I have been waiting for this to happen. Any service that normalizes clicking a link in an email and encourages the user to immediately run an auto-downloaded executable is a giant security issue.
> [I]nvestigators have pinpointed a fake Zoom invite opened by one of the fund's cofounders...
By doing so, the hacker was able to install a malicious software program that gave them access to the fund's email system which they used to send off fake invoices [to the fund’s trustees and administrator for the amount of approximately AUD 8 700 000, of which AUD 88 000 was paid.]
Edit: Note that there was a lapse of diligence on the payer’s side as well.
> Following that, a Pakistani national Muhammad Bhatti made 64 (!) withdrawals from one bank where the money was transferred, as well as a small shopping spree, before leaving Australia.
About three discussions on the front page right now are about Apple controlling the Mac platform, but this is one of the upsides. Companies that use only Macs with Gatekeeper on have automatic protection against a whole class of cyber security problems.
The program was a Trojan/malware, not actually Zoom:
By doing so, the hacker was able to install a malicious software program that gave them access to the fund's email system which they used to send off fake invoices.
It didn’t; the user did. I assume the fake link led to a page saying “you have to update your Zoom” and downloaded malware. The kind of thing new macOS versions try to avoid with the new Gatekeeper. Maybe the guy used Windows?
The article is light on the details (it's an article that digests the contents of another article, behind a paywall bypassable by having a Google referer), but it doesn't talk about how the hack works. Presumably the fake Zoom invite was a link to a non-Zoom website that promptly popped up a window to download an executable named ZoomUpgrade.exe. The victim clicked "download and run", and ta-da, he installed a backdoor.
So, despite me not liking them, Apple would be safer because no one probably bothered to write the backdoor for Macs (maybe that's a market, since rich "hedge fund" folks would prefer bling computers?), and their nanny software would probably have said "No, you can't install this!".
Alternatively the hacker could've written a browser extension, I doubt those have adequate protection...
I'm dubious. If you target an organisation where all or almost all employees have Windows, you don't make a Mac program, but if it's the opposite way around Apple can't do anything about that. I've worked two places now where everybody except me had a Mac.
I think if Apple locks down macOS enough to actually protect users (not just continue the platform's illusion of superiority) you'll know, because ISVs will all say it's impossible to get anything done and abandon the platform.
It's very hard to have a platform that's locked down enough to keep people truly safe as this assumes, while keeping it viable for general purpose third party software from ISVs.
I actually ran into one of the corner cases for this recently. Say you own a Yubico Security Key. With any decent web browser you can use this with WebAuthn or U2F and it's unphishable. But, the Security Key itself is relying on your web browser being honest about the origin.
On an iPhone there is only one web browser; Apple made it, and everybody else can only re-skin it a bit. So, no problem: Apple's web browser is honest, and any third party software that says "Hi I'm your web browser, I need to sign into google.com" does not work, because it isn't your web browser.
On a Windows PC, or a Mac, any program can say it's a web browser. If you're foolish enough to install ZoomUpgrade.exe, it can tell your Security Key "I'm a web browser, give me credentials for google.com" and that works; the OS has no way to know if this is or is not a web browser.
Android gives you an interesting middle case. Not only Chrome but also Firefox works. Ah, but only the official Mozilla builds of Firefox. If you build Firefox, name it "Netsharc 1000" and try to install it on your Android, it mysteriously can't do WebAuthn. As well as all those Android permissions you can ask for in the manifest, and the ones you have to ask for explicitly at runtime, there are extra permissions only the platform owner (Google) can grant, and official builds of Firefox have the "I'm really a web browser" permission which allows them to use the Security Key for web sites.
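The origin-binding the comment above describes can be made concrete with a small relying-party check. This is an added example, not code from the thread or from any WebAuthn library: it models how a server verifies a WebAuthn/U2F assertion (the origin in clientDataJSON must match the site, the rpIdHash at the start of authenticatorData must match SHA-256 of the relying party ID, and the signature must cover authenticatorData plus SHA-256(clientDataJSON)). The relying party name `example.com`, the per-credential key, the challenge and the HMAC used as a stand-in for the authenticator's real ECDSA signature are all constructed assumptions; the flags/counter bytes are simplified. The last scenario shows the thread's point: if local software lies about the origin, the server's checks pass, because the checks only ever see what the client reports.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                      # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"    # the only origin this server accepts


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build clientDataJSON as the client (browser, or something claiming to be one) does."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()


def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId); flags (UP set) and a counter follow."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def authenticator_sign(cred_key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """Stand-in for the Security Key's ECDSA signature (HMAC used here for self-containment).
    The signed message is authenticatorData || SHA-256(clientDataJSON), as in WebAuthn."""
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(cred_key, msg, hashlib.sha256).digest()


def verify_assertion(cred_key, expected_origin, rp_id, challenge,
                     client_data, auth_data, signature):
    """Relying-party side checks, in the order a server would run them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    expected_sig = authenticator_sign(cred_key, auth_data, client_data)
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def scenario(origin_reported: str, rp_id_requested: str):
    """Run one login attempt where the client reports `origin_reported` and asks the
    authenticator for `rp_id_requested`; returns the server's verdict."""
    cred_key = b"constructed-per-credential-secret"          # constructed sample key
    challenge = base64.urlsafe_b64encode(b"constructed-challenge").decode().rstrip("=")
    client_data = make_client_data(origin_reported, challenge)
    auth_data = make_auth_data(rp_id_requested)
    signature = authenticator_sign(cred_key, auth_data, client_data)
    return verify_assertion(cred_key, EXPECTED_ORIGIN, RP_ID, challenge,
                            client_data, auth_data, signature)


if __name__ == "__main__":
    # Honest browser on the real site: accepted.
    print("honest browser      ", scenario("https://example.com", "example.com"))
    # Honest browser on a look-alike site: the browser reports the real origin, so rejected.
    print("phishing site       ", scenario("https://examp1e.com", "examp1e.com"))
    # Local program lying about the origin: indistinguishable to the server.
    print("dishonest local app ", scenario("https://example.com", "example.com"))
```

The first two runs show why a Security Key is unphishable through a real browser: a look-alike site can only get an assertion bound to its own origin and rpId, which the server rejects. The third run is the comment's corner case: a process that fabricates clientDataJSON with the genuine origin produces an assertion the server cannot distinguish from an honest one, which is why platforms that can vouch for which process is the browser (iOS, or Android's platform-granted permission) close a gap that a general-purpose desktop OS leaves open.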
> Alternatively the hacker could've written a browser extension, I doubt those have adequate protection...
I'd bet a lot fewer people install browser extensions than install Zoom. Security isn't about absolute protection but about making things ever more difficult to exploit.
Hedge fund managers and high schoolers/teachers might have slightly different security training, but judging by the number of rubbish extensions and sites with notification permissions that I clear out of Chrome, there are definitely people out there indiscriminately installing browser extensions!
> Companies that use only Macs with gatekeeper on have automatic protection against a whole class of cyber security problems.
So would everyone else if Apple shared their blacklists, or we had collaborative and open lists.
Using this as a reason to recommend taking the corporate OS route is deceiving, as it doesn't address the underlying roots of why antivirus is needed in the first place (systemic Capitalist exploitation, and the Elites privatizing and owning the means of production).