Kaspersky blocked 356,000 malware attacks disguised as student textbooks and essays, the Magecart “Inter” toolkit made credit card skimming accessible as a $1,000 commercial service with 24/7 support, Marriott disclosed a second major breach affecting 5.2 million loyalty app guests, and the IRS warned of a wave of COVID-19 stimulus payment scams targeting Americans during the pandemic.
Stories Covered
Malware Disguised as Textbooks: 356,000 Attacks on Students via Fake Educational Downloads
Kaspersky published research documenting malware campaigns targeting students through fake educational content. The data — representing only users running Kaspersky antivirus, so likely a fraction of total exposure — showed 356,000 attacks, 74,000 unique users who attempted to download malware disguised as essays across 233,000 attempts, and 30,000 users who attempted to download malware disguised as textbooks across approximately 122,000 attempts. English textbooks were the most common lure at roughly 2,000 attack attempts, followed by mathematics at 1,200 and literature at 870. The delivery mechanism exploits a fundamental Windows behavior: by default, Windows hides known file extensions. A file named textbook.pdf.exe appears to the user as textbook.pdf — they see what looks like a PDF but double-clicking executes the .exe. Kaspersky identified three primary malware families in this campaign. The most prevalent was StockWorm (worm.win32.stock.a), a worm that spreads itself through email contacts found on the victim machine. The second was win32.agent.ifdx, a downloader trojan that masquerades as a PDF or Word document before pulling down additional payloads like cryptominers. Third was WinLNK.agent.gen, which hides in compressed archives and uses a shortcut file (.lnk) disguised as a document or image to display a decoy file while executing the malicious payload. The lesson is consistent across all three: files downloaded from unofficial sources — piracy sites, random search results for textbooks — carry no verification that the content matches what is advertised.
Magecart “Inter” Toolkit: Credit Card Skimming as a $1,000 Commercial Service With 24/7 Support
PerimeterX researchers published an analysis of the Inter toolkit, a Magecart-family credit card skimmer that has been sold commercially since 2018 and was originally marketed at $1,300 (later approximately $1,000). The toolkit functions as malware-as-a-service for non-technical attackers who have already compromised an e-commerce checkout page — it provides a full control panel, a command-and-control drop zone for collecting stolen card data, geolocation enrichment of victim IP addresses, filtering and export tools for the harvested data, and a code generator for creating loader and skimmer scripts without any programming knowledge. The included obfuscation tooling prevents the skimmer from loading if a browser debugger is detected — meaning security researchers and developers testing with browser developer tools open will not see the skimmer execute, complicating detection. The Caesar obfuscator bundled with the toolkit carries an independent market value of around $100. The developers offered clients a 30/70 revenue split as an alternative to the upfront purchase price, plus 24/7 support. PerimeterX was able to locate a publicly exposed developer staging server with its directory tree visible rather than the application interface, which let them examine the source file structure directly. The researchers also located debugging artifacts left by the developers and made contact with them. The commercialization of attack toolkits like Inter is a significant factor in the expansion of e-commerce credit card skimming — it removes the technical barrier entirely, allowing anyone with access to a compromised checkout to start collecting payment data.
COVID-19 IRS Stimulus Scams: Red Flags and How to Report
As the U.S. government prepared to distribute $1,200 economic impact payments to most American adults under the CARES Act, the IRS issued warnings about a wave of scams exploiting the distribution. The IRS identified several specific red flags: anyone using the term “stimulus check” or “stimulus payment” rather than the official term “economic impact payment,” anyone claiming they can accelerate your payment in exchange for personal information, any request for banking or personally identifiable information to process or expedite a payment, any check arriving with an unusual amount accompanied by instructions to call a number to verify information, or any request to sign over your economic payment to a third party. The IRS does not call, email, or proactively contact taxpayers to collect information needed to process payments. Anyone with direct deposit on file from their 2018 or 2019 tax returns receives payment automatically; all others receive paper checks by mail. Retirees and Social Security recipients receive automatic payments without any required action. Suspected phishing attempts using the IRS name or EFTPS branding should be forwarded to [email protected]. As with all pandemic-era scams, the most effective protection is sharing specific red flag information with older or less technically-oriented family members and friends who are most likely to be targeted.
Marriott’s Second Breach: 5.2 Million Loyalty App Guests Hit After Starwood’s 383 Million-Record Exposure
Marriott disclosed a second major data breach in under two years, this time affecting 5.2 million hotel guests who used the company’s loyalty application. The breach was discovered in late February 2020 and is believed to have begun from mid-January. The attack vector was compromised login credentials belonging to two employees at a franchise property who had backend access to the loyalty app. Data believed to have been accessed includes contact information (names, mailing addresses, email addresses, phone numbers), loyalty account numbers and point balances, personal details (company affiliation, gender, birth month and year), linked airline loyalty program account numbers, and guest preferences such as language and room type. Marriott stated that passwords, PINs, payment card data, passport numbers, national ID numbers, and driver’s license information were not believed to have been taken. The breach follows a significantly larger incident disclosed in November 2018, when Marriott’s acquisition of Starwood Hotels revealed that the Starwood guest reservation system had been compromised for approximately four years, exposing approximately 383 million guest records. Having 5.2 million loyalty program records exposed after a breach of that scale represents a continued security posture failure rather than an isolated incident. Loyalty program credentials are a consistent target because the accounts often contain usable points balances and are linked to other travel accounts and payment methods.
Leave a Reply