A Review of the Best News of the Week on Identity Management & Web Fraud

Hackers Convinced Twitter Employee to Help Them Hijack Accounts (VICE, Jul 16 2020)
After a wave of account takeovers, screenshots of an internal Twitter user administration tool are being shared in the hacking underground.

Walmart Sued Under CCPA After Data Breach (Infosecurity Magazine, Jul 16 2020)
Filing alleges customer data is already circulating on dark web

Details of 142 million MGM hotel guests selling for US$2,900 (WeLiveSecurity, Jul 15 2020)
It appears that the July 2019 breach at MGM Resorts affected far more people than initially thought


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Microsoft Halts a Global Fraud Campaign That Targeted CEOs (Wired, Jul 10 2020)
A sophisticated scheme was designed to trick businesses in more than 60 countries into wiring large sums of money to attackers.

A Peek into the Fake Review Marketplace (Schneier on Security, Jul 13 2020)
“A personal account of someone who was paid to buy products on Amazon and leave fake reviews. Fake reviews are one of the problems that everyone knows about, and no one knows what to do about — so we all try to pretend it doesn’t exist….”

Email impersonations becoming pervasive, preying on a distracted and dispersed workforce (Help Net Security, Jul 15 2020)
Impersonations have become pervasive, and are by far the most prevalent type of email-based attack ending up in businesses’ inboxes. This is according to a survey report by GreatHorn. Emphasizing the trend, 48.7% of respondents reported seeing impersonations of people such as colleagues, customers or vendors, preying on the sense of urgency of an increasingly distracted and dispersed workforce.

Cofense Detects HMRC #COVID19 Tax Relief Scam (Infosecurity Magazine, Jul 15 2020)
Phishing email targets those whose ability to work has been impacted by the pandemic

How Do CCPA and GDPR Differ? CCPA Requires More Effective Data Management (SC Media, Jul 15 2020)
The enforcement deadline for the California Consumer Privacy Act (CCPA) passed a couple of weeks ago, so for all intents and purposes it’s now in effect. The CCPA was modeled after the European Union’s General Data Protection Regulation (GDPR) that requires companies to share how personal data gets collected and gives consumers the option to…

340 GDPR fines for a total of €158,135,806 issued since May 2018 (Help Net Security, Jul 16 2020)
Since rolling out in May 2018, there have been 340 GDPR fines issued by European data protection authorities. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine, Privacy Affairs finds. Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose its own penalties on organizations that break the …

Using Adversarial Machine Learning, Researchers Look to Foil Facial Recognition (Dark Reading, Jul 09 2020)
For privacy-seeking users, good news: Computer scientists are finding more ways to thwart facial and image recognition. But there’s also bad news: Gains will likely be short-lived.

The Trump Administration Is Attacking Critical Internet Privacy Tools (VICE, Jul 10 2020)
Trump’s cronies are dismantling the organization that helped give birth to open source tools like Signal and Tor. For activists around the world, the results could be disastrous.

NIST Password Guidelines: What You Need to Know (Infosecurity Magazine, Jul 13 2020)
Organizations’ best line of defense hinges on the ability to ensure security at the password layer

Californian Jailed Over Identity Theft Scheme Targeting Military (Infosecurity Magazine, Jul 10 2020)
Scheme that made millions by stealing veterans’ PII lands Californian in federal prison

U.S. universities at risk of back-to-school and Covid-19 email fraud (SC Media, Jul 10 2020)
The top 20 universities based in the U.S. are failing to implement proper DMARC protections and policies, opening the door for fraudsters to spoof their email domains and convincingly impersonate them at a time when students are likely expecting to receive a wealth of digital communications related to back-to-school instructions, researchers warn.

Researchers extract personal data from video conference screenshots (Help Net Security, Jul 13 2020)
Video conference users should not post screen images of Zoom and other video conference sessions on social media, according to Ben-Gurion University of the Negev researchers, who easily identified people from public screenshots of video meetings on Zoom, Microsoft Teams and Google Meet.

Millions of Logins from UK Ticket Site for Sale on Dark Web (Infosecurity Magazine, Jul 14 2020)
KELA discovers 4.8 million records on underground site

20% of credential stuffing attacks target media companies (Help Net Security, Jul 16 2020)
The media industry suffered 17 billion credential stuffing attacks between January 2018 and December 2019, according to a report from Akamai. The apparent fourfold increase in attacks is partly attributable to the enhanced visibility into the threat landscape.

EE Launches Identity Checker to Help Fight Customer Fraud (Infosecurity Magazine, Jul 16 2020)
Mobile operator’s new platform verifies a customer’s identity in real time

EU Court of Justice Deems Privacy Shield Unlawful (Infosecurity Magazine, Jul 16 2020)
Max Schrems’ challenge to Facebook Ireland sees Privacy Shield deemed invalid

A New Gadget Stops Voice Assistants From Snooping on You (Wired, Jul 16 2020)
Meet LeakyPick, the low-cost audio spy detector for your Amazon Alexa, Google Home, and other network-connected devices.