Bright Data CEO Or Lenchner discusses how security teams are utilizing public Web data networks to safeguard their organizations from digital risks.

Threat intelligence plays a key role in the safety and security of any organization’s online activity, and it plays a determining factor in upholding the integrity of their internal infrastructure.

But to be able to assess possible threats across the cybersecurity landscape at scale, they need data — and more importantly, public Web data.

This is because Web data helps security operators better understand the vulnerabilities that may be present within their systems, threats that could originate within the networks of outside organizations as well as potential risks that could target their organization across the World Wide Web.

**Public Web Data in Security Research, Intelligence, and Testing**

In practice, this collection of public Web data is used to automate checks that can discover the presence of possible malware, phishing links, different forms of fraud, information leaks, and counterfeiting schemes.

Essentially, it provides security operators with the visibility they need to proficiently detect, address, and prevent real live threats or intrusions from affecting their organizational security, by mapping out the potential security gaps that could target various Web-based systems.

**Web Data Collection Networks**

To obtain this increased visibility, security firms and operators use public Web data collection networks to gather large amounts of information, or Web data, which they then use to identify, monitor, and assess threats in real-time.

The Web data collection networks (IP proxy networks included) provide a risk-free environment to discover how to prevent digital risks from reaching their organization, without sacrificing the integrity of their internal infrastructure.

In order to accomplish this, security operators route requests through Web data collection networks to assess the risk of potentially malicious websites or URLs.

The requests then return information, or Web data. That Web data provides details on how the domain reacted to the request, which then allows the security teams to assess the threat (or lack thereof) and take proper action to mitigate it before it ever reaches their Web-based systems.

Within applications, this method essentially provides a firewall, opening a one-way access to information, considering the manner in which the requests are routed: away from their internal systems — safeguarding their organization’s internal network.

**Security Use Cases:****Scraping for Possible Malware and Phishing Schemes Targeting US Banks**

The security departments of some of the leading US banks use public Web data collection networks to gather information about possible online threat actors and examine malware.

Additionally, they use Web scraping techniques to continually and automatically scan the public domain for potentially malicious websites or links. For example, security teams can automatically identify different phishing sites that attempt to steal sensitive client or company information such as usernames, passwords, or credit card information.

From here, when an email comes into the organization’s network or a website is approached, the security team already knows the risk parameters attached to it.

**Web Scraping for Cybersecurity Firms**

A number of cybersecurity firms use Web data collection in order to assess the risk of different domains for malware and fraud.

They generate or purchase lists of potentially malicious domains, and then route DNS requests to each of these links, servers, or websites to see how they react to the request.

This provides the cybersecurity firms with the ability to approach possibly malicious websites as a “victim” or a real user, and see how the website would target an unsuspecting visitor to properly assess the risk.

**Threat Research and Mitigation**

Threat intelligence firms deploy the use of public Web data collection networks to tap into various sources of information, such as hacker or app forums, public social media channels, blogs, and so on, to identify new leads on various potential threats.

This collection of Web data is foundational to their intelligence insights, which they then share with a wide range of customers looking to bolster their own security operations.

**Key Takeaways**

Overall, integrating with Web data collection networks enhances an organization’s visibility and ability to deal with digital threats across the vast online landscape in real-time.

This is particularly important considering the recent shifts made in remote working, as well as the broadening of online operations, strategies, and services all around, following the onset of the coronavirus, which only further add to the lists of risks or pathways that can disrupt organizational security.

So, while the task set before security teams has become increasingly more difficult, Web data collection networks have essentially transformed this once complicated ordeal into a much more manageable endeavor by providing options for automation — helping them to target more sources of information, in turn identifying more risks, while protecting the integrity of their own internal systems in the grand scheme of things.

**About the Author**

    

Or Lenchner is CEO of Bright Data, a position he has held since July 2018. For the past few years, under his leadership, the company has advanced its product offerings to include first-of-its-kind automated solutions, enabling its over 15,000 customers to collect and receive public data in a matter of minutes. Prior to his career at Bright Data, Lenchner founded and managed several Web-based businesses, developing digital assets and online marketing programs.

