The Month of June in 5 Articles
Each month, Terbium Labs’ Research Team curates news and information from the corners of the internet to summarize the month of June in 5 articles, just for you! Research, happenings, and more related to infosecurity, cybercrime, payment card fraud, automation, and other popular topics are distilled to provide insight each month here on our blog.
Hackers can scrape information that can be used for spear-phishing from your Venmo payments depending on your privacy settings.
WHY DO I CARE?
Venmo’s innate social structure is a treasure trove for phishers. Public payments made on Venmo are even complete with descriptions. In the article, a researcher scraped a public API endpoint and began feeding the information scraped into a MongoDB database to find trends.
Information regarding the user’s cell phone operating system, what they were purchasing, and who they interact with is accessible from this API; all of this information can be used for targeted attacks against users. There have been minor improvements, but information can still be scraped via that API endpoint. This is a great example of a product vulnerability putting company information at risk. This is also an example of third-party risk, as smaller retailers, freelancers, and service providers also use Venmo for payment. At this point, the best way for these companies to protect themselves without dumping Venmo is by changing their privacy settings to private.
This article investigates a vulnerability in a popular payment application that is technically a third-party leak and is a potential source of information for phishers.
Hackers are stealing medical data and selling it on the dark web for various purposes. Both provider and patient data are being utilized for various schemes and pricing is low enough for multiple fraudsters to purchase relatively easily.
WHY DO I CARE?
Hackers are stealing provider data typically used to verify medical professionals, such as medical diplomas, medical licenses, and DEA licenses, and selling them for as little as $500. Personal health information is being sold for $3.25 or less per record. The stolen information can be used to falsify a medical background or to submit fake claims at the cost of the victim.
The firm investigating found “a vast array of forgeries available and for sale. For between $10 and $120 per record, you can buy fake prescriptions, labels, sales receipts, and stolen healthcare cards.”
This article investigates which PHI data points are used for what after sale on the dark web and why medical data can sell for up to six times as much as PII.
The third-party breach that compromised nearly 12 million Quest Diagnostics patients was also responsible for the compromise of 7.7 million LabCorp customers.
WHY DO I CARE?
Third-party breaches put your data at risk just as much as an assault on your systems. AMCA, the collection vendor responsible for the breach, compromised birth dates, addresses, phone numbers, providers, and payment card information. The vulnerabilities of partners and third parties directly impact the safety of your data and your cybersecurity readiness as a whole.
AMCA, LabCorp, and Quest Diagnostics were expected to be hit with hefty fines from the Department of Health and Human Services at the time of the event. Following the disclosure of the data breach, however, multiple class-action lawsuits were filed against Quest Diagnostics, AMCA, and LabCorp. Victims claim that there was an unnecessary delay in informing victims; AMCA has since had to declare bankruptcy.
This article looks at the troubling issue of third-party breaches impacting multiple companies simultaneously and the fallout expected, after nearly 20 million patients have had their information compromised.
The Riviera Beach City Council voted unanimously in June to pay $600,000 in ransom to hackers who hijacked its computer system for weeks. The council had already approved almost $1 million to overhaul its hardware but is paying up because they believe they have no choice.
WHY DO I CARE?
Phishing caused this debacle, and proper employee training may have been able to thwart this scenario altogether. The infection is thought to have occurred after an employee clicked a link that allowed hackers access to upload the malware. The FBI, Homeland Security, and the U.S. Secret Service are all investigating the attack, as it is one of the latest ransomware attacks hitting cities across the nation.
Ransomware is the fastest growing malware threat for both individuals and organizations. Dozens of U.S. hospitals and cities have been taken hostage, crippling everything from airports to 911 dispatchers.
The Equifax breach continues to be the breach that keeps on giving. Credit rating agency-based checks underpin identification verification for U.S. agencies, but this information has been compromised since 2017.
WHY DO I CARE?
The information stolen during the Equifax security breach is still being used to validate identities by four government agencies. Whoever has the Equifax data could, in theory, use it to validate themselves as a U.S. citizen, opening the door for massive fraud.
“GAO found that the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), the US Postal Service (USPS), and the Department of Veterans Affairs (VA) were still relying on the old CRA (credit reporting agency) databases for online identity verification”
In 2017, the National Institute of Standards and Technology issued guidance recommending the replacement of CRA-based identity proofing with other solutions like validation via SMS or the submission of an image/scan of a physical ID. However, the agencies still using this method of identity proofing say that they have not yet migrated to a new system due to “high costs and implementation challenges”.
This article introduces the dilemma of budget and implementation against public safety. CRA-based verification systems at the highest level of government are technically compromised, as the data they check against is no longer reliable.