I spy another mSpy breach: Millions more stalkerware buyers exposed
Also: Velops routers love plaintext; everything is a dark pattern; Internet Explorer rises from the grave, and more
Infosec in brief Commercial spyware maker mSpy has been breached – again – and millions of purchasers can be identified from the spilled records.
mSpy showed up on Have I Been Pwned on July 11, with the site revealing hacktivists were responsible for the theft of millions of Zendesk support tickets from buyers unable to use the software.
mSpy is commercially marketed for applications including allowing parents and partners to spy on their family members. Available as a smartphone app, it is generally termed a "stalkerware" app.
"Comprising 142GB of user data and support tickets along with 176GB of more than half a million attachments, the data contained 2.4M unique email addresses, IP addresses, names and photos," the mSpy entry on Have I Been Pwned reads. The attachments included screen grabs of financial transactions, photos of credit cards and even some nude selfies.
Several folks included in the breach list have been contacted and the legitimacy of their data verified, according to reports elsewhere.
mSpy was previously breached in 2015, with some 400,000 users' data published on the dark web – messages, payment details, account credentials, photos and more were dumped online. The company was breached again in 2018, resulting in several million more customer records being exposed.
mSpy is not the only stalkerware company to suffer a data breach: LetMeSpy was hit so hard in 2023 it shut down, and the same fate befell pcTattletale, which closed up shop earlier this year after a similar experience.
Critical vulnerabilities: You've already heard the worst of it
Last week may have included Patch Tuesday, but other nasties emerged over the last seven days.
The US Cybersecurity and Infrastructure Security Agency warned of many vulnerabilities patched in OT stuff – the worst of which is a CVSS 10.0 flaw in license management server software made by an outfit called PTC.
Believe it or not, the web interface for PTC's Creo Elements Direct License Server can be used by anyone to do pretty much whatever they want. It's being tracked as CVE-2024-6071.
Vel-oops: Linksys routers sending plain-text data to Amazon
One would expect a $170 Wi-Fi mesh router to be smart enough not to transmit SSIDs, passwords, and session access tokens in plain text across the planet – but here we are.
According to consumer advocates at Belgian nonprofit Test Aankoop, Linksys Velop Pro Wi-Fi 6E and 7 series routers are doing just that, and were spotted sending all that information in plain text from routers in Belgium all the way to AWS servers in the United States.
Those session tokens are particularly concerning, said Test Aankoop, because they could easily be exploited with a man-in-the-middle attack.
Best update that SSID and password ASAP if you own one of the offending routers, and while you're doing that why not update your router firmware, too?
Dark patterns … dark patterns everywhere
An international review of "dark patterns" that manipulate consumers into giving up data and privacy in apps and on websites has found what you probably can already guess: they're everywhere.
"Nearly 76 percent of the sites and apps examined as part of the review employed at least one possible dark pattern, and nearly 67 percent used multiple possible dark patterns," the FTC warned after concluding a review with its buddies at the International Consumer Protection and Enforcement Network and the Global Privacy Enforcement Network.
The trio reviewed 642 websites and apps in multiple languages, finding that two patterns dominated. Sneaking practices, the FTC asserts, involve withholding essential information until late in the process, while interface interference can be seen when choices are framed in a way that steers buyers.
The report didn't determine whether any of the patterns uncovered rose to the level of illegality, so it's unlikely prosecution will follow.
Malware necromancers resurrect IE in novel attack
When we reported that a vulnerability in Windows MSHTML patched last week was under active exploit, we didn't know a novel trick was being used to do it, but according to Check Point that's precisely the case.
The flaw being exploited – a spoofing vulnerability that gives the attacker code execution capabilities on the victim's machine – is being attacked by raising Internet Explorer from its residence in the bowels of Windows and using its less-than-secure nature to install a malicious HTML application.
Even worse than exploiting IE to do its dirty work is the fact that Check Point said it's found the thing in use as far back as early 2023 – so it's been out there for a while.
Akira Ransomware group targets Latin American airlines
Security researchers from BlackBerry are warning of a potential new target for ransomware actor Akira: Latin American airlines.
BlackBerry reported this week that a threat actor armed with Akira ransomware (it's sold as a service) broke into systems at an unnamed airline, stole a bunch of data, and ransomed systems. BlackBerry's report didn't state whether a ransom was paid.
The researchers said the unusual targeting of the attack "highlights the group's willingness to target other regions, if any organization neglects to patch disclosed exploits utilized by the actor."
That said, it's worth noting how the breach happened: "Internal software was also critically out-of-date, leaving major vulnerabilities that were exploited by the threat actor once the perimeter was breached," noted BlackBerry.
Please just patch your systems. We'd hate to have to write about what happens if you don't. ®