Showing posts with label Financial Data.

Countering Financial Data Leak in the Era of Digital Payments


Over the past five years, there has been a huge surge in the usage of financial services technologies and with that, the risk of a financial data breach has also increased. Multiple financial services technologies use screen scraping to access the private banking data of consumers.

Screen scraping is a technique by which a customer provides their banking app login credentials to a third-party provider (TPP). The TPP then sends a software robot to the bank's app or website to log in on behalf of the user and access data.

“The way consumers traditionally connect to their bank accounts is facilitated through screen scraping, where providers require internet banking login information,” explained Joe Pettersson, Chief Technology Officer at Banked. 

One safer alternative to screen scraping is APIs, which let two systems work together. Here are three benefits of using APIs:

Easier for developers 

APIs come with built-in documentation, which gives developers a common language for coding between two systems. They don't have to learn the details of a full fraud prevention engine's code; they only need to read the documentation to understand exactly how to access particular functions, and how quickly. Once again, this saves time and effort for the whole IT team and helps make the fraud system more cost-effective.

Good for Scaling

Regardless of how efficient a person is, there's simply no way to review all the user data manually. This is where APIs play an important role by offering fast queries and responses for hundreds of thousands of user logins, transactions, or signups.

Automates everything 

Because APIs are linked to web apps, there’s no need to regularly tweak them or wait for IT updates. All the fixes and improvements are made from the server side, so individuals can focus on their business instead. It’s not only cheaper in terms of IT resources, but also much more efficient and faster.

Conclusion 

To mitigate fraud risk, propagating knowledge and awareness of new payment technologies, channels, and products, and the risks involved — to both customers and employees — is a crucial part of a fraud prevention strategy. Embedding the fraud management process into overall customer engagement and experience should be the first step forward.

10K Victims Infected via Google Play 2FA App Loaded with Banking Trojan


The Vultur trojan obtains bank credentials but then requests authorization to inflict even more damage later. 

A fraudulent two-factor authentication (2FA) app has been removed from Google Play after being available for more than two weeks — but not before it was downloaded more than 10,000 times. The Vultur stealer malware, which targets and swoops down on financial information, is bundled into the app, which otherwise functions fully as a 2FA authenticator.

Researchers at Pradeo warn users who have the malicious app, simply named "2FA Authenticator," to delete it straight away since they are still at risk — both from banking-login theft and from other attacks made possible by the app's broad over-permissions.

Using open-source Aegis authentication code combined with malicious add-ons, the threat actors constructed a working and convincing app to mask the malware dropper. According to the Pradeo analysis, this enabled it to proliferate unnoticed via Google Play.

“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added. 

The Vultur banking trojan is installed once the software is downloaded, and it harvests financial and banking data from the affected smartphone, among other things. The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to employ keylogging and screen recording as its main approach for stealing banking data, allowing the organisation to systematize and expand the process of stealing credentials. 

“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time. 

According to the Pradeo team, the fake 2FA authenticator also requests device rights that aren't shown in its Google Play profile. The attackers can use those hidden, elevated privileges to do things like access user location data so attacks can be aimed at specific regions, disable device lock and password security, download third-party apps, and take control of the device even if the app is shut down, according to the report.

Once the device is fully hacked, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said. 

Pradeo discovered another sneaky tactic used by the malicious 2FA app: it acquires the SYSTEM_ALERT_WINDOW permission, which allows the application to draw over and modify the interfaces of other mobile apps.

"Very few apps should use this permission; these windows are intended for system-level interaction with the OS," Google stated. 

Despite the fact that the researchers reported their disclosure to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained accessible for 15 days, according to the Pradeo team.
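A defender-side illustration of the point Pradeo and Google make above: an authenticator app has no business holding SYSTEM_ALERT_WINDOW, location, install or device-admin rights, so the declared permissions of such an app can be audited mechanically. The script below is an added example by the editor, not Pradeo's tooling; the manifest it parses is constructed, and the allow-list of "expected" permissions for an Aegis-style offline TOTP app and the permission-to-capability mapping are the editor's assumptions.

```python
"""Audit an Android manifest for permissions a 2FA authenticator does not need.

Added example (editor's own). The manifest below is constructed for illustration.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions an offline TOTP authenticator plausibly needs (assumption for this example).
EXPECTED = {
    "android.permission.CAMERA",         # scanning enrolment QR codes
    "android.permission.USE_BIOMETRIC",  # unlocking the local vault
    "android.permission.VIBRATE",
}

# Permissions that map onto the capabilities described in the write-up above.
# The permission-to-consequence mapping is the editor's, not Pradeo's.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (tamper with their UI)",
    "android.permission.ACCESS_FINE_LOCATION": "learn the victim's location (regional targeting)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further third-party apps",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin control, e.g. change lock/password policy",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read the screen and inject input",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart without the user opening the app",
}

# Constructed manifest of a hypothetical "authenticator" that over-requests permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="2FA Authenticator">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".ScreenReader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus android:permission on components.

    BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE are declared on the
    receiver/service element, not via <uses-permission>, so both are checked.
    """
    root = ET.fromstring(manifest_xml)
    perms: set[str] = set()
    for elem in root.iter():
        if elem.tag == "uses-permission" and elem.get(NAME_ATTR):
            perms.add(elem.get(NAME_ATTR))
        elif elem.tag in ("receiver", "service", "activity") and elem.get(PERM_ATTR):
            perms.add(elem.get(PERM_ATTR))
    return perms


def audit(manifest_xml: str) -> dict:
    """Return permissions outside the allow-list and the subset that is high risk."""
    perms = declared_permissions(manifest_xml)
    unexpected = sorted(perms - EXPECTED)
    high_risk = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}
    return {"unexpected": unexpected, "high_risk": high_risk}


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST)
    for perm, why in result["high_risk"].items():
        print(f"HIGH RISK {perm}: {why}")
```

In practice the manifest comes from the APK (for example via apktool or aapt); the allow-list should be derived from what the app's stated purpose actually requires, which is the comparison Pradeo's report describes.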

The GootLoader Hackers are After Law Firms and Accounting Firms


GootLoader is a piece of initial access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. The GootLoader hacking organization has been primarily targeting personnel at law and accounting firms in recent weeks, with the most recent attack occurring on January 6. So far, eSentire claims to have intercepted three such assaults. Potential victims are directed to hacked genuine websites that include hundreds of pages of business-related content, including free document samples for download, but they are instead infected with GootLoader. 

GootLoader is distributed through drive-by downloads driven by SEO poisoning, specifically via Google. In these recent attacks, the hackers lure business professionals to legitimate but compromised websites that they have packed with hundreds of pages of content, including many links to business agreements such as legal and financial agreements.

The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Tragically, it is just too simple. The GootLoader gang has identified hundreds of legitimate websites that use WordPress as their content management system. WordPress, like many other content management systems, has numerous vulnerabilities, which hackers can exploit to load websites with as many harmful pages as they like without the knowledge of the website owner. These websites, according to the TRU team, span a wide spectrum of industries, including hotels, high-end retail, education, healthcare, music, and visual arts.

"Because of the abundance of content that threat actors have pushed onto the web, when a professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead.

The cybersecurity services provider said the attacks targeted three law firms and an accounting firm, that it intercepted and shut them down, and that the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content intended for download.

Cyber Attacks Are A Threat To The Energy Sector


According to a senior industry source, concern over cyber-attacks on power plants and electricity grids is "off the scale" in the UK energy sector. It just takes one component to fail for the entire chain to be disrupted, resulting in a cascade effect that affects our daily life. 

As winter approaches, the supply chain that serves the UK's crucial demand for gas and power is experiencing a broad energy crisis. Amid the global gas crisis, the UK's electricity system has already seen numerous ageing nuclear power facilities take unplanned maintenance outages, while persistent energy shortages are expected to force further industry shutdowns.

"The United Kingdom stands out in terms of cyber threats. Our energy system's cyber threats are over the charts," Steve Holliday stated. The UK parliament is reeling from a "sustained and aggressive" cyber-attack that has rendered MPs' email inaccessible.

So, why is the energy sector a target for cyber-attacks and why is it vulnerable? 

Any effect on the energy sector can have far-reaching consequences for entire towns and even countries. An attack on a power plant or a pipeline can result in widespread blackouts, disrupting transportation, heating, and other important economic functions. According to Mohammed AlMohtadi, the chief information security officer at Abu Dhabi's Injazat, the risk in the energy business derives from the usage of old industrial control systems that haven't been modernized in years and aren't properly linked across systems. 

So, how can big energy and utility businesses fall victim to cyber-attacks? 

Typically, ransomware attacks are used to steal commercial secrets, confidential data, and intellectual property. "The energy sector is classified as vital infrastructure. The nation's financial and physical infrastructure might be crippled if it is infiltrated," warned Avinash Advani, founder and CEO of CyberKnight, a Dubai-based cybersecurity firm. Potential targets include oil and gas infrastructure, nuclear power plants, electricity grids, water corporations, and utility companies that provide power, water, and sewage treatment to the population.

The Covid-19 pandemic has revealed the dark side of the energy sector: as more people work from home to stop the spread of the coronavirus, they unknowingly expose their company to cyber-attacks. Given the devastating consequences of such attacks, the energy business should not underestimate the groups that target its facilities. It should focus on reinforcing its cybersecurity technology to ensure that its firewalls are secure and that any outdated, archaic computer systems and software still in use are adequately protected.

Anubis Trojan Targeted 400 Banks’ Customers


A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware, a version of the Anubis banking trojan, collects the user's personal data and uses it to mislead them. And it's not just big-bank customers that are at risk, according to the researchers: crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 


The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk’,” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by fr.orange.serviceapp, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

Watch out for Christmas 2021 Credential Stuffing Attacks!


As per Arkose Labs' research, there were over two billion credential stuffing attacks (2,831,028,247) in the last 12 months, with the number increasing exponentially between October 2020 to September 2021. 

This form of online fraud has increased by 98 percent over the previous year, and it is projected to spike during the Christmas shopping season. Credential stuffing attacks accounted for 5% of all web traffic in the first half of 2021.

Credential stuffing is among the latest cyber-attack techniques used by online criminals to obtain unauthorized access to users' financial and personal accounts: previously leaked username/password pairs are replayed against other sites' login forms. Cybercriminals take control of real user accounts and monetize them in a variety of ways, including draining money from compromised accounts, collecting and reselling personal information, selling databases of known-valid username and password combinations, and exploiting compromised accounts to launder money obtained from other illegal sources. People who reuse the same username/password combination across multiple sites are the most frequent targets.
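The traffic shape described above (one source trying many different accounts, one or two attempts each, with the occasional success) is what distinguishes credential stuffing from a classic brute-force attack on a single account, and it is what a login service can detect from its own authentication log. The script below is an added example by the editor, not Arkose Labs' product; the log format, the three source addresses and the thresholds are constructed for illustration, and it also classifies the single-account brute-force pattern so the two can be told apart.

```python
"""Classify login sources as credential stuffing, brute force or normal.

Added example (editor's own). The log lines and thresholds are constructed.
"""
from __future__ import annotations
import re
from collections import defaultdict

# Constructed auth-log sample (not real traffic): 203.0.113.7 sprays eleven distinct
# accounts with one try each, 198.51.100.9 hammers one account, 192.0.2.5 is a user
# who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [f"2021-12-01T10:00:{i:02d}Z login fail user=user{i:02d}@example.com ip=203.0.113.7"
     for i in range(10)]
    + ["2021-12-01T10:00:10Z login ok user=user10@example.com ip=203.0.113.7"]
    + [f"2021-12-01T10:01:{i:02d}Z login fail user=alice@example.com ip=198.51.100.9"
       for i in range(8)]
    + ["2021-12-01T10:02:00Z login fail user=bob@example.com ip=192.0.2.5",
       "2021-12-01T10:02:05Z login ok user=bob@example.com ip=192.0.2.5"]
)

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

FAIL_THRESHOLD = 5            # failures from one source before it is worth a verdict
DISTINCT_USER_THRESHOLD = 5   # stuffing spreads failures across many accounts ...
MAX_FAILS_PER_USER = 2.0      # ... with only one or two tries per account (one leaked pair each)


def parse(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def classify(fails: int, distinct_users: int) -> str:
    if fails < FAIL_THRESHOLD:
        return "normal"
    if distinct_users >= DISTINCT_USER_THRESHOLD and fails / distinct_users <= MAX_FAILS_PER_USER:
        return "credential_stuffing"
    if distinct_users <= 2:
        return "brute_force"
    return "suspicious"


def analyze(log_text: str) -> dict[str, dict]:
    """Aggregate per source IP and attach a verdict plus accounts needing a reset.

    A production version would aggregate over a sliding time window rather than
    the whole batch; that is omitted here to keep the logic visible.
    """
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "ok_users": set()})
    for ev in parse(log_text):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok_users"].add(ev["user"])

    report = {}
    for ip, s in per_ip.items():
        verdict = classify(s["fails"], len(s["users"]))
        # A successful login from a source judged hostile is most likely a valid leaked
        # pair: those accounts need a forced credential reset and session revocation.
        compromised = sorted(s["ok_users"]) if verdict in ("credential_stuffing", "brute_force") else []
        report[ip] = {
            "fails": s["fails"],
            "distinct_users": len(s["users"]),
            "verdict": verdict,
            "compromised": compromised,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

The ratio of failures to distinct usernames is the key signal: stuffing tools rarely retry an account because each leaked pair is tried once, whereas brute force concentrates many attempts on few accounts. Sources that stuff from a large botnet will fall under the per-IP thresholds, so the same counters are usually also kept per ASN, per user-agent and globally.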

The anti-fraud community has highlighted credential stuffing as an increasing problem in recent years. However, due to the jump in internet activity in the pandemic and the growth of online purchasing, it has risen in recent months. Credential stuffing increased 56 percent during the Christmas and New Year shopping season last year, according to research analysts, with forecasts that the same period in 2021 will witness up to eight million attacks on consumers every day. 

The Arkose Labs network detected and blocked 285 million credential stuffing assaults in the first half of 2021, with spikes of up to 80 million in a single week. In just one week, one intensively targeted social media organization experienced 1.5 million credential stuffing attacks. 

Kevin Gosschalk, CEO at Arkose Labs stated, “The global e-commerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber attack to watch out for.” 

“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.” 

Other key information 

According to the research team's newest findings, 
  • The top attacked industries by sector include gaming, digital and social media, and financial services. 
  • Credential stuffing assaults accounted for over half of all attacks aimed at the gaming industry. 
  • The United Kingdom was also named as one of the top three regions that carried out the most credential stuffing attacks against the rest of the world. 
  • Alongside it, Asia and North America both showed massive amounts of fraudulent activity emanating from their respective regions.
  • During the first half of 2021, mobile-based attacks accounted for approximately one-quarter of all attacks.

Diebold Nixdorf ATM Bugs Allowed Attackers to Alter Firmware & Steal Cash


Security researchers at Positive Technologies have disclosed information on several vulnerabilities in Diebold Nixdorf ATMs that could have permitted an intruder to change the system's firmware and take cash. 

The vulnerabilities, known as CVE-2018-9099 and CVE-2018-9100, were discovered in the Wincor Cineo ATMs' CMD-V5 and RM3/CRS dispensers – one in each device – and were patched a few years ago. In 2016, Diebold acquired Wincor Nixdorf, and the two firms eventually merged. 

During research approved by the vendor, Positive Technologies found that, while the ATMs had a range of security mechanisms in place to combat blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually easy to get past them.

The researchers worked out the command encryption between the ATM computer and the cash dispenser, bypassed it, swapped the ATM firmware for an older version, and abused the flaws to make the device dispense cash.

While encryption is utilized to protect against blackbox attacks, the researchers observed that an attacker might steal the encryption keys and then spoof their own firmware to load on the compromised ATM. The researchers were able to determine the elements involved in the check process in the code responsible for confirming the firmware signature and in the firmware, particularly the public key and the signed data itself. 

Positive Technologies explained, “As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length.” 
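The quoted finding comes down to a design principle: a firmware verifier that reads the public key (and its length) out of the very image it is verifying has no trust anchor, since whoever writes the image also chooses the key. The script below is an added example by the editor, not Positive Technologies' or Diebold Nixdorf's code; the image layout, the primes and the textbook unpadded RSA are constructed for illustration (only the public exponent 7 is taken from the quote). It places a verifier that trusts the embedded key next to one that pins the vendor modulus and fixed key length, and shows that only the pinned verifier rejects an image signed under a different key.

```python
"""Toy firmware-image signature check: embedded-key trust vs a pinned vendor key.

Added example (editor's own). Image format, primes and keys are constructed; the
RSA here is textbook and unpadded, which is fine for illustrating the trust
anchor but is not how a real verifier should be built.
"""
from __future__ import annotations
import struct
from hashlib import sha256

E = 7  # public exponent quoted in the Positive Technologies write-up


def toy_keypair(p: int, q: int, e: int = E) -> tuple[int, int]:
    """Return (n, d) for two distinct primes with gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, d


def byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def digest_mod(payload: bytes, n: int) -> int:
    # Toy: reduce the SHA-256 digest modulo n so it fits the tiny modulus.
    return int.from_bytes(sha256(payload).digest(), "big") % n


def sign(payload: bytes, n: int, d: int) -> int:
    return pow(digest_mod(payload, n), d, n)


def build_image(payload: bytes, n: int, sig: int) -> bytes:
    """Constructed layout: [u16 key_len][modulus][signature][payload]."""
    k = byte_len(n)
    return struct.pack(">H", k) + n.to_bytes(k, "big") + sig.to_bytes(k, "big") + payload


def parse_image(image: bytes) -> tuple[int, int, int, bytes]:
    (k,) = struct.unpack(">H", image[:2])
    n = int.from_bytes(image[2:2 + k], "big")
    sig = int.from_bytes(image[2 + k:2 + 2 * k], "big")
    return k, n, sig, image[2 + 2 * k:]


def verify_embedded_key(image: bytes) -> bool:
    """Weak: trusts the key and key length carried inside the untrusted image."""
    _, n, sig, payload = parse_image(image)
    return pow(sig, E, n) == digest_mod(payload, n)


# The pinned trust anchor: baked into the verifier, never read from the image.
VENDOR_N, VENDOR_D = toy_keypair(104729, 1299709)   # constructed "vendor" key
VENDOR_KEY_LEN = byte_len(VENDOR_N)


def verify_pinned_key(image: bytes) -> bool:
    """Hardened: the image's key field must equal the pinned key, and the
    signature must be in range, before any arithmetic is done with it."""
    k, n, sig, payload = parse_image(image)
    if k != VENDOR_KEY_LEN or n != VENDOR_N:
        return False
    if not 0 < sig < VENDOR_N:
        return False
    return pow(sig, E, VENDOR_N) == digest_mod(payload, VENDOR_N)


def demo() -> dict[str, bool]:
    payload = b"dispenser firmware (constructed payload)"
    genuine = build_image(payload, VENDOR_N, sign(payload, VENDOR_N, VENDOR_D))
    # The same payload signed under a key that is not the vendor's (constructed).
    other_n, other_d = toy_keypair(1019, 1021)
    foreign = build_image(payload, other_n, sign(payload, other_n, other_d))
    return {
        "genuine_embedded": verify_embedded_key(genuine),
        "genuine_pinned": verify_pinned_key(genuine),
        "foreign_embedded": verify_embedded_key(foreign),   # accepted: no trust anchor
        "foreign_pinned": verify_pinned_key(foreign),       # rejected: key is not the vendor's
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}")
```

The fix the page describes (physical authentication for firmware installation) is an additional control; the verifier-side lesson is that both the key material and its length must come from the verifier's own trust store, and that a real implementation should use a standard padded signature scheme rather than raw RSA.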

Before money can be withdrawn from the ATM, an attacker needs to find a way to send commands to the dispenser and to determine the amount of money in each cassette. Diebold Nixdorf, which published fixes for these vulnerabilities in 2019, recommends enabling physical authentication when an operator performs a firmware installation, to further prevent unauthorised access. The firm warned earlier this year that jackpotting attacks against RM3-based Cineo systems in Europe were on the rise.

Mekotio Banking Trojan Resurfaces with Tweaked Code


On November 3, Check Point Research (CPR) released research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and it's now back with new techniques for evading detection. 

In October, 16 people were arrested across Spain in connection with Mekotio and the Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojan, which was then used to steal banking and financial information. As per local media sources, 276,470 euros were stolen, but 3,500,000 euros worth of transfer attempts were made, which were luckily blocked. 

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests simply delayed the transmission of the malware across Spain, and the malware is still spreading since the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly rehashed their malware with new characteristics aimed to prevent detection after the arrests were revealed by the Spanish Civil Guard. 

Mekotio's infection vector has remained the same: phishing emails carrying either a link to, or an attachment of, a ZIP archive that contains the payload. However, an examination of more than 100 recent attacks indicated the use of a simple obfuscation approach and a substitution cipher to avoid detection by antivirus software.

In addition, the developers have included a redesigned batch file with numerous levels of obfuscation, a new PowerShell script that runs in memory to conduct malicious actions, and the use of Themida, a legitimate application protector that hinders cracking and reverse engineering, to shield the final Trojan payload.

Mekotio attempts to exfiltrate login credentials for banks and financial services once it has been installed on a vulnerable machine and will send them to a command-and-control (C2) server controlled by its operators. 

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."

CDSL Suffered a Data Breach, Exposing the Details of 43.9 Million Investors


According to cyber security consultancy company CyberX9, a vulnerability at a CDSL subsidiary, CDSL Ventures Limited (CVL), exposed personal and financial data of over 4 crore Indian investors twice in ten days. CDSL Ventures Ltd is a KYC registering agency independently registered with the Securities and Exchange Board of India (SEBI), and Central Depository Services (India) Limited (CDSL) is a SEBI registered depository. 

CVL has taken swift action, according to CDSL, and the vulnerability has now been mitigated. According to CyberX9, the vulnerability was disclosed to CDSL on October 19, and the securities depository took roughly 7 days to address it, despite the fact that it could have been fixed instantly.

The vulnerability, according to CyberX9, a Chandigarh-based consultancy firm, was not very difficult, and it was detected for the second time by the firm. “CDSL was exposing extremely sensitive personal and financial data of about 43.9 million ( about 4.39 crore) investors in India. The data being exposed belonged to those who did their market securities KYC. In India, you have to go through a KYC process for investing in securities like stocks, mutual funds, bonds,” it said.

The information exposed by CDSL, according to the Chandigarh-based cyber security start-up, could be a virtual gold mine for phishers and scammers engaged in the so-called business of e-mail compromise, who frequently impersonate brokers, banks, and businesses in an attempt to dupe individuals and businesses into transferring funds to fraudsters. 

“We verified the fix before publication and it was no longer exploitable. Later, on October 29th, our research team got to work again and within a couple of minutes they found an easy and complete bypass for the fix that CDSL implemented to patch the earlier reported vulnerability. CERT-In and NCIIPC also accepted our vulnerability report,” CyberX9 said on its blog. According to CyberX9, the exposed data includes the investor's name, phone number, email address, PAN, salary range, father's name, and date of birth.

Phishers and scammers would have an unending supply of compelling scamming templates for calls and emails if they had access to CDSL KYC data. According to CyberX9, a database like this would provide fraudsters with a constant stream of new investors undergoing KYC, allowing them to target them. Financial fraud, identity theft, and exposing people to things like extortion, targeted assaults on people, and so on can all result from sensitive personal and financial data being exposed to large groups of people.

Ransomware Ranzy Locker Infected at Least 30 US Organizations


The FBI announced on Monday that the Ranzy Locker ransomware has infected at least 30 US firms across a variety of industries this year. “Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” reads the flash alert. 

The flash alert was issued in collaboration with CISA and is intended to provide information to security professionals to aid in the detection and prevention of ransomware attacks. The majority of Ranzy Locker victims who reported intrusions told the FBI that the attackers broke into their networks by brute-forcing RDP credentials. 

Others have recently revealed that the attackers utilized credentials acquired in phishing operations or targeted insecure Microsoft Exchange servers.

Ranzy Locker operators will steal unencrypted documents while within a victim's network before encrypting systems on their victims' corporate networks, a method utilized by most other ransomware gangs. These exfiltrated files, which contain sensitive information such as customer information, personally identifiable information (PII) data, and financial records, are used as leverage to force victims to pay a ransom in order to regain access to their files and prevent the data from being leaked online. 

In several cases, the gang used a double model of extortion, threatening victims with leaking stolen data if they did not pay the ransom. Indicators of compromise (IOCs) connected with Ranzy Locker operations and Yara rules to identify the threat are also included in the flash warning. 

Victims will get a 'Locked by Ranzy Locker' notice and a live chat screen to negotiate with the threat actors when they visit the group's Tor payment site. The ransomware operators also offer their victims to decrypt three files for free as part of this "service" to demonstrate that the decryptor can restore their files. 

The alert also lists recommended mitigations, including:
  • Implement regular backups of all data, stored as air-gapped, password-protected copies offline.
  • Implement network segmentation so that no machine on your network is accessible from any other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patches to operating systems, software, and firmware as soon as they become available.

FBI: Fake Government Websites Used to Steal Private & Financial Data


The FBI has alerted the public in the United States that threat actors are proactively capturing sensitive financial and personal information from innocent victims via phoney and fraudulent unemployment benefit websites. 

Websites used in these attacks are built to look just like official government platforms in order to deceive victims into handing over their information, infecting them with malware, and claiming unemployment benefits on their behalf.

The federal law enforcement agency stated in a public service announcement published on Internet Crime Complaint Center's site, "These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits. The fake websites prompt victims to enter sensitive personal and financial information. Cyber actors use this information to redirect unemployment benefits, harvest user credentials, collect personally identifiable information, and infect victim's devices with malware.” 

"In addition to a loss of benefits, victims of this activity can suffer a range of additional consequences, including ransomware infection and identity theft." 

As per the FBI, 385 domains were detected, with eight of them spoofing government sites related to official unemployment benefits platforms. Domain and status are listed below:
  • employ-nv[.]xyz: Active
  • employ-wiscon[.]xyz: Inactive
  • gov2go[.]xyz: Active
  • illiform-gov[.]xyz: Active
  • mary-landgov[.]xyz: Active
  • Marylandgov[.]xyz: Inactive
  • newstate-nm[.]xyz: Active
  • Newstatenm[.]xyz: Inactive
There is also a possibility that the data obtained through these fake sites will end up in the hands of identity fraudsters, who would use it in different benefit fraud schemes. The US Federal Trade Commission (FTC) reported in February 2021 that the overall number of identity theft reports doubled in 2020 compared to 2019, with 1.4 million reports in a single year. 

The FTC stated, "2020’s biggest surge in identity theft reports to the FTC related to the nationwide dip in employment. After the government expanded unemployment benefits to people left jobless by the pandemic, cybercriminals filed unemployment claims using other people’s personal information." 

For example, the FTC received 394,280 reports of government benefits fraud attempts last year, the majority of which were connected to unemployment benefit identity theft fraud, compared to 12,900 reported in 2019. 

The Internal Revenue Service (IRS) also issued taxpayer guidelines in January on recognizing theft activities involving unemployment payments. The US federal revenue service stated, "The Internal Revenue Service today urged taxpayers who receive Forms 1099-G for unemployment benefits they did not actually get because of identity theft to contact their appropriate state agency for a corrected form." 

"Additionally, if taxpayers are concerned that their personal information has been stolen and they want to protect their identity when filing their federal tax return, they can request an Identity Protection Pin (IP PIN) from the IRS." 

The FBI also offered some advice on how to safeguard yourself against identity theft in the release and a few are listed below: 
  • Verify the spelling of web addresses to spot imitations of legitimate sites.
  • Check that the website you're visiting has an SSL certificate.
  • Keep software up to date.
  • Use two-factor authentication.
  • Avoid phishing emails at all costs.
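The FBI's first piece of advice ("verify the spelling of web addresses") can be turned into a small triage rule for a blocklist or mail filter: a domain that says "gov" or "employ" in its name but does not sit under a .gov TLD, on a low-cost TLD, is an imitation by construction. The script below is an added example by the editor; it takes the eight defanged domains and statuses quoted from the FBI announcement above as its input, and the keyword list, the TLD lists, the two control domains and the scoring are the editor's constructed assumptions.

```python
"""Flag lookalike domains that imitate government unemployment-benefit sites.

Added example (editor's own). FBI_LISTING is the domain/status list quoted
above; heuristics, keyword tables and control entries are constructed.
"""
from __future__ import annotations
import re

FBI_LISTING = """
employ-nv[.]xyz: Active
employ-wiscon[.]xyz: Inactive
gov2go[.]xyz: Active
illiform-gov[.]xyz: Active
mary-landgov[.]xyz: Active
Marylandgov[.]xyz: Inactive
newstate-nm[.]xyz: Active
Newstatenm[.]xyz: Inactive
"""

# Constructed control entries: a plausible state .gov host and an unrelated domain.
CONTROL_LISTING = """
nv[.]gov: Active
example[.]com: Active
"""

BENEFIT_WORDS = ("employ", "unemploy", "benefit", "claim", "state")
GOV_TLDS = {"gov", "mil"}
CHEAP_TLDS = {"xyz", "top", "icu"}   # editor's small sample of low-cost TLDs; tune locally

ENTRY = re.compile(r"^\s*(?P<domain>\S+?)\s*:\s*(?P<status>Active|Inactive)\s*$", re.I)


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]xyz' form back into a real hostname, lower-cased."""
    return domain.replace("[.]", ".").lower()


def parse_listing(text: str) -> list[tuple[str, str]]:
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append((refang(m.group("domain")), m.group("status").capitalize()))
    return out


def assess(domain: str) -> dict:
    """Score one hostname; each independent imitation signal adds a point."""
    labels = domain.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1])
    signals = []
    if "gov" in name and tld not in GOV_TLDS:
        signals.append("'gov' in name but not a .gov domain")
    if any(w in name for w in BENEFIT_WORDS):
        signals.append("unemployment/benefit keyword")
    if tld in CHEAP_TLDS:
        signals.append(f"low-cost TLD .{tld}")
    return {"domain": domain, "signals": signals, "score": len(signals)}


def suspicious(text: str, min_score: int = 2) -> list[dict]:
    """Return the entries in a listing that reach min_score, with their status."""
    results = []
    for domain, status in parse_listing(text):
        a = assess(domain)
        if a["score"] >= min_score:
            a["status"] = status
            results.append(a)
    return results


if __name__ == "__main__":
    for hit in suspicious(FBI_LISTING + CONTROL_LISTING):
        print(f"{hit['domain']:22} {hit['status']:8} {'; '.join(hit['signals'])}")
```

Note that the FBI's second tip (the site has an SSL certificate) is not used as a signal: the lookalike domains above are on a TLD where certificates are free, so TLS tells the user nothing about who runs the site. The domain name itself is the reliable check.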

Payment API Flaws Exposed Millions of Users’ Data


Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had exposed their payment integration key ID and key secret. This is not an issue with Razorpay, which serves over eight million businesses, but rather with how app developers are misusing its APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
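The finding CloudSEK describes (a key_id and key_secret embedded in the app package) is the kind of thing a build pipeline can catch before release, because the secret ends up as a plain string in resources or compiled sources. The script below is an added example by the editor, not CloudSEK's BeVigil; the decoded-package contents are constructed, the rzp_test_/rzp_live_ key-ID prefix is the editor's assumption about Razorpay key IDs, and since the key_secret has no fixed shape the second rule pairs a secret-like variable name with a high-entropy value so that placeholders are not reported.

```python
"""Scan decoded app-package files for hardcoded payment-gateway credentials.

Added example (editor's own). SAMPLE_FILES is constructed; the key-ID prefix
is an assumption about Razorpay's format and the regexes are tunable.
"""
from __future__ import annotations
import math
import re

# Constructed contents of a decoded package (not from any real app).
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="app_name">ShopDemo</string>\n'
        '  <string name="razorpay_key_id">rzp_live_ABCDEFGHIJKLMN</string>\n'
        '  <string name="razorpay_key_secret">Zq8vL2nT9xWpR4kYd3sHbM7c</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/shop/Payment.java": (
        "public final class Payment {\n"
        '    static final String KEY_ID = "rzp_test_ABCDEFGHIJKLMN";\n'
        "    // placeholder left by a developer; low entropy, so it is not reported\n"
        '    static final String key_secret = "aaaaaaaaaaaaaaaaaaaa";\n'
        "}\n"
    ),
}

# Assumption: Razorpay key IDs look like rzp_test_<id> / rzp_live_<id>.
KEY_ID = re.compile(r"rzp_(?:test|live)_[A-Za-z0-9]{12,}")
# A secret-like name followed by '=', ':' or an XML '>' and a long token.
SECRET = re.compile(r"""(?i)(key_?secret|api_?secret)["']?\s*(?:[:=]|>)\s*["']?([A-Za-z0-9_\-]{16,})""")
MIN_ENTROPY = 3.0   # bits per character; repeated-letter placeholders score far lower


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(secret: str) -> str:
    """Never echo a full secret into scanner output or CI logs."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(files: dict[str, str]) -> list[dict]:
    """Return one finding per hardcoded key ID or high-entropy secret assignment."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in KEY_ID.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": "key_id", "value": m.group(0)})
            for m in SECRET.finditer(line):
                value = m.group(2)
                if shannon_entropy(value) >= MIN_ENTROPY:
                    findings.append({"path": path, "line": lineno, "kind": "key_secret", "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['kind']:10} {f['path']}:{f['line']}  {f['value']}")
```

A key_id alone is meant to be public-facing (it identifies the merchant to the gateway's client SDK); the key_secret is what must never ship in the app and belongs only on the merchant's server, which is where order creation and refund calls should be made. Running a scan like this on the built APK, rather than on source, catches secrets that arrive through build-time configuration as well.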