Threat Intelligence Through Web Scraping

Epic Games has been fined for violating children's online privacy, banned from using collected data.

The Federal Trade Commission announced it has reached a settlement with Epic Games, the developer behind the wildly popular online game Fortnite, for its violation of the Children's Online Privacy Protection Act (COPPA). The settlement still requires approval from a US federal court.

In addition to paying a $275 million fine, Epic Games received an injunction barring it from utilizing any of the Fortnite data collected outside COPPA rules, according to a statement from the FTC.

"As our complaint notes, Epic used privacy-invasive default settings that harmed young Fortnite players," FTC Chair Lina M. Khan said in the announcement. "Protecting the public, and especially children and teens, from online privacy invasions is a top priority for the Commission, and this enforcement action makes clear to businesses that the FTC is cracking down on these unlawful practices."

This isn't Epic Games' first security snafu. In 2019, a vulnerability in its online platform could have threatened data belonging to players of Fortnite.

Fortnite, created by Epic Games, has more than 80 million players and is responsible for nearly half of the video game developer's estimated value of $5 billion to $8 billion.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Fortnite Developer Epic Games Slapped With $275M Penalty

A fully functional SentinelOne client is actually a Trojan horse that hides malicious code within; it was found lurking in the Python Package Index repository ecosystem.

In the latest supply chain attack, an unknown threat actor has created a malicious Python package that appears to be a software development kit (SDK) for a well-known security client from SentinelOne. 

According to an advisory from cybersecurity firm ReversingLabs issued on Monday, the package, dubbed SentinelSneak, appears to be a "fully functional SentinelOne client" and is currently under development with frequent updates appearing on the Python Package Index (PyPI), the main repository for Python code. 

SentinelSneak does not attempt malicious actions when it is installed, but it waits for its function to be called by another program, researchers noted. As such, the attack highlights attackers' focus on the software supply chain as a way to inject compromised code into targeted systems as a beachhead for further attacks. So far, those further attacks have likely not happened, researchers said. 

"A cursory glance at the source of this package would have easily missed the malicious functionality injected in the otherwise legitimate SDK code," says Tomislav Pericin, chief software architect at ReversingLabs.

The attack also demonstrates a common way to attack the supply chain: Use a variant of typosquatting to create malicious packages that bear names similar to well-known open source components. Often called dependency confusion, the technique is an example of one used against the Node Package Manager (npm) ecosystem for JavaScript programs in an attack dubbed "IconBurst," according to research published in July. 

In another typosquatting attack, a threat group uploaded at least 29 clones of popular software packages to PyPI.

"The SentinelOne imposter package is just the latest threat to leverage the PyPI repository and underscores the growing threat to software supply chains, as malicious actors use strategies like 'typosquatting' to exploit developer confusion and push malicious code into development pipelines and legitimate applications," ReversingLabs stated in its advisory.

While code repositories of all kinds are under attack, overall, the npm ecosystem has suffered more malicious attention than the Python Package Index. In 2022, 1,493 malicious packages have been uploaded to PyPI, a drop of nearly 60% from the 3,685 malicious uploads detected by ReversingLabs in 2021, the company stated.

**Fooling the Unwary**

In the latest effort, the fake SentinelOne 1.2.1 package raises many red flags, the advisory stated. The suspicious behaviors include the execution of files, the creation of new processes, and communicating with external servers using their IP address rather than a domain name.

ReversingLabs stressed that the client has no connection to SentinelOne, besides using the security firm's name. The PyPI package appears to be an SDK that helps simplify programmatic access to the client.

"It could be that malicious actors are attempting to draft on SentinelOne’s strong brand recognition and reputation, leading PyPI users to believe that they have deployed SentinelOne's security solution, without taking the — necessary — step of becoming a SentinelOne customer," ReversingLabs stated in its advisory. "This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler."

