Fraud & Cybersecurity

Dec. 8, 2023: Fraud and Cybersecurity Articles

Report Suggests Failure to Install Patch Opened Door for Ransomware Attack That’s Affecting CUs

Courtesy of CUToday

A new report suggests the failure to install a software patch is behind the ransomware attack on a CUSO that has caused outages at approximately 60 credit unions.

As CUToday.info reported here, the compromise reportedly occurred at the Oregon-based CUSO Ongoing Operations and has affected five-dozen or so credit unions running the Fedcomp core solution. Both are subsidiaries of St. Petersburg, Fla.-based Trellance.

According to DataBreaches.net, the attackers penetrated Ongoing Operations’ through a vulnerability known as the Citrix Bleed vulnerability in Netscale, patches for which were released on Oct. 10.

The report referred to the vulnerability in Netscale as the “cybersecurity challenge of 2023.” Ongoing Operations’ two Netscaler devices remain offline, DataBreaches.net reported.

“Ongoing Operations, failed to install the patch, leading to the credit union disruptions,” DataBreaches.net reported.

Systems Remain Down

The systems at the credit unions remain down, with members and credit unions unable to check account balances. There is no evidence that member data has been compromised, according to several reports and CUToday.info’s own interviews.

As reported here, at least one credit union has been forced to turn to manual reporting in its interactions with members.

Others Also Hit

Credit unions aren’t alone in dealing with the same ransomware attack. According to DataBreaches.net, HTC Global Services, aka HTC Inc, aka Caretech — a large MSP for the healthcare sector with remote access to hospitals across the U.S., did not patch Netscaler since July and is currently being held to extortion by AlphV ransomware group, “who display stolen documents on their ransomware portal which are branded Caretech, a division of HTC.”

Humans Are Notoriously Bad at Assessing Risk

Courtesy of Joshua Goldfarb, Security Week

When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.

Risk assessment should be a rational and objective undertaking. We as humans, with our emotions, can sometimes be irrational and subjective. As security professionals, this would seem to put us at odds with our duty to objectively assess, manage, and mitigate risk.

Unfortunately, subjectivity introduces bias, which skews risk assessment. When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.  This, in turn, results in a poorer overall security posture.

Given this, how can security professionals remove as much subjectivity as possible from risk assessment? There are likely many different approaches that can be taken. I’d like to offer seven steps that security teams can use to ensure that their risk assessment, management, and mitigation is as objective as possible.

  1. Critical resources and data: When we begin to think about risk objectively, we quickly realize that we need to focus on where there is the potential for damage and loss to the business.  Damage most often materializes due to monetary loss caused by compromised data, compromised resources (systems), and/or compromised accounts.  This monetary loss can be in the form of lost revenue (due to app unavailability, brand reputation damage, etc.), regulatory fines, disclosure costs, breach remediation costs, fraud, and others.  Thus, the first step towards objective risk assessment is enumerating critical resources and data that are likely to have a monetary impact on the business if affected in a security incident.
  2. Potential impact: Once critical resources and data are enumerated, the potential impact of each must be understood.  By potential impact, we mean financial.  In some cases, this may be easier to determine than in others.  Regardless, this impact will need to be determined as an important next step in this process.
  3. Threat landscape: There is no shortage of security threats out there.  Some of these are more relevant and applicable to the business than others.  Those that are relevant will need to be enumerated to keep the risk assessment process moving forward. Read more
Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

Courtesy of The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.

“The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,” CISA said, adding an unnamed federal agency was targeted between June and July 2023.

The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively.

It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it’s aware of the flaw being “exploited in the wild in very limited attacks.”

The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software.

“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” CISA noted.

There is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.

In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources. Read more

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Courtesy of The Hacker News

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that’s capable of acting as a stealer and a point of entry for next-stage payloads.

UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and ultimately handing off access to Storm-0216.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle that’s written in the Go programming language and is signed with an adhoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.

Dec. 1, 2023: Fraud and Cybersecurity Articles

Fidelity National Financial Takes Down Systems Following Cyberattack

Fidelity National Financial is experiencing service disruptions after systems were taken down to contain a cyberattack.

Courtesy of Ionut Arghire, Security Week

Title insurance giant Fidelity National Financial (FNF) is experiencing service disruptions after it has taken down multiple systems to contain a cyberattack.

The incident, FNF said in a Form 8-K filing with the Securities and Exchange Commission (SEC) just before Thanksgiving, has impacted “title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries”.

According to the company, its F&G Annuities & Life subsidiary, which provides insurance solutions, was not affected.

FNF says that an investigation was immediately launched into the incident and that law enforcement was also notified.

To date, the investigation has determined that the attackers gained unauthorized access to certain systems and that some credentials were stolen.

While FNF did not specify what type of cyberattack it fell victim to, the fact that it has shut down systems to contain the incident suggests that ransomware might have been involved.

In fact, the notorious Alphv/BlackCat ransomware group has already taken responsibility for the attack, adding FNF to their leak site.

The threat actor did not specify whether any information was exfiltrated from the victim’s network, claiming it would reveal this later, if FNF does not pay a ransom.

FNF is one of the largest title insurance entities and underwriters groups in the US. It also offers settlement services to the real estate and mortgage industries.

Dollar Tree Hit by Third-Party Data Breach Impacting 2 Million People

Courtesy of Bill Toulas, Bleeping Computer

Discount store chain Dollar Tree was impacted by a third-party data breach affecting 1,977,486 people after the hack of service provider Zeroed-In Technologies.

Dollar Tree is a discount retail company that operates the Dollar Tree and Family Dollar stores in 23,000 locations in the United States and Canada.

According to a data breach notification shared with the Maine Attorney General, Dollar Tree’s service provider, Zeroed-In, suffered a security incident between August 7 and 8, 2023.

As part of this cyberattack, the threat actors managed to steal data containing the personal information of Dollar Tree and Family Dollar employees.

“While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor,” reads the letter sent to affected individuals.

“Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates.”

The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs).

Zeroed-In has notified the affected individuals and enclosed instructions on enrolling in a twelve-month identity protection and credit monitoring service.

BleepingComputer contacted Dollar Tree for a comment on the data breach, and we received the following statement:

“Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.” – Family Dollar spokesperson.

Other Zeroed-In customers apart from Dollar Tree and Family Dollar may have also been impacted by the security breach, but this hasn’t been confirmed yet.

We’ve contacted Zeroed-In with similar queries but received no answer by publication time.

PSA: Update Chrome Browser Now to Avoid an Exploit Already in The Wild

Courtesy of Jess Weatherbed, The Verge

An active exploit could leave your system vulnerable to data theft and malicious code. A critical security update is rolling out now.

A critical security update is now available for some Chrome users on Mac, Linux, and Windows that patches a zero-day vulnerability that could make systems susceptible to data theft and other cyberattacks. On Tuesday, Google confirmed in a Chrome stable channel update that it “is aware that an exploit for CVE-2023-6345 exists in the wild.” The vulnerability was discovered on November 24th by two security researchers working within Google’s Threat Analysis Group (TAG).

