Fraud & Cybersecurity
Jan. 17, 2025: Fraud & Cybersecurity Articles
- State of Passkeys 2025: Passkeys Move to Mainstream
- Governments Call for Spyware regulations in UN Security Council Meeting
- Cyber Insights 2025: Cyber Threat Intelligence
- Microsoft: Happy 2025. Here’s 161 Security Updates
- Related reading: CISA Shares Guidance for Microsoft Expanded Logging Capabilities
State of Passkeys 2025: Passkeys Move to Mainstream
Vincent Delitz, BioMetric Update
More than 1 billion people have activated at least one passkey according to the FIDO Alliance – an astonishing number that highlights the quick evolution of passkeys from a buzzword to a trusted login method.
In just two years, consumer awareness of the technology jumped from 39% to 57%. Let’s see how passkeys have moved to mainstream.
Why did big tech bet on a new login technology?
Back in May 2022, the FIDO Alliance, with the collective support of Apple, Google and Microsoft, announced a major initiative to promote passkeys as passwordless authentication standard, ensuring compatibility across devices, operating systems and browsers.
At first glance, this seemed bold, even for these tech giants. Passwords have dominated authentication for decades – why risk time, money and reputation on a new technology?
The answer lies in addressing a growing problem: password management had become the biggest source of user frustration and security vulnerability. Users were juggling countless accounts and password resets, while businesses struggled with data breaches caused by stolen or weak passwords. Social engineering attacks, especially phishing, exploited these weaknesses.
Passkeys moved out of early-adopter stage
While Apple, Google and Microsoft enabled passkey support on devices, the technology needed to be adopted by websites and apps. Early adopters emerged in environments with high security requirements:
Banking, payment & crypto
Payment providers (e.g. PayPal, Mastercard, Visa) and cryptocurrency exchanges (e.g. Binance, Coinbase) handle enormous volumes of financial transactions, making them high-value targets for cybercriminals. Strict regulations protect consumers and their accounts, so many payment providers already offer passkeys. Digital-first banks like Revolut, Ubank or Finom followed suit and offer passkeys to reduce fraud, build trust and comply with regulations. Read more
Governments Call for Spyware Regulations in UN Security Council Meeting
Lorenzo Franceschi-Bicchierai, TechCrunch
On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software — also known as government or mercenary spyware — has been discussed at the Security Council.
The goal of the meeting, according to the U.S. Mission to the UN, was to “address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security.” The United States and 15 other countries called for the meeting.
While the meeting was mostly informal and didn’t end with any concrete proposals, most of the countries involved, including France, South Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns.
John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by “a secretive global ecosystem of developers, brokers, middlemen, and boutique firms,” which “is threatening international peace and security as well as human rights.”
Scott-Railton called Europe “an epicenter of spyware abuses” and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years. Read more
Cyber Insights 2025: Cyber Threat Intelligence
Kevin Townsend, Security Week
SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months.
We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyber Threat Intelligence (CTI). CTI is valuable and beneficial to cybersecurity, but only if it is complete, accurate, and actionable.
The importance of Cyber Threat Intelligence
Cyber threat intelligence is cybersecurity’s early warning. It seeks to understand the source and nature of attacks, the adversaries and their targets, the presence of existing attacks, and the likelihood of imminent attacks. Being forewarned allows defenders to be forearmed.
“You cannot overstate the importance of cyber threat intelligence (CTI) as part of a comprehensive security program,” says Pascal Geenens, director of threat intelligence at Radware. “Threat intelligence is crucial in helping organizations gather insights on the threats they are facing and assess the risks so they can prioritize resources and budget to ensure adequate protections.”
Callie Guenther, senior manager of cyber threat research at Critical Start: “CTI will become more critical as organizations pivot from reactive to proactive cybersecurity strategies,” she says.
“Current cybersecurity strategies are unsustainable for reasons other than the sheer futility of investing endlessly to raise higher ramparts. Simply building higher walls isn’t working,” says Morten Mjels, CEO at Green Raven Limited. “Better threat intelligence, so our practitioners don’t feel like they’re working blindfolded, will be a clear improvement that is already achievable.”
Guenther adds, “Since threats evolve faster than traditional defenses can adapt, CTI will play a vital role in enabling near-real-time situational awareness and informed decision-making.” Read more
Microsoft: Happy 2025. Here’s 161 Security Updates
Krebs on Security
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7's Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it– CVE-2025-21335. These are sequential because all reside in Windows Hyper-V, a component that is heavily embedded in modern Windows 11 operating systems and used for security features including device guard and credential guard.
Tenable’s Satnam Narang says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all “privilege escalation” vulnerabilities. Narang said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit.
“As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system,” he said. “It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.”
Several bugs addressed today earned CVSS (severity) scores of 9.8 out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, a document format typically opened in Office applications like Microsoft Word. Microsoft has rated this flaw “exploitation more likely.” Read more
Jan. 10, 2025: Fraud & Cybersecurity Articles
- A Day in the Life of a Prolific Voice Phishing Crew
- Fraudsters on the Line: The Rise of Call Spoofing in the Financial Industry
- Sen. Scott, Rep. Hill Seek Information from Treasury on Cybersecurity Breach
- How Initial Access Brokers (IABs) Sell Your Users’ Credentials
A Day in the Life of a Prolific Voice Phishing Crew
Krebs on Security
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices.
KrebsOnSecurity recently told the saga of a cryptocurrency investor named Tony who was robbed of more than $4.7 million in an elaborate voice phishing attack. In Tony’s ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations. The phishers also abused legitimate Google services to send Tony an email from google.com, and to send a Google account recovery prompt to all of his signed-in devices.
Today’s story pivots off of Tony’s heist and new details shared by a scammer to explain how these voice phishing groups are abusing a legitimate Apple telephone support line to generate “account confirmation” message prompts from Apple to their customers.
Before we get to the Apple scam in detail, we need to revisit Tony’s case. The phishing domain used to steal roughly $4.7 million in cryptocurrencies from Tony was verify-trezor[.]io. This domain was featured in a writeup from February 2024 by the security firm Lookout, which found it was one of dozens being used by a prolific and audacious voice phishing group it dubbed “Crypto Chameleon.” Read more
Fraudsters on the Line: The Rise of Call Spoofing in the Financial Industry
Jonjie Sena, PaymentsJournal
Today, we carry devices with us wherever we go, making us highly vulnerable to imposter scams, call spoofing, and data breaches. With the rise of artificial intelligence, threat actors can now commit fraud by mimicking a person’s voice over the phone. This troubling trend is affecting both consumers and businesses, with financial institutions being especially at risk.
In an increasingly common imposter scam known as the “grandparent scam,” the threat actor calls someone, posing as a family member. They claim to be in some kind of trouble, such as a car accident or an arrest, and request money to help get them out of the predicament. The criminal is able to mimic the voice of the person they’re impersonating by cloning it with AI. Today’s technology is so advanced that only a short audio clip is needed.
According to 2024 Federal Trade Commission data, consumers reported that imposter scams were the leading method of fraud in 2023, with the highest losses per person coming from phone scams. Scammers stole more than $10 billion from U.S. consumers in 2023, an all-time high, according to the FTC.
A separate report on cyberattack trends found that financial services is the most impersonated industry by criminals. Case in point, a Hong Kong finance worker was duped out of more than $25 million after falling prey to a deepfake video call scam earlier this year, in which the attendees looked and sounded just like his coworkers. Read more
Sen. Scott, Rep. Hill Seek Information from Treasury on Cybersecurity Breach
Dave Kovaleski, Financial Regulation News
U.S. Sen. Tim Scott (R-SC) and U.S. Rep. French Hill (R-AR) are seeking answers about the China state-sponsored cybersecurity breach at the U.S. Department of Treasury.
In a letter to Treasury Secretary Janet Yellen, Scott and Hill wanted more information about the protocols for safeguarding sensitive federal government information.
“We write regarding the major cybersecurity incident that the Department of the Treasury disclosed to the Senate Banking and House Financial Services Committees yesterday involving a China state-sponsored Advanced Persistent Threat actor breaking into Treasury’s computer systems and remotely accessing information maintained by Treasury users. This breach of federal government information is extremely concerning. As you know, Treasury maintains some of the most highly sensitive information on U.S. persons throughout government, including tax information, business beneficial ownership, and suspicious activity reports.
This information must be vigilantly protected from theft or surveillance by our foreign adversaries, including the Chinese Communist Party, who seek to harm the United States. As such, the fact that a CCP-sponsored APT actor was able to access Treasury’s information systems is unacceptable and raises serious questions about the protocols for safeguarding sensitive federal government information from future cybersecurity incidents,” Scott and Hill wrote in a letter to Yellen.
The lawmakers also demanded a detailed briefing on the incident. Specifically, they are seeking details on the cybersecurity incident, including when and how it occurred and which China-sponsored APT actor is responsible. They also want to know about the type and extent of information accessed by the CCP-aligned actor.
How Initial Access Brokers (IABs) Sell Your Users’ Credentials
Bleeping Computer/Specops Software
Even if you haven’t looked into the methods of initial access brokers (IABs), you’ve almost certainly read about their handiwork in recent cyber-attacks.
These specialized cybercriminals break into corporate networks and sell stolen access to other attackers. Think of them as high-tech locksmiths for hire — they crack security systems and sell the “keys” to ransomware groups and cyber criminals who launch their own attacks.
To understand how IABs operate, consider a recent incident targeting Amazon Web Services (AWS) customers. The attackers systematically scanned AWS systems for vulnerabilities, stealing over two terabytes of sensitive data, including thousands of credentials — from AWS access keys to database logins.
True to the IAB business model, they sold this stolen access through private Telegram channels, allowing other criminals to target the compromised organizations. So how can your business protect itself against IABs? Here’s what you need to know about how IABs operate, why they prize user credentials above other digital assets, and the steps you can take to fortify your organization’s defenses.
How IABs run their criminal enterprises
IABs run their operations like legitimate businesses, complete with customer service teams, tiered pricing models, and money-back guarantees if their stolen access doesn’t work. And they have something for everyone on the dark web. For small-scale criminals who have funds but lack technical expertise, IABs provide an entry point to high-value corporate targets they could never breach independently. Read more
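The excerpt above lists AWS access keys and database logins among the credential material taken from exposed systems. The following is an added example, not code from the article or from Specops: a small scanner for exactly that kind of plaintext credential, run over a constructed sample of config and log lines. The AWS values in the sample are the publicly documented AWS example key pair and the database password is made up; the patterns cover only access key IDs (AKIA/ASIA prefix), secret keys that are labelled as such, and credentials embedded in connection URLs, so it is a starting point rather than a full secret scanner.

```python
import re

# Access key IDs have a fixed prefix and length, which makes them a reliable
# anchor; secret keys are 40 base64-ish characters and only worth flagging
# when labelled, otherwise every hash in a log would match.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# user:password@ inside a connection URL (postgres://, mysql://, mongodb://, ...)
DB_URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/\s@]+):([^@\s]+)@\S+")

# Constructed sample: config and log lines as they might be pulled from an
# exposed host. The AWS values are the documented AWS example key pair; the
# database password is made up.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/prod
export AWS_SESSION_TOKEN=notakey
2025-01-10T12:00:01Z INFO request id=AKIA0123456789ABCDEF ok
2025-01-10T12:00:02Z INFO user=AKIAKEYTOOSHORT ok
"""


def redact(value: str) -> str:
    """Keep enough of a secret to correlate findings without re-exposing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str):
    """Return findings as dicts: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(1))})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key",
                             "value": redact(m.group(1))})
        for m in DB_URL_CRED_RE.finditer(line):
            findings.append({"line": lineno, "kind": "db_url_password",
                             "value": m.group(1) + ":" + redact(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<22}  {f['value']}")
```

Run against a dump, a repository checkout or a log export the same way; the line-7 value in the sample shows why the length check matters, since an "AKIA" prefix alone is not a key. Findings are redacted so the report itself does not become the next leaked artifact.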
Dec. 20, 2024: Fraud & Cybersecurity Articles
- How to Lose a Fortune with Just One Bad Click
- How To Tell If A USB Cable Is Hiding Malicious Hacker Hardware
- FBI Warns Americans to Keep Their Text Messages Secure: What to Know
- FinCEN Warns of Fraud Schemes That Abuse Its Name, Insignia, and Authorities for Financial Gain
How to Lose a Fortune with Just One Bad Click
Krebs on Security
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies.
A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.
Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — (650) 203-0000 — revealed it was an official number for Google Assistant, an AI-based service that can engage in two-way conversations.
At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. The message included a “Google Support Case ID number” and information about the Google representative supposedly talking to him on the phone, stating the rep’s name as “Ashton” — the same name given by the caller.
Griffin didn’t learn this until much later, but the email he received had a real google.com address because it was sent via Google Forms, a service available to all Google Docs users that makes it easy to send surveys, quizzes and other communications. Read more
How To Tell If A USB Cable Is Hiding Malicious Hacker Hardware
Dominic Bayley, PCWorld
Are your USB cables sending your data to hackers?
We expect USB-C cables to perform a specific task: transferring either data or files between devices. We give little more thought to the matter, but malicious USB-C cables can do much more than what we expect.
These cables hide malicious hardware that can intercept data, eavesdrop on phone calls and messages, or, in the worst cases, take complete control of your PC or cellphone. The first of these appeared in 2008 — but back then they were very rare and expensive — which meant the average user was largely safeguarded.
Since then, their availability has increased 100-fold and now with both specialist spy retailers selling them as “spy cables” as well as unscrupulous sellers passing them off as legitimate products, it’s all too easy to buy one by accident and get hacked. So, how do you know if your USB-C cable is malicious?
Identifying malicious USB-C cables
Identifying malicious USB-C cables is no easy task since they are designed to look just like regular cables. Scanning techniques have been largely thought of as the best way to sort the wheat from the chaff, which is what Lumafield, the industrial scanning company behind the Neptune scanner, recently set out to show. Read more
FBI Warns Americans to Keep Their Text Messages Secure: What to Know
Bill Chappell, NPR
It’s not often that a piece of FBI advice triggers a Snopes fact check. But the agency’s urgent message this month to Americans, often summarized as “stop texting,” surprised many consumers.
The warning from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) highlighted vulnerabilities in text messaging systems that millions of Americans use every day.
The U.S. believes hackers affiliated with China’s government, dubbed Salt Typhoon, are waging a “broad and significant cyber-espionage campaign” to infiltrate commercial telecoms and steal users’ data — and in isolated cases, to record phone calls, a senior FBI official who spoke to reporters on condition of anonymity said during a Dec. 3 briefing call.
The CISA released a list of best security practices for smartphone users on Thursday, with specific tips for iPhone and Android owners. The agencies’ guidance may have surprised consumers — but not security experts.
“People have been talking about things like this for years in the computer security community,” Jason Hong, a professor at Carnegie Mellon University’s School of Computer Science, told NPR. “You should not rely on these kinds of unencrypted communications because of this exact reason: There could be snoopers in lots of infrastructure.”
So what should you do to keep your messages private?
“Encryption is your friend” for texts and phone calls, Jeff Greene, CISA’s executive assistant director for cybersecurity, said on the briefing call. “Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it. So our advice is to try to avoid using plain text.” Read more
FinCEN Warns of Fraud Schemes That Abuse Its Name, Insignia, and Authorities for Financial Gain
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an alert today to raise awareness of fraud schemes abusing FinCEN’s name, insignia, and authorities for financial gain.
These FinCEN-specific fraud schemes include scams that exploit beneficial ownership information reporting; misuse FinCEN’s Money Services Business Registration tool; or involve the impersonation of, or misrepresent affiliation with, FinCEN and its employees.
“We are very concerned about reports of scammers using FinCEN’s name to perpetrate fraud schemes against the public for financial gain,” said FinCEN Director Andrea Gacki. “We urge the public to be vigilant in identifying and avoiding these schemes and to be extremely cautious when dealing with unsolicited correspondence. FinCEN and its employees will never threaten a member of the public by email, call, or text, or demand immediate payment for any reason.”
The alert provides guidance to the public on how to identify and avoid these scams and provides typologies and red flag indicators to help financial institutions detect, prevent, and report potential suspicious activity to FinCEN. Combating fraud is one of FinCEN’s Anti-Money Laundering and Countering the Financing of Terrorism National Priorities.
The public is reminded that any solicitations from individuals or entities abusing FinCEN’s name, insignia, or authorities, or impersonating a FinCEN employee should be reported to Treasury’s Office of Inspector General and the Federal Trade Commission. Victims of cyber-enabled government imposter scams should file a complaint with the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center and file a report with their nearest FBI field office. Anyone with knowledge of fraud schemes involving victims who are age 60 or older can call the U.S. Department of Justice’s National Elder Fraud Hotline at 833-FRAUD-11 or 833-372-8311.
Questions regarding the contents of this alert should be sent to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.
The full alert is available online at FIN-2024-Alert005.
Dec. 13, 2024: Fraud & Cybersecurity Articles
- Sweden’s Klarna Bank Fined $46M for Breaking Anti-Money Laundering Rules
- CISA Resource: Shop Safely This Holiday Season
- Font or Fiction: How Scammers Are Using Fonts to Trick Your Members
- Fifth Circuit Rejects OFAC Designation of Tornado Cash Immutable Smart Contracts
Sweden’s Klarna Bank Fined $46M for Breaking Anti-Money Laundering Rules
Supantha Mukherjee and Terje Solsvik, Reuters
Sweden’s financial regulator fined Klarna Bank 500 million Swedish crowns ($46 million) on Wednesday for violating anti-money laundering rules.
Summary
- Regulator found significant deficiencies at Klarna
- FSA says not serious enough for warning
- FSA says investigation has concluded
It said a review of the buy now, pay later company for the year to March 2022 had found significant deficiencies, including a lack of assessment of how its services could be used for money laundering or terrorist financing.
Klarna is widely expected to go public next year and said last month it had filed paperwork with the U.S. Securities and Exchange Commission for an initial public offering.
Sweden’s Financial Supervisory Authority said the violations warranted a fine but were not serious enough to issue a formal warning or to withdraw its authorisation. “We have concluded this investigation as of today,” Erik Blommé, Director of Money Laundry Supervision at the FSA, told Reuters. “This is not an injunction so there is no specific timeframe … but we expect Klarna to remedy the deficiencies in an expedient manner.”
Klarna, which got its banking licence in 2017, said the regulator’s decision followed a routine review of its compliance with regulations and did not relate to actual cases of money laundering. “We have maintained constructive dialogue throughout this process which is part of our commitment to a robust and secure financial environment,” a Klarna spokesperson said.
Another Swedish payments firm, Trustly, received a warning from the regulator in 2021, which led to the company pulling its $11 billion planned IPO. Read more
CISA Resource: Shop Safely This Holiday Season
While looking for the best deals online, follow these tips to keep your devices and information safe.
The Holiday Season Is a Prime Time for Scams!
During the holiday season, criminals will try to scam us with too-good-to-be true deals or even fake charities. Their tactics typically include malicious links that install malware on our devices or fraudulent websites that can steal our money or even our identities.
The good news is that Secure Our World has tips to protect you and your family, friends and business from these scams.
Protect Your Devices & Accounts Against Scammers
Take these steps before making any online purchases to help protect your devices, personal and financial information, and accounts.
- Update Software
  Software updates protect you against known threats—but only if you install them. Update software on all devices you’re using for online shopping. Better yet, enable automatic software updates to make things easier.
- Use Strong Passwords
  Strong passwords are long (at least 16 characters), random and unique for each account. At minimum, strengthen passwords for financial accounts and email. Always change the default password on new tech items you’ve purchased.
- Use a Password Manager
  A password manager can generate, save and fill in strong passwords for you. Search a trusted source for “password managers” like Consumer Reports, which offers a selection of highly rated password managers. Set one up today!
- Turn on MFA
  Multifactor authentication (MFA) is a second step to prove your identity when logging in, like using your fingerprint or entering a code sent to you. It keeps your accounts safer than a password alone. Turn it on for every account that offers it. Read more
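The CISA tips describe MFA as "a code sent to you"; the time-based one-time password (TOTP, RFC 6238) produced by an authenticator app is the code variant a practitioner is most likely to implement, and it is shown here as an added example that is not part of the CISA resource. The secret is the test key published in RFC 4226/6238, used only so the block runs offline; the drift window and the replay guard (reject any counter at or below the last accepted one) are this example's design choices, not something the CISA page specifies.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it
# protected at rest; this constant exists only so the example runs offline.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1, last_counter=None):
    """Return the accepted time-step counter, or None if the code is rejected.

    `window` tolerates +/- that many steps of clock drift. `last_counter` is
    the highest counter already accepted for this user; anything at or below
    it is refused so an intercepted code cannot be replayed even while it is
    still inside the drift window.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 Appendix B test time
    code = totp(RFC_TEST_SECRET, now)
    print("code at T=59:", code)                           # 287082
    accepted = verify_totp(RFC_TEST_SECRET, code, now)
    print("accepted counter:", accepted)                   # 1
    print("replay:", verify_totp(RFC_TEST_SECRET, code, now, last_counter=accepted))  # None
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, a phished code stays valid for the whole window, which is the gap SMS and TOTP codes share and that phishing-resistant MFA (passkeys, FIDO2) closes.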
Font or Fiction: How Scammers Are Using Fonts to Trick Your Members
Emily Claus, CUSO Magazine
Odds are, in the last few years you have received a spam text or email supposedly from reputable companies such as Apple and Amazon. These texts or emails were probably claiming you owed them a certain amount or that there was an issue with your account that could all be solved if you clicked on the very suspicious link they included.
These tricks have become fairly well known and easy to spot. The messages often contain misspellings or odd grammar, the URLs and links they provided only vaguely resembled the actual company they claimed to be from, and should you dare to click on the link, the website would most likely look a little off. For many, these texts were probably easy to spot as fake, delete, and move on from. No big deal.
Text scams are on the rise
Yet, despite the shortcomings in these earlier iterations of the scam, many still fell for them. The number of times I received a panicked call from my parents or grandparents because they were worried they somehow owed Apple $537.19 and weren’t sure how it could have happened and could I please help them look at their Apple transactions, is more than one might like to think. Even my younger more tech-savvy friends have fallen—or nearly fallen—prey to such scams.
In fact, according to the Federal Trade Commission, from July 2020 to June 2021, Amazon scammers alone had increased more than fivefold and managed to steal over $27 million from Americans.
These scams are not limited to Amazon either. Often, these bad actors will pose as the victim’s bank or credit union and lead them to a copy of their online banking website to trick them into sharing their credentials. While this trick is not exactly “new,” the method and execution behind it have reached a near-perfect level. Read more
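The excerpt notes that scam links "only vaguely resembled the actual company" and that victims are led to a copy of their bank's site. The following is an added example, not code from the article or from CUSO Magazine: a look-alike hostname check that reduces each DNS label to how it renders (NFKC normalisation, casefold, a small confusable map for Cyrillic, Greek and digit look-alikes, and "rn"/"vv" collapsing) and then compares it to a constructed brand list for homoglyphs, one-edit typosquats and brands embedded in longer labels; mixed-script labels are flagged on their own. The confusable table is a hand-picked subset, not Unicode's full confusables data, and the brand list is made up for the example.

```python
import unicodedata

# Constructed brand list for the example; a real deployment would load the
# organisation's own domains and the brands it is commonly impersonated as.
BRANDS = ("apple", "amazon", "paypal")

# Hand-picked confusables (Cyrillic, Greek, dotless i, digit look-alikes).
# Unicode's confusables.txt is far larger; this subset shows the technique.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a",
    "\u0131": "i", "\u0251": "a",
    "1": "l", "0": "o",
})


def skeleton(label: str) -> str:
    """Reduce a label to how it looks: compatibility-normalise, casefold,
    map confusables, then collapse letter pairs that render like one glyph."""
    s = unicodedata.normalize("NFKC", label).casefold().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_host(host: str, brands=BRANDS):
    """Return (label, brand, reason) findings for a hostname.

    reasons: mixed-script (letters from more than one script in one label),
    homoglyph (identical to the brand after skeletonising), typosquat (one
    edit away), brand-embedded (brand inside a longer label).
    """
    findings = []
    labels = host.rstrip(".").casefold().split(".")
    for label in labels[:-1]:  # skip the TLD
        if len(scripts(label)) > 1:
            findings.append((label, None, "mixed-script"))
        skel = skeleton(label)
        for brand in brands:
            bskel = skeleton(brand)
            if skel == bskel and label != brand:
                findings.append((label, brand, "homoglyph"))
            elif levenshtein(skel, bskel) == 1:
                findings.append((label, brand, "typosquat"))
            elif bskel in skel and skel != bskel:
                findings.append((label, brand, "brand-embedded"))
    return findings


if __name__ == "__main__":
    for h in ["paypal.com", "p\u0430ypal.com", "arnazon.com", "amazom.com", "paypa1-login.com"]:
        print(h.encode("idna").decode(), analyse_host(h))
```

Feeding the hostname from a message's links through `analyse_host` before a user ever clicks is the point; the `idna` encoding in the demo loop shows the `xn--` form in which a homoglyph domain actually appears on the wire, which is often the quickest tell for an analyst.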
Fifth Circuit Rejects OFAC Designation of Tornado Cash Immutable Smart Contracts
Peter D. Hardy, Siana Danch & Kelly A. Lenahan-Pfahlert, Money Laundering News
In a closely watched and complicated case, Van Loon et al. v. Dep’t of the Treasury et al., the U.S. Court of Appeals for the Fifth Circuit ruled that the Office of Foreign Assets Control (“OFAC”) cannot sanction Tornado Cash, “an open-source, crypto-transactions software protocol that facilitates anonymous transactions by obfuscating the origins and destinations of digital asset transfers.” The opinion, which reversed the ruling of the District Court, is here. A recording of the oral argument is here. The opinion is complex but written in a very clear style.
We previously blogged on OFAC’s designation of Tornado Cash (here) and the resulting civil suit (here). We also covered the indictment returned against the alleged developers of Tornado Cash, Roman Storm and Roman Semenov, who were charged with conspiring to commit money laundering, operating an unlicensed money transmitting business, and violating sanctions under the International Emergency Economic Powers Act, or IEEPA (here). The DOJ subsequently obtained a superseding indictment against Storm only (here); Storm’s trial currently is scheduled for April 2025. When the initial indictment was unsealed, Treasury simultaneously sanctioned Semenov, who remains outside the U.S., by adding him to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List.
These actions are a reminder that, putting aside the complex issues presented by the Fifth Circuit decision regarding OFAC’s (in)ability to sanction a technology, law enforcement and regulators still can pursue people for related alleged conduct. And, invariably, people are involved in a technology. Read more
Dec. 6, 2024: Fraud & Cybersecurity Articles
- U.S. Officials Urge Americans to Use Encrypted Apps Amid Unprecedented Cyberattack
- Starbucks and Other Retailers Hit with Ongoing Ransomware Attack on Software Provider
- New DroidBot Android Malware Targets 77 Banking, Crypto Apps
- Phishing Prevention Framework Reduces Incidents by Half
U.S. Officials Urge Americans to Use Encrypted Apps Amid Unprecedented Cyberattack
FBI and CISA officials said it was impossible to predict when the telecommunications companies would be fully safe from interlopers.
Kevin Collier, NBC News
Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers.
The hacking campaign, nicknamed Salt Typhoon by Microsoft, is one of the largest intelligence compromises in U.S. history, and it has not yet been fully remediated. Officials on a news call Tuesday refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.
A spokesperson for the Chinese Embassy in Washington denied the country was behind the hacking campaign, telling NBC News in an email that “China firmly opposes and combats all kinds of cyber attacks.”
In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.
The FBI official said, “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant” multi-factor authentication for email, social media and collaboration tool accounts. Read more
Starbucks and Other Retailers Hit with Ongoing Ransomware Attack on Software Provider
Jessica Bursztynsky, Fast Company
Blue Yonder, which provides supply-chain software to many large retailers, was hit with a ransomware attack ahead of Thanksgiving.
Major supply-chain software provider Blue Yonder is working to restore its systems after a ransomware attack hit the Panasonic-owned firm last week. Blue Yonder, which counts Starbucks, major U.K. grocers, and other large retailers among its customers, said it wasn’t sure when it could restore services.
The attack didn’t hit systems run on its public cloud-based platforms. It’s unclear how many of its more than 3,000 customers have been impacted. No group has yet claimed to be behind the ransomware attack. It’s also not clear whether customer data was stolen.
“Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process,” the company said in a release. “We have implemented several defensive and forensic protocols.”
Several companies using Blue Yonder’s systems said they’ve put contingency plans in place. Starbucks said Monday that the attack affected company-owned stores in its network in North America. The chain, which relies on Blue Yonder for its employee payment and scheduling system, has struggled to pay baristas and manage their schedules, so managers have to calculate employees’ pay.
A spokesperson for Morrisons, a large U.K. grocery outlet, told CNN in a statement that it has “reverted to a backup process” but the flow of goods into stores has been impacted in the meantime. Read more
New DroidBot Android Malware Targets 77 Banking, Crypto Apps
Bill Toulas, Bleeping Computer
A new Android banking malware named ‘DroidBot’ attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal.
According to Cleafy researchers who discovered the new Android malware, DroidBot has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform, selling the tool for $3,000/month.
At least 17 affiliate groups have been identified using malware builders to customize their payloads for specific targets. Although DroidBot lacks any novel or sophisticated features, analysis of one of its botnets revealed 776 unique infections across the UK, Italy, France, Turkey, and Germany, indicating significant activity.
Also, Cleafy says the malware appears to be under heavy development at this time, with signs of attempting expansion to new regions, including Latin America.
The DroidBot MaaS operation
DroidBot’s developers, who appear to be Turkish, provide affiliates with all the tools required to conduct attacks. This includes the malware builder, command and control (C2) servers, and a central administration panel from which they can control their operations, retrieve stolen data, and issue commands.
The payload builder allows the affiliates to customize DroidBot to target specific applications, use different languages, and set other C2 server addresses. Affiliates are also provided access to detailed documentation, support from the malware’s creators, and access to a Telegram channel where updates are published regularly. All in all, the DroidBot MaaS operation makes the barrier of entry fairly low for inexperienced or low-skilled cybercriminals. Read more
Phishing Prevention Framework Reduces Incidents by Half
Robert Lemos, Dark Reading
The anti-fraud plan calls for companies to create a pipeline for compiling attack information, along with formal processes to disseminate that intelligence across business groups.
A data-focused approach to tackling phishing and business fraud promises significant reductions in the amount of phishing and phone-based fraud that companies — and their customers — face, but worries remain over whether fraudsters will adapt.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled its Phishing Prevention Framework on Nov. 19, a program consisting of best practices in data collection, defense, and customer communications that has already reduced the volume of phishing incidents — as measured by abuse complaints — in a pilot program with three banks. The framework cut the incidence of abuse complaints for those financial services firms in half and promises significant benefits for any business targeted by cybercriminals, if they implement certain best practices — such as security education and intelligence collection — included in the framework.
While FS-ISAC has released the framework for the financial services sector — where phishing is a pernicious problem — the techniques are broadly applicable, says Linda Betz, executive vice president of global community engagement at the organization.
“While the framework is tailored for financial institutions due to the sensitive nature of their operations, the strategies can benefit businesses across industries,” she says. “For instance, cataloging communication channels and deploying anti-phishing technologies are broadly applicable and scalable solutions for any organization dealing with sensitive customer interactions or high volumes of transactional data.” Read more