In a statement to Dark Reading, SentinelOne reiterated that the package is fake: "SentinelOne is not involved with the recent malicious Python package leveraging our name. Attackers will put any name on their campaigns that they think may help them deceive their intended targets, however this package is not affiliated with SentinelOne in any way. Our customers are secure, we have not seen any evidence of compromise due to this campaign, and PyPI has removed the package."

**Attackers See Developers as Another Vector**

The attack also shows that developers are becoming an increasing target of attackers, who see them as a weak point in targeted companies' defenses, as well as a potential way to infect those companies' customers. 

In September, for example, attackers used stolen credentials and a development Slack channel to compromise game developer Rockstar Games and gain access to sensitive data, including assets for the developer's flagship Grand Theft Auto franchise.

For that reason, companies should help their developers understand which software components could pose a risk, Pericin says.

"Developers should put new project dependencies under a higher degree of scrutiny before opting to install them," he says. "Given that the malware only activates when used, not when installed, a developer might have even built a new app on top of this malicious SDK without noticing anything odd."

In the case of SentinelSneak, the threat actor behind the Trojan horse published five additional packages, using variations on the SentinelOne name. The variations appear to be tests and did not have a key file that encapsulated much of the malicious functionality.

ReversingLabs reported the incident to the PyPI security team on Dec. 15, the company said. SentinelOne was notified the next day.

"We've caught this malicious package very early," the company said. "There's no indication that anybody has yet been affected by this malware."

  
_Story was updated to include a statement from SentinelOne._

Malicious Python Trojan Impersonates SentinelOne Security Client

Recession fears notwithstanding, cybersecurity skills — both credentialed and noncredentialed — continue to attract higher pay and more job security.

Company executives continue to voice concerns that a recession is likely in 2023, but cybersecurity professionals — along with IT workers and developers with cybersecurity knowledge — appear well-positioned to weather an economic downturn, according to technology-job experts.

Overall, professional certifications have provided declining salary premiums since 2018, but information security certifications continue to command significantly above-average pay premiums, according to an analysis of more than 4,000 employers in the US and Canada by Foote Partners LLC. Cybersecurity-related skills — such as AWS Certified Security, GIAC Certified Incident Handler, and Okta Certified Developer — make up more than half of the "winner" skills, those that have attracted the most pay and have gained the most in market value.

Noncertified security skills — such as cryptography, DevSecOps, and risk analytics — also attract high premiums, says Bill Reynolds, research director at Foote Partners.

"Obviously, security skills and certs are still commanding cash premiums beyond salary at the 4,057 employers \[we surveyed\] in the US and Canada," he says. "That’s a pretty large sample for a survey, so it’s quite meaningful."

**Positioned to Withstand Recession?**

The robustness of the cybersecurity job market comes as company executives continue to worry about a recession in 2023. The vast majority of company executives (83%) expect a recession in 2023 — as do 82% of investors, according to another online survey — and about half of organizations are pre-emptively cutting expenses. In many cases, that means layoffs. In the cybersecurity industry, nearly a score of companies have cut workers in the last three months, according to tracking site Layoffs.fyi.

The fears of a downturn have even affected the valuations of startup companies in the cybersecurity industry.

Because of the difficulty in hiring and retaining knowledgeable cybersecurity workers, however, layoffs will likely come from less-technical groups, leaving knowledgeable cybersecurity workers. In fact, the majority of companies (60%) still planned to increase the head count of their IT departments as of July 2022, according to the _IT Spending and Staffing Benchmarks 2022/2023_ report published by Computer Economics.

"Expected growth is modest, but this is an indication that IT organizations cannot simply rely on increased efficiency from the cloud and virtualization for growth," the report stated. "Some hiring will still need to be done."

**Cybersecurity Skills Fetch a Premium**

Overall, cybersecurity workers remain in demand, with 770,000 positions currently unfilled, compared with a cybersecurity workforce of 1.1 million — a 69% shortfall in workers, according to data from the CyberSeek project. The gap between supply and demand is much greater than the 7.4% for the Businesses and Professional Services industry and the 6.9% gap in the Information sector, according to the US Bureau of Labor Statistics.