Google hasn’t released many details about the CVE-2023-6345 exploit yet, but that’s to be expected. As Android Central notes, Google, like many tech companies, often opts to keep information about vulnerabilities under wraps until they’ve been largely addressed, as detailed information could make it easier for attackers to exploit unprotected Chrome users. It isn’t clear how long the vulnerability had been actively exploited prior to its discovery last week.

What we do know is that CVE-2023-6345 is an integer overflow weakness that impacts Skia, the open-source 2D graphics library within the Chrome graphics engine. According to notes on the Chrome update, the exploit allowed at least one attacker to “potentially perform a sandbox escape via a malicious file.” Sandbox escapes can be utilized to infect vulnerable systems with malicious code and steal sensitive user data.

If you already have your Chrome browser set to update automatically, then you may not need to take any action. For anyone else, it’s worth manually updating to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows) within the Google Chrome settings to avoid your system being left exposed. Google says the fix is rolling out “over the coming days/weeks,” so it may not be immediately available to everyone at the time of this writing.

Five Cybersecurity Predictions for 2024

Cybersecurity predictions for 2024 to help security professionals in prioritizing efforts to navigate the ever-changing threat landscape.

Courtesy of Torsten George, Security Week

The year 2023 saw heightened cybersecurity activity, with both security professionals and adversaries engaged in a constant cat-and-mouse game. The dynamic landscape of cyber threats and the ever-expanding digital attack surface have compelled organizations to refine and fortify their security architectures. Despite the collective hope for a reprieve from the onslaught of daily phishing, ransomware, and credential stuffing attacks, cybercriminals are poised to leverage successful tactics from this year to orchestrate more sophisticated campaigns in the coming year. To stay ahead, it is crucial to anticipate the key themes likely to dominate the cybersecurity space in 2024.

The following predictions serve as strategic insights for IT and security professionals, guiding them in prioritizing efforts to navigate the ever-changing threat landscape:

A Never-Ending Story: Compromised Credentials

The perpetual use of usernames and passwords for access control and authentication has made compromised credentials a recurring vulnerability. Post-mortem analysis of data breaches consistently identifies compromised credentials as the primary point of attack. In fact, a study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Despite this, many organizations lack essential identity-related security controls. Those that have implemented proper access controls often focus on human users, neglecting the multitude of non-human identities arising from digital transformation initiatives (e.g., DevOps, cloud transformation, Internet of Things). As a result, compromised identities, both human and non-human, are expected to fuel cyberattacks in 2024. Organizations are urged to intensify efforts in implementing Zero Trust principles to reduce dependency on passwords.

Ransomware Attacks Continue to Wreak Havoc

The ransomware business thrives as cybercriminals exploit vulnerabilities in organizations, as witnessed in attacks on entities such as the Kansas Court SystemYamaha Motors, and Western Digital. In fact, the Ransomware-as-a-Service model has made launching attacks that much easier. Over the past year, ransomware attacks have evolved into multifaceted extortion schemes where data is exfiltrated and threatened to be publicly released if a ransom is not paid. The recent SEC complaint filed by the Alphv/BlackCat ransomware group against MeridianLink adds a new dimension to this tactic. With the new SEC disclosure ruling coming into effect on December 15, 2023, requiring companies to report “material” cybersecurity incidents within four days, this tactic is expected to become commonplace in ransomware attacks. Enterprises need to focus on ransomware preparedness, particularly in recovering endpoints and critical infrastructure such as Active Directory. Read more

 

Nov. 17, 2023: Fraud and Cybersecurity Articles

Mandates Failing in Cyber-Insurance: Why Mandates Work for Traditional Insurance Categories, But Not for Cyber-Insurance

Courtesy of Brett Helm, CUSO Magazine

Cyber insurance was the brainchild of Steve Haase, an insurance broker for Hamiliton Dorsey Alston Co. When first introduced in 1997, the coverage was called Internet Security Liability (ISL). Early policies were designed to mitigate the risks faced by e-commerce vendors and were underwritten by AIG. While cyber insurance can trace its roots back a quarter of a century, it is, in many ways, still in its infancy.

Cyber-insurance policies, unlike health, life, auto, and most traditional lines of insurance, are not governed by regulators or legislation. There are no requirements on what must be covered, what can be excluded, or what rates can be charged. Without governance, insurance companies are working on their own to standardize coverage, normalize policy terms, and manage their exposure. This is achieved, in large measure, by requiring cybersecurity controls and practices for companies carrying cyber-insurance.

Risk profiles for traditional lines of insurance such as health, auto, or property and casualty insurance, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions.

Cyber threats, on the other hand, are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks. To ensure security in this ever-changing environment, continuous monitoring of internal networks is required. Continuous monitoring provides insurance companies with actuarial data and ensures mandates are followed.

Risk management by insurance companies

Insurance companies have long used terms and conditions as tools to manage and mitigate risk within their portfolios. Terms and conditions are requirements that policyholders must follow in order to qualify for coverage and to maintain their policies.

Follow-up Article: Mr. Cooper Hit with Consumer Class-Action Lawsuits Over Cyberattack

Courtesy of Flávia Furlan Nunes, Housing Wire

Customers accuse the company of negligence, breach of implied contract and unjust enrichment

Mr. Cooper Group became the target of at least four consumer class-action lawsuits after disclosing a cyberattack at the end of October when customer information was compromised and the company shut down certain systems.

On Oct. 31, the Dallas-based servicer and lender said it had experienced a cybersecurity incident with an unauthorized third party accessing certain portions of its technology systems and customer data. The firm informed law enforcement, regulatory authorities and other stakeholders.

In the lawsuits filed in a district court in Texas, customers claim that the defendant “failed to comply with industry standards to protect information in its systems that contain” personally identifiable information of millions of people. Mr. Cooper had 4.3 million customers in its servicing portfolio in the third quarter, consisting of $937 billion in UPB at the end of September.

Customers claim that, as a result of the attack, they are “in the hands of criminals” and face an “increased risk of identity theft.” Ultimately, they have spent and will continue to spend “significant time and money” to protect themselves due to Mr. Cooper’s failures. A representative for Mr. Cooper did not respond to a request for comment.

Plaintiffs complained that the company notified them about the incident days after discovering the data breach and the notice lacked information, including details of the cyberattack and customer recommendations. They also complained about emotional stress since, once stolen, fraudulent use of that information and damage to victims may continue for years. In addition, fraudulent activity might not show up for six to 12 months or even longer.

Customers seek, among other things, that the “company fully and accurately disclose the nature of the information that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like this in the future.”

Mr. Cooper is accused of negligence, breach of implied contract and unjust enrichment, among other claims. On Thursday, Mr. Cooper announced it had partially resumed its operations. After that, the company said phone systems and its website were running again.

