AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 01/20/2023

Bank of America starts restoring missing Zelle transactions 

Bank of America has started to restore missing Zelle transactions that suddenly disappeared from customers’ bank accounts this morning, causing some to dip into negative balances. The outage began at approximately 7 AM ET today, with BoA customers suddenly finding their account balances had decreased after recent Zelle transactions disappeared. This led to reports on DownDetector, Reddit, and Twitter from hundreds of customers missing their Zelle transactions.


More Ransomware Victims Are Refusing to Pay Hackers 

Ransomware cyber-gangs made about $456.8 million in 2022. It sounds like a lot of money until you compare it to the record estimated profits from 2021: $765 million. All told, hackers managed to extort 40% less from their victims this past year, vs. the year before, according to a new report from Chainalysis published Thursday. But that drop in profit doesn’t mean the number of ransomware attacks—in which bad actors demand payment in exchange for stolen and encrypted data—is down by the same proportion, the analysis notes. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay.” 


Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack 

PayPal is sending out breach notification letters to nearly 35,000 customers after a December 6 credential stuffing attack allowed hackers to access names, addresses, Social Security Numbers, individual tax identification numbers and dates of birth. The company reported the breach, which occurred from December 6 to December 8, to Maine’s Attorney General. On December 20, PayPal confirmed that hackers used credential stuffing attacks to gain access to personal data and financial information. A credential stuffing attack is when hackers take username and password combinations leaked through data breaches and attempt to use them at other online services, hoping that some people reused credentials across different sites.
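Credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames in a short time, most attempts fail, and the few that succeed are the accounts the leaked list happened to match. The following is an added illustration, not code from PayPal or from this post. The log format and the IP addresses are constructed for the example; the thresholds (five distinct usernames and a 60% failure rate within ten minutes) are assumed starting points that a real deployment would tune.

```python
"""Flag source IPs whose login pattern looks like credential stuffing.

Added example. The log format below is constructed for illustration and
does not correspond to any real system's logging.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username, outcome.
# 203.0.113.10 walks through many accounts; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2022-12-06T01:00:01Z 203.0.113.10 alice FAIL
2022-12-06T01:00:02Z 203.0.113.10 bob FAIL
2022-12-06T01:00:02Z 203.0.113.10 carol FAIL
2022-12-06T01:00:03Z 203.0.113.10 dave OK
2022-12-06T01:00:04Z 203.0.113.10 erin FAIL
2022-12-06T01:00:05Z 203.0.113.10 frank FAIL
2022-12-06T01:05:00Z 198.51.100.7 alice FAIL
2022-12-06T01:05:30Z 198.51.100.7 alice FAIL
2022-12-06T01:06:00Z 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, accounts_logged_into)} for every
    source that, inside some `window`, tried at least `min_users` different
    usernames with a failure rate of at least `min_fail_ratio`.

    A single user mistyping a password hits one username repeatedly and never
    trips the distinct-user threshold; a replayed breach list does.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        # Sliding window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Successful logins inside a stuffing burst are the accounts
                # to force a password reset on.
                hits = sorted({u for _, u, o in win if o == "OK"})
                cand = (len(users), len(win), hits)
                if best is None or cand[0] > best[0]:
                    best = cand
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, hits) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} usernames in {attempts} attempts; compromised: {hits}")
```

The output of interest is not just the offending source but the list of accounts that succeeded during the burst, since those are the ones that need a forced reset and a notification, which is the situation the PayPal letters address.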


T-Mobile hacked to steal data of 37 million accounts in API data breach 

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). An API is a software interface or mechanism commonly used by applications or computers to communicate with each other. Many online web services use APIs so that their online apps or external partners can retrieve internal data as long as they pass the right authentication tokens. 


Hacker group incorporates DNS hijacking into its malicious website campaign 

Researchers have uncovered a malicious Android app that can tamper with the wireless router the infected phone is connected to and force the router to send all network devices to malicious sites. The malicious app, found by Kaspersky, uses a technique known as DNS (Domain Name System) hijacking. Once the app is installed, it connects to the router and attempts to log in to its administrative account by using default or commonly used credentials, such as admin:admin. When successful, the app then changes the DNS server to a malicious one controlled by the attackers. From then on, devices on the network can be directed to imposter sites that mimic legitimate ones but spread malware or log user credentials or other sensitive information. 
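Because the hijack happens at the router, every client on the network silently inherits the attacker's resolver via DHCP. A cheap detective control is to compare the resolvers a client was actually handed against the ones the network is supposed to use. The check below is an added example, not Kaspersky's code or anything from the article; the allowlist, the LAN range and the resolv.conf-style sample are all constructed for illustration.

```python
"""Report DNS resolvers a client has been handed that are not on the allowlist.

Added example. EXPECTED_RESOLVERS, LAN and the sample config are assumptions
made for this illustration, not values from any real network.
"""
import ipaddress

# Assumed: the router itself plus two public resolvers the network is meant to use.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
# Assumed: the local network, so findings can say whether the resolver is inside it.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of what a client on a tampered network might receive.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""


def parse_resolvers(text):
    """Extract the addresses from `nameserver` lines, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS, lan=LAN):
    """Return [(address, reason)] for each resolver not on the allowlist."""
    findings = []
    for server in parse_resolvers(text):
        if server in expected:
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "unparseable address"))
            continue
        where = "inside" if addr in lan else "outside"
        findings.append((server, f"not on allowlist, {where} LAN {lan}"))
    return findings


if __name__ == "__main__":
    for server, reason in unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{server}: {reason}")
```

A resolver outside the LAN that nobody configured is the single clearest indicator of this kind of tampering, and the same comparison can be run against the DNS fields in the router's own configuration page or DHCP options.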


Phishers Use Blank Images to Disguise Malicious Attachments 

Security researchers have spotted another innovative technique phishing actors are using to bypass traditional security filters – this time using blank images. The email in question was detected by Check Point business Avanan, and arrived as a legitimate-looking DocuSign message. Although the link in the email body will take the user directly to a regular DocuSign page, the HTML attachment at the bottom was more suspect. The HTML file in question contained an SVG image encoded with Base64. “At the core, this is an empty image with active content inside. In fact, there’s JavaScript inside the image. This redirects automatically to the malicious URL,” said Avanan. 
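The trick works because a mail filter that looks only at the visible link and the rendered image sees nothing: the script lives inside a base64-encoded SVG embedded in the HTML attachment. A filter that decodes embedded SVG data URIs and looks for active content catches it. The scanner below is an added example, not Avanan's detection logic; the sample attachment, the placeholder redirect target and the list of markers treated as "active" are constructed for the illustration.

```python
"""Scan an HTML attachment for embedded (data: URI) SVG images that carry script.

Added example. The sample HTML, the SVG payload and the placeholder URL are
constructed for illustration only.
"""
import base64
import re
from html.parser import HTMLParser

DATA_SVG_RE = re.compile(r"^data:image/svg\+xml;base64,(.+)$", re.I | re.S)
# Markers that make an SVG more than a picture: script elements, event
# handler attributes, javascript: URLs and foreignObject (which can host HTML).
ACTIVE_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b", re.I)


class DataUriCollector(HTMLParser):
    """Collect every data: URI used as an image, link or object source."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "data") and value and value.lower().startswith("data:"):
                self.uris.append((tag, value))


def scan_html_attachment(html_text):
    """Return [(tag, reason)] for each embedded SVG containing active content."""
    parser = DataUriCollector()
    parser.feed(html_text)
    findings = []
    for tag, uri in parser.uris:
        m = DATA_SVG_RE.match(uri.strip())
        if not m:
            continue
        try:
            # validate=False drops stray whitespace/newlines inside the base64.
            svg = base64.b64decode(m.group(1), validate=False).decode("utf-8", "replace")
        except Exception:
            findings.append((tag, "undecodable base64 SVG"))
            continue
        hits = sorted({h.lower().strip() for h in ACTIVE_RE.findall(svg)})
        if hits:
            findings.append((tag, "active content in SVG: " + ", ".join(hits)))
    return findings


# Constructed sample resembling the described attachment: a 1x1 SVG that renders
# as nothing but contains a script. The target is a placeholder, not a real URL.
BLANK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
             b'<script>window.location="https://example.invalid/placeholder";</script></svg>')
SAMPLE_HTML = ('<html><body><img src="data:image/svg+xml;base64,%s"></body></html>'
               % base64.b64encode(BLANK_SVG).decode())

# Constructed benign control: an SVG that is only a drawing.
BENIGN_HTML = ('<html><body><img src="data:image/svg+xml;base64,%s"></body></html>'
               % base64.b64encode(b'<svg xmlns="http://www.w3.org/2000/svg">'
                                  b'<rect width="1" height="1"/></svg>').decode())

if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_HTML))
    print(scan_html_attachment(BENIGN_HTML))
```

The important design point is that the decision is made on the decoded bytes, not on the image's appearance or dimensions: an SVG that draws nothing is not suspicious by itself, an SVG that contains a script element is, whatever it draws.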