Workers with specific cybersecurity skills will continue to see opportunities, according to Foote Partners 2022 Tech Compensation Survey Reports. Ten of the 17 skills listed on the firm's IT Winners list, which includes skills that command an above-average premium and which have seen those premiums accelerate in the past few months, are security-related. The same criteria for noncertified IT skills show that 10 of 39 are security-related.

GIAC Certified Forensics Analyst (GCFA), InfoSys Security Engineering Professional, and Okta Certified Developers each have an average pay premium of 12% over base pay, according to Foote's data. For noncertification-based skills, security auditing, cryptography, and identity and access management each had an 18% premium over base pay.

What else is important? Soft skills, says Foote's Reynolds. A worker's ability to collaborate, deal with stress, manage time, have passion for the work, ability to listen, and include others all matter a great deal, he says.

These are "things that have nothing to do with certifications and this appears to be gaining in importance," he says.

**Avoid "Alphabet Soup" of Certifications**

Workers should take care to not collect certifications, as hiring managers and recruiters are wary of an alphabet soup of certifications on applicants' resumes, according to a recent Axios brief.

Foote's Reynolds agrees. Just because workers with a particular certificate get a pay premium isn't the right reason to get the certificate.

"It's like the argument of whether a college degree is mandatory for job consideration," he says. "Just because you have a college degree doesn't mean you're qualified for a particular job. It's more about what you've done with that college degree on the job. Tangible, measurable experience matters a lot."

Security Skills Command Premiums in Tight Market

Leading global education provider engages with Bugcrowd Security Researchers to identify threats.

**SYDNEY** **and** **SAN FRANCISCO****,** **Dec. 19, 2022** **/PRNewswire/ --** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that Navitas, one of the world's leading global education providers, has launched a private bug bounty program with Bugcrowd to identify and resolve security vulnerabilities.

Navitas delivers educational programs to 60,000 aspirational students each year across its network of 92 colleges and campuses in 24 countries around the world. Under the bug bounty program, dozens of Bugcrowd security researchers will test Navitas' web applications for security risks on an ongoing basis. Ethical hackers who identify and remediate any valid threats will receive a bug bounty financial reward of up to AUD $3,700 (USD $2,500), depending on the severity of the uncovered threat.

Gavin Ryan, Global Head of Information Security for Navitas, selected the Bugcrowd crowdsourced security solution based on its proven track record of being able to scale, reduce costs and risks through a continuous testing process, along with the extensive global reach of its researcher team. 

"At Navitas we take the security of our data and applications extremely seriously and are always seeking innovative ways to protect the private information of our students and staff from continuous and fast-changing cyber threats," said Gavin Ryan. "We are pleased to partner with Bugcrowd to take advantage of its extensive network of trained security researchers who can help us find and resolve online vulnerabilities before attacks occur. Only a month into the program, we are already realising the benefits of a bug bounty program and plan to extended it to include agile continuous security testing across selected non production environments" 

Bugcrowd's ability to deliver a fast return on investment through crowdsourced bug bounties, rather than undertaking lengthy and costly consulting engagements, was one of the biggest contributing factors in its selection. The solution's continuous assurance model was also better positioned to safeguard Navitas' global attack surface, which had made traditional penetration testing less tenable and less effective for ongoing application security assurance.

"Bugcrowd is excited to work with Navitas in assisting to protect both their data and applications with a comprehensive bug bounty strategy and a non production testing strategy," said Nick McKenzie, Chief Information and Security Officer at Bugcrowd. "Our extensive global crowdsourced security team has the ability to scale for Navitas's requirements, provide critical protections around the clock, and through the introduction of non-production testing regimes will help the Navitas business deliver at a higher digital velocity. We are happy that both control outcomes and the economics of the program's delivery (vs other testing regimes) have exceeded expectations."

"Bugcrowd" and the "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

SOURCE Bugcrowd

Bugcrowd Launches Bug Bounty Program for Australian-Based Navitas

Risk is no longer a single entity, but rather an interconnected web of resources, assets, and users.