“We are continuing to investigate precisely what information was exposed. In the coming weeks, we will mail notices to any affected customer and provide them with complimentary credit monitoring services,” Mr. Cooper said on its website.

The company estimates fourth-quarter earnings will include $5 to $10 million in additional vendor costs. At this time, however, it’s not possible to quantify the full extent of remediation and legal expenses due to the cyberattack.

Web Browsing Data Collected in More Detail Than Previously Known

Courtesy of Cristina Criddle, Financial Times

Campaigners warn proliferation of categories describing sensitive professions could leave users open to blackmail

Internet browsing data is being collected and sold in greater detail than previously thought, increasing the likelihood that individuals’ identities can be ascertained from the anonymised information, a new report has found.

Web users have for years been grouped by data brokers by traits such as their broad professional sector or interests, inferred from their browsing history. This anonymised information is then sold to advertisers so they can target specific categories, or segments, with personalised marketing.

An investigation by the non-profit Irish Council for Civil Liberties published on Tuesday shows the number of segments is greater than previously thought, including data on many influential and sensitive professions that were not known to be sold to advertisers.

Data has been put into segments used to target judges, elected officials, military personnel and “decision makers” working in national security, it found. Privacy campaigners argue that these more specific professional categories mean that information from different data points can be easily combined with location data and time stamps to identify people.

This could be used for surveillance or exploited by hostile actors, they added, noting that the data is available for a broad range of companies to purchase. “This data about political leaders, judges and military personnel shows that the [real-time bidding] industry’s security problem is in fact a national security problem too,” said Johnny Ryan, senior fellow at ICCL.

Real-time bidding is the process by which advertising is bought and sold based on data segments.

A document seen by the Financial Times showed that segments marketed by US data broker firm Eyeota include decision makers in government, national security and counter-terrorism. They also included categories such as military personnel, military families, judges and elected officials. Read more

Most Overused Passwords in The World — Make Sure Yours Isn’t On The List

Courtesy of Charmaine Jacob, CNBC

Racking your brains to come up with a strong password can be a pain. But if you want your emails, online banking, streaming platform credentials secure from the clutches of hackers, it would be wise to put in the effort.

NordPass, the password management tool from the team behind NordVPN, partnered with independent researchers to release its study of the 200 most common passwords used in 2023.

Of the world’s 20 most common passwords, 17 can be cracked in less than a second, so think twice before you decide to key in “123456” or the even more creative “password” to secure your online accounts.

The most popular passwords are some of the laziest combinations, even as cybersecurity threats continue to be on the rise with over 53 million U.S. citizens affected in the first half of 2022, according to AAG data.

The NordPass study showed that 86% of cyberattacks use stolen credentials, and online accounts, emails and passwords make up almost 20% of the most commonly sold items on the dark web.

To make sure your data stays safe, here are the world’s 20 most common passwords of 2023 — and how long it takes to crack each one: Click here for the list

Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks

Courtesy of the HackerNews

A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks.

“Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem,” Martin Zugec, technical solutions director at Bitdefender, said in a new report.

A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing “since it’s outside of our threat model and the behavior is in line with Chrome’s practices of storing local data.”

However, the Romanian cybersecurity firm has warned that threat actors can exploit such gaps to extend a single endpoint compromise to a network-wide breach. The attacks, in a nutshell, rely on an organization’s use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities.

This enables administrators to remotely manage and control Windows devices within their Google Workspace environments, as well as allows users to access their Windows devices using the same credentials that are used to login to their Google accounts. Read more

 

Nov. 10, 2023: Fraud and Cybersecurity Articles

New York Adds Stiffer Requirements to Cybersecurity Rules

Financial companies must now report ransom payments and strengthen board oversight

Courtesy of James Rundle, Wall Street Journal

New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict provisions around board oversight and ransom payments that go further than recent federal rules. The New York State Department of Financial Services, which oversees banks, insurance firms, mortgage brokers and other financial institutions, expanded its initial cybersecurity rules, published in 2017, because rising cyberattacks require stronger protections, said Adrienne Harris, superintendent of financial services, in a statement.

Chief information security officers are placed front and center in the new regulations as having responsibility for ensuring that companies comply with the rules, and that internal policies are enforced. In some areas, the updated rules are similar to those recently approved by the U.S. Securities and Exchange Commission, particularly around how cybersecurity programs are supervised. However, New York’s rules go into greater detail than the SEC’s in some areas.

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function. In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

DFS’s new requirements come as authorities generally have taken a stronger approach toward ransom payments than in the past. At a summit this week hosted by the U.S. government at the Justice Department, nations belonging to the Counter Ransomware Initiative were finalizing a pledge to not pay ransoms to criminals when government systems come under attack.

“As long as there’s money flowing to ransomware criminals, the problem will continue to grow,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, on a call with reporters Tuesday. Read more

Internal Spoofing Attacks Are on The Rise – Is Your Staff Prepared?

Courtesy of League InfoSight/ League of Southeastern Credit Unions & Affiliates

Spoofing is a scam where cybercriminals impersonate a company with a fake email address, display name, text message, or website URL to convince a target that they are a trusted, well-known source from the company. It can be as simple as changing one letter, symbol, or number in a communication that is difficult to spot. The benefit of spoofing for cybercriminals is that the person will likely disclose financial and personal information, download malware, wire funds, and more.

Types of spoofing attacks:

  • Email Spoofing: This technique is one of the most common types where cybercriminals send an email posing as a trusted source. They usually ask for an urgent request or attempt to lure the target to click a malicious link or attachment.
  • Domain or Website Spoofing: These attacks aim to lure users into logging into their accounts on fake websites or exposing other personal information about themselves. The cybercriminals can then use the stolen credentials to log into the actual account on the real website.
  • Caller ID Spoofing: Similar to email spoofing, caller ID alters the phone number to show up as someone familiar to the target they are calling. For example, the fraudster may pose as a customer service representative from the target’s bank and attempt to gather personal information like their banking credentials, social security number, etc. in order to gain access to their account.
  • Text Message Spoofing: This technique targets a person via text message posing as a trusted source like their bank or a friend. They substitute the sender ID with a recognizable source and use the text message as a springboard for data theft, spear phishing, and scams.

The reality is that credit unions are being targeted, as well as employees. Implementing a Proactive Security Awareness Program aims to empower users with skills to identify and report suspicious activity, including emails, texts, or website links. People are the first line of defense for the credit union, and when equipped with cybersecurity awareness, it will only propel their security posture.

The following tips can help identify a spoofed message in the email headers:

  • Identify that the ‘From’ email address matches the display name. The from address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is actually coming from someone else.
  • Make sure the ‘Reply-To’ header matches the source. This is typically hidden from the recipient when receiving the message and is often overlooked when responding to the message. If the reply-to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged. Read more
Video: Nebraska Attorney General Mike Hilgers Warns of Bank Impersonation Scams
FCA Warns Banks Over App Fraud and Poor Treatment of Victims

Courtesy of FinExtra

With authorised push payment fraud on the rise, the FCA says banks should strengthen anti-crime systems and must treat victims of fraud better.

