Forever 21 data breach and Android BadBazaar espionage
Forever 21 data breach impacts half a million individuals, Chinese APT group distributes BadBaazar spyware via trojanized Android messaging apps and the Classiscam scam-as-a-service operation. Catch all this and more in this week’s edition of Cybersecurity Weekly.
Phishing simulations & training
1. Forever 21 suffers data breach; over 500,000 individuals affected
The retailer has informed over 500,000 individuals that a Forever 21 cyberattack compromised their personal information between January and March 2023. The retailer identified the breach on March 20 and disclosed it to the Maine Attorney General. Impacted data includes names, bank accounts, Social Security numbers, birth dates and health plan information. Forever 21 later reported that it had secured the data and found no evidence of misuse, suggesting that the company communicated with the attackers.
2. Chinese APT group using fake Signal and Telegram apps to distribute BadBaazar spyware
Cybersecurity firm ESET recently found that Chinese hacking group GREF uploaded trojanized versions of Signal and Telegram to Google Play and Samsung Galaxy Store. These compromised apps, named 'Signal Plus Messenger' and 'FlyGram,' contain BadBazaar spyware and targeted users in countries like the U.S., Poland and Ukraine. The spyware can steal sensitive information, including call logs and location data. Google has removed the malicious apps, but they remain available on Samsung's Galaxy Store. ESET recommends that Android users only download the official versions of messaging apps.
3. Classiscam scam-as-a-service expands, now targeting 251 brands across 79 countries
Group-IB has reported that the Telegram-based Classiscam operation is causing greater financial damage and broadening its worldwide reach. The criminal platform, which enables fake ads and phishing sites to steal money and payment credentials, has grown to include 393 criminal gangs targeting users in 79 countries. Damages are estimated at $64.5 million, with targeted brands rising from 169 to 251. Classiscam has become more automated, using Telegram bots for rapid phishing site creation. Its main targets are European countries, with UK users losing the highest average amount per scam.
4. Sourcegraph suffers data breach following accidental leakage of admin access token
Sourcegraph, a code search platform, reported a data breach due to an accidentally leaked admin access token. Discovered on August 30, the breach led to unauthorized admin dashboard access and a spike in API usage. Although the malicious user could have accessed some user emails and license keys, customer code and data were not compromised. Sourcegraph has since revoked the user's access and implemented additional security measures. The platform also clarified that that breach did not extend to customer code or data, which are stored in separate, isolated environments.
5. Infamous Chisel mobile malware targeting Ukrainian military Android handsets
Five Eyes intelligence alliance disclosed details of "Infamous Chisel," a mobile malware targeting the Ukrainian military's Android devices. Attributed to Russian state-sponsored actor Sandworm, the malware enables unauthorized access and data theft. The Ukrainian Security Service (SBU) had previously detected unsuccessful attempts to compromise their networks. The malware is part of a larger cyber campaign by Russian forces against Ukraine, including another Kremlin-backed hacking group called Gamaredon, which is escalating attacks to harvest sensitive military data.
Phishing simulations & training