Within the first few hours of the FTX implosion, investors and crypto bulls were working through the Kübler-Ross model's five stages of grief: denial, anger, bargaining, depression, and acceptance. As more details came out about the inner workings of FTX, I realized that truth really is stranger than fiction.

The 30-year-old founder of FTX, Sam Bankman-Fried, was known simply as SBF — a single moniker that put him in the company of Madonna or LeBron. His firm seemingly came out of nowhere to establish itself as the de facto standard for crypto exchanges. The firm and the founder were surrounded by all the trappings of success and legitimacy — a fawning press, famous and powerful friends, and sycophantic politicians.

Who would ever suspect fraud with such a veneer of respectability? The obvious comparison was Theranos and its CEO, Elizabeth Holmes. When stories emerged that FTX's potential losses totaled $50 billion, comparisons to another fraudster — Bernie Madoff — emerged.

However, there is one huge difference between SBF and Madoff: Madoff was a singular figure orchestrating a massive Ponzi scheme. The funds that came to Madoff didn't go into other investments. In fact, they didn’t go into any investments. They were used to keep existing clients happy while new clients were brought in. All of the risk for Madoff clients was represented in Madoff himself.

In the case of FTX, SBF lent Alameda Capital — the firm's in-house investing arm — more than $8 billion in client funds. It is patently illegal to mix client funds in an exchange with outside investments. Most shocking of all is what SBF and Alameda were doing with that money. They thew the money into more than 400 different investments in the emerging crypto market, from failing exchanges to worthless coins. Investors who parked their money, and their crypto, at the FTX exchange had no idea the risks they were facing.

**Know Your Attack Surface**

The threat surface for FTX clients wasn't just about protecting their FTX passwords or hoping the exchange wouldn't get hacked like the Mt. Gox bitcoin exchange and so many others did. Instead, their portfolios were at risk of implosions over assets and investments they had never heard of.

That is the definition of risk: having your hard-earned money and investments merged with a toxic mix of super-risky sludge. That’s a helpless place to be.

After more than 20 years in cybersecurity, it is difficult not to think about risk exposure and threat management in a case like this. Security teams are dealing with something much more akin to SBF than Madoff. There is no singular threat facing an enterprise today. Instead, it is a constellation of assets, devices, data, clouds, applications, vulnerabilities, attacks, and defenses.

Security teams' biggest weakness is that they are being asked to secure what they can neither see nor control. Where is our critical data? Who is accessing it, and who needs access? Every day in cybersecurity, the landscape of what needs to be protected changes. Applications are updated. Data is stored or in transit among multiple clouds. Users change. Every day represents new challenges.

Security starts with visibility. That’s why discovery is all the rage these days. From the cloud to data to external assets, security teams are digging into discovery tools that help them understand exactly what they have to secure, where it is, and who is accessing it. There is an urgent need to understand the connections among users, partners, devices, and applications. The FTX crypto investment scenario I've described could just as easily be interconnected enterprise resources, and internal and external users.

I feel terrible for anyone caught up in this FTX mess. For cybersecurity professionals, it is yet another reminder that it is not just the resources and employees of your organization that impact security; it is a web of connections that grows every day. We live in the age of discovery for a reason.

Rethinking Risk After the FTX Debacle

Revived levels of holiday spending have caught the eye of threat actors who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.  

A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.

Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.

Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.

A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.

Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.

"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.

**Ramifications for Legitimate Businesses**

Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.

"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.

This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.

Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.

"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."

For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.

Curry points out now is the time when many retailers go into the black.

"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.

That means any hiccups now are even more painful as a result.

"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."

**Threat Actors Look for Quick, Easy Wins**

Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.

"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."

Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.

"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.

**Keeping Alert Across the Organization**

DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.

Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.

He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.

"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.

An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.

"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just \[by\] the network defenders," he says.

In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.

Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.

"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.

**The Perils of Losing Customer Trust**

Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.

"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.

He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.

Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.

"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."

