Oluwaseun Soyomokun says
Security breach at trading platform Robinhood sparks phishing fears
Social engineering attack exposes email addresses of five million investors
US trading platform Robinhood Markets has admitted that client data has been stolen by crooks who tricked a customer support employee.
The social engineering attack allowed miscreants to access customer support systems where they took data including the names of two million customers and more extensive data on a small number of customers.
In a statement issued on Monday (November 8), Robinhood Markets sought to play down fears by stating that it hasn’t come across any evidence that any financially sensitive information was exposed by the breach.
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the firm said.
Robinhood’s ongoing investigation has revealed that for a small subset of its customers – around 310 – their name, date of birth, and zip code were exposed. In addition, 10 customers had “more extensive account details” revealed.
The financial services firm is in the process of contacting those most affected directly.
The exposed email addresses make it likely that Robinhood customers will find themselves targeted with follow-up phishing attacks seeking to hoodwink potential marks into handing over more sensitive information, so extra vigilance is strongly recommended.
Ken Westin, director of security strategy at threat intel firm Cybereason, commented: “Minimally impacted consumer info can still be leveraged for secondary phishing attacks to gain access to accounts, making it critically important for their customers to be vigilant while regularly checking their accounts for any signs of fraud.”
Social engineering
Robinhood Markets said that after detecting the intrusion, the as-yet-unidentified crooks attempted to obtain an extortionate payment.
The financial services firm rebuffed this request and called in help from incident response experts and the police.
“We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm,” Robinhood Markets said.
Third-party security firms said the incident highlighted the importance of employee training as well as technical countermeasures such as multi-factor authentication to sensitive systems and least privileged access.
Chris Deverill, UK director at Orange Cyberdefense, commented: “The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness.”
Cybereason’s Westin added: “The breach appears to be the result of social engineering of a single customer support employee and a reminder that humans are oftentimes the weakest link in the ecosystem. To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission critical data.”
Security breach at trading platform Robinhood sparks phishing fears | The Daily Swig (portswigger.net)
Shubham Patil says
Four Reasons Why Application Security is an Enabler for All Businesses
Despite the growing evidence of the criticality of application security, many businesses continue to remain unaware and unsure of its benefits. Since it is often discussed in terms of security breaches, legal costs, non-compliance and regulatory fines, the business opportunities that app security offers are often overlooked. As a result, businesses tend to view web app security as merely an overhead cost or as a matter of compliance. In reality, however, it is an enabler for businesses of all kinds and sizes.
Link: https://www.infosecurity-magazine.com/blogs/four-reasons-app-security-enabler/
Elizabeth Gutierrez says
The article I found this week, “Hoax Email Blast Abused Poor Coding in FBI Website” was provided by KrebsOnSecurity. A statement from the Federal Bureau of Investigation (FBI) on Nov 14, 2021 confirmed that a software misconfiguration let unknown parties send thousands of legit-looking emails from its servers and internet address. The Twitter account that claims responsibility for the attack revealed that they gained access to the FBI’s email system by leveraging the Law Enforcement Enterprise Portal (LEEP) that allowed anyone to apply for an account with helpful step-by-step instructions for registering. The actor said they were able to send themselves an email from the FBI’s Criminal Justice Information Services division by a simple script change; more specifically, by editing the request sent to their browser and changing the text in the message’s “Subject” field and “Text Content” fields. In an interview with KrebsOnSecurity, the alleged actor claims they conducted the hack to “point out a glaring vulnerability in the FBI’s system.” They go on to say that they could have “1000% used this to send more legit looking emails, trick companies into handing over data etc.,” and “this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
Link to article: https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/
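An added illustration of the flaw class described in the post above (a server that mails out whatever "Subject" and "Text Content" the request carries), shown beside a hardened form. This is not code from the FBI, KrebsOnSecurity, or the poster; the field names, addresses, template text, and session layout are hypothetical.

```python
from email.message import EmailMessage

SENDER = "noreply@portal.example"            # placeholder sender address
SUBJECT = "Your registration request"        # fixed on the server
BODY = "We received registration request {ref}. No action is needed."
# Hypothetical names for the content fields a browser could edit.
CLIENT_CONTENT_FIELDS = {"subject", "text_content"}


def build_email_weak(form: dict) -> EmailMessage:
    """'Before': recipient, subject and body all come from the request."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["to"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["text_content"])
    return msg


def build_email_hardened(form: dict, session: dict):
    """'After': content comes from a server-side template and the recipient
    from server-side session state. Content fields present in the request
    are ignored and returned so the caller can log them as tampering."""
    ignored = sorted(CLIENT_CONTENT_FIELDS.intersection(form))
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = session["pending_email"]
    msg["Subject"] = SUBJECT
    msg.set_content(BODY.format(ref=session["request_ref"]))
    return msg, ignored


# Constructed sample data: an edited request and the matching session.
SAMPLE_FORM = {
    "to": "someone@elsewhere.example",
    "subject": "Urgent notice",
    "text_content": "Constructed edited body",
}
SAMPLE_SESSION = {"pending_email": "applicant@example.org",
                  "request_ref": "R-0001"}

if __name__ == "__main__":
    print(build_email_weak(SAMPLE_FORM)["Subject"])      # attacker-chosen
    msg, ignored = build_email_hardened(SAMPLE_FORM, SAMPLE_SESSION)
    print(msg["Subject"], msg["To"], ignored)
```
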
Yangyuan Lin says
High-Severity Intel Processor Bug Exposes Encryption Keys
The security vulnerabilities in Intel chips have a CVSS vulnerability severity rating of 7.1 (out of 10 points). This vulnerability will have a serious impact. It will allow cybercriminals to extract the encryption key of the device and access information.
The vulnerabilities also help extract the root encryption keys used in Intel Platform Trust Technology and Enhanced Privacy ID Technology, but these technologies are used to protect digital content from illegal copying. For example, many Amazon e-book models use Intel EPID-based digital rights management protection. However, this vulnerability allows an intruder to extract the root EPID key from the device (e-book), and then, in the case of destroying Intel’s EPID technology, download electronic materials in the form of files from the supplier, copy and distribute the electronic materials. Also, vulnerabilities may allow cyber attackers to conduct targeted attacks throughout the supply chain. For example, employees of Intel processor-based equipment vendors can extract Intel CSME firmware keys and deploy spyware that cannot be detected by security software.
Link: https://threatpost.com/intel-processor-bug-encryption-keys/176355/