users vulnerable to malware.

There have been some suggestions that Epic, partly owned by Chinese giant Tencent, has dodged the “store tax” as part of an effort to push the game harder in China, where Google’s services are banned; Tencent operates its own Android app stores. Dodging the play store has been estimated to cost Google $50 million in revenues this year alone.

While this row was going on, the tension between Epic and Google escalated further, after vulnerabilities in the app were shown to open devices up to further exploitation – hackers could leverage the flaws to install malicious code instead of standard updates. Epic quickly produced a patch but requested Google not to release details for 90 days, to give their users time to install the fix.

Under Google’s guidelines, all flaws should be disclosed after 90 days or after the release of a patch, whichever comes earlier, so they went ahead and published details despite Epic’s request. Epic responded with harsh words for Google, accusing them of putting their financial interests ahead of their users’ security.

The row looks likely to continue.

$13 million cashed out after a hack at India’s Cosmos Bank

A cyber attack on Cosmos Bank, one of India’s largest co-operative banks, led to losses of $13 million over the weekend of August 10-13, much of the money cashed out in a massive global ATM withdrawal operation.

The hackers are thought to have penetrated and disrupted the bank’s IT systems, blocking access to the machines providing payment approvals and redirecting traffic to a spoofed proxy server under their control.

This allowed them to make ATM transactions without the bank flagging any suspicious activity, in a carefully co-ordinated blitz of withdrawals. During a 2-hour timeframe on a Saturday close to 15,000 separate withdrawals were made in countries all around the world, netting over $11 million.

Although it’s thought that only 450 separate cloned debit cards were used, withdrawal limits which would normally have prevented such epic losses were bypassed by the use of the cloned approval server.

In a second stage of the attack, the hackers infiltrated the bank’s SWIFT payment systems and set up transfers worth $2 million to a trading account at Hong Kong’s Hang Seng Bank.

The planning of the worldwide ATM spree apparently drew some attention from law enforcement. An alert issued by the FBI warning of an impending major cashing-out operation, victim unknown, was leaked to security watcher Brian Krebs, who published details on August 12th. By that time, of course, the withdrawals were already complete.

The bank insists no customer accounts were affected by the incident.

T-Mobile hack leaks data on 2 million users

No monthly roundup would be complete without news of yet another massive data breach, and this time it’s mobile giant T-Mobile’s turn to apologize to customers for revealing personal data on up to 2 million users in the US.

The breach was spotted by IT staff at the firm on Monday, August 20th, and authorities were notified “promptly” after the unauthorized access was terminated. Customers were informed that their data might have been exposed on the following Thursday, with an SMS sent to everyone thought to be affected linking back to a more detailed summary on T-Mobile’s main website. Users of the MetroPCS brand were also impacted by the leak.

Data revealed included “one or more of the following: name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid)”.

While the company’s prompt public notification has earned it some praise, it has been criticised for stating in its notices that passwords were not affected. The statement apparently makes this quite clear: “None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised”, it reads.

However, Motherboard reports that hashed passwords were indeed included in the haul; while T-Mobile’s spokespeople have argued that the hashing means they were not “compromised”, it’s far from certain that hashing is sufficiently secure to prevent decryption by determined crooks with powerful enough systems to perform brute force attacks on them.

Regardless, the leak of names, postal and email addresses and phone numbers is more than enough for scammers to get to work on. As Wired notes, phone numbers are relied on by many services for proof of identity, mainly through sending of “secure” codes as a second authentication factor.

Cryptocurrency entrepreneur Michael Terpin can certainly attest to this – he issued a $224 million lawsuit this month against another cell phone provider, AT&T, for twice allowing crooks to have his phone number redirected elsewhere, and using the security codes to access his accounts and steal over $23 million in the digital currency.