Holiday Spam, Phishing Campaigns Challenge Retailers

Microsoft-owned GitHub is taking steps to secure the open source software ecosystem by rolling out security features to protect code repositories.

GitHub is making secrets scanning available for all public repositories and requiring all developers to enable two-factor authentication (2FA) for their accounts. The secrets scanning service will be available to all users by the end of January, and mandatory 2FA will be in place by the end of 2023, GitHub said.

**Scanning for Secrets**

The secret scanning service alerts developers when secrets such as application tokens and user credentials are exposed in code. Up until now, the service was available to paid enterprise users (via GitHub Advanced Security). The new policy will provide the service for free to all public GitHub repositories.

The service to scan for secrets helped identify 1.7 million potential secrets exposed in public repositories in 2022, GitHub said.

While the scanner can recognize over 200 known token formats, the option to define custom regex patterns is also available. 

“You can define custom patterns at the repository, organization, and enterprise levels. ... With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the company said.

Developers will be able to find this option in their repository settings under Code security and analysis, where there is a section called Vulnerability alerts, and a Security tab. All secrets found by the service will be displayed in the same section, along with suggested ways to remediate the exposures.

**2FA For All**

The company has been talking about making 2FA mandatory across the platform, and the requirement will begin rolling out in March. Users will receive reminders 45 days prior to when they have to turn on 2FA, and their accounts will be blocked if 2FA is still not enabled seven days after the deadline, the company said.

Users required to enable 2FA include those who publish GitHub or OAuth apps or package, those who create a release, enterprise and organization administrators, and those who contribute code to other repositories.

“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.

GitHub Expands Secret Scanning, 2FA Across Platform

The 2022 FIFA Men's World Cup final in Qatar will be the most-watched sporting event in history — but will cybercriminals score a hat trick off its state-of-the-art digital footprint?

As Argentina and France prepare to face off in Doha for the final of the 2022 FIFA Men's World Cup, stadium staff and tournament organizers likely have more on their minds than whether Lionel Messi or Kylian Mbappe will claim the title of top goal-scorer. The event represents a vast cyberattack surface for both FIFA and the host nation of Qatar, security experts say — and ahead of the tournament's grand finale, cyber threats from all corners remain very clear and present.

According to FIFA, 2022 will end up being the most-watched tournament in history, followed by literally billions around the globe. On-the-ground numbers are impressive, too: Stadium Lusail, where the final will be played, is the biggest stadium in Qatar and has a capacity of the 88,966 spectators. Ticket sales for the World Cup have topped 3 million for an unprecedented 1.2 million visitors, which is equivalent to nearly half of Qatar's population.

That's a juicy target for not only financially motivated threat actors and hacktivists but also nation-state groups, who more often than not can get the ball in the back of the intelligence-gathering net when they want to.

**Smart Stadiums & the Digital Pitch**

The risks come from a few different places: social engineering efforts against fans and visitors being the most well known. What's less well known is the fact that Qatar has leaned in hard to the smart stadium concept, connecting its eight World Cup venues into one connected digital space.

A partnership between Johnson Controls' OpenBlue digital platform and Microsoft Azure, for instance, has enabled an artificial intelligence-based approach to physical security and operations, gathering data from edge devices and systems to identify when a security or safety issue has the potential to affect fans and players, or how crowd size and weather changes might affect energy efficiency and playing conditions.

Each stadium also has a 3D digital twin, an interactive digital model that provides live information on safety, comfort, and sustainability to a team of command center experts.

"With major sporting events becoming increasingly digitized, the attack surface for threat actors has also increased," a recent ZeroFox report on World Cup threats noted. "Qatar has constructed eight state-of-the-art 'smart stadiums' specifically for the World Cup, meaning sophisticated threat actors will almost certainly aim to compromise networks by exploiting vulnerabilities within interconnected stadium systems, including operational technology and Internet of Things (IoT) devices."

This raises the possibility of denial-of-service attacks or disruption on the order of the Olympic Destroyer threat, which took aim (largely unsuccessfully) at the Winter Games in Pyeongchang in 2018.