The warning shot from the regulator follows a review of firms’ fraud controls and complaint handling. While the review found examples of good practice, the watchdog expresses disappointment with the way some firms supported customers who were the victims of fraud. In the first six months of 2023 over 116,000 people reported falling victim to APP fraud, where someone is tricked into sending money to a fraudster posing as a genuine payee.

The latest fraud report by UK Finance showed that over £152 million was returned in total by the banking sector to victims in the first half of this year. However, recent figures published by the Payment Systems Regulator found a wide disparity in the way some banks treat victims, with new challengers such as Monzo and Starling scoring particularly poorly.

The FCA says banks are not fully considering characteristics of customer vulnerability when making decisions about fraud claims and complaints. The watchdog says customers were provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language.

The FCA says it is pressing banks to improve their anti-fraud systems and controls and review complaint-handling procedures to ensure better outcomes for customers.

“We are already working with firms in our review to strengthen their approach,” states the FCA. “We expect all payment service providers to use our findings to inform what more they can do to detect, manage and reduce fraud and losses more effectively. Customer treatment must also be improved, including how complaints are handled, to deliver consistently good consumer outcomes in line with the Consumer Duty.”

Cyberattack Hits Mr. Cooper, Blocks Millions of Mortgage Payments

The loan servicing giant shut down systems after it detected the intrusion and set up alternative methods for its 4.3 million customers to make payments.

Courtesy of Matt Kapko, CyberSecurity Dive

Mortgage servicing provider Mr. Cooper Group shut down multiple systems after it determined a threat actor accessed certain technology systems on Oct. 31, according to a Thursday filing with the Securities and Exchange Commission.

The company initiated precautionary containment measures in response to the cyberattack, a move that’s temporarily halting recurring payments and leading customers to make one-time loan payments online, via phone, email or third parties. The status of customers’ loans were last updated Oct. 31.

Mr. Cooper is the third-largest mortgage servicer in the U.S. with more than 4.3 million customers, according to the company.

The Texas-based company said it notified law enforcement and contacted cybersecurity experts to assist in an investigation. “While the company’s investigation is ongoing, based on information currently known, the company does not believe this incident will have a material adverse effect on its business, operations or financial results,” the company said in the SEC filing.

The ongoing investigation has yet to determine if any data was compromised and Mr. Cooper said it will notify any customers that are potentially impacted. A temporary site was set up to provide customers with updated information, including details about how to make payments as the company works to return to normal operations.

Mr. Cooper assured customers that it won’t impose any fees or negative credit reporting for late payments until the issue is resolved.

“At this time, we believe this cybersecurity incident was isolated to Mr. Cooper systems and technology and did not affect any of the company’s clients’ or partners’ systems or technology,” a company spokesperson said in a statement.

The cyberattack against Mr. Cooper, which blocked millions of customers from making payments and processing mortgage transactions, is credit negative, Moody’s Investors Service said Tuesday.

“The full impact of the event will depend on the duration of the disruptions, ensuing potential reputational damage and magnitude of the breach,” Stephen Lynch, VP and senior credit officer for Moody’s, said in a statement.

Mr. Cooper services approximately 450 residential mortgage-backed securities, according to Moody’s.

 

Nov. 3, 2023: Fraud and Cybersecurity Articles

Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO

Courtesy of Mike Lennon, SecurityWeek

In a development sparking chatter and debate through the cybersecurity world, the lawsuit filed by the U.S. Securities and Exchange Commission (SEC) against the Chief Information Security Officer (CISO) of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.

The lawsuit alleges that SolarWinds CISO Timothy Brown failed to disclose critical information regarding the massive cyberattack on the company’s software supply chain that occurred in late 2020. The complex attack, widely attributed to state-sponsored Russian hackers, compromised the networks of numerous government agencies and corporations that relied on SolarWinds’ products. The breach was a significant event in the world of cybersecurity, leading to numerous breaches, a frenzy of investigations, and regulatory scrutiny.

The SEC’s lawsuit is a rare instance of a regulatory body targeting a CISO for alleged mismanagement of cybersecurity risks. The suit claims that SolarWinds’ CISO was aware of the vulnerabilities in systems but did not disclose them adequately to the company’s investors, leading to misleading statements in SolarWinds’ filings with the SEC.

Industry experts have expressed mixed opinions on the SEC’s lawsuit. Some view it as a necessary step toward holding CISOs accountable for their actions or inactions when it comes to cybersecurity. They argue that CISOs play a crucial role in safeguarding a company’s digital assets and must be transparent with both their organization and regulators about potential threats.

“The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would,” Jake Williams, a prominent cybersecurity expert wrote in a post on X. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”

However, others, including SolarWinds itself, argue that this lawsuit sets a concerning precedent. They fear that CISOs may become hesitant to share information about cyber threats within their organizations, worried that any disclosure might open them up to legal action. This, they say, could hinder the industry’s ability to effectively respond to cyberattacks and protect sensitive data.

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”

FinCEN Proposes to Require Recordkeeping and Reporting for CVC Mixing Transactions

Courtesy of Peter D. Hardy, Lisa Lanham, Siana Danch & Kelly A. Lenahan-Pfahlert, Ballard Spahr

On October 23, the Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (“NPRM”) entitled Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern.  Section 311 of the Patriot Act, codified at 31 U.S.C. § 5318A (“Section 311”), grants the Secretary of the Treasury authority – which has been delegated to FinCEN – to require domestic financial institutions and agencies to take certain “special measures” if FinCEN finds that reasonable grounds exist for concluding that one or more classes of transactions within or involving a jurisdiction outside of the United States is of “primary money laundering concern.”

In this NPRM, FinCEN proposes to designate under Section 311 all convertible virtual currency (“CVC”) mixing transactions, as defined by the NPRM.  This designation would require imposing reporting and recordkeeping requirements upon covered financial institutions (“FIs”) regarding transactions occurring by, through, or to a FI when the FI “knows, suspects, or has reason to suspect” that the transaction involves CVC mixing.

The NPRM is complicated and raises complex questions.  We only summarize here, and note selected issues.  Comments are due on January 22, 2024.  FinCEN can expect many comments.

Reasons for Implementing Section 311

As we have blogged, FinCEN has employed Section 311 – a powerful tool – before.  But, prior uses of Section 311 have involved specific banks (see here and here) or specific geographies (see here and here).  In contrast, and as the government’s press release notes, “[t]his is FinCEN’s first ever use of the Section 311 authority to target a class of transactions of primary money laundering concern[.]” (emphasis added).  As a practical matter, the NPRM likely will impact primarily CVC exchanges dealing directly with CVC and operating as money services businesses under the Bank Secrecy Act (“BSA”), as opposed to traditional FIs such as banks, which typically do not deal directly with CVC.

