The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
A Looming Deadline for eCommerce
In This Issue:
- Magento is reaching end-of-life next summer
- Gone phishing in accounting
- What not to do, part 8,991,062
Magento Is Reaching End-Of-Life Next Summer
Between 200,000 and 240,000 Magento online stores will reach EOL next year. The most widely-used version of Magento (software used to create e-commerce sites) will be out of support next summer. As such, it will no longer be receiving security fixes. Online stores are already an attractive target to hackers, and the number of payment card skimming operations is on the rise. Once the security fixes stop, any site still running Magento 1.x is going to be as full of viruses as a supervillain's bioweapons lab.
You might think this is not applicable to you—if so, you might want to double-check that assumption. The article states that "Magento is, by far, today's most popular technology for hosting an online store."
Countermeasure:
There's a version 2 of Magento. Actually, there has been for some time. People have avoided upgrading, not because there’s anything wrong with the version, but because this kind of migration is disruptive and a right royal pain.
Time to stop procrastinating. If you're one of the thousands of companies using the old version of Magento, you have between now and next summer to plan and execute your upgrade. Otherwise you face the public relations nightmare of telling customers that their payment cards have been stolen, with a side order of regulatory compliance issues.
Gone Phishing in Accounting
It would not be a good week to be this guy: Nikkei worker tricked into transferring $29 million into scammer’s bank account.
Don't be too quick to blame the accounting staff, though. These scammers are really, really good at what they do. And this kind of scam is becoming increasingly popular. Accounting Scams Continue to Bilk Businesses.
Countermeasure:
Read Florida city sends $742K to fraudsters as it bites the BEC hook. This article has a list of steps to take to prevent this type of fraud. The short version: business processes are a critical part of defending against this sort of attack. Before making changes to an account, check and double-check that the changes are authorized. Preferably in person.
What Not To Do, Part 8,991,062
Baffled by bogus charges on your Amazon account? It may be the work of a crook's phantom gadget. What not to do: fail to detect or respond to a breach in progress, despite multiple customers reporting the fraud directly to you.
Men paid $100K by Uber to hush up hack plead guilty to extortion scheme. What not to do: 1) Pay a hacker to keep quiet about the breach. 2) Just don't tell customers that a bunch of their information was stolen.
Countermeasure:
1) If multiple people report that you have a data breach, investigate. Do not sweep this under the rug. Make sure anyone doing customer support has a clear process to follow if a customer says you are under attack.
2) Don't hush up a breach. In a lot of places it is now illegal to do so. Even if you dodge that bullet, you'll probably face civil suits from customers.
Podcast of the Week
You shouldn't pay a ransom; it just encourages more extortion. No, wait, you should pay a ransom, because what if your backups somehow got infected? But it's like negotiating with terrorists. You definitely should never pay a ransom. Except for when you should.
Response to ransomware is a contentious topic. Here's some more information to add to your decision matrix: Smashing Security #151: Frankly, Sometimes Paying the Ransom Is a Good Idea.
Resource of the Week
Does your organization obsess over metrics? Cybersecurity is a notoriously difficult thing to measure. Sure, your defenses make you safer, but by how much? Could you put a dollar figure on it?
Resources for Measuring Cybersecurity. This is a place to start if you’ve been tasked with gathering data.
One of the few things that is measurable is the cost of a breach. The latest research on that is here: How data breaches affect stock market share prices. Spoiler alert: the guy was dead the entire time. Okay, wrong movie. Spoiler alert: prices go down.
Podcast of the Week
Mozilla says ISPs are lying to Congress about encrypted DNS
Some background:
- ISPs lied to Congress to spread confusion about encrypted DNS, Mozilla says
- DNS-over-HTTPS (DoH) FAQs
- Mozilla says ISPs are lying to Congress about encrypted DNS
Video of the Week
A Warning About Viruses From Weird Al. How often is anti-phishing training funny?
Quick Links
- NordVPN users’ passwords exposed in mass credential-stuffing attacks. "Readers who are NordVPN users should visit Have I Been Pwned and check to see if their email address is contained in any of the lists. If it is, they should change their passwords immediately."
- An inside look at WP-VCD, today's largest WordPress hacking operation. "The WP-VCD gang does not use vulnerabilities to break into sites and install backdoors. Instead, they rely on webmasters infecting themselves by downloading and installing pirated (nulled) themes and plugins for their WordPress sites."
- NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm
- This is how Google Analytics is abused by phishing scammers
- Siemens PLC Feature Can Be Exploited for Evil - and for Good
- Actively exploited bug in fully updated Firefox is sending users into a tizzy
- Tech-support scammers used data stolen by Trend Micro employee