Fraud & Cybersecurity
Sept. 13, 2024: Fraud & Cybersecurity Articles
- New Regulation Intensifies Focus on IT Risk Management and Operational Resilience
- Payment Gateway Data Breach Affects 1.7 M Credit Card Owners
- 6 Ways Hackers Sidestep Your Two-Factor Authentication
- Bug Left Some Windows PCs Dangerously Unpatched
New Regulation Intensifies Focus on IT Risk Management and Operational Resilience
Mick Brady, CIO
The Digital Operational Resilience Act puts pressure on IT services and capabilities that reduce risks and vulnerabilities. Here’s how to more easily comply with the regulation.
Digital transformation initiatives, for the most part, offer significant advantages—enhancing efficiency, agility, and innovation across the business. However, these initiatives can also introduce new challenges. As IT landscapes and software delivery processes evolve, the risk of inadvertently creating new vulnerabilities increases. Left unaddressed, these gaps can result in cyberattacks, system outages, and network intrusions.
These risks are particularly critical for financial services institutions, which are now under greater scrutiny with the Digital Operational Resilience Act (DORA). This comprehensive regulation applies to all financial institutions in the European Union (EU), as well as third-party providers of information and communication technology (ICT) services to financial entities. Only small firms are exempt from DORA—those with fewer than 10 employees or less than €2 million in annual turnover and balance sheet total.
A comprehensive regulatory reach
DORA addresses a broad range of ICT risks, including incident response, resilience testing, third-party risk management, and information sharing. To achieve compliance, financial institutions must implement robust controls, submit detailed reports, conduct regular penetration tests, and establish effective third-party risk management strategies, all while adhering to data privacy regulations and other requirements. With dozens of specific rules, DORA’s reach is extensive. Read more
Payment Gateway Data Breach Affects 1.7 M Credit Card Owners
Bill Toulas, Bleeping Computer
Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals.
In the notification sent to impacted clients, the company says that hackers had access to its network for nearly a year, between August 2023 and June 2024.
Slim CD is a provider of payment processing solutions that enables businesses to access electronic and card payments via web-based terminals, mobile, or desktop apps.
The firm first detected suspicious activity on its systems this year on June 15. During the investigation, the company discovered that hackers had gained access to its network since August 17, 2023.
“The investigation identified unauthorized system access between August 17, 2023, and June 15, 2024,” reads the notification to impacted individuals.
However, Slim CD says that the threat actor viewed or obtained access to credit card information this year for two days, between June 14 and 15.
“That access may have enabled an unauthorized actor to view or obtain certain credit card information between June 14, 2024, and June 15, 2024,” Slim CD says in the data breach notification. Read more
6 Ways Hackers Sidestep Your Two-Factor Authentication
Arne Arnold, PC World
To really protect your accounts, you should be aware of 2FA’s vulnerabilities.
Protecting an account with just a username and password is not very smart. Both can be stolen, guessed, or cracked too easily. This is why two-factor authentication (2FA) is recommended for all important access points. It has even been mandatory for online banking for years.
With 2FA, two factors are used to gain access to an account, a network or an application. One factor is a security feature that can come from three categories:
- Knowledge (password, PIN)
- Possession (smartphone, Fido2 stick, etc.)
- Biometrics (fingerprint, facial recognition, etc.)
For 2FA to provide good protection, the two factors used must come from two different categories. If more than two factors are used, this is referred to as multi-factor authentication.
2FA is very secure, but not invulnerable. There are tricks and loopholes that hackers can exploit to take over an account. Read more
Bug Left Some Windows PCs Dangerously Unpatched
Krebs on Security
Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.
By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.
Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously known to be exploited. Read more
Sept. 6, 2024: Fraud & Cybersecurity Articles
- Scammers Draining Cash Directly from ATMs, Emptying Bank Accounts Without Debit Cards in Sophisticated Scheme: Cybersecurity Researchers
- FBI Issues Urgent Ransomware Attack Warning—Do These 3 Things Now
- The Biggest Data Breaches In 2024: 1 Billion Stolen Records And Rising
- ‘Time-Travelling’ Software Could Bankrupt Hackers
Scammers Draining Cash Directly from ATMs, Emptying Bank Accounts Without Debit Cards in Sophisticated Scheme: Cybersecurity Researchers
Mark Emem, The Daily Hodl
Cybersecurity researchers say scammers have found a sophisticated way to drain bank accounts directly from ATMs – without needing a debit card in hand.
Experts at the cybersecurity software firm ESET say they’ve discovered a dangerous and unprecedented type of malware they’re calling NGate. To begin the attack, scammers deploy a phishing technique to embed the malicious software in victims’ mobile devices.
“Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return… After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.”
Some of the information the NGate banking malware asks for includes the victim’s date of birth, their banking client ID and the PIN code for their banking card. Once installed and opened, the NGate malware prompts victims to turn on their mobile device’s near-field communication (NFC) feature.
“Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card. What’s happening behind the scenes is that the NFC data from the victim’s bank card is being sent through a server to the attacker’s Android device. Essentially, this allows the attacker to mimic the victim’s bank card on their own device. This means the attacker can now use this copied card data on their Android device to make payments and withdraw money from ATMs that use NFC… This is the first time we have seen Android malware with this capability being used in the wild.”
If the attackers fail to carry out ATM transactions, their fallback plan is to transfer funds from the bank accounts of their victims to other accounts. Read more
FBI Issues Urgent Ransomware Attack Warning—Do These 3 Things Now
Davey Winder, Forbes
Organizations have been warned that a new ransomware gang has been responsible for hundreds of successful cyberattacks since February 2024. In an urgent joint advisory published August 29, the U.S. Federal Bureau of Investigation along with the Cybersecurity and Infrastructure Security Agency confirmed that organizations across almost every conceivable industry sector have been targeted by the RansomHub ransomware-as-a-service actors.
RansomHub Has Absorbed High-Profile Cybercriminals From Other Groups
The joint cybersecurity advisory, AA24-242A, considers the RansomHub ransomware operations to be both efficient and successful, despite only establishing itself in February. Formerly known by names such as Cyclops and Knight, RansomHub appears to have hit the ground running by attracting criminal talent from well-known ransomware groups such as ALPHV and LockBit after law enforcement attention impinged on their operations.
“Whilst there are rumors that they might be linked,” said Raj Samani, chief scientist at Rapid7, “we have to acknowledge the fact that ALPHV ransomware is written in the Rust language, whereas RansomHub is written in GoLang.” However, Samani added, the rise of RansomHub “also coincided with law enforcement making decryption keys available to keep LockBit at bay. It again shows that once you deal with one criminal enterprise, another will inevitably burst open in the ransomware space.”
The FBI said that RansomHub, which adopts the now-standard double-extortion methodology of encrypting and exfiltrating data, has successfully targeted at least 210 organizations. Victims of the cybercriminals cover industry sectors such as information technology, government services, healthcare, finance, transportation and even emergency services. The group is believed to be responsible for both the UnitedHealth Group ransomware attack and more recently the attack on the oil and gas services company Halliburton. Read more
The Biggest Data Breaches In 2024: 1 Billion Stolen Records And Rising
Zack Whittaker, Tech Crunch
Thanks to UnitedHealth, Snowflake, and AT&T (twice)
We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.
From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.
Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped.
AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers
For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.
In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of “nearly all” of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later). Read more
‘Time-Travelling’ Software Could Bankrupt Hackers
Hugh Cameron, Newsweek
A leading technology company says it has created a cutting-edge data storage system that allows users to “go back in time” and retrieve data held hostage by hackers.
Ionir is a cloud-based data services platform, with offices in New York and Tel Aviv, which provides “the new standard of data services and data management for a hybrid and multi-cloud world.”
In an interview with National Security News, Ionir’s Chief Executive Officer Jacob Cherian spoke about the company’s unique way of thwarting “ransomware” attacks, the use of malware, or malicious software, by cybercriminals to restrict users’ access to their data unless the attackers’ demands are met.
These types of attacks will cost victims an estimated $265 billion annually by 2031, according to cybercrime research organization Cybersecurity Ventures, with attacks on individuals or organizations occurring every two seconds on average.
Significant damage has already been caused by such methods, including the 2021 Colonial Pipeline attack, which targeted America’s largest pipeline system for refined oil products.
This forced a six-day shutdown of the pipeline as the company attempted to fix the impacted computer systems, and caused President Joe Biden to declare a state of emergency in 17 states, during which regulations for drivers carrying gasoline and other fuels were relaxed in order to combat the resulting fuel shortages across the country. Read more
Aug. 29, 2024: Fraud & Cybersecurity Articles
- New Password Hacking Warning for Gmail, Facebook, and Amazon Users
- National Public Data Published Its Own Passwords
- Related Reading: How You Can Protect Yourself Against Inevitable Data Breaches
- Ransomware Gang Targets Google Chrome Users in Surprise New Threat Twist
- Major Backdoor in Millions of RFID Cards Allows Instant Cloning
New Password Hacking Warning for Gmail, Facebook, and Amazon Users
Davey Winder, Forbes
Updated 08/29 with details of a phishing campaign that’s using particularly hard-to-detect attack methodologies.
New threat analysis from researchers at Kaspersky has revealed a dramatic rise in the number of password-stealing attacks targeting Amazon, Facebook and, most of all, Google users. Here’s what you need to know.
Amazon, Facebook And Gmail Are A Magnet For Password Hackers
It should come as no surprise that the likes of Gmail, Facebook, and Amazon account credentials are so sought after by malicious hackers. After all, such accounts can be used to complete the cybercrime triumvirate of data theft, malware distribution and credit card fraud respectively. Google accounts, in particular, are something of a skeleton key that can unlock a treasure trove of other account credentials and personal information to commit fraud. Just think about the information that is contained in your Gmail inbox, and the chances are high that you have one given how popular the web-based free email service is. And that’s before you consider how many organizations still send password change requests and second-factor authentication links to your email account.
Kaspersky analyzed a total of 25 of the biggest and most popular global brands in order to determine which are targeted most by cybercriminals when it comes to phishing attacks. The researchers found, Kaspersky said, that there were around 26 million attempts to access malicious sites masquerading as any one of these brands in the first half of 2024 alone. That represents an increase of approximately 40% from the same period in 2023.
Phishing Attacks Against Google Increased By 243%
Sitting at the top of the phishing target pile, for all the reasons already mentioned, was Google. When it comes to attempting to steal credentials such as passwords, Google remains a firm favorite on the cybercriminal attack radar. Kaspersky said it had seen a 243% increase in attack attempts for the first six months of 2024, with some 4 million such attempts blocked by Kaspersky security solutions during this period. Read more
National Public Data Published Its Own Passwords
Krebs on Security
New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.
In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).
NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.
Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and passwords for the site’s administrator.
A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.
- Related Reading: How You Can Protect Yourself Against Inevitable Data Breaches
Ransomware Gang Targets Google Chrome Users in Surprise New Threat Twist
Davey Winder, Forbes
Updated 08/27 with additional ransomware threat information from Sophos X-Ops
Qilin, the Russia-linked cybercrime group thought to be behind the attacks that caused chaos at a number of U.K. hospitals in June, has now been caught stealing credentials stored within Google Chrome browsers in a surprise new twist to the ransomware attack threat.
Although ransomware is not only a long-established but also increasingly costly threat to organizations, Qilin is a relatively new player in the nasty cybercrime game. Running a Ransomware-as-a-Service criminal operation, Qilin is known to date back only as far as October 2022. Researchers from the Sophos X-Ops team have now analyzed a recent attack by the Qilin operators and discovered a new and unusual tactic which they describe as providing “a bonus multiplier for the chaos already inherent in ransomware situations.” That tactic being the simultaneous theft of credentials from Google Chrome browsers found on a subset of the victim network’s endpoints, extending the potential reach of the attack beyond the original target.
The Sophos X-Ops Team Qilin Attack Analysis
The attack that the Sophos researchers analyzed took place in July 2024, after the London hospitals incident, but the victim has not been named. What we do know is that Qilin used compromised credentials to access a VPN portal that was not protected by multi-factor authentication. It is highly likely that these credentials were obtained by way of an initial access broker, a threat actor who sells such access to ransomware groups through dark marketplaces. There was an 18-day period of no activity following the initial access, which strengthens the initial access broker supply theory. Read more
Major Backdoor in Millions of RFID Cards Allows Instant Cloning
Ryan Naraine, Security Week
A significant backdoor in contactless cards made by China-based Shanghai Fudan Microelectronics allows instantaneous cloning of RFID cards used to open office doors and hotel rooms around the world.
French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.
The backdoor, documented in a research paper by Quarkslab researcher Philippe Teuwen, allows the instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world. Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, Teuwen explained in the paper (PDF).
Teuwen said he discovered the backdoor while conducting security experiments on the MIFARE Classic card family that is widely deployed in public transportation and the hospitality industry. The MIFARE Classic card family, originally launched in 1994 by Philips (now NXP Semiconductors), is widely used and has been subjected to numerous attacks over the years.
Security vulnerabilities that allow “card-only” attacks (attacks that require access to a card but not the corresponding card reader) are of particular concern as they may enable attackers to clone cards, or to read and write their content, just by having physical proximity for a few minutes. Over the years, new versions of the MIFARE Classic family fixed the different types of attacks documented by security researchers. Read more
Aug. 23, 2024: Fraud & Cybersecurity Articles
- Ransomware Gang Deploys New Malware to Kill Security Software
- The Facts About Continuous Penetration Testing and Why It’s Important
- Has My PC Been Hacked? 5 Ways to Detect Virus Attacks, Step-By-Step
- FBI Takes Down Ransomware Gang That Hacked Dozens of Companies
Ransomware Gang Deploys New Malware to Kill Security Software
Sergiu Gatlan, Bleeping Computer
RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system.
This technique is very popular among various threat actors, ranging from financially motivated ransomware gangs to state-backed hacking groups.
“During the incident in May, the threat actors — we estimate with moderate confidence that this tool is being used by multiple attackers — attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer, but the tool failed,” said Sophos threat researcher Andreas Klopsch.
“They then attempted to run the ransomware executable on the machine they controlled, but that also failed when the endpoint agent’s CryptoGuard feature was triggered.”
While investigating, Sophos discovered two different samples, both with proof-of-concept exploits available on GitHub: one exploiting a vulnerable driver known as RentDrv2 and another exploiting a driver called ThreatFireMonitor, a component of a deprecated system-monitoring package.
Sophos also found that EDRKillShifter can deliver various driver payloads based on the attackers’ needs and that the malware’s language property suggests it was compiled on a computer with Russian localization. Read more
The Facts About Continuous Penetration Testing and Why It’s Important
The Hacker News
What is Continuous Attack Surface Penetration Testing or CASPT?
Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves continuous, automated penetration testing of an organization’s digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an evolving attack surface where periodic pentesting is no longer sufficient. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real time or near real time.
CASPT is a proactive security measure designed to stay ahead of potential attackers by continuously evaluating the security posture of an organization. It enables security teams to identify critical entry points that could be exploited by attackers, validate the effectiveness of existing security controls, and ensure that any newly introduced code or infrastructure changes do not introduce new vulnerabilities. Users can run baseline tests to surface changes or new updates across assets and their associated vulnerabilities, providing a roadmap for pentesting teams as soon as changes are detected.
What Continuous Attack Surface Penetration Testing is Not
While CASPT shares similarities with traditional penetration testing, there are distinct differences:
Not a One-Time Assessment: Traditional penetration testing is typically a one-time assessment conducted periodically. CASPT, however, is an ongoing process, with tests running continuously or on a frequent, scheduled basis. Read more
Has My PC Been Hacked? 5 Ways to Detect Virus Attacks, Step-By-Step
Arne Arnold, PC World
If a ransom note suddenly appears on your PC screen, your PC has been hacked. But computer attacks are not always so drastic and clear-cut.
For the less obvious cases, you’ll need a finer sense and the right know-how. A first step is running a quick scan with your antivirus program of choice. If the tool detects a pest, then the matter is taken care of. But sometimes the antivirus program doesn’t locate the malicious code… and yet Windows behaves strangely. This is where you need to take a closer look at the symptoms.
1. Program and system react slowly
Symptom: The system suddenly runs in a sluggish manner. Programs boot up at a snail’s pace. CPU utilization (see below in the Investigation section) is at 100 percent.
Harmless causes: There are several harmless causes for a CPU utilization of 100 percent. Usually, a legitimate program is just working through a computationally intensive task. This can be the compression of a video or a complex image management task. On older PCs, even the playback of HD videos leads to high CPU load.
A second harmless possibility is a Windows 10 bug, which is already several years old. The Windows 10 task manager shows a load of 100 percent, although the CPU isn’t working that much. A third (but not so harmless) cause is bugs in programs, or even in a Windows tool, that claim the maximum CPU power for themselves. Read more
FBI Takes Down Ransomware Gang That Hacked Dozens of Companies
Zack Whittaker, Tech Crunch
The FBI said Monday it seized the servers of a ransomware and extortion gang called Radar (aka Dispossessor).
At the time of writing, Radar’s website features a message from law enforcement, reading: “This website has been seized.” It’s a rare win for the FBI, which along with global law enforcement agencies has struggled to contain and curtail the rising threat from ransomware.
In a statement from the FBI’s Cleveland, Ohio, field office, the feds said they seized the gang’s domains and servers located in the United Kingdom and Germany. Radar/Dispossessor had at least 43 victim companies since the gang started out in August 2023, the agency said.
The FBI said the Radar/Dispossessor group, led by a ringleader named “Brain,” would exploit security flaws in a victim company’s systems, steal vast amounts of data and scramble the company’s data with encryption. The gang would hold the data hostage in exchange for a ransom, and threaten to publish the data if the ransom wasn’t paid, a common tactic used by extortion gangs known as “double extortion.” Read more
Aug. 16, 2024: Fraud & Cybersecurity Articles
- 2.9B People May Have Been Compromised in National Public Data Breach. Here’s What You Need to Know
- Unlocking the Front Door: Phishing Emails Remain a Top Cyber Threat Despite MFA
- How to Augment Your Password Security with EASM
- Information Security Vs. Cybersecurity: What’s The Difference?
2.9B People May Have Been Compromised in National Public Data Breach. Here’s What You Need to Know
There are many steps you can take to thwart cybercriminals if your data has been compromised.
Danni Santana, CNET Money
Following major data breaches targeting AT&T and Ticketmaster this year, another cyberattack in the news this week appears to have compromised the identities of billions of more people. National Public Data, a background check company owned by Jerico Pictures, is believed to be a victim of a cyberattack executed by cybercriminal group USDoD, Bloomberg Law reported.
The personal data of 2.9 billion people was allegedly compromised in the attack. Personal data obtained by attackers includes full names, current and past addresses — dating back decades — and Social Security numbers, according to a new lawsuit filed in Florida Southern District Court.
While the specifics of the data breach remain unclear, the trove of data was put up for sale on the dark web for $3.5 million in April, the complaint reads.
National Public Data has yet to inform victims affected by the breach about their data being compromised, according to the lawsuit. The plaintiff was only alerted of the breach thanks to a notification from his identity theft protection service on July 24. National Public Data and Jerico Pictures didn’t immediately respond to CNET’s requests for comment.
Data breaches are popping up more frequently. More than 1,500 data breaches have occurred in the first half of 2024, impacting about 1 billion people, according to the Identity Theft Resource Center. If you’re worried about this latest data breach or simply want to safeguard your personal data, there are steps you can take. Read more
Unlocking the Front Door: Phishing Emails Remain a Top Cyber Threat Despite MFA
Kevin Townsend, Security Week
SecurityWeek spoke with Mike Britton, CISO at Abnormal Security, to understand what the company has learned about current social engineering and phishing attacks.
It is easier to use a key to the front door rather than to force an exploit on the rear window. And it is remarkably easy to get that key, almost just by asking for it, through attacks via users’ email mailboxes.
Abnormal’s email threat analysis for H1 2024 notes that email attacks increased by almost 50% from H2 2023 to H1 2024 (from 139 attacks per thousand mailboxes to 208 attacks per thousand mailboxes).
The basis for this analysis (PDF) comes from Abnormal’s own telemetry. It has around 2,400 customers across the globe and from all industry sectors. It analyzes the threats it catches to understand the type of attack, and then normalizes the results to a per thousand mailboxes metric.
SecurityWeek spoke with Mike Britton, CISO at Abnormal Security, to understand what the ‘human behavior security’ firm has learned about current social engineering and phishing attacks.
The first question is why doesn’t MFA, which is a primary security recommendation, prevent successful phishing? “There are known attacks against MFA,” said Britton: “the MFA fatigue attack, some session attacks, and some MitM attacks. But I think the biggest problem is that very few organizations, especially organizations of any size or scale, have consistently applied MFA 100% of the time on 100% of accounts.”
It should be a minimum bar, but it’s not a silver bullet. “It doesn’t stop all attacks,” he continued. “It doesn’t stop a social engineering attack. It doesn’t stop a fake invoice attack. It is pretty effective against credential phishing in most situations, but not 100%.” Read more
How to Augment Your Password Security with EASM
The Hacker News
Simply relying on traditional password security measures is no longer sufficient. When it comes to protecting your organization from credential-based attacks, it is essential to lock down the basics first. Securing your Active Directory should be a priority – it is like making sure a house has a locked front door before investing in a high-end alarm system. Once the fundamentals are covered, look at how integrating external attack surface management (EASM) can significantly augment your password security, offering a robust shield against potential cyber threats and breaches.
First Secure Your Active Directory
IT administrators should go beyond the minimum password policy standards and their complexity mandates. To enhance Active Directory security, they should enforce a policy that prevents users from choosing weak passwords and add a tool that detects and blocks the use of compromised passwords. Using a tool like Specops Password Policy enforces strong password practices and identifies password-related vulnerabilities, which is crucial for defending against credential-based attacks and related risks such as password reuse. Once these fundamentals are covered, EASM tools can further enhance security.
What’s EASM and how does it work?
An EASM solution begins by identifying and cataloging all publicly accessible digital assets of an organization, including both known and unknown assets. Following this, the EASM tool scans these assets for vulnerabilities, scrutinizing configurations and identifying potential security risks. It then prioritizes these vulnerabilities based on their severity and the specific context of the organization, helping IT teams to address the most critical issues first. Read more
Information Security Vs. Cybersecurity: What’s The Difference?
Brandon Galarita, Brenna Swanston, & Jordan Wigley, Forbes
It’s easy to confuse information security (infosec) and cybersecurity, as the two areas overlap in many ways. In fact, cybersecurity is a subset of information security. However, the fields are not quite the same, with each featuring distinct specialties and requiring different skill sets.
Even within the infosec and cybersecurity communities, the distinction between these terms is hotly debated and can be blurry. Many people use “information security” and “cybersecurity” interchangeably. However, understanding the textbook definitions of these terms can help you gain a deeper understanding of how the disciplines compare and interact.
Information Security vs. Cybersecurity
The National Institute of Standards and Technology (NIST) recognizes information security and cybersecurity as separate career areas. That said, there is certainly an overlap between the two. Below are the key definitions and distinctions of each.
What Is Information Security?
According to NIST, infosec’s core function is to safeguard information and information systems against unauthorized access and use. Unauthorized use as NIST defines it can include destroying, modifying or disclosing data, as well as disrupting the functioning of an information system. Read more
Aug. 9, 2024: Fraud & Cybersecurity Articles
- Opinion: How I Got ‘Hacked’ And What That Says About the Banking System
- Hackers Can Wirelessly Watch Your Display Via HDMI Radiation
- Surge In Magniber Ransomware Attacks Impact Home Users Worldwide
- 2.9 Billion Hit In One Of The Largest Data Breaches Ever — Full Names, Addresses And SSNs Exposed
Opinion: How I Got ‘Hacked’ And What That Says About the Banking System
A mysterious breach of a small bank in Arkansas shows fintech needs to focus more on its plumbing
Stephen Gandel, Financial Times
The hack of a small community bank in Arkansas and a related fight over as much as $95mn in missing customer funds that has increasingly drawn the ire of bank regulators and lawmakers has ensnared a surprising, personally at least, victim: Me.
Last week, my wife got an email from Evolve Bank & Trust, which is based in West Memphis, Arkansas, saying a data breach at the bank had exposed our personal information to hackers, but that our funds remained safe.
Here’s the catch: We don’t have an account or any funds at Evolve Bank, at least I didn’t think so. I live in New York, which is about 1,000 miles from where Evolve Bank is based. I have one bank account, jointly with my wife, that we opened in person at a New York City branch of one of the nation’s largest banks nearly two decades ago. We have one bank credit card account.
Another email arrived with a picture of a $480 cheque made out to my wife. I have confirmed that this is legit, a payout that Copper, a fintech that had partnered with Evolve, believes we are owed—money missing from my non-existent, at least to my knowledge, account. This is modern finance, or perhaps an indictment of it.
That my personal data was stolen from a bank I was never a client of, and that my wife ended up with nearly $500 that I don’t think is hers, is evidence of how interconnected, messy, and vulnerable our current banking system is. The small Arkansas bank’s troubles started in April when Synapse, a fintech, went bankrupt. Synapse wasn’t a typical fintech, offering loans or savings accounts online.
Instead, it specializes in connecting other fintechs to traditional banks, often small community lenders, in pass-through relationships that are sometimes called rent-a-bank. The small banks want more customers but need a way to reach them. The start-ups have sleek apps but no safe place to keep their clients’ funds. For dozens of apps and a handful of banks, Synapse became the matchmaker. Read more
Hackers Can Wirelessly Watch Your Display Via HDMI Radiation
Michael Crider, PC World
A newly discovered technique combines wireless EM monitoring and AI algorithms to “read” text on a victim’s screen via HDMI radiation, and it’s already being used in the wild.
Covertly intercepting video signals is a very old-fashioned way to go about electronic spying, but a new method discovered by researchers puts a frightening spin on it.
A research team out of Uruguay has found that it’s possible to intercept the wireless electromagnetic radiation coming from an HDMI cable and interpret the video by processing it with AI. Three scientists from the University of the Republic in Montevideo published their findings on Cornell’s ArXiv service, spotted by Techspot.
According to the paper, it’s possible to train an AI model to interpret the tiny fluctuations in electromagnetic energy from the wired HDMI signal. Even though it’s a wired standard and it’s usually encrypted digitally, there’s enough electromagnetic signal coming off of these cables to detect without direct access.
Detecting and decoding are two different things, of course. But the researchers also found that using an AI model paired to text recognition software, it’s possible to “read” the wirelessly recorded EM radiation with up to 70 percent accuracy. Read more
Surge In Magniber Ransomware Attacks Impact Home Users Worldwide
Lawrence Abrams, Bleeping Computer
A massive Magniber ransomware campaign is underway, encrypting home users’ devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.
Magniber launched in 2017 as a successor to the Cerber ransomware operation when it was spotted being distributed by the Magnitude exploit kit.
Since then, the ransomware operation has seen bursts of activity over the years, with the threat actors utilizing various methods to distribute Magniber and encrypt devices. These tactics include using Windows zero-days, fake Windows and browser updates, and trojanized software cracks and key generators.
Unlike the larger ransomware operations, Magniber has primarily targeted individual users who download malicious software and execute it on their home or small business systems.
In 2018, AhnLab released a decryptor for the Magniber ransomware. However, it no longer works as the threat actors fixed the bug allowing free file decryption.
Ongoing Magniber campaign
Since July 20, BleepingComputer has seen a surge in Magniber ransomware victims seeking help in our forums. Ransomware identification site ID-Ransomware has also seen a surge, with almost 720 submissions to the site since July 20, 2024. Read more
Related Reading: Google Issues Critical Chrome Update for All Windows Users—Check Your PC Now
2.9 Billion Hit In One Of The Largest Data Breaches Ever — Full Names, Addresses And SSNs Exposed
Anthony Spadafora, Tom’s Guide
Stolen data was then put up for sale on the dark web
Regardless of how careful you are online, your personal data can still end up in the hands of hackers—and a new data breach that exposed the data of 2.9 billion people is the perfect example of this.
As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month. A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.
The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million.
Here’s everything we know so far about this massive data breach along with some steps you can take to stay safe if your personal information was exposed online. Read more
Aug. 2, 2024: Fraud & Cybersecurity Articles
- Cost of Data Breach in 2024: $4.88 Million, Says Latest IBM Study
- CrowdStrike Faces Lawsuits from Customers, Investors
- If You’re Getting Dozens of Password Reset Notifications, You’re Being Attacked
- Credit Card Users Get Mysterious Shopify-Charge.Com Charges
- Related reading: Shopify denies it was hacked, links stolen data to third-party app
Cost of Data Breach in 2024: $4.88 Million, Says Latest IBM Study
The average cost of a data breach jumped to $4.88 million from $4.45 million in 2023, a 10% spike.
Kevin Townsend, Security Week
The bald figure of $4.88 million tells us little about the state of security. But the detail contained within the latest IBM Cost of Data Breach Report highlights areas we are winning, areas we are losing, and the areas we could and should do better.
“The real benefit to industry,” explains Sam Hector, IBM’s cybersecurity global strategy leader, “is that we’ve been doing this consistently over many years. It allows the industry to build up a picture over time of the changes that are happening in the threat landscape and the most effective ways to prepare for the inevitable breach.”
IBM goes to considerable lengths to ensure the statistical accuracy of its report (PDF). More than 600 companies were queried across 17 industry sectors in 16 countries. The individual companies change year on year, but the size of the survey remains consistent (the major change this year is that ‘Scandinavia’ was dropped and ‘Benelux’ added). The details help us understand where security is winning, and where it is losing. Overall, this year’s report leads toward the inevitable assumption that we are currently losing: the cost of a breach has increased by approximately 10% over last year.
While this generality may be true, it is incumbent on each reader to effectively interpret the devil hidden within the detail of statistics – and this may not be as simple as it seems. We’ll highlight this by looking at just three of the many areas covered in the report: AI, staff, and ransomware.
AI is given detailed discussion, but it is a complex area that is still only nascent. AI currently comes in two basic flavors: machine learning built into detection systems, and the use of proprietary and third-party gen-AI systems. The first is the simplest, the easiest to implement, and the most easily measurable. According to the report, companies that use ML in detection and prevention incurred an average $2.2 million less in breach costs compared to those that did not use ML. Read more
CrowdStrike Faces Lawsuits from Customers, Investors
CrowdStrike is facing lawsuits from investors and customers following the incident that caused massive global outages.
Eduard Kovacs, Security Week
CrowdStrike is facing lawsuits from investors and customers following the incident that caused massive global outages, but some believe the company is likely shielded from legal action.
Roughly 8.5 million Windows devices worldwide entered a Blue Screen of Death (BSOD) loop on July 19 after CrowdStrike pushed out a bad update that was not properly tested. The incident caused problems for organizations in sectors such as aviation, financial, healthcare, and education, and it took roughly one week for most devices to be restored.
Insurer Parametrix estimates that the total direct financial loss for US Fortune 500 companies — excluding Microsoft — is $5.4 billion, with the total loss estimated at $15 billion. Parametrix believes that only 10-20% of the losses suffered by Fortune 500 customers will be covered by insurance.
Parametrix reported that airlines suffered the biggest losses — $143 million on average. One airline, Delta, was particularly badly hit, struggling for several days to recover from the outage caused by the CrowdStrike update. CNBC reported on Monday that Delta has hired a prominent attorney to pursue potential damages from both CrowdStrike and Microsoft. Delta is estimated to have lost between $350 million and $500 million due to the outages.
Delta is dealing with more than 176,000 refund or reimbursement requests after being forced to cancel thousands of flights. The airline has hired David Boies, an attorney known for representing the US government in an antitrust case against Microsoft. He also worked with former Hollywood mogul Harvey Weinstein and Theranos founder Elizabeth Holmes. Read more
If You’re Getting Dozens of Password Reset Notifications, You’re Being Attacked
Malcolm Owen, Apple Insider
Apple users are becoming the target of a new wave of phishing attacks called “MFA Bombing” that relies on user impatience, and a bug in Apple’s password reset mechanism.
Phishing attacks often rely on users supplying information to an attacker or allowing them to do something to their account, often via an email, text message, or other messaging means. A recently discovered phishing attack has used a new route to make victims fall for it, by using Apple’s password reset system.
Dubbed “MFA Bombing,” “MFA Fatigue,” or “Push Bombing,” the attack detailed by Krebs on Security is an elaborate phishing attack that appears to revolve around a bug in the password reset feature. Victims are inundated by “Reset Password” notifications, including the text “Use this iPhone to reset your Apple ID password,” and the options to allow or reject the request.
This notification is genuine. It is usually displayed once to the user when they attempt to reset their Apple ID password, as a form of multi-factor authentication on an iPhone, Mac, iPad, or Apple Watch.
The problem with the attack is that the attacker is bombarding the target with so many notifications. It is hoped the user will either accidentally select Allow instead of Don’t Allow, or will be annoyed by the deluge of notifications that they will select Allow in order to make it stop. Read more
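The burst of reset prompts described above (and the MFA fatigue attack mentioned in the Abnormal Security interview earlier in this digest) has a simple signature in authentication telemetry: many prompts for one account in a short window, sometimes followed by an Allow. The following is an added example, not code from Apple, Krebs on Security or the cited article; the log format, event names and thresholds are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical format (not Apple's real telemetry):
#   <ISO-8601 timestamp> <account> <event>
# alice receives eight reset prompts in under two minutes and finally taps Allow;
# bob receives a single prompt from a reset he started himself.
SAMPLE_LOG = """\
2024-07-30T10:00:01Z alice RESET_PROMPT_SENT
2024-07-30T10:00:05Z alice PROMPT_DENIED
2024-07-30T10:00:09Z alice RESET_PROMPT_SENT
2024-07-30T10:00:12Z alice PROMPT_DENIED
2024-07-30T10:00:20Z alice RESET_PROMPT_SENT
2024-07-30T10:00:31Z alice RESET_PROMPT_SENT
2024-07-30T10:00:44Z alice RESET_PROMPT_SENT
2024-07-30T10:00:58Z alice RESET_PROMPT_SENT
2024-07-30T10:01:15Z alice RESET_PROMPT_SENT
2024-07-30T10:01:33Z alice RESET_PROMPT_SENT
2024-07-30T10:01:40Z alice PROMPT_ALLOWED
2024-07-30T10:30:00Z bob RESET_PROMPT_SENT
2024-07-30T10:30:20Z bob PROMPT_ALLOWED
"""

PROMPT_EVENT = "RESET_PROMPT_SENT"   # hypothetical event names
ALLOW_EVENT = "PROMPT_ALLOWED"


def parse_log(text):
    """Parse log lines into (timestamp, account, event) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, parts[1], parts[2]))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """
    Flag accounts that received at least `threshold` prompts inside any `window`.
    A legitimate reset produces one prompt; a flood is the signature of bombing.
    Returns {account: {"peak_prompts": n, "burst_start": ts, "allowed_after_burst": bool}}.
    """
    recent = defaultdict(deque)   # account -> prompt timestamps still inside the window
    findings = {}
    for ts, account, event in events:
        if event == PROMPT_EVENT:
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(account, {"peak_prompts": 0,
                                                  "burst_start": q[0],
                                                  "allowed_after_burst": False})
                f["peak_prompts"] = max(f["peak_prompts"], len(q))
        elif event == ALLOW_EVENT and account in findings:
            # An Allow landing after a flood is the outcome the attacker wants:
            # the SOC should invalidate the reset and force re-authentication.
            findings[account]["allowed_after_burst"] = True
    return findings


if __name__ == "__main__":
    for account, f in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        severity = "HIGH" if f["allowed_after_burst"] else "MEDIUM"
        print(f"{severity}: {account} got {f['peak_prompts']} prompts from {f['burst_start']:%H:%M:%S}")
```

Tune `threshold` and `window` to the prompt rate a real reset flow produces; the point of the check is that one user-initiated reset never yields a burst.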
Credit Card Users Get Mysterious Shopify-Charge.Com Charges
Lawrence Abrams, Bleeping Computer
People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything.
The charges have no rhyme or reason to them and are seen on physical and virtual credit cards of all types, including those from Discover, Monzo, Capital One, and other Visa cards. Some people report that charges were also attempted against older deactivated cards.
According to reports, the charges started approximately ten days ago, on July 21st, with the number of impacted people increasing as time passed.
“Not sure if it was just me today but seems like I’ve got a shopify active card check today. Thankfully, no money was debited. Got in touch with support and they confirmed it was a scammer,” warned a Monzo card member on Reddit.
“I just received an email from privacy.com notifying me of a decline. The declined payment was for $0.00 charge at SHOPIFY-CHARGE.COM I have not used this card outside of paying for my Wyze cam subscription,” warned another person. Read more
- Related reading: Shopify denies it was hacked, links stolen data to third-party app
July 26, 2024: Fraud & Cybersecurity Articles
- How a North Korean Fake IT Worker Tried to Infiltrate Us
- CISA’s Jack Cable Discusses US Push for More Secure Software
- Again?! Combating the Resurgence of the Medusa Banking Trojan
- Google Chrome Now Warns About Risky Password-Protected Archives
How a North Korean Fake IT Worker Tried to Infiltrate Us
Stu Sjouwerman, KnowBe4
First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification; there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you. We wrote an FAQ, answering questions from customers. Story updated 7/25/2024.
TLDR: KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.
Our HR team conducted four video-conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI “enhanced”.
The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That’s when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography (below). The detail in the following summary is limited because this is an active FBI investigation.
SUMMARY: This report covers the investigation of Employee ID: XXXX hired as a Principal Software Engineer. On July 15, 2024, a series of suspicious activities were detected on that user account. Based on the SOC team’s evaluation of the activities, it was found this may have been intentional by the user, and he was suspected of being an Insider Threat/Nation State Actor. Upon initial investigation and containment of the host, a more detailed inquiry into the new hire took place. Read more
CISA’s Jack Cable Discusses US Push for More Secure Software
James Coker, Infosecurity Magazine
Cybersecurity researchers have observed a surge in the exploitation of vulnerabilities in widely used software products by both financially-motivated cybercriminals and nation-state actors.
As well as being able to gain initial access to multiple organizations in a single hit, this approach provides a basis for evading defenses and establishing persistent access in target networks. Incidents like SolarWinds in 2020, Log4j in 2022 and MOVEit in 2023 significantly impacted government and critical sector organizations.
In response to this trend, the White House’s National Cybersecurity Strategy, unveiled in March 2023, aims to shift the security responsibility away from end users to those best placed to shoulder that burden, including software manufacturers. The Cybersecurity and Infrastructure Security Agency (CISA) developed a Secure by Design initiative in April 2023 to explain how software manufacturers can ensure security is built into their products.
A Secure by Design Pledge was then announced in May 2024, encouraging manufacturers to commit to making progress across a range of secure by design principles. Infosecurity Magazine recently spoke to Jack Cable, Senior Technical Advisor at CISA, to find out more about the Secure by Design initiative and pledge and their progress to date. Read more
Again?! Combating the Resurgence of the Medusa Banking Trojan
Anne Saita, The Financial Brand
The resurgence of the Medusa banking trojan poses a significant threat to Android users in seven countries, stealing financial information through sophisticated methods. Banks and credit unions can protect customers by educating them on detection, removal and prevention strategies, fostering trust and security.
Just as the gaze of the mythical Medusa turned onlookers to stone, the recent resurgence of the Medusa banking trojan stunned banks and credit unions. Financial institutions continue to field calls from customers fearing they’ve been infected and that their financial assets have been wiped out.
By understanding and conveying the threat and mitigations to all stakeholders, officials at banks and credit unions can safeguard funds and forge a stronger connection with their customers and members.
A Stealthier Banking Trojan Re-emerges
The Medusa banking trojan first surfaced in 2020 to steal sensitive financial information from Android devices. It spread through phishing emails and messages from seemingly trustworthy sources, prompting users to unwittingly download and install the malware that surreptitiously steals banking credentials.
Its developers have continuously updated the trojan, adding sophisticated features like keylogging, screen capturing and remote-control capabilities. This adaptability allowed Medusa to bypass many traditional anti-malware defenses, contributing to its early successes.
One new feature allows the attacker to display a full black screen on the target device, creating the illusion that it is locked or turned off. This acts as camouflage for conducting malicious operations undetected. Read more
Google Chrome Now Warns About Risky Password-Protected Archives
Sergiu Gatlan, Bleeping Computer
Google Chrome now warns when downloading risky password-protected files and provides improved alerts with more information about potentially malicious downloaded files.
These new, more detailed warning messages help users quickly learn the nature of the danger presented by each file downloaded from the Internet. For this, Google introduced a two-tier download warning system that uses AI-powered malware verdicts sourced from its Safe Browsing service to help evaluate the actual risk quickly.
Users will now see warnings alerting them of suspicious files (based on lower confidence verdicts and unknown risk of user harm) or dangerous files (on high confidence verdicts and high risk of user harm). “These two tiers of warnings are distinguished by iconography, color, and text, to make it easy for users to quickly and confidently make the best choice for themselves based on the nature of the danger and Safe Browsing’s level of certainty,” the Chrome Security team explains.
“Overall, these improvements in clarity and consistency have resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads.” The Chrome browser now also sends suspicious files to the company’s servers for a deeper scan for users with Enhanced Protection mode enabled in Safe Browsing, providing extra protection while “reducing user friction.” Read more
July 19, 2024: Fraud & Cybersecurity Articles
- How To Tell If Your Online Accounts Have Been Hacked
- Related Reading: How To Protect Your Startup from Email Scams
- Apple Warns iPhone Users in 98 Countries of Spyware Attacks
- BSA Filings and Their Utility to Law Enforcement
- AT&T Breach Linked to American Hacker, Telecom Giant Paid $370k Ransom
How To Tell If Your Online Accounts Have Been Hacked
Lorenzo Franceschi-Bicchierai, TechCrunch
More and more hackers are targeting regular people with the goal of stealing their crypto, perhaps getting into their bank accounts or simply stalking them. These types of attacks are still relatively rare, so there’s no need for alarm. But it’s important to know what you can do to protect yourself if you suspect someone got into your email or social media account.
A few years ago, I wrote a guide to help people protect themselves, and understand that most of the companies you have an account with already offer you tools to take control of your accounts’ security, even before you contact them for help, which in some cases you still should do.
Just like in the previous guide, there’s an important caveat. You should know that these methods don’t guarantee that you haven’t been compromised. If you still aren’t sure, you should contact a professional, especially if you are a journalist, a dissident or activist, or otherwise someone who has a higher risk of being targeted. In those cases, the nonprofit Access Now has a digital security helpline that will connect you to one of their experts.
Another caveat: if you don’t do this already, you should enable multi-factor authentication on all your accounts, or at least the most important ones (email, banking, social media). This directory is a great resource that teaches you how to enable multi-factor authentication on more than 1,000 websites. (Note that you don’t have to use the multi-factor app promoted on that site; there are plenty of other alternatives.)
Related Reading: How To Protect Your Startup from Email Scams
Apple Warns iPhone Users in 98 Countries of Spyware Attacks
Manish Singh, TechCrunch
Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks. It’s the second such alert campaign from the company this year, following a similar notification sent to users in 92 nations in April.
Since 2021, Apple has been regularly sending these notifications, reaching users in over 150 countries, according to a support document on the company’s website. The latest warnings, out Wednesday, did not disclose the attackers’ identities or the countries where users received notifications.
Users in India are among those who have received Apple’s latest threat notifications, according to user testimonials. In October, Apple sent similar warnings to several journalists and politicians in the country. Amnesty International, a human rights advocacy group, later reported discovering the presence of Pegasus, a highly invasive spyware developed by Israeli firm NSO Group, on the iPhones of prominent Indian journalists. Read more
BSA Filings and Their Utility to Law Enforcement
Peter D. Hardy & Siana Danch, MoneyLaundering News
First in a Two-Part Series on the Utility of BSA Filings
Today we are very pleased to welcome guest blogger, Don Fort, who is the Director of Investigations at Kostelanetz LLP, and the past Chief of the Internal Revenue Service’s Criminal Investigation (CI) Division.
As Chief of IRS-CI from 2017 to 2020, Don led the sixth largest U.S. law enforcement agency, managing a budget of over $625 million and a worldwide staff of approximately 3,000, including 2,100 special agents in 21 IRS field offices and 11 foreign countries. Don’s time in law enforcement included overseeing investigations of some of the most significant financial crimes involving tax evasion, sanctions evasion, money laundering, bribery, international corruption, bank malfeasance, cyber and cryptocurrency crimes, and terrorist financing.
We reached out to Don because we were interested in his perspective on the 2023 Year-in-Review (YIR) published by the Financial Crimes Enforcement Network (FinCEN), on which we previously blogged. According to the YIR, there are about 294,000 financial institutions and other e-filers registered to file Bank Secrecy Act (BSA) reports with FinCEN. Collectively, they filed during FY 2023 a total of 4.6 million Suspicious Activity Reports (SARs) and 20.8 million Currency Transaction Reports (CTRs), as well as 1.6 million Reports of Foreign Bank and Financial Accounts (FBARs), 421,500 Forms 8300 regarding cash payments over $10,000 received in a trade or business, and 143,200 Reports of International Transportation of Currency or Monetary Instruments (CMIRs) for certain cross-border transactions exceeding $10,000. Although the YIR necessarily represents only a snapshot lacking full context, only a very small portion of those filings ever became relevant to actual federal criminal investigations. But, the YIR makes clear that one of the most, or the most, important consumers of BSA filings is IRS-CI.
In our next related blog, we will discuss the utility of filings in the global anti-money laundering/countering the financing of terrorism compliance regime, from the perspective of industry – specifically, recent publications by the Wolfsberg Group, and the Bank Policy Institute, the Financial Technology Association, the Independent Community Bankers of America, the American Gaming Association, and the Securities Industry and Financial Markets Association. Read more
AT&T Breach Linked to American Hacker, Telecom Giant Paid $370k Ransom
The massive AT&T breach has been linked to an American hacker living in Turkey, and reports say the telecom giant paid a $370,000 ransom.
Eduard Kovacs, Security Week
The recently disclosed AT&T data breach has been linked to an American hacker living in Turkey, and the telecom giant reportedly paid a significant ransom to ensure that the stolen information would be deleted.
AT&T revealed on Friday that it had suffered a data breach affecting nearly all of its wireless customers. The company said that in April hackers exfiltrated records of customer call and text interactions from May 1, 2022, to October 31, 2022, as well as on January 2, 2023. The data originated from AT&T’s ‘workspace’ on a third-party cloud platform.
The company explained that the compromised records identify other phone numbers that impacted customers interacted with, including call or text counts and call durations. The content of calls or texts, timestamps, and other sensitive personal information was not impacted.
“While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools,” AT&T said. The telecom giant also noted that it does not believe the stolen data is publicly available and said it had received information that “at least one person has been apprehended”. AT&T is notifying roughly 110 million customers about the incident.
More information relating to the AT&T hack became available over the weekend. Wired reported that AT&T paid a hacker roughly $370,000 in bitcoin back in May in order to prevent the data from getting leaked. The hacker in question, a member of the notorious ShinyHunters group, provided proof of the transaction, which was also confirmed to Wired by others based on cryptocurrency transfer records.
The hacker reportedly demanded a $1 million ransom from AT&T, but he ultimately settled for far less. The hacker provided AT&T with a video showing that he had deleted the stolen data.
July 12, 2024: Fraud & Cybersecurity Articles
- Supreme Court Opens Door to More APA Challenges by Ruling that Right of Action Accrues When Regulation First Causes Injury
- RockYou2024: 10 Billion Passwords Leaked In The Largest Compilation of All Time
- Intuit Class Action Claims Co. Failed to Prevent TurboTax, Credit Karma Data Breach
- Hackers Target WordPress Calendar Plugin Used By 150,000 Sites
Supreme Court Opens Door to More APA Challenges by Ruling that Right of Action Accrues When Regulation First Causes Injury
Opinion Can Invite New Challenges to Long-Standing BSA/AML Regulations
Kristen E. Larson, John Culhane, Alan Kaplinsky & Peter D. Hardy, Ballard Spahr
On July 1, 2024, the Supreme Court issued its opinion in Corner Post, Inc. v Board of Governors of the Federal Reserve System in which the Court determined when a Section 702 claim under the Administrative Procedure Act (APA) to challenge a final agency action first accrues. In a 6-3 Opinion, the Supreme Court sided with Corner Post in holding that a right of action first accrues when the plaintiff has the right to assert it in court—and in the case of the APA, that is when the plaintiff is injured by final agency action.
This ruling could open the litigation floodgates for industry newcomers to challenge longstanding agency rules. These APA challenges will be further aided by the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation.
This development is relevant to potential challenges to anti-money laundering (“AML”) regulations promulgated under the Bank Secrecy Act (“BSA”) or other statutory schemes by the Financial Crimes Enforcement Network, the federal functional regulators, the Securities and Exchange Commission, and FINRA. Many BSA/AML regulations were promulgated many years ago. Historically, litigation challenges to BSA/AML regulations have been rare. Given the combined effect of recent rulings by the Supreme Court, that could change.
Background
This case involves a convenience store merchant, Corner Post, Inc., that opened its truck stop business in 2018. In 2021, Corner Post sued the Federal Reserve Board seeking to invalidate Regulation II, which the FRB enacted 10 years before to cap interchange fees charged by debit card issuers. Without reaching the merits of the complaint, the district court dismissed the case as time-barred and ruled that the six-year statute of limitations for bringing facial APA claims (28 U.S.C. § 2401(a)) begins to run when a final rule is issued. Read more
RockYou2024: 10 Billion Passwords Leaked In The Largest Compilation of All Time
Vilius Petkauskas, CyberNews
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.
The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a leak from the online casino AskGamblers, and student applications for Rowan College at Burlington County.
The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said. Read more
Intuit Class Action Claims Co. Failed to Prevent TurboTax, Credit Karma Data Breach
Anne Bucher, Top Class Actions
Intuit class action lawsuit overview:
- Who: Plaintiff Joseph Garite filed a class action lawsuit against Intuit Inc.
- Why: Intuit allegedly failed to adequately safeguard sensitive data which was compromised in a TurboTax and Credit Karma data breach disclosed in March 2024.
- Where: The TurboTax data breach class action lawsuit was filed in California federal court.
Intuit Inc. failed to adequately protect its computer systems, leaving sensitive data vulnerable to a TurboTax and Credit Karma data breach earlier this year, according to a new class action lawsuit.
Plaintiff Joseph Garite alleges Intuit, the maker of popular software services including TurboTax, Credit Karma, Quickbooks and Mailchimp, failed to maintain reasonable security safeguards and failed to adequately train employees about cybersecurity.
Hackers Target WordPress Calendar Plugin Used By 150,000 Sites
Bill Toulas, Bleeping Computer
Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely. The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.
The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence’s Bug Bounty Extravaganza.
In a report describing the security issue, Wordfence says that the security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, used for uploading and setting featured images for the events. The function takes an image URL and post ID, tries to get the attachment ID, and if not found, downloads the image using the get_web_page function.
It retrieves the image using wp_remote_get or file_get_contents, and saves it to the WordPress uploads directory using the file_put_contents function. Modern Events Calendar versions up to and including 7.11.0 have no checks for the file type or extension of uploaded image files, allowing any file type, including risky .PHP files, to be uploaded. Read more
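A hardened version of such a download path, written here as an added example rather than Webnus' plugin code: it assumes only WordPress core functions (wp_remote_get, wp_check_filetype, wp_get_image_mime, wp_upload_dir), and the function name is hypothetical.

```php
<?php
// Added example, not code from the Modern Events Calendar plugin or Webnus.
// Hardened remote-image fetch: rejects non-http(s) URLs, allow-lists image
// extensions, and verifies the downloaded bytes really are an image before
// anything is written to the public uploads directory.
// Assumes it runs inside WordPress; every wp_* call below is a core function.
// The function name is hypothetical.

function example_safe_fetch_featured_image( string $image_url ) {
    // 1. Scheme check: only http/https, so file://, php:// and data: URLs
    //    can never reach a file_get_contents-style fetcher.
    $scheme = wp_parse_url( $image_url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) URLs are accepted.' );
    }

    // 2. Extension allow-list. This is the primary control: a file can only
    //    ever be saved under one of these extensions, never as .php or .phtml.
    $allowed_types = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $path     = (string) wp_parse_url( $image_url, PHP_URL_PATH );
    $basename = sanitize_file_name( wp_basename( $path ) );
    $by_ext   = wp_check_filetype( $basename, $allowed_types );
    if ( empty( $by_ext['ext'] ) || empty( $by_ext['type'] ) ) {
        return new WP_Error( 'bad_extension', 'Extension is not an allowed image type.' );
    }

    // 3. Download with a timeout and a hard size limit (10 MB here).
    $response = wp_remote_get(
        $image_url,
        array( 'timeout' => 15, 'limit_response_size' => 10 * MB_IN_BYTES )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not download the image.' );
    }
    $body = wp_remote_retrieve_body( $response );
    if ( '' === $body ) {
        return new WP_Error( 'empty_body', 'Downloaded file is empty.' );
    }

    // 4. Stage in a temp file outside the web root, then inspect the bytes.
    //    wp_get_image_mime() reads the image header (magic bytes) and returns
    //    false for anything that is not a real image, e.g. PHP source named .png.
    $tmp = tempnam( get_temp_dir(), 'img' );
    if ( false === $tmp || false === file_put_contents( $tmp, $body ) ) {
        return new WP_Error( 'tmp_failed', 'Could not stage the download.' );
    }
    $real_mime = wp_get_image_mime( $tmp );
    if ( false === $real_mime || $real_mime !== $by_ext['type'] ) {
        @unlink( $tmp );
        return new WP_Error( 'content_mismatch', 'File content does not match the claimed image type.' );
    }

    // 5. Only now copy it into uploads, under a unique name that keeps the
    //    validated extension, with a non-executable file mode.
    $upload_dir = wp_upload_dir();
    if ( ! empty( $upload_dir['error'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'upload_dir', $upload_dir['error'] );
    }
    $dest = trailingslashit( $upload_dir['path'] )
          . wp_unique_filename( $upload_dir['path'], $basename );
    $copied = copy( $tmp, $dest );
    @unlink( $tmp );
    if ( ! $copied ) {
        return new WP_Error( 'move_failed', 'Could not place the image in uploads.' );
    }
    @chmod( $dest, 0644 );
    return $dest;
}
```

The content check in step 4 is defense in depth; the extension allow-list in step 2 is what prevents a server-executable file from ever landing in the uploads directory.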
June 28, 2024: Fraud & Cybersecurity Articles
- Evolve Data Breach Adds to Woes of Synapse Partner
- New AML Rules Will Change the EU’s Financial Crime Prevention Landscape for Good. But What Will Change in Practice?
- SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately
- Leader of Money Laundering and Bank Fraud Ring Sentenced to Seven Years in Prison
Evolve Data Breach Adds to Woes of Synapse Partner
Customer data was released to the dark web, the bank said Wednesday, two weeks after the Fed handed Evolve an enforcement action regarding its partnerships.
Dan Ennis, Banking Dive
Evolve Bank & Trust customer data has been breached, the company confirmed Wednesday in a statement on its website. “A known cybercriminal organization … appears to have illegally obtained and released on the dark web the data and personal information of some Evolve customers,” the bank said.
Debit cards, online and digital banking credentials of the firm’s retail-banking customers have not been affected, Evolve said in an update. But the bank is notifying customers of its fintech partners, it said. Evolve did not name the hacking organization, but Bloomberg reported Wednesday that LockBit 3.0 posted data taken from Evolve’s systems on the dark web a day earlier.
Affected information “may have included full name, account number, email address, mailing address, phone number, Social Security number [and] date of birth,” Evolve wrote in its statement. The bank is offering affected customers complimentary credit monitoring services with identity theft monitoring, it said. It did not detail how many customers are affected.
Evolve is communicating with law enforcement to help with an investigation of the matter, the bank said. “Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat,” Evolve said. Read more
New AML Rules Will Change the EU’s Financial Crime Prevention Landscape for Good. But What Will Change in Practice?
Alexandra Jour-Schroeder, European Union
On 24 April, the European Parliament formally endorsed the future Anti-Money Laundering Package, a reform that has been in the making for the past 5 years. Since the European Commission published its proposals in July 2021, and even before, much has been said about how this reform will change the EU’s financial crime prevention landscape for good.
But how will things change in practice? Here are a few simple examples!
Real estate
Criminals often channel money into super fancy mansions and estates. Until now, only information about EU owners has been available to investigative authorities. When the property is owned by a company in a non-EU country, it is extremely hard to identify whether it may have been acquired with illicit funds. The new rules require foreign companies, as well as trusts, that have owned a piece of real estate in the EU since 2014 to record in our beneficial ownership registers who the individuals who own or control the company or trust are. Member States can put the reference date further back in the past, if they consider that certain risks make this necessary.
Cash
As the sudden peak in online fraud during the pandemic showed, criminals do not suffer from any kind of digital divide. Yet, any investigator would tell you that of all the means that exist to launder illicit proceeds, cash remains criminals’ preferred choice. Why? Because it’s easy to transfer, fully anonymous and therefore difficult, if not impossible, to trace back to some criminal act. Of course, access to cash is and will remain a right for everybody in the EU and most cash transfers are absolutely clean. The continued acceptance and availability of cash is an important issue for our consumers, including for financial inclusion. Read more
SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately
The Hacker News
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.
The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory traversal bug that could allow attackers to read sensitive files on the host machine. Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.
The list of products susceptible to CVE-2024-28995 is below –
- Serv-U FTP Server 15.4
- Serv-U Gateway 15.4
- Serv-U MFT Server 15.4, and
- Serv-U File Server 15.4
Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.
Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and said that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it’s not locked. Read more
Leader of Money Laundering and Bank Fraud Ring Sentenced to Seven Years in Prison
U.S. Attorney’s Office, Southern District of New York
Damian Williams, the United States Attorney for the Southern District of New York, announced that ADEDAYO JOHN was sentenced today by U.S. District Judge Loretta A. Preska to seven years in prison for his role as a leader of a money laundering and bank fraud ring that laundered millions of dollars in proceeds derived from business email compromises and romance fraud schemes impacting more than 50 victims. JOHN previously pled guilty to one count of conspiracy to commit money laundering and one count of conspiracy to commit bank fraud on January 4, 2024. In total, 11 defendants have pled guilty for their roles in the money laundering and bank fraud schemes.
Victims were typically defrauded in one of two ways. In some instances, business email compromise fraud schemes were used to trick businesses into transferring funds to bank accounts the victims believed were under the control of legitimate recipients of the funds as part of normal business operations, when in fact the bank accounts were under the control of the defendants or their co-conspirators. In other instances, romance scams were used, primarily through electronic messages sent via email, text messaging, social media, or online dating websites, to deceive victims – many of whom were older men and women – into believing they were in romantic relationships with fake identities, and then using false pretenses to cause the victims to transfer funds to bank accounts controlled by the defendants or their co-conspirators.
As a result of these frauds, law enforcement officers have identified transfers of more than $19 million into bank accounts under the control of the defendants. Read more
June 21, 2024: Fraud & Cybersecurity Articles
- 7 Warning Signs Your Computer Has Been Hacked — And What to Do
- Swiss Regulator Finds HSBC Violated Money Laundering Rules
- Security Bug Allows Anyone to Spoof Microsoft Employee Emails
- Dallas-Based Frontier Communications Hit with Multiple Class Action Lawsuits
7 Warning Signs Your Computer Has Been Hacked — And What to Do
If something doesn’t seem right, it’s time to run some scans.
Chris Hoffman, PC World
Your antivirus will protect you from many online threats, but no antivirus is perfect. Truth is, your PC can still be hacked even if you’re using reputable security software with a solid track record. When we talk about your computer possibly being “hacked,” that’s exactly what we mean: a cybercriminal has gained access to your PC and compromised it in some way.
The hacker in question may be a criminal organization that’s installing malware on millions of PCs (e.g., to spy on you and steal your credit card numbers), or the hacker may be an individual using a remote access Trojan (RAT) to personally spy on you through your webcam.
Here are some common warning signs that your PC might’ve been hacked, exposing your personal data and system resources.
Is something fishy? Run an antivirus scan
First things first: If you’re concerned that your computer has a virus or another type of malware, you should run a scan with an antivirus program—ideally one of our recommended antivirus software picks.
You should also consider using the free Norton Power Eraser (or a similar tool). Tools like this will reboot your PC into a special scanning environment outside of Windows so they can spot and remove malware like rootkits that normally evade detection. Perhaps you’ve already run a scan. If your scan didn’t find anything wrong but you’re still concerned, I recommend getting a second opinion. Read more
Swiss Regulator Finds HSBC Violated Money Laundering Rules
Finma bans bank’s Swiss subsidiary from taking on prominent public figures as clients
Owen Walker, Financial Times
Switzerland’s financial regulator has banned HSBC’s Swiss private bank from taking on prominent public figures as clients after finding the lender violated anti-money laundering regulations.
Finma imposed a range of penalties on HSBC’s subsidiary in relation to a case that involved several transactions between 2002 and 2015 in which more than $300mn was transferred between Lebanon and Switzerland.
HSBC failed to notify authorities about the transactions until September 2020, despite closing the accounts down in 2016 because of the risks of maintaining the relationships.
“In its checks, the bank failed to recognise the indications of money laundering presented by these transactions; it likewise failed to satisfy requirements for the initiation and continuation of customer relationships with politically exposed persons, and was thus in serious breach of its due diligence obligations,” Finma said.
As part of the sanctions handed down on Tuesday, Finma ordered HSBC to carry out an anti-money laundering review of all its high-risk relationships and business dealings with prominent public clients, known as politically exposed persons. Finma said the bank could not start new relationships with PEPs until it had completed its review. Finma and HSBC declined to name the former clients involved in the case. Read more
Security Bug Allows Anyone to Spoof Microsoft Employee Emails
Lorenzo Franceschi-Bicchierai, Tech Crunch
A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.
As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team.
Last week, Vsevolod Kokorin, also known online as Slonser, wrote on X (formerly Twitter) that he found the email-spoofing bug and reported it to Microsoft, but the company dismissed his report after saying it couldn’t reproduce his findings. This prompted Kokorin to publicize the bug on X, without providing technical details that would help others exploit it.
“Microsoft just said they couldn’t reproduce it without providing any details,” Kokorin told TechCrunch in an online chat. “Microsoft might have noticed my tweet because a few hours ago they reopen [sic] one of my reports that I had submitted several months ago.”
The bug, according to Kokorin, only works when sending the email to Outlook accounts. Still, that is a pool of at least 400 million users all over the world, according to Microsoft’s latest earnings report. Read more
Dallas-Based Frontier Communications Hit with Multiple Class Action Lawsuits
Nadia El-Yaouti, Law Commentary
The Dallas-based company Frontier Communications is facing at least six class action lawsuits after it was hit with a cyber data breach attack in April. The widespread attack resulted in the personally identifiable information (PII) of over 750,000 customers being stolen by the criminal ransomware group RansomHub. Nearly 90,000 of those victims are Texans.
Three of those lawsuits were filed in the Northern District of Texas earlier this month and accused the business of not doing enough to safeguard and properly maintain its network systems and databases. As a result of the company’s negligence and recklessness, the plaintiffs say that they and other victims are now more susceptible to identity theft. One lawsuit maintains that “Frontier knew or should have known that its electronic records would be targeted by cybercriminals.”
Frontier detected the attack on April 14 when the IT department noted abnormal activity on the company’s networks. According to RansomHub, Frontier ignored contact from the criminal group for nearly two months. The contact was likely to demand a ransom payment in exchange for the stolen data. After Frontier ignored and failed to comply with the demand, the criminal group published the stolen data. Among the data were names, birthdates, social security numbers, addresses, and other personal information.
Frontier disclosed that it was the victim of a cyberattack to the Securities and Exchange Commission (SEC) in May. Under the SEC’s disclosure rules, companies are required to report material cybersecurity incidents within four business days. Read more
June 14, 2024: Fraud & Cybersecurity Articles
- Alarming Cybersecurity Stats: What You Need to Know in 2024
- City of Cleveland Scrambling to Restore Systems Following Cyberattack
- Frontier Hackers Threaten to Release Private Data For At Least 750,000 Customers
- National Internet Safety Month: This June, Take 4 Easy Steps to Stay Safe Online
Alarming Cybersecurity Stats: What You Need to Know in 2024
Chuck Brooks, Forbes
There is no doubt that 2023 was a tough year for cyber security. The number of data breaches keeps rising from previous years, which were already very scary. An exponential rise in the complexity and intensity of cyberattacks such as social engineering, ransomware, and DDoS attacks was also seen. This was mostly made possible by hackers using AI tools.
The last few years have seen a steady rise in the cost of breaches. By letting people work from home, companies created new security holes that hackers can use from their home offices. These holes made the cyber-attack area much bigger.
In addition, the prevalence of malware, and hackers in all commercial verticals has made everyone connected to the internet more susceptible to being breached. There are just too many criminal adversaries and too many entry points available to be reined in and mitigated. Unfortunately, in 2024, the cyber statistics will continue to remain alarming.
Most businesses lack a clear AI adoption roadmap: McKinsey.
Usage has doubled among businesses in the last year, but CIOs still have a laundry list of to-do’s to prepare the tech foundation and governance structure.
- “Generative AI adoption in the workplace is on the rise, but organizations aren’t equipped to guide usage adequately, according to a McKinsey global survey published Thursday. The company surveyed 1,363 organizations, 878 of which regularly use generative AI in at least one function.
- While generative AI high performers are more likely to adhere to best practices, around 3 in 4 nonleading businesses lack an enterprise wide roadmap for generative AI, the report found. Less than 2 in 5 respondents said senior leaders understand how the technology can create value for the business.” Read more
City of Cleveland Scrambling to Restore Systems Following Cyberattack
Ionut Arghire, Security Week
The City of Cleveland is struggling to restore certain services that have been affected by a cyberattack earlier this week.
The incident was disclosed on June 10, when the city announced that it took its systems offline as a containment measure.
“City Hall and Erieview are closed today June 10, except for essential staff, as we investigate a cyber incident. We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available,” the city announced on X.
While Cleveland re-opened both the City Hall and its satellite offices at Erieview Plaza on Wednesday, it decided to close the City Hall again for the remainder of the week, as it continues to work on restoring shut-down systems. “City services will not be available to the public at City Hall tomorrow, June 13 and Friday, June 14. City Hall will be open for employees,” Cleveland announced, advising the public to wait for further information on when services will be restored.
The city said it has been working with key partners to investigate the nature and scope of the incident, noting that taxpayer information held by the CCA and customer information held by Public Utilities are confirmed to have not been affected by the attack. Cleveland also announced that basic city services, including emergency services, public works, public utilities, airport, and online payments were not affected. The Municipal Courts continued to function normally, as they are on a different system.
“Residents are encouraged to use online services or call 311 for more information. We ask for the public’s patience as the city continues its effort to restore system access and broadly recover from the incident in a safe and strategic manner,” Cleveland said. The city shared no information on the identity of the attackers or on whether file-encrypting ransomware was used, although taking systems offline is the typical response to a ransomware attack.
Frontier Hackers Threaten to Release Private Data For At Least 750,000 Customers
Jess Weatherbed, the Verge
Frontier Communications has revealed that information for over 750,000 customers — including full names and Social Security numbers — was exposed in a data breach following a cyberattack on April 14th. Hackers claim to have even more and will release it unless Frontier pays a ransom.
The attack enabled hackers to access 751,895 customers’ personal data on Frontier’s systems according to a sample of the notice Frontier submitted to the Office of the Maine Attorney General. Frontier has notified impacted customers and provided them with one year of free credit monitoring and identity theft services, but says it “does not believe” customer financial information was exposed in the breach.
Bleeping Computer reports that the RansomHub extortion group claimed responsibility for the attack on June 4th and is threatening to leak the 5GB of customer data it allegedly stole unless Frontier responds to their demands by June 14th. The group claims the stolen dataset contains information belonging to two million Frontier customers, including their full name, physical address, date of birth, social security number, email address, credit score, and phone number.
Frontier says it’s bolstered its network security following the attack and notified both regulatory authorities and law enforcement. A securities filing reveals that the company was forced to shut down some of its systems to contain the incident.
National Internet Safety Month: This June, Take 4 Easy Steps to Stay Safe Online
By Trent Frazier, Deputy Assistant Director, CISA Stakeholder Engagement Division
The U.S. Senate first designated June as National Internet Safety Month in 2005, primarily to raise awareness of internet dangers and highlight the need for education about online safety, especially among young people. In the years since then, with the rise of smartphones, social media and other new technologies, the amount of time people spend online has grown enormously—as have the risks.
Yet, as data from numerous studies show, the nation needs more education and training about the risks we face online and how to stay safe when using connected devices.
Most of the time, cyberattacks occur due to poor cyber hygiene…the basics. Fortunately, there are four simple things we can all do to help protect ourselves and, by extension, others:
- Use strong passwords. “Strong” means at least 16 characters, random, and unique to each account. Use a password manager to automatically generate, store, and fill in passwords for you.
- Turn on multifactor authentication (MFA). MFA provides an extra layer of security in addition to a password when logging into accounts and apps, like a fingerprint, a code from an authenticator app, or a code sent to your phone. Enable it on any account that offers it, especially your email, social media, and financial accounts.
- Update software. When devices, apps, or software programs notify us that updates are available, install them as soon as possible. Updates fix security risks to better protect our data. Turn on automatic updates to make it even easier.
- Recognize and report phishing. Learn to recognize signs of phishing—messages designed to trick you into downloading malware (malicious programs) or giving personal information to a criminal. If an offer is too good to be true, it’s probably social engineering. If the message is alarming and requires urgent action, it might be a phishing message. Do not click or engage—report the phish and delete the message.
CISA offers a variety of free resources to implement these steps and spread the word to friends and family. Our new cybersecurity awareness program Secure Our World provides many resources for improving online safety, such as short how-to videos on the four actions above, tip sheets in 10 languages, and more.
As the school year ends, take this opportunity to discuss the importance of these basic precautions with family and friends. You wouldn’t drive your car without buckling your seatbelt. I buckle my seatbelt so I can be safe. I ask passengers to do the same so they can be safe. If you take these four easy steps to better cyber hygiene when online, your family and the devices you use every day will be much safer and ready for summer fun in just a few minutes.
June 7, 2024: Fraud & Cybersecurity Articles
- Hackers Claim to Have Bank Account Details of 30M Santander Customers
- Google Chrome Deadline—72 Hours to Update or Delete Your Browser
- U.S. Dismantles World’s Largest 911 S5 Botnet with 19M Infected Devices
Hackers Claim to Have Bank Account Details of 30M Santander Customers
FinExtra
Hackers are trying to sell what they claim are the bank account details of 30 million Santander customers for $2 million.
Earlier this month, Santander confirmed that a data breach at a third party provider had exposed some client and employee data.
Now, in a post on a hacking forum, the ShinyHunters gang is offering to sell a trove of data, including 30 million bank account details; 28 million credit card numbers; six million account numbers and balances; and HR information on the bank’s 200,000 staffers.
The asking price is $2 million, says the post, adding: “Santander is also very welcome if they want to buy this data.” Earlier this week, the ShinyHunters hackers also claimed responsibility for an attack on TicketMaster. They have previously hit telco AT&T.
However, according to the BBC, experts are urging caution, suggesting that the TicketMaster sale may have been a stunt to bring attention to a new hacking forum replacing one that the police had taken down.
In a statement on the attack two weeks ago, Santander said a bank database hosted by a third party had been accessed. The breach, it said, affected operations in Spain, Chile and Uruguay.
Added the bank: “No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank’s operations and systems are not affected, so customers can continue to transact securely.”
Related Reading:
- Data Breach at Debt Collector Affects More Than 3.2M People
- Data Breach Involving Millions of Ticketmaster User Accounts Under Investigation
Google Chrome Deadline—72 Hours to Update or Delete Your Browser
Zak Doffman, Forbes
For Google Chrome and its 2 billion-plus desktop users, May will go down as a month to forget: four zero-days and emergency update warnings inside 10 days launched a tidal wave of wall-to-wall headlines that were hard to miss.
The U.S. government has warned federal employees to install May’s emergency updates or to cease using Chrome. It issued a June 3 deadline for the first of those updates to be applied and a June 6 deadline for the second. June 3 has now passed, and so you should have already applied the first update. This is a timely reminder that you must ensure you have applied the second update within the next 72 hours. Clearly, when you update your browser, all fixes to that point will be applied.
Other organizations should do the same and mandate full employee compliance, as should personal users. Google rushed out emergency fixes for a reason. The U.S. government warnings come via its Cybersecurity and Infrastructure Security Agency, which added May’s Chrome warnings to its Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”
It looks like June 3 has been a significant day all round for Chrome. Not only was that the U.S. government’s first update cutoff, but it’s also the day Google started to pull the plug on many Manifest V2 extensions as its rollout of Manifest V3 takes shape.
While this will affect multiple developers and enterprises, headlines have focused on the detrimental effect this will have on ad blockers, which will need to adopt a complex workaround to work as now. There is a risk that users reading those headlines might seek to delay updating their browser, to prevent any ad blocker issues; you really shouldn’t go down this road—the security update is critical. Read more
U.S. Dismantles World’s Largest 911 S5 Botnet with 19M Infected Devices
The Hacker Newsroom
The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as “likely the world’s largest botnet ever,” which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses.
The botnet, which has a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5. A 35-year-old Chinese national, YunHe Wang, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022.
Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum penalty of 65 years in prison.
The Justice Department said the botnet was used to carry out cyber attacks, financial fraud, identity theft, child exploitation, harassment, bomb threats, and export violations.
It’s worth noting that Wang was identified as the proprietor of 911 S5 by security journalist Brian Krebs in July 2022, following which the service abruptly shut down on July 28, 2022, citing a data breach of its key components.
Although it was resurrected under a different brand name called CloudRouter a few months later, according to Spur, the service has since ceased operations sometime this past weekend, the cybersecurity company’s co-founder Riley Kilmer told Krebs. Read more
May 31, 2024: Fraud & Cybersecurity Articles
- Google’s New AI Search Goes Horribly Wrong—M Is for Malware
- Alleged Ticketmaster Data Breach Sees 560M Users’ Info for Sale in Hacking Forum
- The Escalating Threat of Mortgage Fraud
- Inside a Zelle Fraud That Almost Lost a Florida Consumer $3,500
Google’s New AI Search Goes Horribly Wrong—M Is for Malware
Zak Doffman, Forbes
Be careful what you search for—that’s the message, as Google’s new AI search suddenly delivers up a nasty menu of dangerous malware and scams…
Well, this is awkward. As the world waits to see the transition from traditional search to the newer, sparklier, more exciting AI alternative, the first update out the traps is not what we expected and appears to have gone horribly wrong.
Google wants to “supercharge search with generative AI,” and has launched its new SGE—or Search Generative Experience to give users an early taste of how this more powerful, contextual mechanism will transform boring old search results.
But last week, one SEO consultant playing with the new technology discovered pretty obvious scams within the results. Bleeping Computer confirmed the results, warning that “Google’s new AI-powered ‘Search Generative Experience’ algorithms recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams.”
And the issue with generative AI, of course, is that dangers come dressed up in nice, friendly, chatty language to which we have not yet honed our defenses.
Google told Bleeping Computer that “we continue to update our advanced spam-fighting systems to keep spam out of Search, and we utilize these anti-spam protections to safeguard SGE.” They also confirmed that “we’ve taken action under our policies to remove the examples shared, which were showing up for uncommon queries.” I have approached Google for any further comments on these issues. Read more
Alleged Ticketmaster Data Breach Sees 560M Users’ Info for Sale in Hacking Forum
Aldohn Domingo, Tech Times
Ticketmaster has reportedly been breached by the hacking group ShinyHunters, according to the group’s own claims. The breach allegedly compromises the sensitive data of 560 million users, which is currently on sale for $500,000 in a hacking forum.
Allegedly, ShinyHunters gained access to a large amount of private user data, including complete names, email addresses, phone numbers, addresses, order information, and partial credit card information. The last four digits of credit card numbers, expiration dates, customer names, and even information on customer fraud are among the specific payment data exposed.
If confirmed, the data breach might have serious repercussions for the impacted users, including the possibility of identity theft, financial fraud, and other cyberattacks. The hacker gang’s daring move to sell this data further demonstrates the threat that cybercrime poses and the increasing sophistication of these adversaries.
According to the infamous hacker collective ShinyHunters, Ticketmaster-Live Nation’s security was broken, exposing the personal information of an astounding 560 million members. Now, Breach Forums is offering this enormous 1.3 terabytes of data for a one-time sale of $500,000.
Ticketmaster, the US-based ticket-selling company, could potentially be another major firm this month to confirm it suffered a data breach within its systems. Read more
The Escalating Threat of Mortgage Fraud
Joe Wilson & Sarah Atkinson, Financial Services Perspectives
Overview
Mortgage companies must maintain a heightened level of vigilance when it comes to preventing mortgage fraud. The incidence of fraud attempts targeting mortgage companies continues to rise, prompting decisive action against this threat. In a criminal complaint filed on April 23, 2024, in the U.S. District Court for the District of New Jersey, the U.S. Department of Justice (DOJ) leveled charges against two former mortgage loan originators (MLOs) for conspiracy to commit bank fraud, one of whom was recognized as a “top producing loan originator” and named Scotsman Guide’s fourth-ranked MLO in America in 2022. While news of this type of fraud is shocking, it is unfortunately very common.
The Charges, Market Trends
Fraudulent behavior within the financial services arena is not uncommon. According to a recent study published by LexisNexis, businesses in the home lending segment saw an increase of 34.6% in monthly fraud attempts in 2023. Over half of those fraud attempts were successful, costing lenders nearly 4.5 times the lost transaction value, including fines, fees and investigative costs. Notably, mortgage fraud due to fraudulent “scams” was up 51% in 2023.
These statistics and the DOJ’s pending suit should be a wake-up call for businesses in the mortgage space. According to the allegations in the DOJ’s complaint, Christopher Gallo and Mehmet Elmas were employed by an unidentified “financial institution” during the period in question; Elmas served as Gallo’s assistant as well as an MLO. The allegations against Gallo and Elmas include benefiting from mortgage loans with reduced interest rates and fabricating property records.
More specifically, the complaint asserts that, from 2018 to 2023, Gallo and Elmas used their positions to conspire and engage in a fraudulent scheme to falsify loan origination documents to obtain mortgage loans based on false and fraudulent pretenses, representations, and promises, and that the two routinely misled mortgage lenders about the intended use of particular properties to fraudulently secure lower mortgage interest rates from mortgage lenders. Read more
Inside a Zelle Fraud That Almost Lost a Florida Consumer $3,500
Penny Crosman, American Banker
Just after 8:00 a.m. on Monday, April 24, Margaret Menotti was writing a report for a client.
“I heard my phone ding, and I got a text from Bank of America saying there was suspicious fraud activity on my account,” said Menotti, a freelance media relations professional who works from her home in Venice, Florida.
Immediately after that, she got a phone call from someone who said they worked in Bank of America’s fraud department and they had seen suspicious activity on her account. The caller asked if she had made two Zelle transactions: a $109 payment for sporting event tickets and a one-cent transaction. Menotti doesn’t use Zelle.
“I closed out what I was doing, got into my bank account and said, yeah, I didn’t make these,” Menotti said in an interview. “She said, don’t worry about it, we’re here to help you, we can immediately reverse these.” The caller also asked Menotti if she knew someone named Doug Bland who lives in Denver. Menotti said no. Bland was trying to put through two Zelle transactions from Menotti’s accounts, one from her savings account, the other from her checking account, the woman said.
“I said, well, that’s not authorized, I don’t know anybody by that name,” Menotti said. Read more
May 23, 2024: Fraud & Cybersecurity Articles
- Beware – Your Customer Chatbot is Almost Certainly Insecure
- 6 Mistakes Organizations Make When Deploying Advanced Authentication
- Spyware Found on U.S. Hotel Check-In Computers
- The Seven Layers of Cybersecurity Defense
Beware – Your Customer Chatbot is Almost Certainly Insecure: Report
As chatbots become more adventurous, the dangers will increase.
Kevin Townsend, Security Week
Customer chatbots built on top of general purpose gen-AI engines are proliferating. They are easy to develop but hard to secure.
In January 2024, Ashley Beauchamp ‘tricked’ DPD’s chatbot into behaving unconventionally. The chatbot told him how bad DPD’s service is, swore, and even composed a disparaging haiku about its owner:
- DPD is a useless
- Chatbot that can’t help you.
- Don’t bother calling them.
DPD shut down the chatbot and blamed an error following an update (fuller story from Ivona Gudelj on LinkedIn). Others were not so sure – the output bears all the hallmarks of ‘jailbreaking’, or breaching AI’s guardrails through prompt engineering.
Immersive Labs was not surprised. From June to September 2023, it ran a public online challenge to determine whether, and if so, how easily, a chatbot could be jailbroken by prompt engineering. The results, just published and analyzed, are not reassuring. More than 34,500 participants completed the challenge of obtaining secret information from an Immersive Labs chatbot (ILGPT) set at ten increasingly protected levels. By collecting and analyzing the attempts at prompt engineering, the firm was able to gauge the psychology of prompt engineers, and the security of chatbots.
First, we need to understand chatbots. They generally sit on top of one of the large-scale publicly available gen-AI systems, most often ChatGPT. Immersive Labs’ test chatbot used ChatGPT 3.5. They are constructed via the ChatGPT API, and given customer-specific instructions and guardrails. User queries are passed through the chatbot to ChatGPT where they are processed (customer data acquired in this way is not added to ChatGPT’s reinforcement training data) before the ‘answers’ are sent back to the chatbot for delivery to the user.
In theory, the users’ queries and the chatbot’s replies are protected by ChatGPT’s guardrails and the chatbot’s additional guardrails and instructions, as applied by the chatbot developer. The Immersive Labs chatbot challenge demonstrates this may not be enough. At a low level of difficulty (the chatbot was simply instructed not to reveal the word ‘password’), eighty-eight percent of the prompt injection challenge participants successfully tricked the ILGPT chatbot into revealing ‘password’. Read more
6 Mistakes Organizations Make When Deploying Advanced Authentication
The Hacker News
Deploying advanced authentication measures is key to helping organizations address their weakest cybersecurity link: their human users. Having some form of 2-factor authentication in place is a great start, but many organizations may not yet be in that spot or have the needed level of authentication sophistication to adequately safeguard organizational data. When deploying advanced authentication measures, organizations can make mistakes, and it is crucial to be aware of these potential pitfalls.
1. Failing to conduct a risk assessment
A comprehensive risk assessment is a vital first step to any authentication implementation. An organization leaves itself open to risk if it fails to assess current threats and vulnerabilities, systems and processes or needed level of protections required for different applications and data.
Not all applications demand the same levels of security. For example, an application that handles sensitive customer information or financials may require stronger authentication measures compared to less critical systems. Without a risk assessment, organizations won’t be able to effectively categorize and prioritize what needs additional authentication.
Hence the need for elevating organizational security with advanced authentication.
On top of that, not all users need access to all applications or data. For example, a user in marketing doesn’t need access to sensitive HR data. By evaluating roles as part of a risk assessment, organizations can look to implement role-based access controls (RBAC) which ensure that users in a particular role only have access to the data and applications needed to complete their work.
2. Not completing due diligence to integrate authentication with current systems
Considering compatibility with existing systems, especially legacy ones, is essential to ensure a cohesive authentication framework across an entire infrastructure. Adhering to industry-standard authentication methods is crucial. This may involve recoding application frontends to adopt OIDC (OpenID Connect) or SAML (Security Assertion Markup Language) flows. Many vendors offer toolkits that simplify this process to help ensure seamless integration. Read more
Spyware Found on U.S. Hotel Check-In Computers
Zack Whittaker, Tech Crunch
The check-in computers at several hotels around the US are running a remote access app, which is leaking screenshots of guest information to the internet.
A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.
The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users.
This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It’s also the second known time that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.
Guest and reservation details captured and exposed
pcTattletale allows whoever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and can not be detected.” Read more
The Seven Layers of Cybersecurity Defense
Brian Henderson, CU*Answers/CUSO Magazine
In the world of cybersecurity, there is a constant battle to protect our information. As the world moves deeper into the digital age of security, the defenses credit unions provide as holders of sensitive information are becoming ever more critical and the tools to perform breaches are becoming more advanced. Having your members’ sensitive information locked down is vital as it builds the trust of your clients in any industry, and trust is key to doing business.
Cybercriminals are just that, criminals, and they are looking to take anything they can to benefit not only themselves but any others they may be working for. Any information that is available to them can be used to help them piece together many facets of your credit union and your members.
To keep these criminals out of your members’ data, you need to understand and reinforce your seven layers of defense.
The seven layers
So what makes up the seven layers? What purpose does each one serve, and how can we best strengthen each layer in order to keep cybercriminals out? Let’s break it down layer by layer and examine what each of the seven layers of defense looks like.
- The human layer
This can often be regarded as the most vulnerable layer. It involves implementing practices and policies that ensure contractors, employees, and other users do not fall into the clutches of phishing and other attacks. Phishing attacks are the most frequent, owing to a lack of knowledge or training. These are simple threats that can have a large impact. Read more
May 17, 2024: Fraud and Cybersecurity Articles
- Seasons of Fraud: How Fraud Patterns Shift Throughout the Year
- Executive Insight: For Today’s Businesses, Beating Chargebacks Is a Team Sport
- Intellicheck Posts Record Quarter as Identity Fraud Continues to Run Rampant
- Positive Pay: An Underused Tool for Fighting Check Fraud
Seasons of Fraud: How Fraud Patterns Shift Throughout the Year
PaymentsJournal
The end-of-the-year flurry of holiday shopping is a classic example of business seasonality. As fraud professionals have long observed, fraud activity also follows seasonal patterns, with upticks and slowdowns. The challenge has been reacting to seasonality with precision in real time, instead of just recognizing it in the rear-view mirror. And new data shows that this seasonality doesn’t correlate to the business year as much as one might expect—fraudsters have a seasonal calendar all their own.
In a recent PaymentsJournal podcast, NeuroID Head of Operational Strategy Nash Ali and Tracy Kitten, Director of Fraud & Security at Javelin Strategy & Research, discussed the seasonality of fraud. They analyzed the methods criminals use and offered solutions to keep businesses safe.
Winter Fraud
Fraud attempts are rising overall, up 57% from 2022 to 2023. Due to the holiday frenzy, December might seem like the logical peak of fraudulent activity.
“In fact, it’s January,” Ali said. “January has a 78% higher fraud attack rate than the average monthly rate. That includes a 59% increase in application fraud, where criminals falsify data or misrepresent themselves to business owners. There’s also an 85% increase in the hours businesses are under attack in January compared to the rest of the year.”
After a February slowdown, there’s a 44% higher fraud attack rate in March compared with the typical monthly average. A higher portion of March attacks consists of identity fraud, identity theft, or creating synthetic identities with bots and scripts. After another lull in April, fraud picks back up in May.
“We see 50% more application fraud in May compared to monthly averages,” Ali said. “A lot of that fraud is concentrated fraud attacks committed via fraud rings. After a slow summer, fraud rates pick back up in the fall, peaking again in October.” Read more
Collaboration is the key to beating fraud without causing friction for customers
Roenen Ben Ami, JUSTT.AI
For today’s enterprises, “friendly fraud” and illegitimate credit-card chargebacks are a serious problem: at least 40% of businesses lose 1% of their total revenues to bogus chargebacks, and well over half say they see chargeback rates climb year-on-year. Putting systems in place to mitigate these revenue losses can be tough: excessive scrutiny of individual transactions can sour customer relationships, while collecting data and managing disputes at scale creates enormous logistical headaches for internal teams.
To figure out how successful organizations handle these challenges, I headed to Payments MAGnified in Dallas to host a panel with Best Buy execs Jen Renner, Associate Manager for eCommerce Fraud Risk, and Ryan O’Connor, Senior Finance Manager. They had some great insights about the need for cross-team collaboration and strong partnerships to drive effective chargeback mitigation, and I wanted to take this opportunity to share a few of their most important points with a broader audience.
- Chargeback mitigation is a balancing act. It’s tempting to think of chargebacks as a narrow or esoteric piece of the payments landscape — but nothing could be further from the truth. It’s not just the financial losses, which can reach $5 million a year for a business with $500M in annual sales. It’s also the fact that handling chargebacks effectively requires input from a wide range of internal stakeholders, including in-house fraud mitigation teams, operations and customer support divisions, and finance and IT leaders. An effective mitigation strategy has to help all those different stakeholders come together — and it has to do so in a way that balances the need to reduce chargebacks with the need to provide delightful and frictionless experiences for customers. “You need to ensure that all those teams understand that there will always be some risks,” said Renner. “The goal should be to find common ground where teams can minimize risk while still providing a super-seamless experience for customers.” Read more
Intellicheck Posts Record Quarter as Identity Fraud Continues to Run Rampant
As identity fraud continues to plague business verticals from banking to automotive and even higher education, verification company Intellicheck posted record Q1 earnings Monday (May 13).
“The landscape of the market for identity verification is evolving against the backdrop of a growing sense of urgency being fueled by across-the-board incidents of identity theft and fraud,” Intellicheck CEO Bryan Lewis told the company’s earnings call. “This has led to a significant new focus on security and the consumers’ user experience, and businesses in every market vertical are feeling the effects of identity theft.
“Consumers are sending a clear message to businesses of every size in every market vertical. They want better protection. They do not want to be burdened with time-consuming, arduous processes to get that protection, and they will take their business elsewhere if they don’t get what they want in a user-friendly process.”
By the numbers, the company reported a 10% increase in Q1 revenue, reaching $4.68 million, up from $4.25 million in the same period last year. Software-as-a-service (SaaS) revenue also saw a 9% rise to $4.61 million.
Lewis attributed the growth to heightened demand for robust yet user-friendly identity verification amid escalating identity theft and fraud incidents. Gross profit margin remained high at 90.7%, slightly down from 92.2% in Q1 2023. Operating expenses dropped by 10% to $4.77 million, bolstered by reduced non-cash equity compensation. Net loss improved significantly to $442,000, or $0.02 per diluted share, compared to a loss of $1.39 million, or $0.07 per share, a year earlier.
During the earnings call, Lewis detailed the company’s strategic initiatives and new ventures, emphasizing the rise in identity theft and fraud across various sectors. Read more
Positive Pay: An Underused Tool for Fighting Check Fraud
PaymentsJournal
Even though the number of checks written continues to decline, mail theft remains on the rise. Beyond the theft of checks directly from mailboxes, there have been instances of stolen mail trucks. The ease of modifying checks allows criminals to simply wash and modify the payee’s name.
Q2’s positive pay system, used by roughly 550 banks across the country, is on track to stop more than $2.5 billion in fraud this year. In a recent PaymentsJournal podcast, Bruce Dragoo, Manager, Solutions Consultant for Q2, and John Byl, SVP Product Development at Mercantile Bank of Michigan—a Q2 customer—discussed how to get people on board to combat check fraud with Albert Bodine, Director, Commercial and Enterprise Payments for Javelin Strategy & Research.
A Problem for Businesses of All Sizes
In 2022, around $720 million of fraud was identified and stopped by Q2’s positive pay system. Last year, that number doubled to $1.4 billion. “It seems like it’s wider-reaching at this point and coming downstream to smaller businesses,” Byl said. “It had been historically viewed as a large corporate need, but it’s indiscriminate at this point—and it’s affecting everybody.”
A third of commercial payments globally are still made by check, which presents a huge opportunity for criminals. But only 30% of eligible businesses use positive pay, which matches the details on a check to the details on file with the bank to ensure its validity. Some related solutions cover just checks, and others cover ACH transactions, but they don’t address the gamut of everything a business may need. Read more
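Positive pay is at bottom a matching rule between the issued-check file a business sends its bank and the items later presented for payment. The following Python is an added illustration, not Q2’s product or code from the article, and runs on constructed sample data: it flags unknown serials, duplicate presentments, amount changes, altered payees (the signature of check washing described above) and stale-dated items.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    """One row of the issued-check file the business uploads to its bank."""
    serial: str
    payee: str
    amount: Decimal
    issued: date


@dataclass(frozen=True)
class PresentedItem:
    """One check presented for payment (values as read from the check)."""
    serial: str
    payee: str
    amount: Decimal
    presented: date


# Assumed policy: items older than 180 days are returned as stale-dated.
STALE_AFTER = timedelta(days=180)


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive payee comparison."""
    return " ".join(name.upper().split())


def screen_item(item: PresentedItem, register: dict, already_paid: set):
    """Return ("PAY" | "EXCEPTION", reason) for one presented item."""
    issued = register.get(item.serial)
    if issued is None:
        return "EXCEPTION", "serial not in issued-check file"
    if item.serial in already_paid:
        return "EXCEPTION", "duplicate presentment of a paid serial"
    if item.amount != issued.amount:
        return "EXCEPTION", f"amount mismatch: presented {item.amount}, issued {issued.amount}"
    if normalize_payee(item.payee) != normalize_payee(issued.payee):
        return "EXCEPTION", "payee mismatch (possible check washing)"
    if item.presented - issued.issued > STALE_AFTER:
        return "EXCEPTION", "stale-dated item"
    return "PAY", "matches issued-check file"


def run_positive_pay(register_rows, presented_rows):
    """Screen presented items in order; a serial is 'paid' once it clears."""
    register = {c.serial: c for c in register_rows}
    paid = set()
    decisions = []
    for item in presented_rows:
        decision, reason = screen_item(item, register, paid)
        if decision == "PAY":
            paid.add(item.serial)
        decisions.append((item.serial, decision, reason))
    return decisions


# Constructed sample data (not real checks or customers).
SAMPLE_REGISTER = [
    IssuedCheck("1001", "Acme Supply Co", Decimal("1250.00"), date(2024, 4, 30)),
    IssuedCheck("1002", "Jane Doe", Decimal("300.00"), date(2024, 5, 1)),
    IssuedCheck("1003", "City Water", Decimal("89.12"), date(2024, 5, 1)),
    IssuedCheck("1005", "Old Vendor", Decimal("40.00"), date(2023, 10, 1)),
]

SAMPLE_PRESENTED = [
    PresentedItem("1001", "ACME SUPPLY CO", Decimal("1250.00"), date(2024, 5, 8)),
    # Washed check: payee name replaced, amount left intact.
    PresentedItem("1002", "John Smith", Decimal("300.00"), date(2024, 5, 9)),
    # Altered amount.
    PresentedItem("1003", "City Water", Decimal("889.12"), date(2024, 5, 9)),
    # Serial the business never issued.
    PresentedItem("1004", "Anyone", Decimal("500.00"), date(2024, 5, 9)),
    # Same check presented a second time.
    PresentedItem("1001", "ACME SUPPLY CO", Decimal("1250.00"), date(2024, 5, 10)),
    # Issued more than 180 days before presentment.
    PresentedItem("1005", "Old Vendor", Decimal("40.00"), date(2024, 5, 10)),
]


def screen_sample():
    return run_positive_pay(SAMPLE_REGISTER, SAMPLE_PRESENTED)


if __name__ == "__main__":
    for serial, decision, reason in screen_sample():
        print(f"{serial}: {decision} - {reason}")
```

In practice the exception items go to the business for a pay/return decision before the bank’s return deadline; the bank-side and business-side rules (payee matching is an optional add-on at many banks) vary by product.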
May 10, 2024: Fraud and Cybersecurity Articles
- New Report: Authorized Fraud Scams Damaging to Bank-Customer Relationships
- Shields Up: How to Minimize Ransomware Exposure
- US State Dept Broadens Security Vendor List Amid Microsoft Hacking Woes
- ASD’s ACSC, CISA, and Partners Release Secure by Design Guidance on Choosing Secure and Verifiable Technologies
New Report: Authorized Fraud Scams Damaging to Bank-Customer Relationships
PYMNTS
Despite ongoing efforts to educate consumers on protecting themselves against financial crime, increasing authorized fraud and scam instances are nightmares for banks and their customers. Authorized fraud, which targets customers or bank employees, is particularly troubling.
PYMNTS Intelligence finds that 43% of the fraudulent transactions that financial institutions (FIs) report are authorized fraud. Product and service or trust/relationship scams are common. With fraud and financial crime an ever-growing reality for FIs of all sizes, the result is often financial loss. Adopting fraud prevention measures such as machine learning (ML) and artificial intelligence (AI) has increased FIs’ confidence in protecting customers, employees and themselves from fraud-related financial losses.
These are just some of the findings detailed in “Leveraging AI and ML to Thwart Scammers,” a PYMNTS Intelligence and Hawk collaboration. This report explores the impact of authorized fraud scams on FIs and their customers. We surveyed 200 U.S. FIs with more than $1 billion in assets between March 20, 2023, and June 16, 2023. The survey examined how they perceive the fraud risks and the impact of the technology solutions used to mitigate losses.
Other key findings from the report include:
Scams represent one-third of authorized fraud and are the most harmful to customer finances.
The second-most common type of authorized fraud is scams, representing 34% of incidents. Scammers manipulate or deceive the authorized party to get them to make a payment. Scams are particularly concerning because they negatively impact customer satisfaction and retention. Moreover, scams represent 14% of all fraudulent transactions at FIs with assets of $5 billion or more, making them a common occurrence. Read more
Shields Up: How to Minimize Ransomware Exposure
Organizations need to look beyond preventive measures when it comes to dealing with today’s ransomware threats and invest in ransomware response.
Torsten George, Security Week
The ransomware attack on UnitedHealth subsidiary Change Healthcare has remained top of mind since its disclosure in February 2024. This incident highlights the attractiveness of data-rich healthcare firms to hackers and the increasing sophistication of cybercriminals. However, the Change Healthcare attack is merely the tip of the iceberg, with numerous ransomware attacks staying underreported in the media.
Ransomware has emerged as a highly profitable enterprise, evidenced by Change Healthcare’s payment of a $22 million ransom in bitcoin. In 2023 alone, payments made by ransomware attack victims doubled compared to the previous year, surpassing $1 billion, as reported by blockchain analysis firm Chainalysis.
A ransomware attack can swiftly cripple an organization, rendering it unable to access critical data and conduct business. Moreover, threat actors have evolved from merely infecting systems with ransomware to employing multi-faceted extortion tactics, which may include publicly naming and shaming victims, exfiltrating data, and threatening to disclose or sell it (e.g., Omni Hotels & Resorts, Nexperia, EquiLend).
While organizations may attempt to mitigate their exposure to such extortion schemes through cybersecurity insurance policies, this approach may no longer be as effective. Insurers like Lloyd’s are increasingly imposing restrictions on payouts, including the exclusion of losses related to state-backed cyber attackers. Consequently, fewer companies can rely on cybersecurity insurance to mitigate catastrophic risks. Instead, businesses must bolster their ransomware preparedness, with cyber resilience playing a pivotal role in enhancing their ability to prepare for and swiftly recover from ransomware attacks. Read more
U.S. State Dept Broadens Security Vendor List Amid Microsoft Hacking Woes
Zeba Siddiqui, Reuters
The U.S. Department of State has been working with a range of security vendors beyond Microsoft since China-linked hackers stole tens of thousands of the department’s emails by breaching the tech giant’s network last year, a senior official said.
That hack, which compromised some 60,000 State Department emails, including those of Commerce Secretary Gina Raimondo, was one of the worst in recent years against a federal agency and triggered much criticism of Microsoft. The Cyber Safety Review Board slammed the company last month for its lack of transparency.
“It’s not even that the software they gave me wasn’t secure. It’s that the keys to the kingdom were in the corporate network and their corporate network wasn’t secure,” Kelly Fletcher, the department’s chief information officer said on the sidelines of the RSA Conference in San Francisco on Monday.
“We’re seeing this sort of across the ecosystem … that these corporate networks are really important,” she said in an interview. “I’m counting on all my vendors, not just Microsoft, not only to sell me software that’s secure, but to have a secure corporate network.”
A hacking group Microsoft calls Storm-0558 had gained access to a digital signing key that allowed it to break into several government inboxes, the tech firm earlier said. The incident strained an already tense U.S.-China relationship as the Chinese embassy in Washington dismissed allegations that Chinese government-linked hackers were behind it. Read more
ASD’s ACSC, CISA, and Partners Release Secure by Design Guidance on Choosing Secure and Verifiable Technologies
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), together with CISA, the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the New Zealand National Cyber Security Centre (NCSC-NZ), is releasing the following guidance: Secure by Design: Choosing Secure and Verifiable Technologies. This guidance was crafted to provide organizations with secure by design considerations when procuring digital products and services.
The guidance contains a range of internal and external considerations and offers sample questions to leverage at each stage of the procurement process. Additionally, the guidance informs manufacturers on steps they should be taking to align their development processes to secure by design principles and practices.
CISA and partners encourage all organizations to read the guidance to assist with making secure and informed choices when procuring digital products and services. Software manufacturers are also encouraged to incorporate the secure by design principles and practices found in the guidance. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.
May 3, 2024: Fraud and Cybersecurity Articles
- FinCEN Issues Analysis of Increasing Elder Financial Exploitation
- ‘Like Wildfire’: Rising Check Fraud Pits Small Banks Against Big Banks
- Hackers Compromised Dropbox eSignature Service
- CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity
FinCEN Issues Analysis of Increasing Elder Financial Exploitation
Kristen E. Larson, Beth Moskow-Schnoll & Peter D. Hardy, Ballard Spahr
The Financial Crimes Enforcement Network (“FinCEN”) recently issued a Financial Trend Analysis (“Analysis”) focusing on patterns and trends identified in Bank Secrecy Act (“BSA”) data linked to Elder Financial Exploitation (“EFE”) involving scams or theft perpetrated against older adults.
The Analysis is a follow-up to FinCEN’s June 2022 EFE Advisory (“2022 Advisory”). The Analysis reviews BSA reports filed between June 15, 2022 and June 15, 2023 that either used the key term referenced in the 2022 Advisory (“EFE FIN-2022-A002”) or checked “Elder Financial Exploitation” as a suspicious activity type. In its 2022 Advisory, FinCEN warned financial institutions (“FIs”) about the rising trend of EFE, which FinCEN defines as “the illegal or improper use of an older adult’s funds, property, or assets, and is often perpetrated either through theft or scams.” The 2022 Advisory identified 12 “behavioral” and 12 “financial” red flags to help FIs detect, prevent, and report suspicious activity connected to EFE. Additionally, FinCEN recommended that EFE victims file incident reports with the FBI’s Internet Crime Complaint Center (IC3) and the Federal Trade Commission. Consistent with a risk-based approach to BSA compliance, FinCEN encouraged FIs to perform additional due diligence where appropriate.
Reports of EFE are significant and increasing. In the Analysis, FinCEN identified 155,415 relevant BSA filings over this period, reporting approximately $27 billion in EFE-related suspicious activity. FinCEN continues to receive EFE BSA reports, averaging 15,993 reports per month between June 15, 2023 and January 15, 2024.
Key findings from the Analysis include:
- Banks filed 72% of all EFE-related BSA filings;
- 80% of EFE-related BSA filings involve scams (the transfer of money to a stranger or imposter for a promised benefit that the older adult does not receive). Most elder scam reports referenced “account takeover” by an unknown perpetrator where fraudsters relied on unsophisticated means to steal the funds; Read more
‘Like Wildfire’: Rising Check Fraud Pits Small Banks Against Big Banks
Kate Berry, American Banker
Check fraud is wreaking havoc on community banks, which are urging the Office of the Comptroller of the Currency to crack down on their large bank competitors for failing to comply with rules meant to stop criminals from opening accounts.
Small banks say they’re taking hits to earnings and face negative impacts on their business customers. Many bankers say that check fraud is so rampant that it is leading to a loss of faith in the banking system and the U.S. Postal Service.
“Check fraud is out of hand,” said Chris Doyle, president and CEO of the $2.2 billion-asset Texas First Bank, in Texas City, Texas. “It’s an all-out war and we have people fighting it every day at our bank. The capture and washing of checks is out of control. There’s no security around checks. It’s too easy to wash them and commit fraud.”
Community banks are laying the blame for check fraud mostly on seven large banks, including JPMorgan Chase, Bank of America and Wells Fargo, for not doing enough to police new account openings. Checks are intercepted by criminals through the mail, altered by check washing, and then deposited in so-called drop accounts or mule accounts, which are later emptied. Small banks end up repaying their customers whose checks are stolen, but it can take months for the large banks where the altered checks were deposited to reimburse them, which the community banks say contravenes longstanding Uniform Commercial Code rules. Read more
Hackers Compromised Dropbox eSignature Service
Eduard Kovacs, SecurityWeek
Dropbox says hackers breached its Sign production environment and accessed customer email addresses and hashed passwords.
Dropbox on Wednesday disclosed a data breach impacting customers of Sign, the company’s electronic signature service. Dropbox Sign, formerly known as HelloSign, enables users to send, receive and manage legally binding e-signatures.
According to Dropbox, a threat actor gained access to the Sign production environment and accessed customer information, including email addresses, usernames, phone numbers, hashed passwords, data on general account settings, and authentication data such as API keys, OAuth tokens and multi-factor authentication information.
Even users who only received or signed a document through Sign without creating an account had names and email addresses compromised. However, there is no indication that payment information or customers’ files (signed documents and agreements) were accessed.
The intrusion was discovered on April 24. The investigation is ongoing, but to date there is no evidence that other Dropbox products were impacted. The company has determined that the hacker gained access to an automated system configuration tool.
“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database,” Dropbox explained.
In response to the incident, the company is notifying impacted users, logging them out of the Sign service, and resetting their passwords. In addition, API keys and OAuth tokens are being rotated. Read more
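The response steps above (forced logout, password resets, rotation of API keys and OAuth tokens) are only fast and clean if the credential store was built to support them. The following is an added illustration, not Dropbox’s code or a description of how Sign is implemented; it assumes a hypothetical key format of `prefix.secret`, an in-memory store, and an injectable clock so the rotation and revocation behaviour can be exercised deterministically. It shows three things a practitioner wants from such a store: only a hash of each key is persisted (so a copied customer database does not yield usable keys), per-key rotation keeps the old key valid for a short grace window so integrations can cut over, and a bulk revocation by issue time retires every key minted before an incident cutoff regardless of grace.

```python
"""Added example: a hash-only API-key store with rotation and bulk revocation.

Assumptions (not from the Dropbox disclosure): keys look like "prefix.secret",
the prefix is a random lookup handle, and only SHA-256(secret) is stored.
SHA-256 is adequate here because the secret is 256 bits of CSPRNG output;
user-chosen passwords would instead need a slow KDF such as bcrypt/scrypt/argon2.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class KeyRecord:
    prefix: str
    digest: bytes          # SHA-256 of the secret half; the plaintext is never stored
    owner: str
    issued_at: float
    expires_at: Optional[float] = None   # None: valid until rotated or revoked


class ApiKeyStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._by_prefix: Dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def issue(self, owner: str) -> str:
        """Mint a new key for owner and return it once; only its hash is kept."""
        prefix = secrets.token_hex(4)          # 8 hex chars, used only for lookup
        secret = secrets.token_urlsafe(32)     # 256 bits, never contains "."
        self._by_prefix[prefix] = KeyRecord(
            prefix=prefix, digest=self._digest(secret),
            owner=owner, issued_at=self._clock(),
        )
        return f"{prefix}.{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the owner if the key is valid and unexpired, else None."""
        prefix, _, secret = presented.partition(".")
        rec = self._by_prefix.get(prefix)
        if rec is None:
            return None
        if rec.expires_at is not None and self._clock() >= rec.expires_at:
            return None
        # Constant-time comparison of digests avoids leaking match length via timing.
        if not hmac.compare_digest(rec.digest, self._digest(secret)):
            return None
        return rec.owner

    def rotate(self, presented: str, grace_seconds: float = 3600.0) -> Optional[str]:
        """Issue a replacement key; the old key keeps working for grace_seconds."""
        owner = self.verify(presented)
        if owner is None:
            return None
        old = self._by_prefix[presented.partition(".")[0]]
        cutoff = self._clock() + grace_seconds
        old.expires_at = cutoff if old.expires_at is None else min(old.expires_at, cutoff)
        return self.issue(owner)

    def revoke_issued_before(self, cutoff: float) -> int:
        """Incident response: immediately expire every still-valid key issued before cutoff."""
        now = self._clock()
        revoked = 0
        for rec in self._by_prefix.values():
            still_valid = rec.expires_at is None or rec.expires_at > now
            if rec.issued_at < cutoff and still_valid:
                rec.expires_at = now      # no grace: the old secret may be in attacker hands
                revoked += 1
        return revoked
```

The grace window in `rotate` is what lets customers swap keys without an outage; `revoke_issued_before` deliberately ignores it, because after a suspected database copy the only safe assumption is that every secret issued before the cutoff is known to the attacker. The same pattern applies to OAuth refresh tokens and session identifiers.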
CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity
Today, CISA, in collaboration with U.S. and international partners, published a joint fact sheet, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity. This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors.
The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.
CISA and partners encourage OT operators in critical infrastructure sectors to apply the recommendations listed in the fact sheet to defend against this activity. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.