As the government’s press release further notes, the NPRM specifically seeks to combat illicit financing involving terrorism and evasion of U.S. sanctions: “This NPRM highlights the risks posed by the extensive use of CVC mixing services by a variety of illicit actors throughout the world and proposes a rule to increase transparency around CVC mixing to combat its use by malicious actors including Hamas, Palestinian Islamic Jihad, and the Democratic People’s Republic of Korea (DPRK).”  As the NPRM itself also notes, and as we also have blogged (see hereherehere and here), the U.S. government recently has instituted several enforcement actions involving CVC mixers, which the NPRM describes as “ripe for abuse by, and frequently used by, illicit foreign actors that threaten the national security of the United States and the U.S. financial system” because they are “intended to make CVC transactions anonymous.” Read more

FTC Orders Non-Bank Financial Firms to Report Breaches In 30 Days

Courtesy of Bill Toulas, Bleeping Computer

The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days. Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.

This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations. It applies to security incidents that impact 500 or more consumers, especially if unauthorized third parties accessed unencrypted (cleartext) information.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” stated FTC’s Director of Bureau for Consumer Protection, Samuel Levine. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The notification requirement does not apply to cases where consumer information is encrypted as long as the attackers did not access the encryption key. The notice breached firms need to be submitted onto FTC’s online portal and must include details about the security incident, such as:

  • Name and contact information of the reporting institution.
  • Number of impacted consumers and of those potentially affected by it.
  • Description of the types of data that have been potentially exposed.
  • Exposure date and, if possible to determine, the duration of the incident.
  • Confirmation whether law enforcement advised that public disclosure of the breach could obstruct an investigation or threaten national security.

The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident. The FTC emphasizes that submitting a data breach report doesn’t automatically imply a violation of the Safeguards Rule, nor does it ensure an investigation or enforcement action.

The new notification requirement will become effective 180 days after publication of the rule in the Federal Register, so the rule should be applicable starting in April 2024. For more details on the amendments and their development process based on the feedback FTC received from stakeholders, you can read this document.

10 Must-Know PC Security Tips That Keep You Safe Online

Criminals are always finding new ways to steal confidential info and smuggle in malware. These tips can help keep you safe.

Courtesy of Roland Freist, PC World

Staying safe online doesn’t mean having to learn coding or anything exotic. Germany’s Federal Office for Information Security recently published a brochure entitled “Using the internet safely” that contains ten helpful security tips that you should keep in mind while surfing the Internet to protect yourself from fraud and computer viruses.

The basic information is handy indeed, but we’ve expanded on these tips with recommendations on specific tools and security settings you can use to stay safe online.

Always keep Windows, browsers and applications up to date

Tip 1: “Set up your web browser securely and keep it up-to-date. Browser extensions should be disabled or uninstalled if necessary.

Google Chrome, Microsoft Edge, and Mozilla Firefox check for available updates every time they are started and install them automatically. This applies to Windows as well as Android and iOS devices. Refrain from experimenting with alternative browsers from dubious manufacturers. These programs are often not carefully maintained.

Even among the browser extensions in the manufacturers’ stores, there are quite a few candidates for which it is unclear what information they access and to whom they pass on this data. So you should install as few extensions as possible. For most users, the only thing that is almost indispensable is a password manager. These programs are now mostly offered in the form of browser extensions. Our guide to the best password managers can help you find a great one.

Tip 2: Keep your operating system and other software up-to-date by allowing updates to be installed automatically.”

Windows, Microsoft 365, and many other applications have an automatic update mechanism that installs new versions and patches as soon as they appear. For all other programs, there are tools such as Sumo or the Iobit Software Updater that check the version numbers of installed programs and indicate available updates.

Tip 3: “Use applications for virus protection and a firewall. Some operating systems already offer such applications, but they must be activated.”

Windows includes virus protection and also a firewall, both of which are active by default, but they’re basic and aren’t very configurable. The best antivirus software suites include protect against threats like ransomware, phishing, and stolen identities. Read more

 

Oct. 27, 2023: Fraud and Cybersecurity Articles

The Rise of S3 Ransomware: How to Identify and Combat It

Courtesy of The Hacker News

In today’s digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations.

Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization’s buckets.

To effectively combat these evolving threats, it is vital to ensure that your organization has visibility into your S3 environment, that you are aware of how threat actors can compromise data for ransom and most importantly, best practices for minimizing the risk of cyber criminals successfully executing such an attack.

Ensuring Visibility: CloudTrail and Server Access Logs#

Visibility serves as the foundation for any effective detection strategy. In Amazon S3, nearly every action translates to an API call, which are meticulously recorded in CloudTrail and documented in AWS documentation.

The two primary options for logging activity in S3 buckets — CloudTrail Data Events and Server Access Logs — hold a wealth of information that security practitioners must leverage to anticipate and detect suspicious activity. Each offer distinct advantages and trade-offs:

  • Cloud Trail Data Events: offer visibility into resource operations performed on or within a resource in real-time, but comes with potential cost implications due to high API call volumes
  • Server Access Logs: free access to records for each request made to your S3 bucket, but come with potential delays in log availability and potential logging with less integrity.

Mitigating Risk by Understanding the Attack Scenarios#

Utilizing the above logs to ensure adequate visibility, it is possible to keep an eye out for potential attack scenarios in order to mitigate risks effectively. There are three main attack scenarios that we observe with S3 ransomware attacks, all which can prevent an organization from accessing its data. Read more

State Bank Regulators Update Ransomware Self-Assessment Tool for Banks

Courtesy of Conference of State Bank Supervisors

State regulators, in collaboration with the Bankers’ Electronic Crimes Taskforce and the U.S. Secret Service, this week released an updated Ransomware Self-Assessment Tool (R-SAT) for banks to help mitigate new risks associated with ransomware attacks and identify security gaps.

The new version updates the R-SAT originally released in 2020 due to evolutions in the ransomware threat environment, bad actor tactics and changes in bank environments and controls. The revised R-SAT incorporates insights from cybersecurity experts, feedback from financial institutions and lessons learned from analyzing real-life ransomware attacks.

While financial institutions may have good cybersecurity practices in place, rapid advancements in ransomware techniques and the potentially devastating consequences of a successful attack require every financial institution to review and update their ransomware-specific controls. The updated R-SAT places an increased emphasis on topics such as multi-factor authentication, employee awareness and security training, cloud-based systems or activities, and the identification of control risks that have not been mitigated to an acceptable risk level.

An industry-wide webinar hosted by the Conference of State Bank Supervisors briefed bankers on the updated tool, covering the specific changes to the R-SAT, research and insights from the industry that led to these changes and how banks can most effectively leverage the tool to protect their institution and customers.

State regulators continue to be proactive and adaptive to the needs of the diverse banking system. Updates to the R-SAT are yet another example of state regulators empowering their institutions with the tools to ensure our financial system remains safe, sound and resilient.

