~this week in security~

a cybersecurity newsletter by @zackwhittaker

volume 4, issue 39

~ ~


Fraudsters cloned company director's voice in $35M bank heist
Forbes ($): Last year, a bank manager got a call to authorize $35 million in bank transfers ahead of a company's acquisition. There was just one major problem: the voice on the other end of the phone, which the bank manager recognized, wasn't the company director. It was an AI deepfake voice designed to sound like him. Court documents unearthed by Forbes dig into the case. It's been done before (though not always as successfully), but never on a scale this big. Arguably, a system that allows a massive bank transfer on the strength of a voice match alone should have better authentication. Still, it's particularly creepy, and likely a case we'll see arise again.
Background: Wall Street Journal ($) | More: @lorenzofb | @anthony

How Coinbase phishers steal one-time passwords
Krebs on Security: Multi-factor authentication bypasses are rare, but not unheard of (which is why some prefer hardware security keys). One new phishing campaign was able to trick users into handing over their app-based one-time passwords, allowing malicious hackers to access their cryptocurrency accounts. Hundreds of victims ended up falling for the scam. It comes just a few weeks after Coinbase alerted 6,000 customers to a flaw that was used to steal their funds.
More: @briankrebs | @lukasstefanko

Missouri teachers’ Social Security numbers at risk on state agency's website
St. Louis Post-Dispatch: The story started out as an SSN leak by a Missouri state agency — and then things got weird. Missouri governor Mike Parson accused the journalist who found the exposed data of being a hacker and vowed to prosecute him. The journalist's alleged "crime" (read: it isn't) is the "multi-step process" of right-clicking and hitting "view source" on the HTML of a state webpage. Whether the governor's claim is a diversionary tactic or simply the default response of a panicked politician who wouldn't know how to take responsibility even if it slapped him in the face, shooting the messenger isn't going to help Missouri recover from this embarrassing stuff-up. The chances of this reporter facing actual conviction are slim, since doing so would effectively rule The Internet™ illegal in Missouri (good luck with that). This isn't about politics; it's about abuse of power. Suffice to say, there was a lot of support for the reporter from the security community, summed up in one concise tweet.
More: TechCrunch | New York Times ($) | @GovParsonMO
Swift on Security tweet in response to Missouri governor Mike Parson: "Shut the fuck up"
Microsoft: Iran-linked hackers target U.S. defense tech companies
Bleeping Computer: Iranian-linked hackers are targeting Office 365 users and Israeli defense tech companies in a mass password brute-forcing attack, funneled through a complex web of proxies to evade detection. Microsoft, which discovered the actors, said the government-backed group is still emerging, but appears to support "the national interests of the Islamic Republic of Iran," and is a group to watch. Microsoft published IOCs, and also time windows of activity, which ties in quite nicely with the Iranian working week (Saturday to Thursday). There's also a new post from Google's Threat Analysis Group (TAG) this week on Iran. Google's TAG said it tracks more than 270 targeted or government-backed attacker groups in over 50 countries on any given day.
More: Microsoft | Google TAG

Biden administration holds multi-nation meeting on ransomware threat
Washington Post ($): So, about the government's ransomware response: a little late and a little lackluster. Still, this week the Biden administration led a group of 30 countries — not Russia, guess why? — in a two-day summit on how not to get hacked. Russia and the U.S. are still in their own separate talks, but given Russia has given safe haven to many ransomware groups, it wasn't allowed to sit at the table. It comes in the same week that the FBI and CISA warned of further ransomware risks to the water supply network. As for outcomes, well, more of a statement really — the countries said they will do more to disrupt ransomware networks, strengthen cybersecurity, and regulate illicit finance. Hopefully they've been doing that already?
More: The Daily Beast | Cyberscoop | @nakashimae | @shanvav tweets
~ ~
Thanks for reading this newsletter! If you can, please spare $1/month (or more for mugs and stickers!) to help cover the costs of putting this newsletter together each week, through Patreon. You can also donate one-time: PayPal or Venmo.
~ ~


Researchers find Android phones still track you, even when you opt out
Gizmodo: A new paper from Trinity College, Dublin found Android phones still track you [PDF], in large part because of system apps that are bundled with phones by default ("bloatware") and incessantly ping device data back to manufacturers, developers, and sometimes third parties. The research shows you can't opt out of most of it, even if you wanted to. Google says this is simply "how modern smartphones work." It's a bit rich to say that when they're the ones... making the phones? But, turns out, if you swap in free and open source equivalents that users can download without needing a Google account, virtually no information is sent back. Who would've guessed?

