Cybersecurity news headlines (September 1-15)

Keeping up with cybersecurity news can be a challenge. To help you stay informed about what’s going on, twice a month, we will compile the biggest cybersecurity news stories into one report. Here you will find information about data breaches, widespread attacks, malware, and everything else related to cybersecurity.The first two weeks of September have been pretty calm, and we haven’t seen any major cybersecurity incidents. However, we do have a couple of headlines to report. Google allegedly made a secret deal with MasterCard and paid millions of dollars for a stockpile of MasterCard transactions. A top app has been removed from Mac App Store after it was found to collect browsing history, which was later sent to a server in China. Some of Trend Micro apps were removed from the App Store after they too were reported to collect browser history.

Secret deal between Google and MasterCard

Media company Bloomberg has reported that a secret deal between Google and MasterCard allows select Google advertisers to get insight on user purchases. Reportedly, the advertisers have access to a new tool that allows them to track whether ads they ran online led to purchases in physical stores in the US. For example, if you clicked on an ad for something and later bought the item in a physical store with MasterCard, the advertiser whose ad you clicked on would be given a report listing the transaction.

In the secret deal, of which the majority of MasterCard holders were not aware of, Google allegedly paid millions of dollars for a stockpile of MasterCard transactions. Bloomberg reports that four unidentified people with insight on the deal have said that the agreement had been reached after a four-year negotiation, which resulted in all US MasterCard transactions being encrypted and sent to Google. The new tool, Store Sales Measurement, is being tested by select advertisers at the current moment.

Both MasterCard and Google have denied the reports, with MasterCard claiming to not provide any personal information to third-parties, and Google saying they do not have access to any personal information from its partners’ credit and debit cards.

Google has also reminded users that it is possible to opt out of ad tracking via “Web and App Activity”.

Customer data theft in British Airways

Airline British Airways have reported a theft of customer data from its website and mobile app. According to the airline, the personal and financial information of customers who made bookings from August 21 to September 5 via their website or mobile app had been stolen. 380,000 payment cards are believed to have been stolen. However, the airline did reassure that no travel or passport details were among the stolen data.

Affected customers are being informed about the data theft, and anyone who believes their information may have been compromised are encouraged to contact their banks and card providers.

If you believe you may have been affected because you made a booking or paid to change to your booking with a credit or debit card on ba.com or the mobile app between 22:58 BST August 21 2018 until 21:45 BST September 5 2018, we recommend you contact your bank or credit card provider and follow their advice,” British Airways said in a statement.

All affected customers are being contacted, and authorities have been informed. The airline company will also be offering a 12-month credit card monitoring service to any affected customers. Normal operations have been restored as well.

Trend Micro apps removed from Apple’s App Store for collecting browser history

Multiple apps by IT security company Trend Micro have been removed from Mac App Store after reports indicated that the apps were collecting browser history. The apps in question are well-known and high ranked on the App Store, with thousands of positive reviews. They include Dr Antivirus, Dr Cleaner and Dr Unarchiver.

Trend Micro acknowledged some parts of the issue and have apologized for uploading copies of users’ browser history. However, the company said that their apps only collected and uploaded small snapshots of browser history on a one-time basis, covering only 24 hours prior to installation. According to the company, the reason for the collection of history is security-related, to investigate whether the user has recently encountered adware or similar threats. However, this has not convinced security specialists.

While technically, the apps did state that history would be collected in their EULA, it was still a bad move on the company’s part since everyone is well aware that users do not read it. Especially since the products were ranked high on the App Store and were developed by a well-known, thus trusted company.

Trend Micro assures users that the feature that collects browser history has now been removed from the apps in question. The apps remain unavailable on the App Store at the time of writing. It is also currently unknown whether the apps were pulled by Apple or Trend Micro themselves.

It is likely that a simple apology is not going to be enough for disappointed users, and the company will have to work harder to get the trust back.

Top Mac anti-adware app stole browsing history

One of the most highly-rated apps on Apple App Store has been removed after reports came in that it was collecting user data and sending it to a server in China without explicit consent from users. The app in question, Adware Doctor, is designed to prevent malware and malicious files from infecting Mac computers and may have been purchased for $4.99.

Security researcher Patrick Wardle explained that the app creates a password protected archive history.zip, which contains browser history from Google Chrome, Mozilla Firefox and Safari. The file is sent to a server that seems to be based in China.

At no point does Adware Doctor ask to exfiltrate your browser history. And its access to this very private data is clearly based on deceiving the user,” Wardle explains.

He notes that the app disregards the App Store’s rules and policies on data collection, as guidelines clearly state that apps must obtain user consent before they can collect user or usage data. The guidelines further state that apps must not attempt to deceive or force users to give consent for unnecessary data access. Since Adware Doctor did not ask for user permission at any point, it is in violation of App Store rules and Guidelines. Apps found to be violating store rules can be removed from the store, but it has been noted that the app was reported over a month ago and has only been removed recently.

Many users believe that downloading apps from the App Store is much safer than the alternatives, but this incident has renewed doubts about whether companies can actually keep their app stores malware-free. Both Apple and Google reassure users that they carefully check apps before they are allowed on App Store and Google Play respectively, but numerous malicious apps still slip past the checks.

If there is one thing users can learn from this is that even the most reputable apps can turn out to be harmful.

MEGA.nz Chrome extension hijacked to steal passwords and cryptocurrency private keys

The official Chrome extension for the MEGA.nz file sharing service was revealed to had been compromised with malicious code that could have stolen usernames, passwords and private keys for cryptocurrency accounts.

The malicious code was found in version 3.39.4 of the Chrome MEGA.nz extension, which was released on September 4^th as a supposed update. It soon became apparent that the malicious code was aiming to collect sensitive information when users visit sites such as Google, Amazon, GitHub, Microsoft, MyMonero and others. It would collect usernames, passwords, and even private keys if the user visited a cryptocurrency website. According to reports, the malicious extension would then send the collected information to a server hosted in Ukraine.

A MEGA.nz later revealed that the malicious v3.39.4 version was uploaded onto Chrome Web Store on September 4, 2018, at 14.30 UTC. Four hours later, a clean version was uploaded onto the Chrome Web Store, but was removed by Google an hour later.

about the incident, MEGA.nz reassure users that only those who had the extension installed at the time of the incident and had accepted the additional permission were affected. Those who freshly installed the malicious version were also affected.

Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company goes on to say.

Those who accessed https://mega.nz without using the extension have not been affected.