While it's not known what specific cyber defenses this first-of-its-kind footprint has in place, Qatar brought in a team of cybersecurity experts for a summit in March, and it has been working closely with Interpol's Project Stadia to enhance its security posture. So far, so good — but it's not over yet.

**Mobile Privacy Concerns**

Also, notably, there is a pair of mobile apps that everyone 18 and above entering Qatar for the World Cup is required to download, named Ehteraz and Hayya. Ehteraz is a COVID-19 tracking app, while Hayya is an app used for World Cup game tickets and accessing the Qatar metro system to move between stadiums.

At issue is the fact that Ehteraz has an extensive list of required permissions so that it can monitor locations and proximity to other app users; it can capture data from the device, automatically exfiltrate data from a user's phone, disable a lock screen, make calls from the phone, and access location services.

The Hayya app, meanwhile, is able to "access almost all personal information on a phone," according to ZeroFox, and can tap into location services and network connections between a phone and other networks.

Both apps potentially offer riches to cybercriminals. "When threat actors look to exploit an app, the end goal is to steal information that would be profitable — login credentials, personally identifiable information, email, credit cards, etc. — so that they can either sell it to actors who know how to further exploit or use the credentials and check to see if they can steal money or crypto from the victim accounts," says Adam Darrah, senior director of Dark Ops Collections at ZeroFox.

However, more shadowy risks also apply; the apps, with their broad set of access to personal data, are a perfect vector for espionage and creating fan chaos.

"When a nation-state or a motivated hacktivist group has you in their sights, they will find a way in," Darrah says. "All nations view an event such as the World Cup as a way to gather intelligence."

Regarding the COVID-19 contact tracing app for instance, the ZeroFox report noted, "Critics fear downloading the app could give the Qatari government access to privileged or sensitive content on a user’s phone. This is particularly notable if the user is breaking a Qatari law. It could also give Qatari authorities access to proprietary information contained on a company phone."

The firm recommended not installing the app on any phone with access to sensitive information, as a precaution.

**Facial Recognition at the World Cup**

Another wrinkle in the threat landscape for the World Cup is the vast facial-recognition footprint that Qatar has stood up in order to help respond to any threats of bodily harm to visitors and staff. Tensions famously run high at football (aka soccer) matches, but beyond run-of-the-mill hooliganism, some tourney-watchers are concerned that there could be a serious physical security incident.

To help thwart such a situation, the country has installed more than 15,000 cameras with facial recognition technology stationed throughout the eight stadiums and along roads and transportation infrastructure in Doha.

The benefits to physical security are myriad, of course. "Say a fan places a suspicious package close to a stadium entrance. When security personnel are alerted to this threat, staff can retroactively use facial recognition to trace the suspect's steps, determine where they are going next, and possibly pick them out in a crowd if needed," Terry Schulenberg, vice president of business development at CyberLink, tells Dark Reading. "The technology can even alert staff when a bad actor enters their area. Facial recognition will provide staff with the information they need."

However, critics have raised privacy concerns, a well-worn issue when it comes to facial recognition. After all, the population can't "opt in" to being scanned; the potential for surveillance by the Qatari government or advanced persistent threats (APTs) is there; and, it's unclear how the system handles the biometric data it collects.

"It would benefit them not to store faces in the cameras, workstations, or servers," Schulenberg says. "Rather, they could use software that identifies hundreds of vectors on a subject's face — such as the distance between the eyebrows — convert them into an encrypted file, send this file to a workstation or server, and compare its values with those of previously recorded subjects or those enrolled in a database. If it's being used, this more airtight facial recognition model will help security operators process camera feed data more quickly and securely."

If Qatar is not storing full images of attendees' faces, any unlikely leak of facial recognition data would be unreadable without access to the specific software Qatar is using, he stresses. 

**Thwarting Social Engineering Threats**

And finally, utterly predictably, phishers and scammers have been drawn to the event, using World Cup-themed lures, malicious mobile apps, and bogus ticketing websites to harvest data and steal funds from unsuspecting fans. In fact, Kaspersky said this week that its researchers have seen fake tickets being sold for as much as $4,000 a pop.

