Kmart, David Jones among the latest cyber attack victims

It’s been a tumultuous few weeks on the cybersecurity front with the revelation that both Kmart and David Jones have been hacked, as well as the resurgence of threats including Stagefright mobile malware and the Carbanak banking attack campaign.

David Jones has announced that it has discovered that an attacker exploited a website vulnerability to extract customer information.

The breach potentially exposed customers’ names, email addresses, delivery and billing addresses, phone numbers and purchasing histories, but no credit card or other payment details, financial information or passwords.

David Jones announced that it has reported the breach to the Office of the Australian Information Commissioner (OAIC) and the AFP. The company discovered the attack on 25 September.

Days later, Kmart revealed it had detected an external privacy breach of its customer online product order system.

As with the David Jones hack, the Kmart breach involved names, email addresses and other identifying information, but no payment details.

Kmart said it is taking urgent access to address the breach, noting that only a selection of customers who have shopped online have been affected and those customers impacted have been notified.

The company has taken action to stop any further information from being accessed and has contacted IT forensic investigators, as well as the OAIC and the AFP.

Overseas, the IT world is buzzing about the hack of popular crowdfunding website Patreon. Attackers stole and published 15 GB of personal data, including donation records, passwords, email addresses and mailing addresses.

Patreon was breached through a debug version of the site that was visible to the public, Patreon CEO Jack Conte said in a statement. The company has shut down the server and moved all non-production servers behind a firewall in response.

US telecom operator T-Mobile USA meanwhile disclosed that personal information on as many as 15 million users or applicants have been stolen in yet another attack. The hack compromised the server operated by credit broker Experian to store customer T-Mobile’s details.

Information with a black market value of up to US$300 million ($420.8 million) has been exposed, including names and addresses. Identification numbers including driver’s licence, passport and social security numbers have also been compromised.

Besides the real-world attacks, the threat landscape has also become more hazardous in the last few weeks. Zimperium Mobile Threat Protection warned that it has discovered two new Stagefright vulnerabilities in the Android mobile operating system.

Stagefright 2.0 relates to a pair of vulnerabilities when previewing or playing infected MP3 or MP4 files, the first of which affects every device since Android 1.0. The vulnerability could potentially enable remote code execution on all Android devices.

Heimdal Security partner and security specialist Peter Kruse meanwhile warned it has discovered a variant of the Carbanak malware which targets financial institutions. The first version of Carbanak was used to steal an estimated $1 billion from 100 financial institutions worldwide before it was made public, according to Kaspersky Lab analysis.

The latest variant is digitally signed, injects itself into the svchost.exe process to hide its presence and uses plugins to perform its task. The new variant includes new geographic targets, uses a new proprietary protocol and implements the use of random files and a predefined IP address.

Image courtesy of Cliffano Subagio under CC