Overview:

• Phish Tale of the Week
• Online Retailer PandaBuy Suffers Data Breach Affecting Over 1.3 Million Customers
• 2.8 Million Affected by Ransomware Attack on Massachusetts Health Insurer
• How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as the USPS and informing you that action needs to be taken regarding your package’s delivery. The message politely explains that “USPS” is holding our package that we ordered at “the warehouse,” and that we just need to confirm our address in order to get it delivered. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this smishing link:

1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
2. The second warning signs in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “Within the next 12 hours” and “Please confirm.” Phishing and smishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
3. The final warning sign for this email is the style of the link. After a quick look at the address, one can quickly deduce that we’ve been sent a phishing link. Trusted companies like USPS typically will use a simple, standardized domain as their website. For example, USPS’s official website is simply “usps.com.” Threat actors typically will utilize message-related words in the links they send you. After taking one quick look at the URL, “uspz.usspaob.top,” it’s very obvious that this text is an attempt at a smish.

General Recommendations:

A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
2. Verify that the sender is actually from the company sending the message.
3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
4. Do not give out personal or company information over the internet.
5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Online Retailer PandaBuy Suffers Data Breach Affecting Over 1.3 Million Customers

In a recent security incident, over 1.3 million customers of PandaBuy, a popular online shopping platform facilitating purchases from Chinese e-commerce giants like Tmall, Taobao, and JD.com, have had their data compromised. This breach was reportedly the work of two cybercriminals, known as ‘Sanggiero’ and ‘IntelBoker’, who exploited several critical vulnerabilities in PandaBuy’s API and other areas of its infrastructure.

The attackers claim to have accessed a vast array of personal data, including user IDs, full names, contact details, login IPs, order information, and addresses, among other sensitive information. This cache of data was then advertised on BreachForums, a notorious online marketplace for stolen data, where it’s available for purchase via cryptocurrency.

According to Have I Been Pwned, a service that aggregates data breaches, the actual number of affected PandaBuy accounts is 1,348,407. This figure was confirmed after Troy Hunt, the founder of HIBP, conducted tests on the leaked email addresses, debunking the attackers’ inflated claim of 3 million compromised accounts.

Amidst attempts to manage the fallout, PandaBuy has remained silent on the issue. There have been unverified reports of the company trying to suppress discussions related to the breach on social media platforms like Discord and Reddit. However, a company representative on Discord acknowledged a past security incident, claiming that the leaked data was outdated and had been addressed by their security team.

Customers of PandaBuy are advised to change their passwords immediately and to exercise caution with unsolicited communications, as they might be targeted for scams. The leaked user data is now listed on Have I Been Pwned, allowing affected individuals to verify if they were impacted by the breach.

Steps to Protect Your Data Following the PandaBuy Breach

In light of this recent data breach, it’s critical for individuals to take proactive steps to safeguard their personal information and minimize potential risks. Here are essential actions to consider:

1. Password Update: Immediately change your PandaBuy password. Opt for a strong, unique password that combines letters, numbers, and symbols. It’s also advisable to update passwords on other sites where you may have used the same or similar credentials.
2. Enable Two-Factor Authentication (2FA): If PandaBuy or any other platform you use supports 2FA, enable it. This adds an extra layer of security by requiring a second form of verification beyond just your password.
3. Monitor Your Accounts: Keep an eye on your PandaBuy account and any related financial accounts for unusual activity. Early detection of suspicious activity can prevent further damage.
4. Be Skeptical of Unsolicited Contacts: Be cautious with emails, messages, or phone calls received from unknown sources, especially if they request personal information. Phishers may exploit the breach to trick victims into divulging sensitive information.
5. Check for Exposure: Use services like Have I Been Pwned to check if your email or other personal information has been compromised in this or other breaches. This can help you understand your exposure and take specific actions, such as changing passwords on affected accounts.
6. Stay Informed: Follow updates from PandaBuy and security experts regarding the breach. Staying informed helps you to react promptly to new advisories or recommendations.
7. Consider a Credit Freeze or Monitoring: If you’re concerned about identity theft, consider placing a freeze on your credit reports or signing up for credit monitoring services. This can help protect your credit score from fraudulent attempts.

Taking these steps can significantly reduce the risk of further damage following the PandaBuy data breach and enhance your overall digital security posture.

To read more about this article, click here.

2.8 Million Affected by Ransomware Attack on Massachusetts Health Insurer

Following the April 2023 ransomware attack on Point32Health, which impacted systems associated with the Harvard Pilgrim Health Care brand, there have been significant developments. The breach, which occurred between March 28, 2023, and April 17, 2023, resulted in the exfiltration of files containing sensitive personal and protected health information (PHI) for over 2.5 million individuals. The compromised data included names, addresses, phone numbers, birthdates, health insurance account information, Social Security numbers, provider taxpayer ID numbers, and clinical information​.

In response to the breach, Point32Health has undertaken several security enhancement measures, such as reviewing and improving user access protocols, implementing enhanced vulnerability scanning, identifying and prioritizing IT security improvements, and deploying a new Endpoint Detection and Response (EDR) security solution. Additionally, a comprehensive password reset for all administrative accounts was performed.

The incident has triggered multiple class-action lawsuits against Harvard Pilgrim Health Care and Point32Health. These lawsuits allege that the insurer failed to implement reasonable cybersecurity measures to protect the confidentiality of members’ information, putting them at imminent risk of harm, including the ongoing risk of identity theft and fraud​. One specific lawsuit cites negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment, highlighting the significant impact this breach has had on affected individuals.

Despite the severity of the breach, Harvard Pilgrim has reported no known instances of the stolen information being misused. In response to the incident, over 2.55 million individuals were initially notified in May 2023, with the US Department of Health and Human Services being informed of the breach’s scope. A recent update filed with the Maine Attorney General’s Office has revised the estimated number of affected individuals to over 2.86 million.

As a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 2 years. Despite these measures, there have been reports from individuals experiencing unauthorized activities, such as the opening of fraudulent accounts, underscoring the importance of affected members utilizing the offered protection services,

Point32Health is in the process of recovering from the attack and expects to bring the affected systems back online in the coming weeks, with ongoing efforts to enhance their cybersecurity posture to prevent future incidents.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.