Visit www.csbs.org/ransomware-self-assessment-tool for more information on the updated R-SAT and how to implement it at your institution.

CISA Releases Fact Sheet on Effort to Revise the National Cyber Incident Response Plan (NCIRP)

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet on the effort to revise the National Cyber Incident Response Plan (NCIRP). Through the Joint Cyber Defense Collaborative (JCDC), CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released.

First published in 2016, the NCIRP was developed in accordance with Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination and describes how federal government, private sector, and state, local, tribal, territorial (SLTT) government entities will organize to manage, respond to, and mitigate the consequences of significant cyber incidents.

NCIRP 2024 will address changes to the cyber threat landscape and in the nation’s cyber defense ecosystem by incorporating principles grounded in four main areas:

  • Unification
  • Shared Responsibility
  • Learning from the Past
  • Keeping Pace with Evolutions in Cybersecurity

CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.

Oct. 20, 2023: Fraud and Cybersecurity Articles

Lost and Stolen Devices: A Gateway to Data Breaches and Leaks

By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.

Courtesy of Torsten George, SecurityWeek

In our digital age, data is king. It drives businesses, informs decision-making, and plays an essential role in our everyday lives. However, with the convenience of technology comes the risk of data breaches and leaks.

One often overlooked aspect of this risk is the role that lost and stolen computers play in compromising sensitive information. According to Forrester Research’s 2023 State of Data Security report, only 7% of security decision makers are concerned about a lost or stolen asset causing a breach, even though such incidents account for 17% of breaches. Such assets can include smartphones, tablets, laptops, external hard drives, and USB flash drives.

While these types of breaches may not command the same attention-grabbing headlines as major cyberattacks, the theft or loss of laptops, desktops, and flash drives poses a very real problem. It underscores the pressing need for endpoint resilience and recovery.

The Rising Threat
Lost and stolen computers are a growing concern for individuals and organizations alike. The portability and value of modern laptops and smartphones make them attractive targets for thieves. When a computer is lost or stolen, the data it contains becomes vulnerable to unauthorized access. Despite substantial investments in endpoint security controls, devices are often not as secure as organizations would hope. This vulnerability has led to numerous high-profile data breaches over the years.

The threats that arise from lost or stolen devices are as follows:

  • Unauthorized Access: When a computer falls into the wrong hands, unauthorized access to sensitive data becomes a real threat. Even if the device is password-protected, threat actors can employ various techniques to bypass security measures and gain access to files, emails, and other confidential information. This access can lead to data breaches, identity theft, and financial loss.
  • Lack of Encryption: Many users fail to encrypt their data, leaving it exposed in the event of theft or loss. Encryption is a crucial security measure that renders data unreadable without the appropriate decryption key. Without encryption, thieves can easily access and misuse sensitive data, putting both individuals and organizations at risk. Having encryption enabled is often a legally required control, and not being able to prove its efficacy can expose an organization to liability.
  • Physical Access to Networks: In some cases, lost or stolen computers are used as a means to gain physical access to corporate networks. If an employee’s laptop is stolen, and it contains access credentials or VPN configurations, the thief may use this information to infiltrate the organization’s network. Once inside, they can carry out malicious activities, steal more data, and potentially compromise the entire network’s security. Read more
‘Phantom Hacker’ Scams That Target Seniors’ Savings Are on The Rise, FBI Says

Courtesy of Greg Iacurci, CNBC

Key Points

  • “Phantom hacker” scams are an evolution of tech support scams, a type of cybercrime.
  • Losses from tech support scams were up 40% as of August, the FBI said.
  • “Phantom hacker” scams often wipe out bank, savings, retirement and investment accounts, the FBI said.

There has been a nationwide increase in “phantom hacker” scams, a type of fraud “significantly impacting senior citizens,” who often lose their entire bank, savings, retirement or investment accounts to such crime, according to the FBI.

“Phantom hacker” scams are an evolution of tech support scams, a type of cybercrime.

As of August 2023, losses from tech support scams were up 40% during the same period in 2022, according to a recent FBI public service announcement. It didn’t disclose the total dollar loss during that period.

Half the victims were over 60 years old and comprise 66% of the total financial losses, the FBI said.

Older adults have generally amassed a larger nest egg than younger age groups, and therefore pose a more lucrative target for criminals. Older adults are also “particularly mindful of potential risks to their life savings,” Gregory Nelsen, FBI Cleveland special agent in charge, said in a statement.

“These scammers are cold and calculated,” Nelsen said. “The criminals are using the victims’ own attentiveness against them,” he added.

How ‘phantom hacker’ scams operate

“Phantom hacker” crimes are multilayered.Initially, fraudsters generally pose as computer technicians from well-known companies and persuade victims they have a serious computer issue such as a virus, and that their financial accounts may also be at risk from foreign hackers.

Accomplices then pose as officials from financial institutions or the U.S. government, who convince victims to move their money from accounts that are supposedly at risk to new “safe” accounts, under the guise of protecting their assets. Read more

Banks Combine AI And Communication to Combat the Rising Threat of Payment Fraud

With the rise of digital transactions and online services, fraud has become an increasing concern for both consumers and businesses.

Courtesy of PYMNTS.com

In March 2023, for example, 11% of consumers who paid for groceries encountered payment fraud, marking an 88% increase since December 2021. This is one of key findings in a recent PYMNTS Intelligence report entitled “The Next Chapter in Fraud: Using AI to Unveil Payments Intelligence,” which examines concerns around cybercrime and how financial institutions (FIs) are mitigating fraud risks.

Data from the joint PYMNTS Intelligence-AWS study shows that businesses are also grappling with the far-reaching impacts of fraud, with failure to prevent sophisticated fraud schemes leading to customer attrition. In fact, more than 30% of Big Tech and FinTech firms have lost customers due to fraud or financial crimes, the study found.

In response, firms are planning investments in fraud detection and management tools, with many turning to artificial intelligence (AI) and machine learning (ML) for enhanced fraud prevention. These advanced tools offer the potential to analyze vast amounts of data, identify patterns, and detect anomalies that indicate fraudulent activities.

For Big Tech and FinTech firms that still need convincing, the fact that 66% of FIs that use ML or AI experienced a decrease in overall fraud rates could help increase their trust in the effectiveness of AI in combating fraud.

Michael Jabbara, vice president and global head of fraud services at Visa, has also made a case for AI in fraud prevention efforts, telling PYMNTS in a recent interview that the technology can help combat the “democratization” of cybercrime and ransomware.

As he noted to PYMNTS, AI is “the superpower that gives us the ability to detect that proverbial fraudulent needle in the overall haystack of legitimate interactions — and then build the automation necessary to carve out the fraud while letting the authentic transactions go through.”

Strengthening Anti-Fraud Efforts
While most banks and firms are focusing primarily on increasing the use of ML/AI models to stem the rising tide of fraudulent activities, FIs also plan to improve anti-fraud efforts in other areas.

