Full Disclosure mailing list archives


Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation (CVE-2020-13162)


From: Red Timmy Security <publications () redtimmy com>
Date: Tue, 16 Jun 2020 18:01:36 +0200


Pulse Secure is recognized among the top 10 Network Access Control (NAC) vendors by global revenue market share. The company declares that "80% of Fortune 500 trust its VPN products by protecting over 20 million users".

 

At Red Timmy Security we have discovered that Pulse Secure Client for Windows suffers from a local privilege escalation vulnerability in the “PulseSecureService.exe” service. Exploiting this issue allows an attacker to trick “PulseSecureService.exe” into running an arbitrary Microsoft Installer executable (“.msi”) with SYSTEM privileges, granting them administrative rights.

 

The vulnerability lies in the “dsInstallerService” component, which provides non-administrative users the ability to install or update new components using installers provided by Pulse Secure. While “dsInstallerService” performs a signature verification on the content of the installer, it has been found that it’s possible to bypass the check by providing the service with a legit Pulse Secure installer and swapping it with a malicious one after the verification.

We have registered CVE-2020-13162 for this vulnerability.

Full story here: https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-<9-1-6-toctou-privilege-escalation-(cve-2020-13162/

Disclosure Timeline
-------------------
Vulnerability discovered: April 13th, 2020
Vendor contacted: April 15th, 2020
Vendor's reply: April 17th, 2020
Vendor patch released: May 22nd, 2020
Red Timmy Disclosure: June 16th, 2020

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
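The defect described in the post is a time-of-check/time-of-use race: the service verifies an installer at one path and later executes whatever that same path holds. The following C program is an added example, not Red Timmy's code and not Pulse Secure's, that shows the unsafe verify-then-reopen pattern beside the fix (verify and run the same bytes, which is what copying the installer into a directory the user cannot write achieves). The signature check is modelled by comparing against a constructed trusted byte string, the file path under /tmp is constructed, and the swap between check and use is injected through a hook so the run is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IMAGE 4096

/* Constructed stand-ins: a real service would verify an Authenticode
 * signature instead of comparing bytes. */
static const char TRUSTED_IMAGE[]  = "MSI:vendor-signed-installer-v1";
static const char TAMPERED_IMAGE[] = "MSI:unsigned-replacement";
static const char DEMO_PATH[] = "/tmp/toctou_demo_installer.msi"; /* constructed path */

static long read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Stand-in for signature verification. */
static int is_trusted(const char *image) { return strcmp(image, TRUSTED_IMAGE) == 0; }

/* Stand-in for "run the installer as SYSTEM": reports which image ran.
 * 1 = trusted image, 2 = anything else, 0 = nothing ran. */
static int run_image(const char *image) { return is_trusted(image) ? 1 : 2; }

typedef void (*between_hook)(const char *path);

/* VULNERABLE: verify the file by path, then open the same user-writable path
 * again to run it. Whatever the path holds at the second open is what runs. */
int install_by_path(const char *path, between_hook hook) {
    char image[MAX_IMAGE];
    if (read_file(path, image, sizeof image) < 0) return 0;
    if (!is_trusted(image)) return 0;            /* time of check */
    if (hook) hook(path);                        /* window between check and use */
    if (read_file(path, image, sizeof image) < 0) return 0;
    return run_image(image);                     /* time of use: re-read by path */
}

/* HARDENED: read the installer once into memory the caller cannot modify,
 * verify those bytes, and run those same bytes. Equivalent to copying the
 * file into a SYSTEM-only directory before verifying it. */
int install_from_private_copy(const char *path, between_hook hook) {
    char image[MAX_IMAGE];
    if (read_file(path, image, sizeof image) < 0) return 0;
    if (!is_trusted(image)) return 0;
    if (hook) hook(path);                        /* same window, no longer matters */
    return run_image(image);
}

/* Hook used by the demo: replace the file contents between check and use. */
static void swap_contents(const char *path) { write_file(path, TAMPERED_IMAGE); }

/* Runs one scenario and returns what ran (see run_image); -1 on setup error. */
int demo(int hardened) {
    if (write_file(DEMO_PATH, TRUSTED_IMAGE) < 0) return -1;
    int ran = hardened ? install_from_private_copy(DEMO_PATH, swap_contents)
                       : install_by_path(DEMO_PATH, swap_contents);
    remove(DEMO_PATH);
    return ran;
}

int main(void) {
    printf("verify by path, run by path : ran image %d (2 = replaced file)\n", demo(0));
    printf("verify and run same bytes   : ran image %d (1 = verified file)\n", demo(1));
    return 0;
}
```

The structural point is that no amount of extra checking on the path closes the window; only removing the second open (or performing it on a location the requesting user cannot write) does. On the detection side, a service that logs the hash of what it verified next to the hash of what it launched makes a mismatch visible after the fact.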



TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow


From: Pietro Oliva <pietroliva () gmail com>
Date: Mon, 15 Jun 2020 21:18:15 +0100


Vulnerability title: TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow
Author: Pietro Oliva
CVE: CVE-2020-13224
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected versions: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401, NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401, NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401

Fixed versions: NC200 <= 2.1.11 build 200508, NC210 <= 1.0.11 build 200612, NC220 <= 1.3.2 build 200508, NC230 <= 1.3.2 build 200508, NC250 <= 1.3.2 build 200508, NC260 <= 1.5.4 build_200508, NC450 <= 1.5.5 build 200508

Description:
The issue is located in the httpDelMultiUserRpm method of the ipcamera binary
(called when deleting multiple users via /delmultiuser.fcgi), where a
comma-delimited list of usernames is passed as an input, and a list of error
codes for each user deletion attempt is returned to the user via HTTP. The list
of error codes returned to the user is temporarily stored in a fixed-size stack
buffer, while there is no limit on the number of usernames that the user can
specify. Since the error codes are concatenated in a loop without any boundary
checks until a string terminator has been found in the user-supplied string, a
stack-based buffer overflow can occur if the user provides an input string
with enough commas or usernames.

Impact:
Attackers could exploit this vulnerability to remotely crash the ipcamera
process, or remotely execute arbitrary code as root.

Exploitation:
An attacker would first need to authenticate to the web interface and make a
request similar to the following to trigger a crash of the ipcamera process:

POST /delmultiuser.fcgi HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/x-www-form-urlencoded
Cookie: sess=xxxxx
Content-Length: xxxx

Usernames=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&token=xxxxx

Evidence:
The disassembly of affected code from an NC200 camera is shown below:

sym.httpDelMultiUserRpm:
; Get pointer to Usernames param from HTTP request
││ 0x0047ee90 lw a0, (env)
││ 0x0047ee94 lw a1, -0x7fe4(gp)
││ 0x0047ee98 nop
││ 0x0047ee9c addiu a1, a1, -0x73b0 ; "Usernames" string
││ 0x0047eea0 lw t9, -sym.httpGetEnv(gp)
││ 0x0047eea4 nop
││ 0x0047eea8 jalr t9
││ 0x0047eeac nop
; Save the pointer and return error if it is NULL
││ 0x0047eeb0 lw gp, (arg_10h)
││ 0x0047eeb4 sw v0, (arg_usernames)
││ 0x0047eeb8 lw v0, (arg_usernames)
││ 0x0047eebc nop
││┌─< 0x0047eec0 bnez v0, 0x47eed4
│││ 0x0047eec4 nop
│││ 0x0047eec8 addiu v0, zero, -1
┌────< 0x0047eecc b 0x47f0bc
││││ 0x0047eed0 sw v0, (arg_46ch)
; If the pointer is not null, initialize to 0 the error code buffer on the stack
│││└─> 0x0047eed4 addiu v0, fp, 0x40
│││ 0x0047eed8 move a0, v0
│││ 0x0047eedc move a1, zero
│││ 0x0047eee0 addiu a2, zero, 0x400
│││ 0x0047eee4 lw t9, -sym.imp.memset(gp)
│││ 0x0047eee8 nop
│││ 0x0047eeec jalr t9
│││ 0x0047eef0 nop
│││ 0x0047eef4 lw gp, (arg_10h)
; Copy the arg_usernames pointer to arg_usernames_copy
│││ 0x0047eef8 lw v0, (arg_usernames)
│││ 0x0047eefc nop
│││ 0x0047ef00 sw v0, (arg_usernames_copy)
; Get a pointer to the first occurrence of the comma character and store it
│││┌─> 0x0047ef04 lw a0, (arg_usernames_copy)
│││╎ 0x0047ef08 addiu a1, zero, 0x2c
│││╎ 0x0047ef0c lw t9, -sym.imp.strchr(gp)
│││╎ 0x0047ef10 nop
│││╎ 0x0047ef14 jalr t9
│││╎ 0x0047ef18 nop
│││╎ 0x0047ef1c lw gp, (arg_10h)
│││╎ 0x0047ef20 sw v0, (ptr_to_next_comma)
; If the pointer is NULL go and delete the last username in the list
│││╎ 0x0047ef24 lw v0, (ptr_to_next_comma)
│││╎ 0x0047ef28 nop
┌─────< 0x0047ef2c beqz v0, 0x47efc0
││││╎ 0x0047ef30 nop
; Replace the comma character with a string terminator and delete the user
││││╎ 0x0047ef34 lw v0, (ptr_to_next_comma)
││││╎ 0x0047ef38 nop
││││╎ 0x0047ef3c sb zero, (v0)
││││╎ 0x0047ef40 lw a0, (arg_usernames_copy)
││││╎ 0x0047ef44 lw t9, -sym.swUMDelUser(gp)
││││╎ 0x0047ef48 nop
││││╎ 0x0047ef4c jalr t9
││││╎ 0x0047ef50 nop
; Create a string with the error code from swUMDelUser
││││╎ 0x0047ef54 lw gp, (arg_10h)
││││╎ 0x0047ef58 sw v0, (deluser_error_code)
││││╎ 0x0047ef5c addiu v0, fp, 0x448
││││╎ 0x0047ef60 move a0, v0
││││╎ 0x0047ef64 lw a1, -0x7fe4(gp)
││││╎ 0x0047ef68 nop
││││╎ 0x0047ef6c addiu a1, a1, -0x73a4 ; '{"errorCode":&d},'
││││╎ 0x0047ef70 lw a2, (deluser_error_code)
││││╎ 0x0047ef74 lw t9, -sym.imp.sprintf(gp)
││││╎ 0x0047ef78 nop
││││╎ 0x0047ef7c jalr t9
││││╎ 0x0047ef80 nop
; Concatenate the error code string with other error codes on the stack
││││╎ 0x0047ef84 lw gp, (arg_10h)
││││╎ 0x0047ef88 addiu v0, fp, 0x40
││││╎ 0x0047ef8c addiu v1, fp, 0x448
││││╎ 0x0047ef90 move a0, v0
││││╎ 0x0047ef94 move a1, v1
││││╎ 0x0047ef98 lw t9, -sym.imp.strcat(gp) ; concatenate err code
││││╎ 0x0047ef9c nop
││││╎ 0x0047efa0 jalr t9
││││╎ 0x0047efa4 nop
; Increase the pointer by one to the next username
││││╎ 0x0047efa8 lw gp, (arg_10h)
││││╎ 0x0047efac lw v0, (ptr_to_next_comma)
││││╎ 0x0047efb0 nop
││││╎ 0x0047efb4 addiu v0, v0, 1
; Store the updated pointer and skip the last/only username deletion code
┌──────< 0x0047efb8 b 0x47f034
│││││╎ 0x0047efbc sw v0, (arg_usernames_copy) ; Delete the last/only username in the list and concatenate error code
│└─────> 0x0047efc0 lw a0, (arg_usernames_copy)
│ │││╎ 0x0047efc4 lw t9, -sym.swUMDelUser(gp)
│ │││╎ 0x0047efc8 nop
│ │││╎ 0x0047efcc jalr t9
│ │││╎ 0x0047efd0 nop
│ │││╎ 0x0047efd4 lw gp, (arg_10h)
│ │││╎ 0x0047efd8 sw v0, (deluser_error_code)
│ │││╎ 0x0047efdc addiu v0, fp, 0x448
│ │││╎ 0x0047efe0 move a0, v0
│ │││╎ 0x0047efe4 lw a1, -0x7fe4(gp)
│ │││╎ 0x0047efe8 nop
│ │││╎ 0x0047efec addiu a1, a1, -0x73a4 ; '{"errorCode":&d},'
│ │││╎ 0x0047eff0 lw a2, (deluser_error_code)
│ │││╎ 0x0047eff4 lw t9, -sym.imp.sprintf(gp)
│ │││╎ 0x0047eff8 nop
│ │││╎ 0x0047effc jalr t9
│ │││╎ 0x0047f000 nop
│ │││╎ 0x0047f004 lw gp, (arg_10h)
│ │││╎ 0x0047f008 addiu v0, fp, 0x40
│ │││╎ 0x0047f00c addiu v1, fp, 0x448
│ │││╎ 0x0047f010 move a0, v0
│ │││╎ 0x0047f014 move a1, v1
│ │││╎ 0x0047f018 lw t9, -sym.imp.strcat(gp) ; Concatenate err code
│ │││╎ 0x0047f01c nop
│ │││╎ 0x0047f020 jalr t9
│ │││╎ 0x0047f024 nop
│ │││╎ 0x0047f028 lw gp, (arg_10h)
│┌─────< 0x0047f02c b 0x47f04c
│││││╎ 0x0047f030 nop ; Checks if the string terminator has been found.
└──────> 0x0047f034 lw v0, (ptr_to_next_comma)
││││╎ 0x0047f038 nop ; If yes, return the error codes to the user via HTTP
┌──────< 0x0047f03c beqz v0, 0x47f04c ; Otherwise, continue deleting users until the NULL terminator is found.
│││││╎ 0x0047f040 nop
│││││└─< 0x0047f044 b 0x47ef04

Mitigating factors:
There is very limited control over the buffer that will eventually overwrite
the saved return address. The only part of the buffer that can be slightly
controlled is the error code by using existing, non-existing, or invalid
usernames, since error codes can change in content and length. If an attacker
managed to find a way to carefully combine error codes and obtain a valid
address after return address overwrite, arbitrary code execution as root
could be achieved.

Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:
https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware

Disclosure timeline:
2nd May 2020 - Vulnerability reported to vendor.
19th May 2020 - Patched firmware provided by vendor for verification.
19th May 2020 - Confirmed the vulnerability was fixed.
15th June 2020 - Firmware updates released to the public.
15th June 2020 - Vulnerability details are made public.
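The loop in the disassembly above, written out in C as an added example that is not the ipcamera code and not from the advisory. unbounded_bytes_needed reproduces the arithmetic of the original strchr/sprintf/strcat loop without performing the writes, so it shows how far a comma-heavy list overruns the 0x400-byte stack buffer that memset() clears; build_error_list is a bounded replacement that rejects an over-long list before deleting anyone and appends with snprintf so no write can pass the end. swUMDelUser is replaced by a constructed stub that only knows a user named "guest"; the entry format is taken from the string the disassembly references, with %d assumed where the listing shows &d.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 0x400                 /* size memset() clears in the disassembly */
#define ENTRY_FMT   "{\"errorCode\":%d},"
#define MAX_ENTRY   26                    /* length of the entry for INT_MIN */
#define MAX_NAME    255

/* Constructed stand-in for swUMDelUser: 0 on success, -1 if the user does not exist. */
static int del_user_stub(const char *name) {
    return strcmp(name, "guest") == 0 ? 0 : -1;
}

/* Copies the next comma-delimited field of *cursor into name (truncated to
 * MAX_NAME) and advances the cursor. Returns 0 when that field was the last. */
static int next_field(const char **cursor, char *name) {
    const char *p = *cursor;
    const char *comma = strchr(p, ',');
    size_t len = comma ? (size_t)(comma - p) : strlen(p);
    if (len > MAX_NAME) len = MAX_NAME;
    memcpy(name, p, len);
    name[len] = '\0';
    *cursor = comma ? comma + 1 : p + strlen(p);
    return comma != NULL;
}

/* Bytes the original unbounded strcat loop would place in the 0x400-byte
 * buffer (terminator included) for this list. Computed, never written. */
size_t unbounded_bytes_needed(const char *usernames) {
    char name[MAX_NAME + 1], entry[MAX_ENTRY + 1];
    size_t total = 1;                      /* the final NUL */
    int more;
    do {
        more = next_field(&usernames, name);
        total += (size_t)snprintf(entry, sizeof entry, ENTRY_FMT, del_user_stub(name));
    } while (more);
    return total;
}

/* Bounded replacement: refuse lists that could not fit even if every entry
 * were maximal, then append with snprintf. Returns the number of users
 * processed, or -1 if the list was rejected (before any deletion happens). */
int build_error_list(const char *usernames, char *out, size_t cap) {
    size_t fields = 1, used = 0;
    for (const char *p = usernames; *p; p++) if (*p == ',') fields++;
    if (cap == 0 || fields * MAX_ENTRY + 1 > cap) return -1;

    char name[MAX_NAME + 1];
    int count = 0, more;
    out[0] = '\0';
    do {
        more = next_field(&usernames, name);
        int w = snprintf(out + used, cap - used, ENTRY_FMT, del_user_stub(name));
        if (w < 0 || (size_t)w >= cap - used) return -1;  /* unreachable after the pre-check */
        used += (size_t)w;
        count++;
    } while (more);
    return count;
}

/* Helpers for a stand-alone run: a buffer of the original size and a
 * constructed 100-comma input (101 empty usernames). */
char demo_output[ERRBUF_SIZE];
int demo_bounded(const char *usernames) {
    return build_error_list(usernames, demo_output, sizeof demo_output);
}
const char *hundred_commas(void) {
    static char s[101];
    memset(s, ',', 100);
    s[100] = '\0';
    return s;
}

int main(void) {
    printf("\"guest,nobody\": original loop writes %zu bytes; bounded returns %d -> %s\n",
           unbounded_bytes_needed("guest,nobody"), demo_bounded("guest,nobody"), demo_output);
    printf("100 commas: original loop writes %zu bytes into a %d-byte buffer; bounded returns %d\n",
           unbounded_bytes_needed(hundred_commas()), ERRBUF_SIZE, demo_bounded(hundred_commas()));
    return 0;
}
```

With 100 commas the original loop needs 1718 bytes for a 1024-byte buffer, which is the overflow the advisory describes; the bounded version rejects that request up front instead of deleting 101 times and then overrunning. Capping the count before acting also avoids the partial-deletion state a mid-loop bail-out would leave behind.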



[CVE-2020-12827] MJML <= 4.6.2 mj-include “path” Path Traversal


From: “Julien Ahrens (RCE Security)” <info () rcesecurity com>
Date: Sun, 14 Jun 2020 13:15:49 +0000


RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: MJML
Vendor URL: https://github.com/mjmlio/mjml/
Type: Path Traversal [CWE-22]
Date found: 2020-04-28
Date published: 2020-06-14
CVSSv3 Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
CVE: CVE-2020-12827

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
MJML <= 4.6.2

As a solution MJML disabled mj-include by default in MJML v4.6.3 by adding the
"ignoreIncludes" directive, however, the component could still be explicitly
enabled, making the application vulnerable again.

4. INTRODUCTION
===============
MJML is a markup language created by Mailjet and designed to reduce the pain of
coding a responsive email. Its semantic syntax makes it easy and straightforward
while its rich standard components library fastens your development time and
lightens your email codebase. MJML’s open-source engine takes care of
translating the MJML you wrote into responsive HTML. (from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
MJML offers a component called "mj-include" that allows other external MJML
files to be included into the email template by using its "path" attribute.
(see https://mjml.io/documentation/#mj-include).

However MJML does not properly validate the value supplied to the "path"
argument, allowing an attacker to traverse directories or even directly point to
other system files outside of the web server's root directory.

However since MJML expects the referenced file to be in the format of a MJML
file, the attack scope is limited to:

- Leaking the local server path by pointing to a non-existing MJML file, which
throws an error containing the full path, i.e.:
<mjml><mj-include path='test'/></mjml>

- Enumerating local server files by using a true/false approach. Existing server
files return an error, while non-existing do not:
<mjml><mj-include path='/etc/passwd'/></mjml>

- Partially reading local binary server files. Pointing path to binary files
throws an error, but the error message does contain a portion of the referenced
file. In this way it is possible to leak parts of i.e. compressed local log
files:
<mjml><mj-include path='/var/log/apt/history.log.1.gz'/></mjml>

- Causing denial of service conditions on the application embedding MJML, by
reading i.e. /dev/urandom:
<mjml><mj-include path='/dev/urandom'/></mjml>

6. RISK
=======
The vulnerability can be used by an unauthenticated attacker or authenticated
attacker depending on how MJML is embedded to leak sensitive information about
the server such as local server paths and contents of compressed/binary files
or cause denial of service attacks against the application.

7. SOLUTION
===========
Update MJML to version 4.6.3 and keep "ignoreIncludes" set to false.

8. REPORT TIMELINE
==================
2020-04-28: Discovery of the vulnerability
2020-04-30: Reported the vulnerability to maintainers of MJML
2020-05-05: MJML pushes a fix disabling includes by default.
2020-05-11: CVE requested from MITRE
2020-05-13: MITRE assigns CVE-2020-12827
2020-06-14: Public disclosure.

9. REFERENCES
=============
https://github.com/mjmlio/mjml/commit/30e29ed2cdaec8684d60a6d12ea07b611c765a12
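The maintainers' fix was to ignore mj-include by default. Where an application has to keep includes enabled, the include path needs to be confined to the template directory before any file is read, and the following C function is an added example of that check; it is not MJML's code and not from the advisory. It resolves the include lexically against a constructed template root (/srv/templates), rejects absolute paths and any ".." that would climb above the root, and requires the .mjml extension, which turns every path in the advisory's four examples into a rejection.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 64

/* Lexically resolves `include` against `base`: relative paths only, ".." may
 * not climb above base, and the target must carry the .mjml extension.
 * On success writes base + "/" + normalised include into out and returns 1;
 * on rejection returns 0 and leaves out untouched. */
int resolve_include(const char *base, const char *include, char *out, size_t cap) {
    const char *parts[MAX_PARTS];
    size_t lens[MAX_PARTS], depth = 0, ilen = strlen(include);

    if (include[0] == '/' || strchr(include, '\\'))           /* absolute, or Windows separators */
        return 0;
    if (ilen < 5 || strcmp(include + ilen - 5, ".mjml") != 0) /* only template files */
        return 0;

    /* Walk the components, collapsing "." and applying ".." to the stack. */
    for (const char *p = include; *p; ) {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return 0;                          /* would leave base */
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (depth == MAX_PARTS) return 0;
            parts[depth] = p;
            lens[depth] = len;
            depth++;
        }
        if (!sep) break;
        p = sep + 1;
    }
    if (depth == 0) return 0;

    /* Rebuild the path under base, checking capacity on every append. */
    size_t used = strlen(base);
    if (used + 1 > cap) return 0;
    memcpy(out, base, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > cap) return 0;
        out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Wrapper for a stand-alone run: resolves against a constructed template
 * root and returns the resolved path, or NULL when rejected. */
const char *resolve_demo(const char *include) {
    static char out[512];
    return resolve_include("/srv/templates", include, out, sizeof out) ? out : NULL;
}

int main(void) {
    const char *cases[] = { "header.mjml", "parts/../footer.mjml", "test",
                            "/etc/passwd", "../../etc/passwd", "/dev/urandom" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = resolve_demo(cases[i]);
        printf("%-22s -> %s\n", cases[i], r ? r : "rejected");
    }
    return 0;
}
```

The check is purely lexical, so a symlink inside the template directory can still point elsewhere; a complete guard additionally opens the resolved file, compares its canonical path (realpath() or an fstat-based check) with the root, and renders with a process that has no read access outside that directory. The error message returned to the user should also stop echoing file contents or full paths, which is what made the enumeration and partial-read cases in the advisory possible.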


Oracle's E-Business Suite (EBS)

If your business operations and security of sensitive data rely on Oracle’s E-Business Suite (EBS), make sure you recently updated and are running the latest available version of the software.

In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in Oracle’s E-Business Suite (EBS), an integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations.

The two vulnerabilities, dubbed “BigDebIT” and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date.

The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud.

According to the researchers, “an unauthenticated hacker could perform an automated exploit on the General Ledger module to extract assets from a company (such as cash) and modify accounting tables, without leaving a trace.”


“Successful exploitation of this vulnerability would allow an attacker to steal financial data and cause delays in any financial reporting related to the company’s compliance processes,” it added.

It’s worth noting that the BigDebIT attack vectors add to the already reported PAYDAY vulnerabilities in EBS discovered by Onapsis three years ago, following which Oracle released a series of patches as late as April 2019.

Targeting General Ledger for Financial Fraud

Tracked as CVE-2020-2586 and CVE-2020-2587, the new flaws reside in the Oracle Human Resources Management System (HRMS), in a component called Hierarchy Diagrammer that enables users to create organization and position hierarchies associated with an enterprise. Together, they can be exploited even if EBS customers have deployed the patches released in April 2019.

“The difference is that with these patches, it is confirmed that even with the systems up to date are vulnerable to these attacks, and therefore need to prioritize the installation of January’s CPU,” the company had stated in a note posted back in January.

One consequence of these bugs, if left unpatched, is the possibility of financial fraud and confidential information theft by attacking a firm’s accounting systems.

Oracle General Ledger is an automated financial processing software that acts as a repository of accounting information and is offered as part of E-Business Suite, the company’s integrated suite of applications — spanning enterprise resource planning (ERP), supply chain management (SCM), and customer relationship management (CRM) — that users can implement into their own businesses.

General Ledger is also used to generate corporate financial reports as well as carry out audits to ensure compliance with the SOX Act of 2002.

An attacker could break this trust by exploiting the flaws to modify critical reports in the ledger, including fraudulently manipulating transactions on a firm’s balance sheets.

“For example, an attacker could modify the Trial Balance Report, which summarizes accounting balances in a given period, virtually unnoticed, resulting in inaccurately reported results flowing undetected into the financial statements. This could result in inaccurately filed or reported financial results,” Onapsis said.

The Importance of Patching Critical Software

Given the financial risk involved, it is highly recommended that companies using Oracle EBS run an immediate assessment to ensure they are not exposed to these vulnerabilities, and apply the patches to fix them.

“Organizations need to be aware that current GRC tools and other traditional security methods (firewalls, access controls, SoD and others) would be ineffective against preventing this type of attack on vulnerable Oracle EBS systems,” the researchers cautioned.

“If organizations have internet-facing Oracle EBS systems, the potential threat likelihood would be significantly magnified. Organizations under attack will be unaware of the attack and not know the extent of the damage until evidence is found by a very extensive internal or external audit.”


Recorded future express

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

Drowning in alerts from many different sources and systems? Spending too much valuable time researching potential threats and vulnerabilities?

You need Recorded Future Express, a new browser extension from the experts at Recorded Future that delivers elite security intelligence at zero cost.

Recorded Future Express gives you up-to-the-minute security intelligence from the world’s largest commercial collection platform — directly within the web tools and webpages you already use – including SIEMs, vulnerability scans, malware analysis reports, security blogs, emails, and more.

With this, you can instantly prioritize alerts, incidents, and vulnerabilities based on real-time risk scores.

While there are many ways Express can enhance your security program, here are three examples:

  • Quickly pinpoint high-risk SIEM alerts, discount false positives, and speed time to judgment.
  • Focus patching efforts on the vulnerabilities that present real risk to your organization.
  • Enhance malware analysis to drive fast action to mitigate risk.


Install Recorded Future Express for free today to accelerate your investigations and make better, faster decisions.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.


On March 20th, the Claire’s accessories retail chain beloved by young girls around the world made the sensible decision to close all of its physical stores in response to the Coronavirus Covid-19 pandemic.

Anyone wanting to purchase costume jewellery, make-up, or hair accessories could no longer take a trip to the shopping mall, and would instead have to visit Claire’s online store.

A nuisance, for sure.  But also an opportunity if you were a malicious hacker.

As security researcher Willem de Groot of Sansec reports, within 24 hours of Claire’s bricks-and-mortar stores closing for business, someone had registered the domain claires-assets.com.

This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire’s online store and its sister brand Icing.

Hackers managed to gain write-access to Claire’s website, and inject an otherwise legitimate piece of JavaScript used by the site with additional code which skimmed customer and full payment details from online purchasers as soon as they tried to “checkout.”

Attacks like this are, unfortunately, not uncommon.  Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.

What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.

Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.

Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many many more.

Often these attacks are orchestrated through “supply-chain” attacks, where the hackers poison a third-party script used by a website and therefore don’t need to breach the website’s own defences to steal from customers as they shop.

However, in the case of Claire’s it appears that the hackers did actually gain access to the online store’s infrastructure.

This raises some interesting questions.

Firstly, how did the hackers gain access to the website in order to plant their malicious code?  Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire’s infrastructure?

The next obvious follow-up question is what has Claire’s done to ensure that a similar breach doesn’t happen again?

In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.

“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”

It’s good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections.  Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.

And finally, what is to be made of the four weeks or so between the registration of the domain claires-assets.com and the launch of the hackers’ web-skimming attack against customers of Claire’s?

All the evidence points to a determined effort by the hackers to find a weakness at Claire’s that could be exploited to plant the code.  It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.

Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers.  They would be wise to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire’s.


Please, don’t throw coconuts at me.

Earlier this month I had the pleasure of sitting down with Lisa Forte, a celebrated public speaker and expert on the topic of cybersecurity and social engineering, for a video chat.

Lisa runs a YouTube channel called “Rebooting”, where she’s interviewing interesting people. Somehow I sneaked onto the show too.

  • Take a peek inside my podcast pleasure palace, nicknamed “GCHQ”.
  • Hear my family’s reaction to my career.
  • Tales of some of the viruses from yesteryear that caught my attention.
  • My “feud” with female virus writer Gigabyte.
  • Blogging ethics and regrets.
  • Cyber attacks that shook the IT industry.
  • Tribal thinking
  • Death threats
  • Much much more…

…all on this episode of “Rebooting” with Lisa Forte, with special guest yours truly.

Enjoy!

