QR Code Scams | Q1 Cyber Attack Stats | Google Passkeys | Former Uber CISO Sentenced
In this episode of GRXcerpts:
Alarming new QR code scams
Cyber attack stats for Q1
Google’s passkey announcement
Former Uber CISO Joseph Sullivan sentenced
New QR Code Scams
QR codes…we saw them gain new life and usage during the pandemic, and now cyber criminals are exploiting them in alarming and innovative ways.
Most recently, an elderly woman in Singapore received a QR code on her boba tea cup offering a free drink for completing a brief survey. We see loyalty surveys all the time, but little did she know that the survey she downloaded took over her phone, accessed her Internet banking account, and siphoned $20,000 from her account overnight.
Consumers beware: this scam is subtle and extremely harmful. The malware delivered through the QR code first asks the user to grant access to the phone’s microphone, camera, and the Android Accessibility Service, a built-in feature intended to assist users with disabilities that can read and control the phone screen. The scammer then passively monitors the victim’s mobile banking app usage, noting the login credentials entered during the day. Later at night, when malicious activity is likely to go unnoticed, the scammer strikes, wiping out the victim’s bank account.
Similar scams have been reported in the UK and the US, with threat actors using bogus parking ploys. Local governments have warned citizens to avoid using QR codes attached to parking meters that appear to be quick pay options but are really malicious attempts to gather payment information. Additionally, thieves in San Francisco have been issuing fake parking tickets to unsuspecting victims. The ticket appears to be from the San Francisco city government and contains a QR code to make a payment online, which then takes users to a city government copycat website and steals their bank account information. So, if you received a parking ticket while at the RSA conference, you might think twice before scanning that QR code to pay.
Cyber Attacks Increase in Q1 2023
According to Check Point’s latest research report, 2023 is off to a rough start, with Q1 experiencing an uptick in cyber attacks. Globally, cyber attacks rose 7% compared to the same period last year. It’s estimated that each firm now faces an average of over 1,200 attacks per week, 1 in 31 organizations worldwide has experienced a ransomware attack, 560,000 new pieces of malware are detected every day, and there are now more than 1 billion malware programs circulating. Emerging technologies, such as AI and machine learning, 5G, the Internet of Things, and quantum computing, are creating more exploitable gaps, contributing to the increased malicious activity. Additionally, ChatGPT has enabled less-skilled threat actors to hone their skills and effortlessly launch cyber attacks.
Google Announces Passkeys
Google has announced the ability to create and use passkeys for personal accounts, saying goodbye to 2-step verification sign-ins. Passkeys work on all major platforms and browsers, and are a more convenient and safer alternative to passwords, allowing users to sign in with a fingerprint, facial recognition, or local PIN. Additionally, passkeys help protect against users revealing credentials during phishing attempts or bad actors obtaining passwords exposed in a breach. Only a few websites and apps currently support passkeys, but this is rapidly changing. Apple and Microsoft are moving towards passkeys for their platforms, and the US Federal government is expected to fully transition to passkeys by the end of 2024.
Former Uber CISO Sentenced
And finally, we close with an update on Joseph Sullivan, the former CISO at Uber Technologies, who was found guilty of criminal obstruction following a 2016 data breach. Seven years ago, hackers infiltrated Uber’s network through a technology vulnerability, stole approximately 57 million customer records and 600,000 driver’s license numbers, then demanded a ransom payment. Instead of reporting the incident to the FTC, Sullivan’s team paid the hackers $100,000 in Bitcoin to keep the incident quiet, then falsified details about the breach. While the Federal government recommended 15 months in prison for Sullivan’s actions, a district judge ruled otherwise, sentencing Sullivan to three years’ probation, 200 hours of community service, and a $50,000 fine. The judge cited Mr. Sullivan’s character and the unusual nature of the case as the reasons for his leniency, although the case also comes with a warning to other CISOs. Breaches happen; you are not to blame; however, how you respond matters. Take the high road; act morally and ethically, and, it goes without saying, always within the bounds of the law.
All information is current as of May 8, 2023. Subscribe to receive future episodes as they are released.