News in brief: Yahoo ‘was spear-phished’; McDonald’s Twitter hijacked; Samsung moots face recognition for payments

Your daily round-up of some of the other stories in the news

Yahoo hack ‘probably the result of spear-phishing’

Spear-phishing emails to a “semi-privileged” Yahoo employee were probably the Achilles heel that led to the exposure of half a billion users’ details, the FBI told reporters in a follow-up briefing to the unsealing of the indictment against four men alleged to be behind the 2014 attack.

Malcolm Palmore of the FBI told Ars Technica that spear-phishing “was the likely avenue of infiltration” that led to the gang stealing the credentials of an “unsuspecting employee”, allowing them access to Yahoo’s internal networks.

Once inside the network, the four hackers discovered a tool that meant they could forge cookies for user accounts so that they could access them without changing the passwords.

The piece from Ars is a fascinating read, reporting that the hackers went after prominent Russian journalists, employees of a Russian security company and Russian and US government officials. It notes that the FBI believes the hack possibly goes back to the Kremlin, though agent John Bennett told reporters that they were unsure how far up the Russian chain the hack went.

McDonald’s Twitter account ‘compromised’

Just a day after many Twitter users’ accounts were compromised by hackers who exploited the access of a third-party app to post ugly swastika-splattered tweets in support of Turkish president Recep Erdoğan, the official Twitter account of the McDonald’s burger chain was apparently hijacked and used to post an abusive tweet to Donald Trump, the US president.

The tweet was deleted not long after its appearance, and McDonald’s subsequently tweeted that Twitter had notified them that the account had been “compromised”, and added: “We deleted the tweet, secured our account and are now investigating this.”

Samsung to use face recognition for payments

Samsung’s next flagship mobile phone, the S8, will apparently feature facial-recognition technology to authenticate mobile payments via the South Korean manufacturer’s own Samsung Pay app, Bloomberg reported on Thursday.

It’s increasingly difficult for mobile phones to stand out in a crowded marketplace in which the devices are in many ways largely the same, and observers expect security features to be one way that device manufacturers seek to differentiate their phones.

Samsung is also up against the reputation-shredding experience of having to withdraw its previous flagship device, the Note 7, after only a matter of weeks, when the device’s batteries turned out to be behind the phones bursting into flames.

At Naked Security we like close attention to improving security, so we’ll be keeping an eye on Samsung’s plans to add facial recognition to its payment services. Samsung is said to be working with banks to help them roll out facial recognition systems, too.
