AT&T Takes Heat for iPad Who’s-Who List Leak

The email addresses and device IDs of more than 100,000 owners of 3G-enabled iPads have been exposed in a security breach, according to wireless provider AT&T.

Victims apparently include at least one member of U.S. President Barack Obama’s cabinet, heads of large corporations and other prominent people.

AT&T has since shut down the feature thought to be responsible for the leak.

Cracking the iPad Owner’s Data

The breach was apparently discovered by a group of security advisers that calls itself “Goatse Security.”

Goatse obtained iPad owners’ emails through a script on AT&T’s website that was accessible over the Internet. An iPad owner would provide an ICC-ID — an identification number for the device — in an HTTP request to the site. The site would then return the email address associated with that ICC-ID number.

That gave the hackers the email addresses of iPad owners whose ICC-IDs they had identified.

An ICC-ID is an integrated circuit card identifier. It identifies a subscriber identity module (SIM) card in a mobile telephony device. Owners of these devices can change their devices by removing the SIM card from their existing device and putting it into another.

The ICC-ID includes an issuer identification number, a major industry identifier, a country code, an issuer identifier, and an individual account identification number.

Testing that information lets one know who owns the device and which country the owner is in.

Goatse’s experts managed to guess a large number of ICC-IDs by looking at known iPad 3G ICC-IDs. Some of these were in pictures of the iPad posted by owners on the Internet. The experts then wrote a PHP script to automate the harvesting of data.
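The pattern described above, one client asking the lookup script about many neighbouring ICC-IDs, is visible in ordinary web access logs. The following detection sketch is an added example, not code from AT&T or from the original article; the `/lookup` path, the `ICCID` parameter name, the threshold and every log line are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed log lines. The /lookup path, the ICCID parameter and all
# values are hypothetical placeholders, not a real endpoint or real IDs.
SAMPLE_LOG = """\
198.51.100.20 "GET /lookup?ICCID=8900000000000000017 HTTP/1.1" 200
198.51.100.20 "GET /lookup?ICCID=8900000000000000017 HTTP/1.1" 200
203.0.113.7 "GET /lookup?ICCID=8900000000000001001 HTTP/1.1" 200
203.0.113.7 "GET /lookup?ICCID=8900000000000001002 HTTP/1.1" 404
203.0.113.7 "GET /lookup?ICCID=8900000000000001003 HTTP/1.1" 200
203.0.113.7 "GET /lookup?ICCID=8900000000000001004 HTTP/1.1" 200
203.0.113.7 "GET /lookup?ICCID=8900000000000001005 HTTP/1.1" 404
198.51.100.44 "GET /lookup?ICCID=8900000000000007312 HTTP/1.1" 200
198.51.100.44 "GET /index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "GET /lookup\?ICCID=(?P<iccid>\d+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})$'
)

def find_enumerators(log_text, max_distinct=3):
    """Return {client: stats} for clients that queried more distinct ICC-IDs
    than a single device owner plausibly would (threshold is an assumption)."""
    seen = defaultdict(set)   # client -> every ICC-ID it asked about
    hits = defaultdict(set)   # client -> ICC-IDs answered with a record (200)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # unrelated request or malformed line
        seen[m["client"]].add(m["iccid"])
        if m["status"] == "200":
            hits[m["client"]].add(m["iccid"])
    report = {}
    for client, ids in seen.items():
        if len(ids) <= max_distinct:
            continue
        ordered = sorted(int(i) for i in ids)
        # Neighbouring values suggest guessing outward from a known ICC-ID.
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        report[client] = {
            "distinct": len(ids),
            "exposed": len(hits[client]),
            "adjacent_pairs": adjacent,
        }
    return report

if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

Detection of this kind only limits the damage; the underlying fix is for the server to return an email address only to a session already authenticated as the owner of that ICC-ID.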

Goatse reportedly shared the script with third parties and notified AT&T of the breach, though AT&T has denied it had been notified by the group. Goatse did not respond to requests for comment by press time.

Reaching for the Sky

Some of the iPad’s earliest adopters include high-profile individuals in positions of power who presumably would want their personal email addresses kept private. Victims of the breach include White House Chief of Staff Rahm Emanuel, as well as staffers in the U.S. Senate and other major government departments, according to a post on the blog Gawker.

Others apparently work for the Defense Advanced Research Projects Agency (DARPA) and other major branches of the United States’ armed services. Other victims include top executives of The New York Times and Dow Jones; high-level staff at Google, Amazon and Microsoft; and staff at financial industry companies like Goldman Sachs and JP Morgan.

There are at least 114,000 victims in the United States alone, Gawker reported.

Could Apple be partly responsible for the breach because it requires iPad owners to provide their email addresses in order to get service?

No, David Harley, director of malware intelligence at ESET, told the E-Commerce Times. “AT&T is hardly a mom-and-pop operation, and it wasn’t unreasonable for Apple to expect professionalism and expertise from the partnership with AT&T.”

Apple did not respond to requests for comment by press time.

AT&T Clamps Down

AT&T has shut off the feature that provided iPad owners’ email addresses in response to HTTP requests.

“We have essentially turned off the feature that provided the email addresses,” AT&T spokesperson Mark Siegel told the E-Commerce Times.

He disputed reports that Goatse had notified AT&T of the breach.

“The person or group who discovered this gap did not contact AT&T,” Siegel said. “AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDs.”

AT&T is still investigating the breach and will inform all customers whose email addresses and ICC-IDs may have been breached.

All Sizzle, No Steak?

The breach is a tempest in a teacup, Carl Howe, director of anywhere research at the Yankee Group, told the E-Commerce Times.

“People can find out your email address. Who knew?” Howe said. “Most people are sending their email addresses to hundreds of people every day and don’t worry about security.”

“Activation and registration that requires an email address is very common in the software industry,” ESET’s Harley pointed out. “Its use in terms of the iPad is entirely consistent with Apple’s security model which is, in many ways, very effective.”

Hackers won’t get much out of the information gleaned from the attack, Howe said.

“You can’t do anything with the iPad serial number, it’s not terribly useful to anyone else other than AT&T,” Howe remarked. “The hackers have the serial numbers of iPads and their owners’ email addresses, and that’s all,” he said.

“It’s a design flaw, certainly, but its impact is mostly in terms of bad public relations,” ESET’s Harley said. “It’s mostly AT&T’s bad luck that it was picked up by a group that saw an easy way to get some publicity. It seems to me that the risk has been somewhat overstated.”

The real impact of the hack will be inconvenience for iPad owners, Howe said.

“AT&T were trying to make it easier to buy services by automatically filling in users’ email addresses when they ordered, say, an iPad app,” Howe explained. “Now you’ll have to type in your email address when you order something for the iPad on AT&T’s website.”


More by Richard Adhikari

Attacks on Cloud Service Providers Down 25% During First 4 Months of 2022

New research from Atlas VPN shows that cloud-native exploits on major cloud service providers (CSPs) declined during the first four months of 2022.

Cloud-native exploits dropped by 25%, from 71 exploits in the first four months of 2021 to 53 exploits in the first four months of this year, Atlas researcher Ruta Cizinauskaite told the E-Commerce Times.

Although those numbers may seem small, they are significant, maintained Paolo Passeri, a cyber intelligence principal at Netskope, a Security Service Edge provider in Santa Clara, Calif., and author of the Hackmageddon blog, from where Atlas obtained the data for its report.

“This is only the so-called tip of the iceberg, that is, campaigns that have been unearthed and disclosed by security researchers,” he told the E-Commerce Times.

One of the most targeted CSPs during the period was Amazon Web Services (AWS), Cizinauskaite wrote in the report released June 8. “[AWS] suffered the most cloud-native exploits among cloud service providers as of April 2022,” she reported. “In total, it experienced 10 cloud-native exploits accounting for nearly a fifth (18.9%) of all such events in the first four months of this year.”

She explained that cloud-native threats refer to cyber events that exploit the cloud in one or more stages of the “kill chain,” a cybersecurity model that identifies the typical steps taken by hackers during a cyberattack.

Tool for Mischief

For hackers, Amazon — which, with a third of the CSP market, is top dog — is a robust battleground where an attacker can never run out of targets, Alon Gal, co-founder and CTO of Hudson Rock, a threat intelligence company in Tel Aviv, Israel, told the E-Commerce Times.

AWS is also a flexible tool that can be used for multiple purposes, Passeri added. For example, AWS can be used to host a malicious payload delivered during an attack, as a command-and-control center for malware or to provide the infrastructure to exfiltrate data, he explained.

“As trust in cloud service providers has increased, so has the attraction for cybercriminals that target selected external services with sophisticated yet expected techniques,” Gal observed.

“Once a playbook for a technique is developed,” he continued, “it usually results in a quick win for them across multiple companies.”

Tempting Targets

David Vincent, vice president of product strategies at Appsian Security, an ERP security application provider in Dallas, explained that more and more organizations are moving their critical business systems into the cloud for obvious advantages.

“As long as these business systems contain valuable targets such as data and personally identifiable information or enable financial transactions, like payments, that criminals want access to, these cloud solutions will continue to be targeted by malicious actors,” he told the E-Commerce Times.

With 60% of corporate data stored in the cloud, CSPs have become a target for hackers, Passeri added.

“Besides,” he continued, “a compromised cloud account can provide the attackers multiple tools to make their attacks more evasive.” For example, they can provide a platform to host malicious content, such as AWS, OneDrive or Google Drive. They can also provide an embedded email service, such as Exchange or Gmail, to deliver malicious content that evades web security gateways.

Fishers of Bytes

The report noted that trailing behind AWS in the targeted department were five services each with five exploits: Microsoft OneDrive, Discord, Dropbox, Google Drive, and GitHub.

Other services had a thinner slice of the exploit pie: Pastebin (5.7%); Microsoft 365 and Azure (3.8%); and Adobe Creative Cloud, Blogger, Google Docs, Google Firebase, Google Forms, MediaFire, and Microsoft Teams (1.9%).

A majority of the exploits (64.8%), the report found, were aimed at delivering a malware strain or a phishing page.

Other exploits used the CSPs to set up a command and control infrastructure for malignant activities elsewhere (18.5%) and for stealing data or launching other attacks (16.7%).

“Successful hackers are like fishermen, they have different lures in the tackle box to attack a victim’s weakness, and they often must change the lure or use multiple lures because the victims become informed and won’t bite,” Vincent explained.

Exploiting CSP Infrastructure

Passeri explained that malware delivered to CSPs is not designed to compromise their systems but to use their infrastructure since it is considered trusted by the victims and organizations that use it.

In addition, he continued, the CSPs offer a flexible platform that is resilient and simplifies hosting. For example, there is no need to allocate an IP space and register a domain.

Advantages to hackers using a CSP’s infrastructure cited by Passeri include:

  • It is considered trusted by the victim because they see a legitimate domain and in the case of a phishing page, a webpage hosted on a cloud service with a legitimate certificate.
  • In some cases it is considered trusted by organizations because too many of them consider the CSP infrastructure trusted, so they end up whitelisting the corresponding traffic, meaning that the security controls normally enforced on the traditional web traffic are not applied.
  • It is resilient because if the malicious content is taken down, the attackers can spin up a new instance instantaneously.
  • Traditional web security technologies are blind to the context, that is, they do not recognize if, for example, a connection to AWS is heading to a legitimate corporate instance, or to a rogue instance controlled by the attackers.
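The last two points can be made concrete for one service. This added example (not from the Atlas VPN report or the article) contrasts a domain-level allow-list with an instance-aware check that trusts only an organization's own S3 buckets; the bucket names and URLs are constructed, and the two URL layouts handled are S3's virtual-hosted and path styles.

```python
import re
from urllib.parse import urlsplit

# Assumption: bucket names owned by the organization (hypothetical values).
CORPORATE_BUCKETS = {"acme-corp-assets", "acme-corp-backups"}

# Virtual-hosted style: <bucket>.s3.amazonaws.com or
# <bucket>.s3.<region>.amazonaws.com
VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3\.(?:[a-z0-9-]+\.)?amazonaws\.com$"
)
# Path style: s3.amazonaws.com/<bucket>/... or
# s3.<region>.amazonaws.com/<bucket>/...
PATH_HOST_RE = re.compile(r"^s3\.(?:[a-z0-9-]+\.)?amazonaws\.com$")

def s3_bucket(url):
    """Return the S3 bucket a URL addresses, or None if it is not an S3 URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = VHOST_RE.match(host)
    if m:
        return m["bucket"]
    if PATH_HOST_RE.match(host):
        first = parts.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None

def domain_policy(url):
    """Weak policy: skip inspection for anything under the provider's domain."""
    host = (urlsplit(url).hostname or "").lower()
    return "bypass" if host.endswith(".amazonaws.com") else "inspect"

def instance_policy(url):
    """Instance-aware policy: only the organization's own buckets are trusted;
    every other destination, S3 or not, gets the normal web controls."""
    return "bypass" if s3_bucket(url) in CORPORATE_BUCKETS else "inspect"

# Constructed URLs for illustration.
SAMPLES = [
    "https://acme-corp-assets.s3.us-east-1.amazonaws.com/logo.png",
    "https://s3.eu-west-1.amazonaws.com/acme-corp-backups/db.tar",
    "https://unknown-tenant-bucket.s3.amazonaws.com/index.html",
    "https://s3.us-west-2.amazonaws.com/other-tenant-bucket/page.html",
    "https://example.org/page",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{domain_policy(u):8} {instance_policy(u):8} {u}")
```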

Info-Stealers

One form of malware distributed through CSPs is information-stealing software. “Info-stealers are a quick win for hackers, as they are able to capture all the sensitive data from a compromised computer in a matter of seconds while leaving almost no traces behind,” Gal said.

“They can then use data like corporate credentials and cookies that were captured by the stealer to cause significant data breaches and ransomware attacks,” he added.

While hackers are willing to use CSP infrastructure for nefarious ends, they’re less inclined to attack that infrastructure itself. “Most exploits from CSPs are a result of misconfigured public internet-facing resources, like AWS S3 buckets,” explained Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel.

“Malicious actors target these misconfigurations rather than looking for a vulnerability in the CSP’s infrastructure,” he told the E-Commerce Times. “CSPs often maintain a more secure infrastructure than their customers can manage alone.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


Looking for Love Online? Advice To Protect Your Wallet

Cybersecurity awareness is not just a necessity for businesses and internet-facing organizations. Consumers, especially lonely hearts experiencing life’s so-called golden years, are prime targets for romance scams and fraud assaults.

Research shows that romance scams are at an all-time high. Even younger folks who share too much about their affairs of the heart on dating sites and social media could become ripe targets for love scams and fraud.

The FBI defines romance scams as situations in which a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim. Romance scammers are experts at seeming to be genuine, caring, and believable.

These con artists lurk on most dating and social media sites. They are eager to take advantage of the lonely who now fill cyberspace, warns AARP. Seeking romantic bliss online can have a major financial downside, noted a recent AARP advisory for consumers over the age of 50.

Three in 10 U.S. adults have used a dating website or app, notes a Pew Research Center report called Project Might. That includes one in five Americans ages 50 to 64. Clearly, some people looking for romance online put themselves in easy reach of cyber-romance thieves.

Targeting Seniors

Social media is a prime hunting ground for romance fraudsters. Phony suitors in growing numbers reach out to potential victims they spot on Facebook or Instagram, according to the Federal Trade Commission. Complaints about romance scams the FTC fielded jumped from 11,235 cases in 2016 to 52,593 in 2020.

Reported losses topped $300 million, a nearly fourfold increase over the same period. It seems the older the romance target, the heavier the financial toll, according to the FTC. The median individual loss from a romance scam for people 70 and over was $9,475 compared to $2,500 across all age groups.

Another danger with romance scams is that they can lead the victim into potentially criminal actions as well. International criminal gangs use dating sites to recruit unwitting “money mules” to launder ill-gotten funds through their bank accounts or other means.

For example, the FBI in September 2021 reported a rising trend of romance fraudsters enticing their sweetheart targets to make fraudulent cryptocurrency investments.

Romance scams cost Americans almost $350 million last year, according to Edvardas Garbenis, cybersecurity researcher and publisher at Atlas VPN. The drastic social changes imposed since the pandemic may be a major cause.

“Telling people to avoid online dating in times of isolation is not going to work. However, all of us can do our best to educate ourselves and others about the dangers that lurk online,” he told TechNewsWorld.

Covid Made Me Do It

Last year was one of the loneliest years for many people. For those who have been monitoring their emotional health, it might be obvious why there is a rise in romantic scams, Garbenis said.

“People did not get used to being alone during 2020. On the contrary, people report that 2021 was even worse than 2020 in terms of their well-being,” he observed.

A recent government telephone survey of 11,000 Medicare members disclosed that 40 percent reported feeling less socially connected to family and friends than they did in November 2020. Those results lay the foundation for the alarming uptick in romance scams. Impersonators found the pandemic to be a treat, according to Garbenis.

“They have a legitimate excuse as to why they cannot meet up in person, at least for now. This allowed fraudsters to carry out romance scams on a larger scale than ever before,” he said.

Fighting Back

Garbenis is driven by a mission to scan the ever-evolving cybercrime landscape to inform the public, including his VPN subscribers, about the latest online threats.

That led him to post a blog on the AtlasVPN website in late January to alert customers. AtlasVPN extracted data from an FTC report. That information is quite hidden if one does not know where the FTC stores it, he explained.

AtlasVPN analyzed the FTC data and posted its own summary of the worsening threat to those seeking love online. That post focused on findings that heartbroken and lonely victims lost upwards of $343 million in the first three quarters of 2021, noted Garbenis. So far, no data for Q4 of last year is available.

TechNewsWorld reviewed several alerts and reports by the FBI, Pew Research Center, and AARP providing similar statistics and warnings. None of these sources had financial-loss figures more current than the third quarter of 2021.

“Based on the information that we do have, it is safe to assume that romance scams caused somewhere around $500 million in damages throughout the entire year,” Garbenis said.

In 2020, impersonators swindled $268 million from victims of all age groups. In Q1-Q3 2021, monetary damages exceeded $342 million, representing a 27.7 percent growth, he reiterated.

Factoring Figures

In the FTC’s chart below, “Losses to romance scams by age,” it is clear that in six out of seven age groups, the money lost to romance scams surpasses that of 2020. That holds even though only the first three quarters of 2021 are being compared to all of 2020, observed Garbenis.

Chart: Losses to romance scams by age from 2020 to Q3 2021

Perhaps the most surprising finding is that people aged 60 to 69 lost significantly more money than all other groups in 2020 and 2021. This was the case in 2019, as well, he noted.

Romance scam losses among individuals aged 60 and over climbed from roughly $84 million in 2019 to around $139 million in 2020. The 60-to-69 and 70-to-79 age groups were hit the heaviest, accounting for $129 million of the total reported losses in 2020.

Cumulative losses of $129 million in 2020 and $145 million in Q1-Q3 2021 also mean that romance scams were the most financially damaging fraud category for seniors, he offered from the research data.

Younger Americans are not immune to romantic impersonators, either. People aged 20 to 59 lost $130 million in 2020 and $187 million in Q1-Q3 2021. That growth was 44 percent even without the data on losses in Q4.

In short, all age groups are struggling with impersonator scams on dating sites or other social media platforms.

How a VPN Can Help

Building relationships online is a convenient way to stay connected. Perhaps the best takeaway from the data is to keep your heart open but your wallet closed at least until you meet your newfound flame in person.

VPNs, or virtual private networks, can offer an added measure of help in avoiding scams, Garbenis suggested. There are a few good reasons for the added cyber safety of connecting to dating sites through a VPN, he said.

“First, it changes your IP address. This allows people to access dating sites that might not be available in their country,” he told TechNewsWorld.

For example, many Arab countries have strict internet restrictions that block any sites that go against Islamic values. So if a dating website is deemed to go against them, UAE citizens, for example, are out of luck.

“That is why the UAE has the largest VPN adoption rate globally. Other Arab countries are also at the top of the list,” he said.

Moreover, using a VPN is very important when accessing dating sites on public Wi-Fi. That is by far the easiest way for hackers to steal your login information, Garbenis added.

“Public Wi-Fi’s have terrible security in this regard, and a VPN connection completely solves the problem. Having your dating profile stolen could have embarrassing consequences if one is not careful, among other things,” he said.

Tips for Avoiding Romance Scams

The FBI offers advice to avoid being duped by swindlers who use the illusion of affection and trust to manipulate or steal from their victims. Remember:

  • Scammers use details you share on social media and dating sites to better understand and target you;
  • Go slowly and ask lots of questions;
  • Use online searches to see if the person’s photo and profile have been used elsewhere;
  • Beware if the individual quickly asks you to leave a dating service or social media site to communicate directly;
  • Beware of attempts to isolate you from friends and family or requests to send inappropriate photos or financial information that could later be used to extort you;
  • Be suspicious of promises to meet in person that are always canceled with various excuses;
  • Never send money to anyone you have only communicated with online or by phone.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
