This is the Shared Security Weekly Blaze for September 24, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch each episode of the podcast on our YouTube Channel!
Show Transcript
This is your Shared Security Weekly Blaze for September 24th 2018 with your host, Tom Eston. In this week’s episode: Mobile phone call scams, Pegasus mobile spyware, and the Newegg data breach.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Raise your hand if you’re sick and tired of receiving scam and fraudulent phone calls on your mobile phone. I’ll assume that all of you are probably raising your hand right about now, myself included. Well not to be the bearer of bad news but according to a recent report, nearly half of the mobile phone calls received in the US next year will be scams. In a report from First Orion, which makes phone call data transparency solutions, notes a dramatic increase in mobile scam calls “from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019”. Many of these calls are using a technique called “Neighborhood Spoofing” which happens when a scammer makes their number look like a real local number, tricking the victim into picking up the call. Since these numbers are typically spoofs of real numbers, sometimes if you call these numbers back, you’ll get a real innocent person; not the scammer who spoofed the number.
While many of us are either manually blocking scam calls through the features on our phones or using a third-party app to screen and block calls, the best way to stop these calls from happening seem to be with the mobile carriers themselves. First Orion seems to be addressing this with an in-network technology called “CallPrinting” that is said to significantly reduce the volume of scam calls. First Orion’s press release states that this technology will be used by one Tier-One US carrier this fall.
In regards to third-party apps, I’ve recently installed an app called “AT&T Call Protect” which seems to work fairly well to block scam calls . This is a free app for AT&T mobile customers. I’d say that it’s slightly reduced the number of scam and robocalls that I’ve received but I find it’s not perfect as blacklisting scam numbers seems to be an endless pursuit. So what are your thoughts? Have any of you used these third-party scam call blocking apps? If so, we would be interested in hearing what you think about how effective these apps are so we can discuss on the podcast. Send us a message on Twitter, Facebook or email and let us know if these apps are helping or hindering your fight against scam calls on your mobile phone.
In a fascinating report released by privacy and security research group Citizen Lab this week shows that a very sophisticated form of mobile spyware, called Pegasus, has been found on Android and Apple iOS phones in 45 countries including the US, UK and Canada. Some of these countries have been known for questionable human rights practices. Citizen Lab researchers point out that Pegasus being installed on devices to conduct cross-border surveillance and may be breaking the law in the US as well as many other countries where Pegasus was found. Pegasus spyware is sold by an Israeli company called the NSO Group and has been used in the past by powerful nation states and governments to target human rights activists and other individuals under surveillance for one reason or another. In this recent research by Citizen Lab they estimate that Pegasus is being used by at least 33 different NSO Group customers.
Back in 2016, one of these individuals targeted with Pegasus was UAE activist Ahmed Mansoor who was able to provide Citizen Lab researchers his iPhone to analyze when he received a very odd and strange link sent to him via a text message. When clicking the link, this particular version of Pegasus launched three zero-day exploits for Ahmed’s particular version of Apple iOS and would have allowed full access to Ahmed’s phone including activating the camera, microphone and sending off all passwords, text messages, and much more. Ahmed is currently serving ten years in UAE prison for his postings about human rights abuse in the UAE. Keep in mind that this was back in 2016, and it’s reported that Pegasus spyware is much more powerful now and most likely is capable of exploiting even the most current versions of Apple iOS and Android phones. Check out our show notes if you’re interested to learn more about the NSO group and its origins.
Of course, there may be lawful uses of Pegasus spyware to either prevent terrorism or as part of criminal investigation for national security. However, when a company starts selling very powerful surveillance spyware to any government willing to pay a very high price, side note: Pegasus is reportedly 8 million dollars for 300 licenses, it can be very disturbing to think of the consequences for everyone’s privacy and security across the world.
Newegg, which is one of the largest online electronic retailers in the US, became the latest victim of yet another customer credit card data breach this past week. The attack on Newegg exposed the credit card information of anyone purchasing products for more than a month between August 14 and September 18 of this year. This latest breach has been linked to the recent series of data breaches tied to the Magecart criminal group, which is to blame for similar credit card breaches of British Airways and Ticketmaster. The Newegg attack was very similar to the British Airways breach in that simple JavaScript code was inserted into the checkout process which would send credit card data over to a Magecart controlled server. Newegg customers would have no idea that their credit card information was being compromised and their order with Newegg would process as normal. No statement has been released yet from Newegg regarding how many customers were affected or what specifically the attack vector was. However, the Magecart criminal group responsible for the attack seems to be targeting large businesses that are processing lots of orders. In the Ticketmaster attack earlier this year it was found that vulnerable third-party code from a chat system, called Inbenta, was to blame.
This latest breach should give all of us a cause for concern when putting our credit card into any third-party site. As we’ve discussed on the show before, card not present fraud, where you provide your credit card details to a merchant over the Internet is the most popular way for attackers to gain access to millions of credit cards very quickly. Using new payment methods like ApplePay, Samsung Pay or Google Pay, is a much more secure way to pay for anything over the web instead of the traditional way of entering in card information into a shopping cart style checkout process. However, not many businesses support these new forms of payment technology and for businesses, there can be a very large cost to integrate new payment systems into legacy systems. Until businesses decide to make the investment, perhaps after they’ve fallen victim to yet another credit card breach, we all need to keep a close eye on our credit card statements and perhaps think of alternative ways to pay for products and services over the web.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
