Roundup: Here's a catch-up of security news beyond everything else we've covered.
Nearly 300 million Facebook profiles scraped, dumped online
Once again a huge number of Facebook users have had their details lifted from their profiles, a fact that came to light when security researchers were scanning for open databases online.
Germany-based researcher Bob Diachenko and UK security shop Comparitech found an Elasticsearch cluster online containing the unique Facebook IDs, phone numbers, full names, and other metadata of 267,140,436 users of the antisocial network, predominantly in America.
The database has now been taken down, though Diachenko noted that the information was advertised on hacker forums. He suspects it was collected by Vietnamese operators. Facebook data isn't very valuable in and of itself, usually about $3 per account, but Diachenko noted that this kind of material is red meat for phishers and SMS scammers.
If you've bought groceries from the US chain Wawa in the past nine months you might want to check your bank statements: the biz has admitted card-sniffing malware has been on its payment systems since early March.
Discovered on December 10, the software nasty fed credit and debit card numbers, expiration dates, and cardholder names from payment cards used at in-store checkouts and gas pumps to crooks. The store's ATMs were unaffected, it seems.
"I apologize deeply to all of you, our friends and neighbors, for this incident," said CEO Chris Gheysens this week. "You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously."
Those affected by the infection will get the now-traditional one year of credit monitoring from Equifax (so long as you're a US citizen with a social security number) and won't be liable for false charges on their cards.
Tracking President Trump
The scale of the cellphone-location data market was on show this week when the New York Times obtained a three-year-old database of 50 billion phone location pings for more than 12 million Americans.
The journalists analyzing the data found one phone that appeared to belong to a Secret Service agent on President Trump's team, and showed the course of the agent's progress during a trip to the commander-in-chief's Mar-a-Lago resort, then to a golf course where Trump was playing golf with the Japanese prime minister.
The NYT team were able to track other phones into Congress, the Pentagon, and many other sensitive areas. By following where the phones spent the night, they could also get a good idea of a target's home address and when they were out.
The case highlights the egregious way in which telcos in the US are profiting from selling off location data to almost anyone with the money. The telco-friendly FCC chairman Ajit Pai promised to look into the matter 18 months ago but so far appears to have done nothing.
“We want our people to understand,” a senior Defense Department official told the Times. “They should make no assumptions about anonymity. You are not anonymous on this planet at this point in our existence. Everyone is trackable, traceable, discoverable to some degree.”
Like Greta Thunberg? Then get infected
The Emotet malware is doing the rounds again, this time by exploiting the popularity of climate activist Greta Thunberg.
According to security shop Proofpoint, a spam campaign this week was pushed out across Europe and Asia, aimed at installing the banking trojan on as many computers as it could find. The malware is contained in a faux Word document and the emails are typically headed with the subject "Support Greta".
Interestingly the campaign is heavily focused on .edu domains used by educational institutions and their pupils. Given Thunberg's popularity with youngsters who will have to deal with adverse climate change, rather than the older generation that helped cause it, the operators know their targets well.
Mac malware surges
So much for the "Macs don't get malware" argument.
Malwarebytes says it saw a significant bump in detections of macOS malware this year. In total, the antivirus maker says Mac infections accounted for 16 per cent of all malware it detected this year.
"Perhaps 16 percent doesn’t sound impressive, but when you consider the number of devices on which these threats were detected, the results become extremely interesting," notes Malwarebytes.
"Although the total number of Mac threats is smaller than the total number of PC threats, so is the total number of Macs. Considering that our Mac user base is about 1/12 the size of our Windows user base, that 16 percent figure becomes more significant."
Microsoft patches SharePoint bug
SharePoint admins will want to be sure they test out and install this out-of-band patch from Microsoft before clocking out for the holidays.
Redmond has cleaned up CVE-2019-1491, an information disclosure flaw in SharePoint Server that would potentially allow an attacker to read arbitrary files. While it's not a massive security risk, the bug is significant enough that it could not wait for January's Patch Tuesday.
Trustwave posts instructions for DIY Magecart scans
In case you find yourself doing some last-minute Christmas shopping and want to be sure you're not stumbling onto websites with card-swiping Magecart code, the team at Trustwave has posted these instructions for checking sites against possible infections.
It's not the most practical, though the process could allow you to spot a malicious script before it swipes your bank card details.
Visa security team dissects gas pump malware
It turns out card skimmers aren't the only game in town when it comes to compromising gas pumps.
Visa has issued a security alert on three different gas pump malware infections. Unlike the physical skimmers that are affixed over the card readers and keypads, these attacks are entirely software-based and are installed over networks, like traditional point-of-sale malware infections.
The report notes a number of security mishaps that allowed hackers to exploit systems, including defective chip readers, disabled encryption, and embedded systems that don't comply with PCI standards.