Hackers strike computers at a Fresno health network. Whose information was stolen?
The Fresno Bee: United Health Centers, which operates close to two dozen health clinics across Fresno and surrounding areas, was hit with a ransomware attack in August, forcing a shutdown of its network. A ransomware group called Vice Society claimed responsibility, according to But months on, despite patients' concerns about the attack, UHC still hasn't notified people, nor has the incident been reported to the U.S. government's Department of Health and Human Services, per @PogoWasRight, who runs In another alarming incident, following the reporting of a breach at Calgary-based Homewood Health (which denied a breach despite ample evidence of one!), the company appears to be using legal threats to accuse the reporter of conspiracy and extortion, simply for doing journalism.
Dissent Doe tweet: "Homewood Health resorts to threats and a court order."
This is the White House's plan to protect employees from getting phished
Motherboard: The White House is pushing ahead with plans to roll out hardware security keys, which are far more resistant to phishing than SMS or app-based codes. It's part of the federal government's zero-trust strategy, which is essentially to trust nobody trying to access the network and to force users (and apps, systems, etc.) to be verified before granting access. It's nice to see the government actually taking its own advice, since all other federal agencies must adopt these same guidelines too.

Twitter suspends two accounts used by DPRK hackers to catfish security researchers
The Record: Remember when Google's TAG warned that North Korean hackers were trying to catfish security researchers? (Psst... they never stopped.) Twitter just suspended two more accounts of North Korean catfishers — @lagal1990 and @shiftrows13 — who tried to lure hackers and researchers to malicious sites with malware embedded.
~ ~


DuckDuckGo says it's received zero warrants since 2008
DuckDuckGo: Here's a stat you don't see very often. Privacy-friendly search engine DuckDuckGo, which doesn't store search histories, has received zero search warrants "of any kind" since it was founded in 2008. The number comes after a keyword warrant story from last week. By comparison, Google received... well let's just say quite a lot.

Some of Verizon’s Visible cell network customers say they’ve been hacked
The Verge: Credential stuffing strikes again as customers of Visible, the smaller cell network that's owned by Verizon, say their accounts were compromised and phones bought using their saved payment methods. In a statement posted on Reddit (for some reason), Visible said it was not breached and that the account takeovers were the result of password reuse across accounts. Which is fair... until you realize Visible doesn't offer two-factor authentication (which would make this kind of attack far tougher to pull off) — which also happens to be the top comment in response.
Statement from Visible on Reddit: "We’re currently investigating an incident where information on a small number of member accounts was changed without their authorization."
Acer confirms it was hacked (again)
ZDNet: Malicious hackers breached Acer's systems in India, claiming to have taken 60 gigabytes of stolen customer, corporate and financial information. Acer confirmed the breach, calling it "isolated," but it comes just months after it was hit by the REvil ransomware in March. The Desorden Group, alleged to be behind the attack, also targeted the Malaysian servers of food and shopping delivery giant ABX Express.

Thingiverse data leak affects 228,000 subscribers
Data Breach Today: Thingiverse, a website dedicated to sharing user-created digital design files, has leaked a 36 gigabyte backup with 228,000 unique email addresses and other personal information, per @troyhunt, who has a great tweet thread on the situation. The data is already circulating widely on a well-known hacking forum. Worse, Thingiverse wasn't responding to Hunt's messages, though he eventually got a response from MakerBot.
~ ~


With the news done, let's get on with the good stuff.

@RepMaxineWaters wins this week's "most ominous tweet" award. Will we ever find out who hacked her Twitter, or did Waters "take care" of the situation already? 👀
Rep. Maxine Waters' tweet: "I have been hacked and my Twitter account has been erased. I know who has done this. I will take care of this. M Waters."
And on a slightly lighter note, congratulations to @DAlperovitch and @RidT for the opening of the new Alperovitch Institute for Cybersecurity Studies at Johns Hopkins, which provides master's and PhD programs in the cybersecurity policy space.
Got some good news from the week? Get in touch:
~ ~


Meet this week's cyber cat dog. This is Pepper, who, her owner tells me, can often be found scolding everyone for their terrible security posture. Well, someone has to. You're doing good work, Pepper. Thanks so much to her human Markus S. for the submission!
Keep sending in your cyber cats (and your other fluffy non-feline friends). You can send them in with their name and photo by email here
~ ~


And that's it for now. A big thanks for reading (as always!). If you have any feedback, please drop it in the suggestion box or feel free to reach out directly at Be well!