PYMNTS Intelligence data shows that in 2023, 62% of FIs plan on improving communication with customers as an anti-fraud measure, up from about 57% in 2022. This includes regularly updating customers on the measures taken to protect their accounts and transfers from fraud, which can go a long way to alleviating customer fears and foster trust. Read more

Navigating Risk and Fraud Management in The World of Bank Transfers

Courtesy of Payments Journal

Digital transformation has accelerated the evolution of financial transactions dramatically in the last decade. Gone are the days when paper checks were the norm, with a recent Philadelphia Fed Study, reporting that since 2009, paper check usage has been dropping by 1.2 billion annually. Instead, bank transfers and digital payments have taken center stage. While these digital payment methods offer convenience and efficiency, they also bring new challenges in risk and fraud.

Businesses can combat these threats by educating themselves on risk and fraud management for digital transactions and by exploring emerging fraud trends in the world of bank transfers. For example, one of the most pressing fraud trends right now is credit push schemes. While getting hacked is a common fear, social engineering remains a more significant concern.

These fraudulent activities often involve convincing individuals, whether employees or account owners, to provide critical information. These schemes rely heavily on social engineering to trick consumers or businesses into sending money to fraudsters. Common variants of these schemes include business email compromise, vendor impersonation fraud, payroll impersonation, account takeover, and more.

This underscores the importance of understanding and implementing robust controls to prevent users from falling victim to such schemes.

Effective Fraud Prevention and Risk Management Strategies
One key business strategy to combat fraud across bank transfers is real-time transaction monitoring. Monitoring transactions in real time and identifying suspicious activity is crucial to prevent fraud. This approach, when combined with effective onboarding identity and verification processes, helps stop anomalies or high-value transactions that could lead to fraud or financial loss.

Education also plays a vital role in building a strong defense against fraud. It is essential not only to train internal teams but also to educate customers. The emphasis is on identifying and combating social engineering tactics. Encouraging a culture of security where individuals are encouraged to report suspicious activities further strengthens the organization’s defenses.

Managing risk is a little different. There are two risk management controls that are crucial to prioritize.

The first is balanced friction. While frictionless payments and onboarding are essential for a seamless user experience, adding the right amount of friction at appropriate points is vital. This ensures that businesses verify the authenticity of transactions and prevent fraud without deterring legitimate customers. Read more

Oct. 13, 2023: Fraud and Cybersecurity Articles

Our Industry and Cybersecurity in 2023 and Beyond

Courtesy of Matt Sawtell, *CUAnswers, CUSO Magazine

October is Cybersecurity Month, and as such, I can think of no better time to reassess where our industry is and where it’s going in regard to cybersecurity. Earlier this year, the NCUA said cybersecurity would be a priority focus in 2023, and we’ve seen more regulators with this specific focus added to engagements. Looking forward, there are many areas in which credit unions will need to implement new or stronger cybersecurity plans. Today, we’ll focus on a few of those areas and how you can keep your credit union up-to-date and secure.

Incident response plans

In Michigan, the state regulators are on a 3-year rotation of bringing in an IT specialist as part of the examination process and doing a deeper dive than the normal checklist items. In preparation, credit unions should have a formal incident response plan prepared as it has been a focal point the last couple of years (and you can look at the headlines ransomware and other attacks get as a motivator there). The incident response plan should specifically refer to cyber incidents such as the aforementioned, breach, exposure of member data, and things more cyber-related, as opposed to the robbery, internal fraud, and more traditional incidents of the past.

If you do have an incident response plan already, be prepared to be asked about how you’re training staff with a tabletop exercise at least once per year or another type of awareness/readiness training with staff. The role playing, especially for those new to the concept is a good way to practice the workflow and decision-making that would need to happen in the event of a real incident, so there is real value in some preparation. There has been a marked shift from looking at incident response as an IT responsibility to more of a key item for the entire institution, with the CEO and board of directors participating. Read more

7 Resources for Determining Financial Institutions’ and Companies’ OFAC Compliance Obligations 

Courtesy of Dr. Nick Oberheiden of Oberheiden P.C., National Law Review

Office of Foreign Assets Control (OFAC) compliance is essential for financial institutions and companies that conduct business with foreign entities and individuals. However, it is also extremely challenging. There are numerous aspects to OFAC regulations compliance, and no two institutions’ or companies’ compliance obligations are exactly alike.

As a result, when assessing their OFAC compliance obligations, financial institutions and companies must do so on an individualized basis. The Office of Foreign Assets Control has published several resources that institutions and companies can (and should) use. These resources include:

  1. OFAC’s Sanctions Programs 

The Office of Foreign Assets Control has established several economic and trade sanctions programs that either prohibit or restrict financial transactions involving designated foreign nations, entities, and individuals. These OFAC sanctions programs fall into four broad categories: (i) country-based sanctions, (ii) list-based sanctions (also known as “smart sanctions”), (iii) sector-based sanctions, and (iv) secondary sanctions that apply to parties affiliated with blocked entities and individuals. Information about all of OFAC’s sanctions programs is available through the Office’s website, and users can search for sanctions that apply to specific nations, entities, and individuals.

  1. OFAC’s General Licenses 

General licenses permit transactions that would otherwise be blocked under an OFAC sanctions program. The Office of Foreign Assets Control has issued several general licenses which are available for use by financial institutions and companies in the United States. When determining what compliance efforts are necessary, institutions and companies should not only determine which sanctions programs apply, but also whether they can structure their transactions or operations to secure protection under any general licenses that are currently in effect.

  1. A Framework for OFAC Compliance Commitments  

Framework for OFAC Compliance Commitments (the “Framework”) is a guidance document that OFAC published to help financial institutions and companies assess the sufficiency and efficacy of their OFAC compliance programs (which OFAC refers to as “sanctions compliance programs” or “SCPs”). The Framework identifies “five essential components of compliance” and provides insight into what financial institutions and companies can (and should) do to meet OFAC’s expectations in these areas.  Read more

Google Looks to Do Away with Passwords, Making ‘Passkeys’ the Default Option

Courtesy of Jennifer Korn, CNN

 Google is looking to make passwords obsolete by prompting users to create passkeys to unlock accounts and devices with a fingerprint, face scan or pin number.

Google said Tuesday that passkeys don’t require users to memorize passwords, are quicker to use and can offer more security. The company unveiled support for passkeys in May but announced in a blog post that users will now be prompted to use the option where passwords are usually used.

“[W]e’ll continue encouraging the industry to make the pivot to passkeys — making passwords a rarity, and eventually obsolete,” Google wrote.

Google will continue to support traditional passwords, and users can dodge passkeys altogether by disabling their account’s “skip password when possible” option.

Passkeys are now used as password alternatives for apps including YouTube, Search, Maps, Uber and eBay. WhatsApp is also adding capability, according to the blog.

The FIDO Alliance, a security consortium that counts many tech firms as members, previously developed standards for passkeys. Microsoft, Apple and Google have since been working to make passkeys a reality.

