« Back to Blog

This Week in Security: A Song of Phishing and Passwords

By Cylance Research and Intelligence Team

Phishing for Developers

Hackers are targeting Chrome extension developers with phishing attacks to hijack control over their extensions in the Chrome Webstore. The phishing attacks are very well crafted to display a replica of the real Google login page and use new domains to bypass Google’s Safe Browsing blacklist.

After gaining control of the extension, the hackers insert malicious code into the browser extensions. These hijacked extensions are then distributed to unsuspecting users via the auto-update mechanism in Google Chrome and insert affiliate advertisements into webpages.

In the past, attackers would deploy banking trojans which would install malicious browser extensions to steal financial credentials. It’s not a far cry to believe they will eventually hijack browser extensions on the Chrome web store to start stealing credentials to financial institutions in order to initiate outbound external transfers to an offshore bank account.

If you’re an extension developer, protect yourself by:

•   Requiring two-factor authentication on your developer account

•   Manually navigate to sites the e-mails purport to originate from, don’t click on links

•   Use a unique password for your developer account

Google Chrome users should be cautious about which extensions are installed.

A New Mortgage Backed Security Problem

Business e-mail compromise doesn’t just target businesses, as a Washington, D.C. couple learned when they were scammed out of $1.5 million when purchasing a home.

It’s been almost a decade since the great recession caused by mortgage-backed securities (MBS) and now we have a mortgage backed cybersecurity problem.

Scammers have targeted their phishing and social engineering skills to target home buyers in the process of closing on their homes. The scammers hack into the title company (or real estate agent) and send out settlement statements, which contain the final payment amount and a bank account to wire the final payment to. The scammers change the bank account number to an account under their own control and, as a result, the money is wired directly to their account.

Protect yourself by:

•   Verify messages with your personal point of contact via known phone number

•   Never trust an e-mail when it comes to financial transactions

•   Never trust phone numbers or links in an e-mail or from search engine results

Your Password Policy Has Expired

If you’re tired of changing your password every 90 days with some nonsensical combination of letters, numbers, and symbols, you are not alone. Bill Burr, the author of the original 8-page guide on how to create secure passwords (creatively called the NIST SP800-63 Appendix A) regrets codifying those arcane rules.

Bill’s recommendations for password rules would spread far and wide, from federal agencies to your local financial institution. There was a lack of real world empirical password data when Bill developed those infamous password rules, which relied on a whitepaper from the mid-1980s.

NIST has updated their guidelines earlier this year in SP800-63B, removing the complex composition rules (one upper case letter, one lower case letter, one number, and one special character) in favor of increasing password lengths and blacklisting known passwords. Troy Hunt, security developer and creator of haveibeenpwned.com, has graciously released 320 million passwords that have been collated from various database breaches.

Protect yourself by using a password manager to generate long unique passwords, and enable two-factor authentication (2FA) where available.

About the Cylance Research and Intelligence Team

The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the fore front of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats. 

Tags: