Email Security News Round-Up [July 2022]

Data theft is an issue that big and small organizations face every day.

People and companies lose sensitive data, protected health information, personally identifiable information, intellectual property, governmental and industry information, and much more.

July was like any other month—with cybercrime making headlines and millions of dollars in losses due to data theft.

Check out July’s top news stories in our round-up below.


Fake Job Interviews Caused $620 Million Steal from Axie Infinity

The non-fungible token-based online video game Axie Infinity lost $620 million in crypto after hackers implemented a simple phishing scam and social engineering tactics.

The trouble started when one game developer received a fake job offer from North Korean hackers via LinkedIn. 

One senior engineer responded to the fake job offer and unknowingly downloaded an infectious PDF file onto a company computer. 

The cybercriminals were then able to infiltrate the game’s Ethereum-linked sidechain, corrupt four token validators and one Axie DAO validator, and steal $620 million in cryptocurrency. 

Two notorious groups: Lazarus and APT38, have been identified as the culprits.


70,000 Email Addresses of Mental Health App Users Exposed 

While reverse engineering several mental health apps, security researcher Maia Arson Crimew discovered a vulnerability in the Feelyou mental health app, owned by Japan-based company Bajji.

The vulnerability exposed 78,000 users’ email addresses across more than 170 countries.

However, Bajji founder Noritaka Kobayashi stated that the app doesn’t collect the personal information of its users, like names, phone numbers, credit card info, etc.

Feelyou later announced that the vulnerability had been patched.


One Billion Chinese Citizens’ Data for Sale Online

A threat actor identified as ChinaDan announced the sale of over 23 terabytes (TB) of stolen data for nearly $195,000.

The cybercriminal claims the data stems from the Shanghai National Police database, including one billion Chinese national residents’ names, addresses, national ID numbers, etc.

Binance CEO Changpeng Zhao tweeted that the company’s threat intelligence team found the records for sale on the dark web.

The alleged cause of the breach was a government developer who accidentally wrote a tech blog on CSDN and included the credentials.


Blockchain-Based Platform Audius Loses $6 Million in Tokens Due to Smart Contract Bug

The decentralized music streaming platform Audius lost $6 million worth of AUDIO tokens on Saturday, July 23rd. Cybercriminals exploited a smart contract vulnerability, allowing them to pass proposals without unilateral voting. 

This, in turn, enabled the transfer of 18 million $AUDIO worth $6 million from Audius’ community pool to the hackers’ wallet. The malicious actors sold the tokens on Uniswap for $1.08 million.

The attackers somehow managed to change the platform’s control dynamics as well. The vulnerability has been live since October 2020, when the smart contracts were initially deployed.

Audius stated that it would take critical steps to enhance the incident response time and plans on implementing elevated automated tools to detect any suspicious activity.


Final Thoughts

From phishing scams and app vulnerabilities to national database breaches and smart contract exploits, cybercriminals are always looking for ways to make money. 

July was no exception.

Big or small, organizations must enhance cybersecurity awareness and implement effective measures to protect their customers and data.

SPF Record Syntax: Structure and Components

SPF Record Syntax: Structure and Components

Understanding what SPF is and bringing it into use is important for technology-driven businesses...

Read More
What is a DKIM Record?

What is a DKIM Record?

What is a DKIM record? That's a question we see everywhere these days. Emails...

Read More
What is an SPF Record?

What is an SPF Record?

What if you realize a threat actor is misusing your domain name to send...

Read More