Group-IB's Digital Risk Protection team recently said it has detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the world's largest sporting event. The researchers also uncovered more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

Patrick Harr, CEO at SlashNext, notes that FIFA and any World Cup host nation can take action to protect aficionados of the beautiful game from social engineering.

"FIFA could ensure its security program includes brand impersonation identification, remediation, and a takedown service," he says. "With this type of security control, FIFA could safeguard their millions of fans, so they don’t accidentally engage with malicious content while following the news on their favorite teams."

Eyal Benishti, founder and CEO at Ironscales, notes that FIFA also should be focusing on raising awareness, sounding a loud drumbeat to fans.

"They should be told to avoid clicking on links behind QR codes, stay away from SMS messages asking to validate or verify, and to go directly to the official FIFA domain only, to interact and purchase tickets," he says. "Send out clear communication to the future guests on the guidelines, what to expect and what to be on the lookout for."

He also pointed out that World Cup employees have also been targeted throughout the tournament, bringing up another layer of responsibility for organizers.

"For the FIFA organization and businesses of Qatar, focus on what you can control, like making sure your internal employees are educated and aware of the probability of fake emails and fake support requests that will spike," he says. "If they receive requests that seem out of place, always validate with the sender via phone or alternate communicate method. Be extra cautious and ensure the proper communication and education are taking place for your employees."

**Cybersecurity Lessons to Be Learned**

Qatar's World Cup hosting duties may be coming to a close, and hopefully without a major cyberattack marring the experience, but there are lessons to be learned when it comes to implementing good security for such a sprawling endeavor. 

Whether it's an attack on infrastructure, privacy concerns, or the phishing glut that has surrounded the tournament, the time is now to be thinking about risk mitigation for future events, like the upcoming 2023 FIFA Women's World Cup next summer.

Researchers say that it's especially crucial to conduct an assessment once all is said and done, ideally using threat intelligence and data from this winter's event — given that it's likely that many of the pioneering technologies that Qatar put in place for the tourney will be tapped for future tournaments. For instance, stadiums across the US, which is a co-host of the 2026 FIFA Men's World Cup, are already using facial recognition tools for staff and fan entry, ticket verification, and contactless payments.

"An event the size and scale of a World Cup represents rich pickings for the criminally inclined, with millions of visitors seen as millions of potential victims," Rob Fitzsimons, field application engineer at Telesoft Technologies, said in a recent column. "It is the responsibility of the host nation to ensure the safety and security of its guests — both physically and digitally."

He added, "Indeed, a continuous flow of real-time threat intelligence in advance of and throughout the tournament \[provides\] a greater understanding of the potential threats, and enables security professionals to better defend against them. Recognizing where vulnerabilities lie, and addressing these accordingly, will allow better protection of mobile networks, and help protect against targeted attacks … and, by monitoring and controlling the flow of information across these networks, it's possible to reduce the likelihood of more widescale attacks."

Cyber Threats Loom as 5B People Prepare to Watch World Cup Final

Patched several months ago, researcher reports how they used Spring Boot to sneak past Akamai's firewall and remotely execute code.

Akamai's Web application firewall (WAF) is intended to fend off potential attacks like distributed denial-of-service (DDoS), but a researcher discovered a way to bypass its protections by using complex payloads to confuse its rules.

The researcher, known as Peter H., along with Usman Mansha, said Akamai has since patched against the vulnerability, which was not assigned a CVE number. In the write-up, Peter H. explained how he used a vulnerable version of Spring Boot to bypass WAF protections.

"We ended up able to bypass Akamai WAF and achieve Remote Code Execution (P1) using Spring Expression Language injection on an application running Spring Boot," the GitHub explanation of the Akamai WAF RCE find explained. "This was the 2nd RCE via SSTI we found on this program, after the 1st one, the program implemented a WAF which we were able to bypass in a different part of the application."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading