13 December 2019

IRM Weekly Cybersecurity Roundup: UK charities warned of a spike in fraud



UK charities warned of a spike in cyber fraud

The UK government has issued a warning to UK charities after a spike in cyber fraud reports.

Scammers have been using phishing emails to request changes in employee bank details. This process allows them to then impersonate the employee and access the account as required. The Charity Commission urges all UK charities to be on the lookout for emails received by their finance department, HR or staff members with access to employee bank details.

The Charity Commission also advises charities to think twice about how they handle sensitive information. Those targeted by mandate fraud are being advised to report the incident to Action Fraud. You can read more here.


1&1 hit with GDPR fine of €9.6 million

Internet service provider and hosting company, 1&1, has been fined almost €10 million by Germany’s GDPR watchdog.

The fine is one of the largest fines under the European GDPR legislation. It comes after the company was found not to have taken sufficient measures in its call centres to prevent unauthorised parties from accessing customer data.


It was found that anyone could obtain personal information of 1&1 customers by simply providing a name and date of birth to the customer care department.

This violates GDPR legislation by failing to take appropriate technical and organisational measures to protect the handling of personal data.

The German data protection agency determined that, although the number of affected customers was small, a fine was necessary because 1&1’s entire customer base was at risk. You can read more here.


Biometric data ring launched to counter data theft

Kaspersky has teamed up with Swedish designer Benjamin Waye to release a biometric data ring in order to counter data theft risk.

Password-harvesting rose in 2019 and fingerprints are now commonly used, as they cannot be forged as easily as a signature, or stolen as easily as passwords.

Biometric details, including fingerprints, can still sometimes be stolen. For example, earlier this year when Biostar had a data breach, more than one million fingerprints and other sensitive data were exposed online.

The biometric ring is the first prototype which uses a proxy fingerprint for devices such as mobile phones and car keys.

It is still at a concept stage, says Vladimir Dashchenko, Head of ICS CERT Vulnerability Research team at Kaspersky.

“This artificial fingerprint can be used in cases when you are not made to provide your real fingerprint. So you can use it to enter the office building for example. In case your data is compromised, you can be sure that your real digital identity is safe.” You can read more here.


Google Chrome and Windows flaw used in attack on Korean Website

Zero-day vulnerabilities in Google Chrome and Microsoft Windows were used to download and install malware onto Windows computers that visited a Korean news portal.

The zero-day vulnerability – dubbed Operation WizardOpium – was discovered by a cybersecurity consultancy last month after being actively used in online attacks.


Attackers injected a JavaScript tag into the Korean-language news site to execute malicious scripts in visitors' browsers.

These loaded scripts would exploit a zero-day in Google Chrome that allowed attackers to download and install malware on compromised Windows systems. The malware would then download further payloads onto the affected machine from the attacker’s command and control server.

After the vulnerability was disclosed to Google, it was assigned CVE-2019-13720 and fixed in the new Chrome update. The vulnerability was also reported to Microsoft and patched on Wednesday. You can read more here.


Quick-fire Updates:

Over one billion email and text passwords leaked online: 2.7 billion email addresses and over one billion text passwords have been leaked online by an unnamed party. You can read more here.

Compromise on Linux, Android and macOS exposed: A flaw that affects most Unix-based operating systems may allow attackers to bypass VPN security. You can read more here.

Amazon Blink cameras reported to house several vulnerabilities: Amazon's "Blink" cameras have been found to house three vulnerabilities, one of which is said to be a concern to consumers. You can read more here.

