Experian API Exposed Credit Scores of Most Americans (again)

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Security Researcher Bill Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Source: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

The WordFence Threat Intelligence team discovered and, in early February, responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary plugins and inject PHP objects. The third flaw made it possible for authenticated attackers to delete arbitrary posts on a site running the plugin, causing a loss of availability.

These are considered severe vulnerabilities. Therefore, we highly recommend updating to the latest patched version available immediately.

Full details at https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin

Severe Unpatched Vulnerabilities Lead to Closure of Store Locator Plus Plugin

Store Locator Plus is a plugin designed to add a store locator to a WordPress site and makes it very simple to do so. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.

WordFence strongly recommends deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

In addition to the privilege escalation vulnerability, WordFence found several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. These could be used by an attacker to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, you should also be using WordFence’s Web Application Firewall, which has rules in place to mitigate attacks.

Source: https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin
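The nonce flaw in the Redirection for Contact Form 7 item above and the user-meta privilege escalation in this item share a root cause: a handler that lets the caller choose what the server trusts (which action string a nonce is minted for, which meta key gets written). The PHP below is an added illustration of that pattern and its fix; it is not code from either plugin or from Wordfence, and the action names, meta keys and request field names are hypothetical. It assumes the standard WordPress plugin API (add_action, check_ajax_referer, current_user_can, update_user_meta, wp_send_json_*).

```php
<?php
// Added illustration only; none of this is Store Locator Plus, Redirection for
// Contact Form 7, or Wordfence code. Action names, meta keys and request fields
// are hypothetical. Assumes the WordPress plugin API.

// --- BEFORE (1): caller-chosen nonce action. A nonce only proves intent for the
// action string it was minted with, so minting it for whatever string the
// request names makes it prove nothing.
add_action( 'wp_ajax_nopriv_example_get_nonce_unsafe', function () {
    $action = sanitize_key( wp_unslash( $_GET['action_name'] ?? '' ) );
    wp_send_json_success( wp_create_nonce( $action ) );
} );

// --- BEFORE (2): caller-chosen meta key. Any logged-in user writes any key on
// their own record; role assignment is itself stored as user meta, so this is
// a privilege-escalation path, not a profile update.
add_action( 'wp_ajax_example_save_profile_unsafe', function () {
    $user_id = get_current_user_id();
    $key     = sanitize_key( wp_unslash( $_POST['meta_key'] ?? '' ) );
    $value   = wp_unslash( $_POST['meta_value'] ?? '' );
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
} );

// --- AFTER: one fixed action string, a capability check, an allowlist of keys.
const EXAMPLE_PROFILE_ACTION = 'example_save_profile';                  // hypothetical
const EXAMPLE_EDITABLE_META  = [ 'example_phone', 'example_timezone' ]; // hypothetical keys

// The nonce is minted server-side for the fixed action and embedded in the
// form; there is no endpoint that mints nonces for an action the caller names.
function example_profile_form_nonce(): string {
    return wp_create_nonce( EXAMPLE_PROFILE_ACTION );
}

add_action( 'wp_ajax_' . EXAMPLE_PROFILE_ACTION, function () {
    // 1. CSRF: the submitted nonce must match the fixed action (dies on failure).
    check_ajax_referer( EXAMPLE_PROFILE_ACTION, 'nonce' );

    // 2. Authorization: a capability on this user record, not just "is logged in".
    $user_id = get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: the caller picks from fields we chose, never an arbitrary key.
    $key = sanitize_key( wp_unslash( $_POST['meta_key'] ?? '' ) );
    if ( ! in_array( $key, EXAMPLE_EDITABLE_META, true ) ) {
        wp_send_json_error( 'unknown field', 400 );
    }

    // 4. Value sanitized for the type the field actually holds.
    $value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success( [ 'field' => $key ] );
} );
```

The three checks in the hardened handler are independent and all three are needed: the nonce stops cross-site requests, the capability check stops a low-privileged account acting on records it should not touch, and the allowlist stops a legitimately authorized caller from reaching keys the feature was never meant to expose. Sanitizing the key (as the "before" handler already does) is not a substitute for the allowlist, since a well-formed key is exactly what an escalation attempt supplies.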

Sucuri: Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?

Sucuri recently described an exploit in which hackers gain access to the site and then immediately disable any of a list of well-known security plugins that are installed. If your security plugins are turned off, they’re not going to scan your site for malware and they’re not going to email you a warning.

“If a user tries to reactivate one of the disabled security plugins, it will momentarily appear to activate only for the malware to immediately disable it again. This behavior will prevail until the malware is fully removed from the compromised environment, making it more difficult to detect malicious behavior on the website.”

Ideally your sites are locked down well enough that the hackers can’t gain access in the first place. But keep an eye on your site and if you see any behavior similar to what’s described, contact us and we’ll clean it up.

Source: https://blog.sucuri.net/2020/09/wordpress-malware-disables-security-to-avoid-detection.html
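The behaviour Sucuri describes has a usable signature: a watched security plugin disappears from the active list, and if an admin re-enables it, it disappears again within minutes. The must-use plugin below is an added illustration of detecting that, not Sucuri's code or any product; it assumes the WordPress option, transient and mail APIs, and the plugin paths in the watch list are assumed (one real slug, one hypothetical). It lives in wp-content/mu-plugins/, which WordPress loads unconditionally and never shows a "deactivate" link for.

```php
<?php
/**
 * Plugin Name: Example Security Plugin Watchdog
 *
 * Added illustration, not Sucuri code. Place in wp-content/mu-plugins/.
 * Assumes the WordPress plugin/option API (add_action, get_transient,
 * set_transient, wp_mail, get_option). Plugin paths below are assumed.
 */

// Plugins whose silent disappearance from the active list should raise an alarm.
const EXAMPLE_WATCHED_PLUGINS = [
    'wordfence/wordfence.php',             // real slug, assumed correct here
    'example-scanner/example-scanner.php', // hypothetical
];

// How many deactivations of one watched plugin inside the window count as the
// "reactivate, instantly deactivated again" loop the article describes.
const EXAMPLE_LOOP_THRESHOLD = 2;
const EXAMPLE_LOOP_WINDOW    = 15 * MINUTE_IN_SECONDS;

/** Watched plugins present in $old but absent from $new (pure, so it is testable). */
function example_watchdog_removed( array $old, array $new ): array {
    return array_values( array_intersect( array_diff( $old, $new ), EXAMPLE_WATCHED_PLUGINS ) );
}

/** Count recent deactivations of $plugin in a transient; returns the new count. */
function example_watchdog_bump( string $plugin ): int {
    $key   = 'example_wd_' . md5( $plugin );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOOP_WINDOW );
    return $count;
}

// deactivate_plugins() and the admin plugins screen both end in
// update_option( 'active_plugins' ), so this one hook sees both. A direct SQL
// write to wp_options bypasses it, which is why the alert goes out-of-band
// (error_log and email) instead of only into the same database.
add_action( 'update_option_active_plugins', function ( $old, $new ) {
    foreach ( example_watchdog_removed( (array) $old, (array) $new ) as $plugin ) {
        $count = example_watchdog_bump( $plugin );
        $user  = wp_get_current_user();
        $msg   = sprintf(
            '[%s] %s deactivated (#%d within %d min) user=%s ip=%s request=%s',
            gmdate( 'c' ),
            $plugin,
            $count,
            EXAMPLE_LOOP_WINDOW / 60,
            $user && $user->exists() ? $user->user_login : 'none/cli',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-'
        );
        error_log( $msg );
        if ( $count >= EXAMPLE_LOOP_THRESHOLD ) {
            // Repeated knock-down inside the window matches the malware loop,
            // not an administrator doing maintenance once.
            wp_mail( get_option( 'admin_email' ), 'Security plugin repeatedly deactivated', $msg );
        }
    }
}, 10, 2 );
```

The first deactivation only produces a log line, because administrators do legitimately disable plugins; the second within fifteen minutes is what triggers the email. Malware that already has code execution can delete this file too, so its value is the record that has already left the site (the web server error log and the mail), not the file's continued presence; a missing watchdog is itself a signal worth checking for during the clean-up the item recommends.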

Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73.

Full article: https://thehackernews.com/2020/08/chrome-csp-bypass.html

Stay Alert to New Scams and Tricks

Phishing attackers can play with web addresses in a number of ways to trick you into following the link:

Hiding the link with a link shortener (bit.ly, goo.gl, etc.)

Hiding the link under a “Click here” or similar button

Substituting numbers for letters (the number 0 for the letter o, as in “dr0pb0x.com”)

Spelling an existing address incorrectly (Facbook.com instead of Facebook.com)
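Each of the four tricks listed above can be checked mechanically before a link is trusted. The PHP below is an added illustration of such a check, not code from any mail filter or product; the brand list, shortener list and sample links are constructed for the example, and the registrable-domain logic is deliberately crude (last two labels), which is enough for these brands but not for country-code domains such as example.co.uk.

```php
<?php
// Added illustration of checking the four tricks listed above. Brand list,
// shortener list and sample links are constructed; this is not from any product.

const EXAMPLE_KNOWN_DOMAINS = [ 'dropbox.com', 'facebook.com', 'google.com', 'paypal.com' ];
const EXAMPLE_SHORTENERS    = [ 'bit.ly', 'goo.gl', 't.co', 'tinyurl.com' ];

/** Lower-cased host of a URL or bare host ("Facbook.com"); null if there is none. */
function example_host( string $url ): ?string {
    $url = trim( $url );
    if ( ! preg_match( '#^[a-z][a-z0-9+.-]*://#i', $url ) ) {
        $url = 'http://' . $url; // parse_url needs a scheme to see a host
    }
    $host = parse_url( $url, PHP_URL_HOST );
    if ( ! is_string( $host ) ) {
        return null;
    }
    $host = strtolower( $host );
    // "Click here" survives parse_url on some PHP builds; require a real hostname.
    return preg_match( '/^[a-z0-9-]+(\.[a-z0-9-]+)+$/', $host ) ? $host : null;
}

/** Last two labels ("www.paypal.com" -> "paypal.com"); enough for this brand list. */
function example_registrable( string $host ): string {
    return implode( '.', array_slice( explode( '.', $host ), -2 ) );
}

/** Undo common digit-for-letter swaps so "dr0pb0x" compares as "dropbox". */
function example_undigit( string $s ): string {
    return strtr( $s, [ '0' => 'o', '1' => 'l', '3' => 'e', '4' => 'a', '5' => 's', '7' => 't' ] );
}

/**
 * Classify one link as [verdict, reason]. $text is the visible anchor text
 * (possibly "Click here"), $href the real destination.
 */
function example_classify_link( string $text, string $href ): array {
    $host = example_host( $href );
    if ( $host === null ) {
        return [ 'unparseable', 'no host in href' ];
    }
    $domain = example_registrable( $host );

    // 1. Shortener: the real destination is hidden behind a redirect.
    if ( in_array( $domain, EXAMPLE_SHORTENERS, true ) ) {
        return [ 'shortener', "destination hidden behind $domain" ];
    }
    // 2. "Click here" buttons show no host; a shown host that differs from the
    //    href is the same trick in a different coat.
    $text_host = example_host( $text );
    if ( $text_host === null ) {
        return [ 'opaque-text', 'anchor text does not show the destination' ];
    }
    if ( example_registrable( $text_host ) !== $domain ) {
        return [ 'text-mismatch', "text shows $text_host but href goes to $host" ];
    }
    if ( in_array( $domain, EXAMPLE_KNOWN_DOMAINS, true ) ) {
        return [ 'known', "$domain is on the allowlist" ];
    }
    // 3 & 4. Digit substitution and one-edit misspellings of every known brand.
    [ $name ] = explode( '.', $domain );
    foreach ( EXAMPLE_KNOWN_DOMAINS as $known ) {
        [ $brand ] = explode( '.', $known );
        if ( example_undigit( $name ) === $brand ) {
            return [ 'lookalike', "digit substitution for $known" ];
        }
        if ( levenshtein( $name, $brand ) <= 1 ) {
            return [ 'lookalike', "one edit away from $known" ];
        }
    }
    return [ 'unknown', "$domain not recognised" ];
}

// Constructed sample links, one per trick in the list above plus a clean one.
$samples = [
    [ 'https://bit.ly/3abcxyz',             'https://bit.ly/3abcxyz' ],
    [ 'Click here',                         'https://example-login.invalid/reset' ],
    [ 'https://dr0pb0x.com/s/file',         'https://dr0pb0x.com/s/file' ],
    [ 'Facbook.com',                        'http://Facbook.com/login' ],
    [ 'https://www.paypal.com/myaccount',   'https://www.paypal.com/myaccount' ],
];
foreach ( $samples as [ $text, $href ] ) {
    [ $verdict, $reason ] = example_classify_link( $text, $href );
    printf( "%-13s %-40s %s\n", $verdict, $href, $reason );
}
```

The five samples classify as shortener, opaque-text, lookalike (digit substitution), lookalike (one edit from facebook.com) and known, in that order. A shortener verdict is a prompt to resolve the redirect (an HTTP HEAD request, not shown here) before judging the real destination, and the one-edit rule will flag some legitimate short brand names, so treat these verdicts as reasons to look closer rather than as final blocks.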


Google: Phishing and malware attacks are evolving

Coronavirus-themed phishing lures are still on the rise, particularly in certain geographic locations – but most are being stopped before they reach your inbox.

Cyber criminals are tailoring coronavirus-related phishing and malware attacks to make them more effective at targeting victims in certain locations around the world, even as attackers continue to distribute millions of malicious spam emails every single day.

Google Cloud has detailed how the past month has seen the emergence of regional hotspots for COVID-19-related cyberattacks, with the UK, India and Brazil all seeing a rise in malware, phishing and spam campaigns looking to exploit fears over the virus.

In each case, the attacks and scams are using regionally relevant lures such as supposed government advice in an effort to reel victims in.

One example targeting people in the UK masquerades as an email from the Small Business Grant fund, a government initiative to help small businesses get through coronavirus. These attacks, which often involve a malicious file or phishing link, are designed to trick the victim into giving up personal information, as well as financial details.

Full article: https://www.zdnet.com/article/google-heres-how-phishing-and-malware-attacks-are-evolving/