Weekly podcast: Personalised phishing, Android Trojan, free pizza, and the Panama Papers

This week, we examine a phishing scam that includes recipients’ home addresses, an Android Trojan that’s been downloaded 3.2 million times, a vulnerability in Domino’s pizza ordering app, and the big story of the moment: the data breach at Mossack Fonseca.

Want the audio only version? Click here.

Hello and welcome to the IT Governance podcast for Friday, 8th April. Here are this week’s stories…

The apparent increase in ransomware attacks continues. The BBC reports that thousands of people have received phishing emails that purportedly come from a debt collection agency working on behalf of legitimate UK firms – including waxed cotton manufacturer British Millerain Co Ltd and Manchester shelving firm Greenoaks. The emails state that money is owed, and include the recipients’ home addresses to further lend legitimacy to their claim. Clicking on the enclosed link, however, installs Cryptolocker – a form of malware that encrypts users’ computer files until a fee is paid for a decryption key.

Among the scam emails’ recipients were a reporter and producer for the Radio 4 consumer programme You and Yours. UCL computer science research fellow Dr Steven Murdoch told the programme: “Most likely it was a retailer or other internet site that had been hacked into and the database stolen, it then could have been sold or passed through several different people and then eventually it got to the person who sent out these emails.” If you receive such an email, delete it – and don’t click on the link.

Russian security firm Dr Web – which you’ll remember was firebombed last year by cyber criminals who took exception to their ATM malware being blocked – has reported that an advertising spyware trojan (Android.Spy.277.origin) infecting more than 100 fake apps in the Google Play Store, has been downloaded more than 3.2 million times. The infected apps include “utilities, photo editing and animated wallpaper apps, graphical shells, and other programs”, most of which don’t do what they claim to, instead gathering user information – including email addresses, phone numbers and IMEI identifiers – which is transmitted to a remote server. Google has begun removing the malicious apps.

More app security news, this time from consultant Paul Price: apparently, a flaw in Domino’s pizza ordering app meant that hungry hackers could have enjoyed free food simply by altering the status of a payment in the payment gateway, DashCash. The app was processing payments client-side with no checks in place, rather than server-side, which meant that peckish punters could have entered fake card details, intercepted the response from DashCash, and changed the value from DECLINED to ACCEPTED. They’d then just have to wait for their pizza to be delivered. Domino’s has now resolved the issue.

Finally, Panamanian law firm Mossack Fonseca has said that the data breach that released the 11.5 million documents known as the ‘Panama Papers’ was the result of a hack and that the perpetrators are in Europe. Ramon Fonseca told The Associated Press, “I can’t say more because the case is already under investigation”. We’ll be following this story on our blog and will let you know when more details emerge – as they undoubtedly will.

Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.