Weekly cyber news update

From the NCSC Weekly threat reports

Twitter apologises following misuse of user details

The ‘unintentional’ use of user email addresses and phone numbers for targeted advertising has prompted an apology from Twitter.

To create a Twitter account, users must provide a valid email address and phone number, which help with account security. However, Twitter disables accounts without phone numbers even if that user isn’t using a phone number-reliant form of two-factor authentication (2FA) protection (such as a verification code sent in a text message).

2FA provides a way of 'double checking' that you really are the person you are claiming to be when you're using online services, such as banking, email or, in this case, social media.

There are better forms of 2FA than the SMS-based approach, such as authenticator apps and back-up codes, but any 2FA is much better than no 2FA at all.


Thousands of retailers affected by hack

Retailers, including the official Sesame Street store, have been targeted by a hack that can steal credit card details.

Malicious code known as JavaScript Cookie has been found in e-commerce software provided by Volusion. The code is designed to copy details of credit cards from customers which can then be used by cyber criminals. This method, also known as ‘web skimming’, can be hard to spot, but a researcher at security firm Check Point had noticed the issue when browsing the Sesame Street online store.

Users who may be worried about their credit card details following these reports can follow similar advice issued by the NCSC when Ticketmaster UK were affected by malicious software on a product hosted by a third-party supplier.


Wired reports

Apple iTunes Bug Actively Exploited in BitPaymer/iEncrypt Campaign

Attackers exploit an “unquoted path” flaw in the Bonjour updater in iTunes for Windows to deliver ransomware attacks.

Cybercriminals are actively targeting a vulnerability in the Windows version of Apple iTunes to deliver BitPaymer/iEncrypt ransomware. It’s a new attack pattern that is difficult to detect, security researchers revealed.

Researchers from Morphisec Labs in August identified the abuse of the flaw, which exists in the Bonjour updater that comes packaged with iTunes for Windows, to deliver ransomware in an attack on an unidentified enterprise in the automotive industry.

Morphisec immediately disclosed the attack to Apple, which has recently patched the flaw in an iCloud for Windows update.


The Register reports 

Ye olde Blue Screen of Death is back – this time, a bad Symantec update is to blame

Symantec has acknowledged an issue with an update to its Endpoint Protection Client that causes a Windows kernel exception after users this morning came down with a mild case of Blue Screen of Death.

A Reg reader who got in touch about the problem confirmed "multiple" businesses running Symantec were getting hit with the BSOD stick.

The solution, presuming you can persuade Windows to boot successfully, is either to run a further update to get release R62 of the bad Intrusion Protection signature, or roll back to an earlier one.

Symantec advised they had learned of the SEP issue on Tuesday and immediately issued an update to resolve it.