Apple rolled out its passkey option with the release of iOS 16, allowing people to use the technology across apps, including Apple Wallet, and passkey support was first rolled out on Chrome and Android devices in October 2022.

New WordPress Backdoor Creates Rogue Admin to Hijack Websites

Courtesy of Bill Toulas, BleepingComputer

A new malware has been posing as a legitimate caching plugin to target WordPress sites, allowing threat actors to create an administrator account and control the site’s activity.

The malware is a backdoor with a variety of functions that let it manage plugins and hide itself from active ones on the compromised websites, replace content, or redirect certain users to malicious locations.

Fake plugin details

Analysts at Defiant, the makers of the Wordfence security plugin for WordPress, discovered the new malware in July while cleaning a website.

Taking a closer look at the backdoor, the researchers noticed that it came “with a professional looking opening comment” to disguise as a caching tool, which typically helps reduce server strain and improve page load times.

The decision to mimic such a tool appears deliberate, ensuring it goes unnoticed during manual inspections. Also, the malicious plugin is set to exclude itself from the list of “active plugins” as a means to evade scrutiny.

The malware features the following capabilities:

  • User creation – A function creates a user named ‘superadmin’ with a hard-coded password and admin-level permissions, while a second function can remove that user to wipe the trace of the infection
  • Bot detection– When visitors were identified as bots (e.g. search engine crawlers), the malware would serve them different content, such as spam, causing them to index the compromised site for malicious content. As such, admins could see a sudden increase in traffic or reports from users complaining about being redirected to malicious locations. Read more

Oct. 6, 2023: Fraud and Cybersecurity Articles

Banks Need to Be on the Cutting Edge of AI’s Double-Edged Fraud Sword

Courtesy of PYMNTS.com

The greatest innovations are those that democratize access to new skills and empower populations. Generative artificial intelligence (AI) promises to be one of those innovations. But a side effect of that democratization is that it can be used by anyone — even criminals and bad actors. And as AI continues to evolve, so do the tactics of fraudsters.

“Everyone has an equal ability to deploy technology, no matter who they are,” Karen Postma, managing vice president of risk analytics and fraud services at PSCU, told PYMNTS. Generative AI programs like OpenAI’s ChatGPT have made phishing and other behaviorally-driven fraud techniques not only more effective and convincing, but also easier to conduct on a larger scale.

“Utilizing generative AI, a fraudster can effectively mimic a voice within three seconds of having recorded data,” Postma said.

Fraudsters can use these recordings to impersonate individuals, potentially deceiving even the most cautious of consumers. The proliferation of AI-generated voices in scams poses a serious threat, eroding trust and making it difficult for individuals to discern genuine calls from fraudulent ones.

Staying Ahead of Fraudsters Means Never Losing a Step 

Because fraudsters are quick to adapt to new technologies and are relatively unconstrained by regulations or moral considerations, the pace of play bad actors take can make it challenging for credit unions and other financial institutions to keep up.

“Fraudsters are utilizing AI to not just commit attacks, but to become very good at committing these attacks,” Postma said. She added that traditional guardrails and red flags, like CVV (card verification value) mismatch, account not on file and number of declines, are becoming less reliable as cyber criminals increasingly use AI for their attacks. Adding to the challenge is that today’s bad actors operate across multiple channels, and detecting their activities requires a cross-functional analysis of data.

“If you have a tool that is monitoring your call center, a tool that is monitoring your online banking, and a tool that is monitoring your transactions — they might only be singularly seeing individual interactions, which might not necessarily look suspicious, but are really part of a pattern of bad activity,” Postma explained. This requires financial institutions to adopt a more holistic approach to fraud detection that combines data from various channels Read more

APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries

Courtesy of The Hacker News

In today’s interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors.

Download API Security Guide.

The API Revolution

The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and create innovative solutions rapidly. From extended healthcare services to e-commerce, APIs have become an integral part of our digital lives.

Why APIs are a Cybersecurity Risk

On the API side, the top-ranked vulnerability cited by the Open Web Application Security Project (OWASP) is now BOLA, or broken object-level authorization. This flaw can allow attackers to manipulate the ID of an object in an API request, in effect letting unprivileged users read or delete another user’s data. This is a particularly high-risk attack, given that it doesn’t require any degree of technical skill to execute, and intrusions resemble normal traffic to most security systems.

Detection logic must differentiate between 1-to-1 connections and 1-to-many connections among resources and users. Post-event BOLA attacks are difficult to see because of their low volume, and it does not show a strong indication of any behavioral anomalies, such as injection or denial of service.

2023 reports indicate cyberattacks targeting APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are especially interested in the recent influx of new devices under the Internet of Medical Things and associated apps and API ecosystem that has supported the provision of more accessible patient care and services. Another industry that is also vulnerable is manufacturing, which has experienced an increase in IoT devices and systems, leading to a 76% increase in media attacks in 2022. Read more

Sony Confirms Data Breach Impacting Thousands in the U.S.

Courtesy of Bill Toulas, BleepingComputer

Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information. The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world.

Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm did not provide a public statement until now. According to the data breach notification, the compromise happened on May 28, three days before Sony learned from Progress Software (the MOVEit vendor) about the flaw, but it was discovered in early June.

“On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” reads the notice. “An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony says in the data breach notification.

Sony says the incident was limited to the particular software platform and had no impact on any of its other systems. Still, sensitive information belonging to 6,791 people in the U.S. was compromised. The firm has individually determined the exposed details and listed them in each individual letter, but it is censored in the notification sample submitted to the Office of the Maine Attorney General.

The notification recipients are now offered credit monitoring and identity restoration services through Equifax, which they can access by using their unique code until February 29, 2024.

CISA: More than a Password. Protecting Yourself from Malicious Hackers with Multifactor Authentication

Ever worry about getting hacked? Same…

Your password isn’t protecting you the way you think it is. Especially if someone can guess your password from looking at your social media. But let’s say you have a complex password – or a password manager even – unfortunately malicious cyber actors still have ways to get past your password. And once they’re in your accounts… you can wave bye-bye to your money, and possibly your identity.

So, what do you need? More than a Password! A second method to verify your identity.
Multifactor authentication (MFA) can make you much more secure. Taking the extra step beyond just a password can protect your business, online purchases, bank accounts, and even your identity from potential hackers.

Different ways to say MFA:

  • Multifactor Authentication
  • Two Step Authentication
  • 2-Step Verification
  • Two Factor Authentication
  • 2FA

What is Multifactor Authentication?
Prove it’s you with two! … Two step authentication, that is. 

MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password.

Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.

Online services want to make sure you are who you say you are, and—more importantly—they want to prevent unauthorized individuals from accessing your account and data. So, they are taking a step to double check. Instead of asking you just for something you know (e.g., a password)—which can be reused, more easily cracked, or stolen—they can verify it’s you by asking for another piece of information. Read more