Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

The mail reads as follows:

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn’t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happens to be on offer this week. Alternatively, you can sign up for the monthly subscription: you pay, and every month you are given a selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have no interest in the titles previewed up front, you can pause your subscription for a month.

This is the data the bug exploiter obtained, which is an odd and specific thing to try to grab.
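To make the mechanism concrete, the following is an added example, not Humble Bundle's code. The post does not say how the real bug worked, so the endpoint shape, field names and sample data below are hypothetical assumptions. It models a subscription-status lookup that answers differently for known and unknown addresses, the attacker's sweep over a list of addresses, a hardened version that only answers the authenticated owner and gives everyone else one indistinguishable response, and a simple detection that flags a client probing many distinct addresses.

```python
"""Account-enumeration oracle of the kind described in the Humble Bundle mail.

Added example, not Humble Bundle's code: the post does not say how the real bug
worked, so the endpoint shape, field names and sample accounts below are
hypothetical, constructed for illustration.
"""
import hmac
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample account store keyed by email address (hypothetical data).
ACCOUNTS: Dict[str, Dict[str, object]] = {
    "alice@example.com": {"status": "active", "expires": "2019-01-31", "referral_bonus": True},
    "bob@example.com": {"status": "paused", "expires": "2019-03-31", "referral_bonus": False},
}


def vulnerable_lookup(email: str) -> Dict[str, object]:
    """Unauthenticated lookup keyed only on the email address.

    Known and unknown addresses get different answers, so the endpoint is an
    oracle: feed it a list of addresses and keep the ones that return details.
    """
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return {"found": False}
    return {"found": True, **acct}


def hardened_lookup(email: str, session_email: Optional[str]) -> Dict[str, object]:
    """Only the authenticated owner may read their own subscription state.

    Every other request, whether the address exists or not, gets the same
    response, so nothing about account existence leaks to a caller.
    """
    if session_email is None:
        return {"error": "unauthorized"}
    if not hmac.compare_digest(session_email.lower().encode(), email.lower().encode()):
        return {"error": "unauthorized"}
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return {"error": "unauthorized"}
    return dict(acct)


def enumerate_with_oracle(candidates: Iterable[str],
                          oracle: Callable[[str], Dict[str, object]]) -> List[str]:
    """What the attacker did: test a list of addresses and keep the matches."""
    return [e for e in candidates if oracle(e).get("found")]


def flag_enumeration(requests: Iterable[Tuple[str, str]], threshold: int = 20) -> Set[str]:
    """Detection side: a client probing many distinct addresses is enumerating.

    `requests` holds (client_id, email_probed) per request to the lookup endpoint.
    """
    probes: Dict[str, Set[str]] = defaultdict(set)
    for client, email in requests:
        probes[client].add(email.lower())
    return {client for client, emails in probes.items() if len(emails) >= threshold}


# Constructed traffic: one client sweeping a list, one checking a couple of addresses.
SAMPLE_REQUESTS: List[Tuple[str, str]] = (
    [("203.0.113.5", f"user{i}@example.net") for i in range(25)]
    + [("198.51.100.7", "alice@example.com"), ("198.51.100.7", "bob@example.com")]
)

if __name__ == "__main__":
    wordlist = ["alice@example.com", "eve@example.com", "bob@example.com"]
    print("oracle matches:", enumerate_with_oracle(wordlist, vulnerable_lookup))
    print("hardened, no session:",
          enumerate_with_oracle(wordlist, lambda e: hardened_lookup(e, None)))
    print("sweeping clients:", flag_enumeration(SAMPLE_REQUESTS))
```

The hardened version closes the oracle by tying the answer to an authenticated session rather than to the address supplied, and by returning the same response for a wrong owner and a nonexistent account. Endpoints that must accept an arbitrary address, such as sign-up or password reset, cannot do that, which is where rate limiting and a sweep detector like `flag_enumeration` earn their keep.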

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable Two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable 2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here, then, is spear phishing. Note that the attacker had to bring their own list of email addresses; the bug only confirmed which of them belonged to a Humble Bundle account (an account-enumeration oracle) and revealed the subscription details for the matches. That is enough to make a targeted mail persuasive: a warning that the subscription is about to time out, or a claimed problem with stored card details, sent only to addresses known to hold a subscription. Throw in a splash of colour text regarding your subscription “currently being paused,” and it’s all going to look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.

Subject: Invoice. The cause of 6 out of 10 of the most effective phishing campaigns in 2018

The digital security consultancy Cofense has recently published a report on the state of phishing attacks throughout this year. The report, State of Phishing Defense 2018, gathers data from more than 135 million simulated phishing emails sent to a sample of 1,400 companies all over the world. This data was then correlated with information about real attacks gathered by Cofense’s Phishing Defense Center (PDC). The findings are extremely revealing.

Attachments are one of the most frequent types of phishing.

The first fact highlighted by the report is that, on average, one in every ten emails is reported as malicious, though this varies from month to month: January has the lowest incidence, at 7%, and July the highest, at 13%. As we will see in another of the report’s conclusions, this seasonal fluctuation is no coincidence.

By sector, utilities and law firms and legal consultancies are the most affected, with 20% and 19% of emails reported as malicious respectively, while in technology and financial services the ratio was just 7%. Even so, as the report stresses, fewer attacks does not mean lower risk: a single successful case can cause million-dollar losses for a company.

Another notable conclusion comes from an analysis of phishing types: emails carrying malicious attachments remain one of attackers’ favourite categories. In this way, cyberattackers seek to evade the URL scanners that many security products use as a defensive barrier against phishing links. However, the most surprising data in the study comes from an analysis of phishing email subject lines.

The danger of “invoices”

Sorting emails by subject gives a staggering ranking: 6 of the 10 most effective phishing campaigns in 2018 contained the word ‘invoice’ in the subject. What’s more, the remaining subjects are also related to corporate finance: ‘remittance’ or ‘payment’. For this reason, June and July, the end of the financial year for many companies with an international presence, see an upturn in attacks compared to other months. For the same reason, employees in an organization’s finance department are the group most vulnerable to this kind of attack.

Top ten phishing campaign subjects. Source: Cofense, State of Phishing Defense 2018.

Prevention and awareness

As we explained in a previous article, phishing continues to be common because deceiving people with so-called social engineering is a much easier task for cyberattackers than circumventing the firewalls and security solutions that protect inboxes. It is therefore fundamental to prevent employees, especially those in the finance department, from falling for these tricks. With that in mind, here are several measures that should be implemented.

A first logical step is for employees to learn to identify suspicious phishing emails that carry attachments. Many of these emails reuse names and images taken from real companies that may be providers to the organization. However, they usually contain a few suspicious elements too:

  • A sender domain that does not exactly match the domain of the company supposedly sending the invoice (a look-alike domain is the usual trick).
  • A language different from the one the organization usually uses to communicate with its providers.
  • Serious spelling or grammar mistakes, the product of machine translation used to write the email.
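As an added example, not Panda Security’s or Cofense’s code, the following Python triages an inbound invoice mail against the first two indicators above, plus the malicious-attachment point made earlier in the article. The vendor allow-list, the stopword tables, the risky-extension list and the two sample messages are constructed assumptions; the third indicator (machine-translation errors) is left to the human reviewer.

```python
"""Triage an inbound 'invoice' mail against the indicators listed above.

Added example, not Panda Security's or Cofense's code. The vendor allow-list,
the two sample messages, the stopword tables and the risky-extension list are
hypothetical, constructed for illustration. The third indicator (spelling and
grammar errors from machine translation) is left to the human reviewer.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical allow-list: the real sending domains of vendors finance actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-parts.co.uk"}
ORG_LANGUAGE = "en"  # language the organisation uses with its providers
# Attachment types attackers favour to sidestep URL scanning (hypothetical list).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".iso", ".zip", ".html", ".htm"}
# Tiny stopword tables; enough to notice an unexpected language, not a real detector.
STOPWORDS = {
    "en": {"the", "please", "find", "attached", "invoice", "payment", "your", "due"},
    "es": {"el", "la", "adjunto", "factura", "pago", "por", "favor", "su"},
    "de": {"die", "der", "und", "bitte", "rechnung", "anbei", "zahlung", "ihre"},
}


def domain_indicator(from_header: str) -> Optional[str]:
    """Indicator 1: sender domain is not exactly a known vendor domain."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    # A vendor's name showing up in a foreign domain or display name is a look-alike.
    haystack = domain + " " + display_name.lower().replace(" ", "-")
    for known in KNOWN_VENDOR_DOMAINS:
        label = known.split(".")[0]  # e.g. "acme-supplies"
        if label in haystack:
            return f"look-alike sender {domain!r} imitates {known!r}"
    return f"unknown sender domain {domain!r}"


def guess_language(text: str) -> Optional[str]:
    """Indicator 2: crude stopword vote over the body text."""
    words = re.findall(r"[a-záéíóúñüß]+", text.lower())
    scores = {lang: sum(w in sw for w in words) for lang, sw in STOPWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def triage(raw_message: str) -> List[str]:
    """Return the indicators that fired; an empty list means none did."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []
    hit = domain_indicator(str(msg["From"]))
    if hit:
        findings.append(hit)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lang = guess_language(body)
    if lang and lang != ORG_LANGUAGE:
        findings.append(f"body language {lang!r} differs from usual {ORG_LANGUAGE!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name!r}")
    return findings


def build_sample(from_header: str, subject: str, body: str,
                 attachment: Optional[str] = None) -> str:
    """Construct a raw RFC 822 message for the examples (constructed input)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "accounts-payable@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples: a genuine invoice and a look-alike phish.
LEGIT_SAMPLE = build_sample(
    "Acme Supplies <billing@acme-supplies.com>", "Invoice 4471",
    "Please find attached the invoice for your October order. Payment is due in 30 days.",
    "invoice-4471.pdf")
PHISH_SAMPLE = build_sample(
    "Acme Supplies Billing <billing@acme-supplies-portal.net>", "Invoice",
    "Por favor, adjunto la factura. El pago vence hoy.",
    "Factura.docm")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE)):
        print(label, triage(raw) or "no indicators")
```

The allow-list check is deliberately exact: a domain that merely contains the vendor’s name is treated as an imitation, not a match, because that is precisely how look-alike domains are built. The language guess is only a vote over a handful of stopwords, which is enough to notice a Spanish invoice arriving at an English-speaking finance team but is no substitute for a real language detector.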

Employees should then go through phishing simulations so that, with practice, they learn to identify such emails quickly from these patterns.

Secondly, prudence is key. Employees must not open any attachment until they are sure the email comes from a genuine sender and is safe. If it shows none of the signs listed above but doubts remain, it is better to check the company’s billing system or ask the rest of the team: are there pending invoices or payments? What is the status of the relationship with this supposed provider? And when in doubt about a possible risk, it is always best to alert the company’s security team.

Finally, it is a very good idea for the company to have an advanced cybersecurity solution that provides 360º monitoring. In this sense, Panda Adaptive Defense is able to detect all possible threats beforehand, and perform a complete scan of all emails and attachments in real time as soon as they reach the company’s inbox. This real time visibility allows any possible phishing attempt to be stopped dead, keeping the company completely safe.

The post Subject: Invoice. The cause of 6 out of 10 of the most effective phishing campaigns in 2018 appeared first on Panda Security Mediacenter.