Cybersecurity trends that marked November 2023
In our November 2023 report, we take a closer look at the cybersecurity trends that marked November 2023, including new revelations surrounding the Okta security breach, the proliferation and risks of "identity wallets", and more.
Phishing and Malware trends and statistics
[Chart: newly registered domains; confirmed new phishing domains; new potential similar domains]
During the month of November, FYEO discovered a total of 1.68 million newly registered domains, of which 9081 were considered similar domains that are likely squatting domains (i.e., cases where someone registers a domain name that resembles a well-known brand or organization with the intention of using it for malicious purposes such as phishing attacks).
A further 3325 of the newly registered domains were identified as actively serving fake websites and content related to phishing, and 3.7 thousand were identified as serving malware-related files and content.
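As an added illustration of how a feed of newly registered domains can be triaged against a brand list (this is example code, not FYEO's own detection pipeline), the script below normalises common homoglyph substitutions (0 for o, 1 for l, and so on) and then sorts each domain into exact brand labels, brand names embedded in hyphenated labels, brand names placed in a subdomain, and registrable labels within edit distance 1 of a brand. The brand list, the sample domains, and the distance threshold are all constructed assumptions.

```python
"""Triage newly registered domains against a list of protected brands.

Added example, not FYEO's pipeline. BRANDS and NEW_DOMAINS below are
constructed sample data; the thresholds are assumptions.
"""

BRANDS = ["paypal", "okta", "microsoft", "fyeo"]

# Constructed sample of a day's newly registered domains (not real registrations).
NEW_DOMAINS = [
    "paypa1-login.com",
    "okta-support-verify.net",
    "micros0ft.com",
    "gardening-tips.org",
    "fyeo.io",
    "microsoft.com.account-check.xyz",
]

# Digit/symbol substitutions commonly used to imitate letters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(label):
    """Lower-case a label and undo common homoglyph substitutions."""
    return "".join(HOMOGLYPHS.get(c, c) for c in label.lower())


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, max_distance=1):
    """Return (verdict, brand) for one domain.

    Verdicts: 'exact-brand-label' (brand is the registrable label, e.g. brand.io),
    'brand-in-subdomain' (brand appears left of the registrable label),
    'brand-embedded' (brand is one hyphen-separated token of the registrable label),
    'lookalike' (registrable label within max_distance edits of a brand after
    homoglyph normalisation) or 'unrelated'.
    Assumes a single-label public suffix (.com, .io), not e.g. .co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    sld, subdomains = labels[-2], labels[:-2]
    for brand in brands:
        if sld == brand:
            return ("exact-brand-label", brand)
        if any(normalize(tok) == brand for sub in subdomains for tok in sub.split("-")):
            return ("brand-in-subdomain", brand)
        tokens = sld.split("-")
        if len(tokens) > 1 and any(normalize(tok) == brand for tok in tokens):
            return ("brand-embedded", brand)
        if levenshtein(normalize(sld), brand) <= max_distance:
            return ("lookalike", brand)
    return ("unrelated", None)


def scan(domains, brands=BRANDS):
    """Classify a feed and return (flagged, counts): flagged is the list of
    (domain, verdict, brand) tuples needing review, counts maps verdict -> number."""
    flagged, counts = [], {}
    for domain in domains:
        verdict, brand = classify(domain, brands)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "unrelated":
            flagged.append((domain, verdict, brand))
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = scan(NEW_DOMAINS)
    for domain, verdict, brand in flagged:
        print(f"{domain:40} {verdict:20} {brand}")
    print(counts)
```

An exact brand label on a new TLD is deliberately reported rather than silently accepted: the brand owner's own registrations belong on an allowlist, and everything else in that bucket is worth a look. Short brand names and a distance threshold of 1 will produce some false positives on unrelated dictionary words, so the threshold is best tuned per brand rather than set globally.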
Data leaks and credentials statistics
[Chart: reported leaked credentials; reported leak sources; FYEO indexed sources; FYEO indexed credentials]
November also saw 20 security incidents that resulted in the compromise of more than 16 million records.

In the recent security incident involving Redcliffe Labs, cybersecurity researcher Jeremiah Fowler brought to light a significant data breach. This incident saw over 12 million patient records exposed because the database was not password protected. The exposed data included medical diagnostic scans, test results, and potentially sensitive medical records, which underscores the urgent need for robust security measures and the safeguarding of sensitive medical information. This incident serves as a stark reminder of the ongoing cyber threats to healthcare providers and the critical importance of securing patient data.

During the month, FYEO indexed and gathered a total of 28.5 million leaked credentials from a total of 17 sources, gathered through open sources and public releases. Regarding FYEO's collection statistics, it is worth noting that there is generally a long delay before hacked data is published. The data collected by FYEO is therefore most likely not from the same sources that were reported hacked during the month.
Okta's Extended Security Incident: Breach Expands to Customer Support Users
In a follow-up to the earlier Okta security breach, it has been revealed that the incident, initially reported to impact less than 1% of its 18,000+ customers, is wider in scope than first stated. The breach, which occurred in late September 2023 and allowed unauthorized access to Okta's customer support case management system, not only compromised sensitive files associated with 134 customers but also resulted in the theft of names and email addresses for nearly all of its customer support users.
Okta clarified that the breach affected all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding those in the FedRAMP High and DoD IL4 environments, which use a separate support system that the threat actor did not access. Additionally, the Auth0/CIC support case management system remained unaffected.
For the majority of users, approximately 97%, only their full name and email address were exposed. However, about 3% of Okta customer support accounts had additional data fields exposed, such as last login, username, phone number, SAML federation ID, company name, job role, user type, and date of last password change or reset.
Okta emphasized that a significant number of exposed accounts belong to Okta administrators, urging them to be vigilant against targeted phishing attacks. The company stressed the importance of Okta administrators having multi-factor authentication (MFA) enrolled to secure both the customer support system and access to their Okta admin console(s).
The intrusion was attributed to an employee who saved credentials for a service account in Okta's customer support infrastructure to their personal Google account. Okta acknowledged the lack of MFA on the compromised service account but highlighted that six percent of its customers persist in dangerous practices, such as using Okta administrator accounts without MFA protection.
Ars Technica's Dan Goodin criticized Okta for not implementing adequate access controls and suggested measures, such as IP address restrictions and regular rotation of access tokens, to better secure service accounts. He stressed that responsibility for these precautions lies with senior personnel within Okta.
As the investigation continues, Okta remains committed to informing affected customers, providing guidance, and implementing necessary security measures to address the extended impact of the security incident.
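The three controls discussed above (MFA on administrator and service accounts, source IP restrictions on service accounts, and regular rotation of their tokens) can be checked mechanically against an account inventory. The audit below is an added example and is not Okta's tooling or API; the inventory records, their field names, and the 90-day rotation window are assumptions, and the account data is constructed.

```python
"""Audit a privileged-account inventory for the gaps called out in the Okta incident.

Added example, not Okta's tooling or API. ACCOUNTS, its field names and
the 90-day rotation window are assumptions; the data is constructed.
"""
import ipaddress
from datetime import date, timedelta

# Constructed inventory (not real accounts). 'kind' is admin, service or user;
# 'allowed_cidrs' empty means the account may authenticate from anywhere;
# 'token_issued' is the issue date of the account's current API token, or None.
ACCOUNTS = [
    {"id": "svc-support-01", "kind": "service", "mfa_enrolled": False,
     "allowed_cidrs": [], "token_issued": date(2023, 5, 1)},
    {"id": "svc-ci-deploy", "kind": "service", "mfa_enrolled": True,
     "allowed_cidrs": ["203.0.113.0/24"], "token_issued": date(2023, 10, 15)},
    {"id": "admin-alice", "kind": "admin", "mfa_enrolled": True,
     "allowed_cidrs": [], "token_issued": None},
    {"id": "admin-bob", "kind": "admin", "mfa_enrolled": False,
     "allowed_cidrs": [], "token_issued": None},
    {"id": "user-carol", "kind": "user", "mfa_enrolled": False,
     "allowed_cidrs": [], "token_issued": None},
]


def audit(accounts, today, max_token_age=timedelta(days=90)):
    """Return a list of (account id, finding) tuples, in inventory order."""
    findings = []
    for acct in accounts:
        privileged = acct["kind"] in ("admin", "service")
        # Admin console and support-system access without MFA.
        if privileged and not acct["mfa_enrolled"]:
            findings.append((acct["id"], "no-mfa"))
        # Service accounts should only be usable from known source networks.
        if acct["kind"] == "service" and not acct["allowed_cidrs"]:
            findings.append((acct["id"], "no-ip-restriction"))
        # A long-lived token stays valid for anyone who copies it.
        issued = acct["token_issued"]
        if issued is not None and today - issued > max_token_age:
            findings.append((acct["id"], "stale-token"))
    return findings


def source_permitted(acct, source_ip):
    """Enforcement side of the IP restriction: True if source_ip falls inside one
    of the account's allowed networks. An empty allowlist permits everything,
    which is exactly the state audit() reports as 'no-ip-restriction'."""
    if not acct["allowed_cidrs"]:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in acct["allowed_cidrs"])


def summarize(findings):
    """Count findings per check so a report can track them month over month."""
    counts = {}
    for _, check in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(ACCOUNTS, today=date(2023, 11, 30))
    for account_id, check in results:
        print(f"{account_id:16} {check}")
    print(summarize(results))
```

Ordinary user accounts without MFA are deliberately left out of the findings so the report stays focused on the accounts whose compromise reaches the admin console or the support system; widening the policy to all users is a one-line change to the `privileged` test.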
Navigating the Risks: Unpacking the Potential Threats to Your Digital Identity Wallet
In recent times, the emergence of identity wallets has sparked a digital revolution known as the "wallet wars." These wallets, envisioned within the self-sovereign identity movement, aim to digitize traditional identifying documents, offering convenience and privacy control. However, with this evolution comes an inevitable target for cybercriminals, raising questions about the safety of identity wallets compared to the vulnerabilities seen in mobile banking apps.

Mobile banking apps have become a prime target for cyber threats, with a 100% increase in mobile banking trojans in 2022 alone. The popularity of mobile banking is evident, with 87% of customers using banking apps monthly. Similarly, identity wallets, serving as apps storing vital personal information and credentials, are gaining traction, especially as governments explore their use for accessing services. As the usage of identity wallets expands, the likelihood of cybercriminals shifting their focus to exploit potential vulnerabilities increases.

To mitigate these threats, lessons can be drawn from how mobile banking apps handle trojans. Techniques such as biometric authentication, mobile app shielding, end-to-end encryption, auto-updates, and even blockchain integration are considered, but each has its limitations and challenges.

The risk extends beyond just data compromise; a trojan compromising an identity wallet could have far-reaching consequences. For instance, if an eIDAS identity wallet, mandated for accessing major online platforms and performing KYC checks for bank accounts, falls victim to a trojan, the potential fallout could extend to various connected online accounts. While the convenience of identity wallets is undeniable, developers must prioritize security measures to protect users from potential threats. The evolving landscape has prompted industry players, including Google, Microsoft, and Meta, to form the App Defense Alliance, aiming to establish industry standards for app security.
As we embrace the era of digital identity wallets, ensuring robust security measures becomes paramount, acknowledging the inherent trade-offs in the pursuit of a safer digital future.
At FYEO we are working on a truly decentralized solution to combat this problem. Currently in closed beta, FYEO Identity is a decentralized password manager that uses public/private key technology to help keep your credentials secure from bad actors, with a built-in real-time identity monitoring system that leverages FYEO's breach database of over 27 billion leaked emails and passwords. Your keys, your data, for your eyes only! Join our closed beta.
And if you are currently using a wallet, let them know about FYEO's Dynamic Wallet testing to ensure they are handling your credentials safely and securely.