Tuesday 9th July 2024

Good morning everyone, and thank you for joining me for the latest installment of Cyber Daily. Today's edition has quite a wide range of stories: from the rise of selfie-based authentication shaking up online banking to the persistent threat of the Mekotio banking trojan wreaking havoc in Latin America, there's a lot to unpack. And let's not forget the latest on Shopify, which is denying a data breach while pointing fingers at third-party apps. Let's get started!


Selfie-based Authentication: Convenient or Risky?

The trend of using selfies for online identity verification is gaining traction, especially post-pandemic. Vietnam recently mandated face scans for digital transactions above $400, sparking debates on security and privacy. Critics argue that selfies may not strengthen security, and early issues with apps accepting static photos highlight the concern.

Globally, the method is under scrutiny. US firm Resecurity noted a spike in leaked ID selfies of Singaporeans on the dark web, often sourced from fintech and e-commerce platforms. The crux of the issue lies in the handling of these images, with poor data management leading to potential breaches.

Expert Insights:

  • Akif Khan of Gartner and Katie Mitchell of New World Advisors emphasize the growing need for robust digital verification methods, citing anti-money laundering (AML) and know your customer (KYC) protocols.
  • Acronis CISO Kevin Reed points out the lack of regulation and mishandling of data as critical vulnerabilities.

Vendors are increasingly using advanced "liveness checks" to verify the authenticity of real-time images, utilising machine learning to detect deepfakes and ensure robust security measures. While the system isn't foolproof, it's a step toward securing digital identity verification in a diverse and inclusive manner.


Mekotio Banking Trojan Threatens Latin American Financial Institutions


A surge in cyber attacks distributing the Mekotio (aka Melcoz) banking trojan is threatening financial institutions across Latin America. According to Trend Micro, this Windows malware has been actively targeting countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal since 2015, aiming to steal banking credentials.

Mekotio Details:

  • Mekotio is part of a group of banking trojans alongside Guildma, Javali, and Grandoreiro (dismantled earlier this year).
  • The malware uses Delphi programming, fake pop-up windows, and backdoor functionalities to target Spanish- and Portuguese-speaking regions.
  • It typically spreads through tax-themed phishing emails that deploy a malicious MSI installer file using an AutoHotKey (AHK) script.

Operational Threats:

  • Once installed, Mekotio harvests system data and connects to a command-and-control server to receive instructions.
  • It displays fake banking site pop-ups to steal credentials, captures screenshots, logs keystrokes, and steals clipboard data.
  • The stolen information allows cybercriminals to access bank accounts and perform fraudulent transactions.

Recent Developments:

  • Despite a significant law enforcement operation in July 2021 that saw 16 arrests related to Mekotio and Grandoreiro, the threat persists.
  • Trend Micro highlights the trojan's persistence and evolving nature, especially in Latin American countries.

Emerging Threat:

  • Mexican cybersecurity firm Scitum has identified a new trojan, Red Mongoose Daemon, which also uses MSI droppers and phishing emails.
  • Red Mongoose Daemon targets Brazilian users by spoofing PIX transactions and has advanced capabilities for manipulating windows, remote control, and hijacking clipboards.

Shopify Denies Data Breach, Blames Third-Party App

Shopify, the popular e-commerce platform, is denying claims of a data breach after a threat actor began selling customer data allegedly stolen from the company. The seller, known as '888', posted the data on a hacking forum, but Shopify maintains its systems are secure.

Shopify's Statement:

  • "Shopify systems have not experienced a security incident," the company told BleepingComputer.
  • The data breach reportedly stems from a third-party app, and the app developer plans to notify affected customers.

Details of the Alleged Breach:

  • The data samples shared by '888' include Shopify IDs, names, emails, phone numbers, order counts, total spent, and subscription details.
  • Shopify has not provided further information about the compromised app.

Threat Actor Background:

  • '888' has a history of selling or leaking data from high-profile entities, including Credit Suisse, Shell, Heineken, Accenture India, and UNICEF.
  • This raises concerns about the security of third-party apps and the potential risks they pose to major platforms.

Past Incidents:

  • In 2020, Shopify revealed that two rogue support team members accessed customer transactional records from about 200 merchants, highlighting past vulnerabilities.

Alex Armasu

Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence

4 months ago

Very informative, thank you!

Akansha Bhagwani

Turning the game for Startups & SMEs through storytelling, branding & beyond within 30 days | 250+ happy clients globally

4 months ago

Great insights in this edition Aidan!

Noam Nisand

Content is the new Sales.

4 months ago

This surely sounds good, Aidan.
