Mobile Phone Reseller Faces Data Breach

This week we hear about Carphone Warehouse's data breach, and a looming threat to business travelers' computers while they are used on hotel Wi-Fi.

Breach

Mobile Phone Reseller Faces Data Breach

On August 8, 2015, Carphone Warehouse reported the possible compromise of customers’ personal information as a result of a cyber attack that occurred on August 5. Initial reports indicate that personal information including name, address, email address, date of birth and bank details of up to 2.4 million customers may have been accessed. Additionally, encrypted credit card information of up to 90,000 customers may have been compromised.

The part of the company affected operates the websites OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk. It also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile, and to certain customers of Carphone Warehouse.

At least one online media report suggests that the data theft took place under cover of a DDoS attack. The three websites sit at a single IP address, and that address is shared with approximately 70 other domain names. Though not confirmed, it is quite possible that this shared hosting arrangement was the point of entry: a weakness in any one of the co-hosted sites could expose the others.

To minimize impact, customers have been advised by email and on the Carphone Warehouse website to change their passwords and to monitor their financial accounts for suspicious activity. However, customers have reported being unable to reach the affected websites, and therefore unable to take those steps, because accounts were locked and the sites were unavailable.

References: Carphone Warehouse Website | Telegraph | BBC

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures to detect malware beaconing to the call-back (command-and-control) addresses observed in this campaign.
  • Security Operations Center team providing around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • NetFlow traffic analysis, which may also reveal large data transfers and data leakage: a single server sending an unusual volume to one external destination is a stronger signal than raw outbound volume alone.
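
The NetFlow bullet above, as an added example that is not code from the original page or its author: a small Python script that aggregates constructed flow records per internal-source / external-destination pair and flags pairs that are both large in absolute terms and account for most of the source host's external egress. The record format (one CSV row per flow, as a collector would emit after decoding the binary export), the internal address ranges, the 1 GB threshold and the 50% share cut-off are all assumptions to be tuned to the monitored environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow export (not taken from the page). One record per
# line: start_time,src_ip,dst_ip,dst_port,bytes. 10.0.0.5 is a web server:
# it answers a few small client requests, talks to an internal database,
# then pushes ~1.9 GB to one external host (203.0.113.77, a documentation-
# range address) over port 443 in three flows.
SAMPLE_FLOWS = """\
2015-08-05T22:01:00,198.51.100.10,10.0.0.5,80,520
2015-08-05T22:01:00,198.51.100.11,10.0.0.5,80,480
2015-08-05T22:01:01,198.51.100.12,10.0.0.5,80,500
2015-08-05T22:01:01,10.0.0.5,198.51.100.10,51000,64000
2015-08-05T22:01:02,10.0.0.5,198.51.100.11,51001,61000
2015-08-05T22:01:05,10.0.0.5,10.0.0.20,3306,120000000
2015-08-05T22:02:00,10.0.0.5,203.0.113.77,443,700000000
2015-08-05T22:09:00,10.0.0.5,203.0.113.77,443,650000000
2015-08-05T22:15:00,10.0.0.5,203.0.113.77,443,580000000
"""

# Assumed internal address space; adjust to the monitored environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV-style export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, dport, nbytes = line.split(",")
        flows.append({"start": start, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def outbound_by_pair(flows):
    """Total bytes sent from each internal host to each external destination.
    Inbound traffic (e.g. a DDoS flood) and internal-to-internal flows are
    ignored: only egress can carry stolen data off the network."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def flag_large_transfers(flows, threshold_bytes=1_000_000_000, min_share=0.5):
    """Return (src, dst, bytes, share) for internal->external pairs that exceed
    threshold_bytes AND account for at least min_share of the source host's
    total external egress. Exfiltration concentrates on one destination;
    ordinary web serving spreads bytes across many clients."""
    pairs = outbound_by_pair(flows)
    per_host = defaultdict(int)
    for (src, _), total in pairs.items():
        per_host[src] += total
    hits = []
    for (src, dst), total in pairs.items():
        share = total / per_host[src]
        if total >= threshold_bytes and share >= min_share:
            hits.append((src, dst, total, round(share, 4)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for src, dst, total, share in flag_large_transfers(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {total / 1e9:.2f} GB ({share:.1%} of host's external egress)")
```

On the sample, the three client replies from 10.0.0.5 total about 125 KB and are not flagged, the 120 MB transfer to the internal database is ignored, and the three flows to 203.0.113.77 are summed to 1.93 GB making up essentially all of the host's external egress. A DDoS adds inbound volume, which this logic deliberately does not count, so the exfiltration signal survives the noise.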

Malware

Darkhotel Group Leverages Hacking Team Exploit

Those who regularly use hotel and other free Wi-Fi networks should take note of current malicious activity in this area. The aptly named “Darkhotel” group recently took advantage of material that became public through the “Hacking Team” compromise.

“Darkhotel” installs malware onto business travelers’ computers by compromising hotel Wi-Fi networks. The actor, believed to be Korean, has also used P2P torrents and highly customized spear phishing to deliver malware to victims. At the beginning of July, the group began using an exploit for a zero-day vulnerability whose existence came to light following the breach suffered by the Italian spyware company “Hacking Team.”

Recent techniques involve seemingly innocuous email attachments: .rar archives that in turn contain .scr and .jpg files. These files appear harmless, but a .scr file is a Windows executable regardless of its screensaver appearance; once opened it initiates hidden activity, installing backdoor and downloader malware in the background. The group seems to be targeting new victims in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique, Germany, and in the United States within certain industry sectors.
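
A mail-gateway-style check for the attachment pattern described above, as an added example that is not code from the original page or from any Darkhotel analysis: it opens an archive, reads each member's name and first bytes, and flags executable extensions such as .scr, double extensions such as photo.jpg.scr, and members whose content does not match their claimed type (an extension/content mismatch check that goes slightly beyond the page). The page describes .rar archives; the example builds and scans an in-memory ZIP with Python's standard library because the per-member checks are identical, and the third-party rarfile module offers a near-identical infolist/open interface for RAR files. The sample archive contents and dummy payload bytes are constructed; nothing in it is malware.

```python
import io
import zipfile

# Extensions Windows will run as programs or scripts no matter how the file
# name is presented to a user (.scr "screensavers" are ordinary PE executables).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".dll"}
PE_MAGIC = b"MZ"            # DOS/PE executable header
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker


def classify_member(name, head):
    """Findings for one archive member given its name and first few bytes."""
    findings = []
    lower = name.rsplit("/", 1)[-1].lower()
    parts = lower.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
        if len(parts) > 2:
            # e.g. photo.jpg.scr: the visible ".jpg" is a decoy
            findings.append("double extension hiding behind ." + parts[-2])
    elif head.startswith(PE_MAGIC):
        findings.append("PE header under non-executable extension")
    if ext in (".jpg", ".jpeg") and not head.startswith(JPEG_MAGIC):
        findings.append("named as JPEG but content is not JPEG")
    return findings


def scan_zip(data):
    """Map each member name in a ZIP archive (bytes) to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # only the magic bytes are needed
            results[info.filename] = classify_member(info.filename, head)
    return results


def is_suspicious(data):
    """True if any member of the archive produced a finding."""
    return any(scan_zip(data).values())


def build_sample_archive():
    """Constructed sample mirroring the described attachment: a real-looking
    image next to .scr droppers. Payloads are dummy bytes, not malware."""
    pe_stub = PE_MAGIC + b"\x90\x00" * 30
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vacation.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
        zf.writestr("report.scr", pe_stub)
        zf.writestr("photo.jpg.scr", pe_stub)
        zf.writestr("invoice.jpg", pe_stub)       # executable renamed to .jpg
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_archive()).items():
        print(name, "->", findings or "clean")
```

Reading only the first bytes keeps the scan cheap even for large archives, and the extension list is deliberately broader than .scr so the same check catches the usual alternatives; for a gateway, a single finding on any member is enough to quarantine the whole message.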

References: Security Week | CSO Online | Wired

Mitigation Strategies:

  • Daily log review of system logs to identify malicious activity.
  • Threat Manager provides network-based detection of malicious activity.

Top 20 IP Addresses

  • 82.221.128.206
  • 115.231.218.41 – NEW
  • 95.141.31.17 – NEW
  • 118.244.216.37
  • 104.243.129.210
  • 122.224.54.104
  • 91.121.179.219
  • 204.232.241.139 – NEW
  • 176.9.11.7 – NEW
  • 45.58.124.18 – NEW
  • 222.186.21.41 – NEW
  • 81.169.144.135 – NEW
  • 103.232.8.2 – NEW
  • 123.57.77.111 – NEW
  • 108.59.8.142 – NEW
  • 91.219.236.194 – NEW
  • 122.176.78.98 – NEW
  • 134.249.55.157 – NEW
  • 46.17.57.54 – NEW
  • 176.10.98.132 – NEW