[Security Weekly] American Payroll Association Hit by Magecart Attack, Sensitive Information Leaked

1st Week of September 2020


1. American Payroll Association hit by Magecart attack, sensitive information leaked

The American Payroll Association (APA), an association of HR and accounting professionals responsible for processing company payrolls, disclosed a serious data breach incident that affected its 21,000 members as well as other customers.

In mid-July, APA discovered Magecart-style skimming malware installed in the login form of its website and the checkout form of its online shop. APA later traced unusual activity on its website back to May, and found that the threat actors had likely exploited a vulnerability in its content management system.

As stated in a data breach notification to its members and customers, APA suggested that the Magecart skimmers may have extracted their usernames and passwords, full names, dates of birth, and credit card numbers, expiration dates, and CVV2s. With the login credentials, the attackers could have also logged into the accounts to obtain each user’s email address, job title, job role, primary job functions, company size and name, as well as the payroll software used at work. Profile photos of some members were also exposed.

APA has provided 12 months of credit monitoring service and $1 million of identity theft insurance to its members.

A web application firewall (WAF) such as WAPPLES can protect web applications and forms against web attacks of this kind, including SQL injection and Magecart skimmers.

Sources: Infosecurity, Bleeping Computer


2. Norwegian parliament suffers cyberattack on its email system

The parliament of Norway (Stortinget) disclosed a cyberattack incident that had breached its internal email system. 

According to Stortinget’s press release on September 1, the threat actors gained access to the hosting database of its email system and stole information from the email accounts of elected members (stortingsrepresentant) as well as other employees.

The specific scale and impact of the attack await further confirmation. In the meantime, the email service has been shut down to prevent any further spread. Stortinget has started notifying the impacted members and employees.

The Norwegian National Security Authority (NSA) is currently investigating who is behind the attack.

Sources: ZDNet, Infosecurity


3. Personal data of New South Wales drivers exposed online

On August 28, tens of thousands of driver’s licences issued by the Australian state of New South Wales were found exposed online.

The incident was revealed by a Ukrainian security consultant, who found a misconfigured AWS S3 cloud storage bucket that contained a total of 108,535 scanned image files of the front and back of 54,000 driver’s licences, as well as corresponding tolling notices.

Transport for NSW stated that the database did not belong to it and that it never kept image records of tolling notices. While the department was working with cybersecurity experts to investigate the origin of the leak, the NSW Privacy Commissioner suggested that the database was likely linked to a private business that collected driver’s licence information.

It is not clear whether the files had been viewed by any threat actors prior to the discovery. An NSW driver’s licence contains personally identifiable information (PII) such as full name, photo, date of birth, and ID number. Such information could easily be used for phishing attacks and identity theft.

Sources: ABC, IT News


4. Warner Music Group reveals skimming attack on its online stores

Warner Music Group, one of the world’s big three music recording companies, disclosed having fallen victim to a Magecart-style website skimming attack.

In a notice of data breach sent to the Attorney General of California, Warner Music revealed that it had found a number of credit card skimmers installed in its online shops. The skimming activity began on April 25 and continued until August 5, when the company discovered it.

All the affected websites were hosted by a third-party service provider. Warner Music warned its customers that all information entered into the billing and payment forms during these three-and-a-half months could have been collected by the threat actors. This could include their full names, email addresses, billing and shipping addresses, phone numbers, credit card numbers, CVV2s, and expiration dates.

This personal and financial data could be used by criminals for identity theft and financial fraud. Hence, Warner Music is offering a year of identity protection service to those affected.

Warner Music has not disclosed which specific websites were affected. In the meantime, the company is notifying victims directly.

Sources: ZDNet, Bleeping Computer


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security