Fraud and Cybersecurity

Apr. 26, 2024: Fraud and Cybersecurity Articles

56% of Cyber Insurance Claims Originate in the Email Inbox

Help Net Security

56% of all 2023 claims were a result of funds transfer fraud (FTF) or business email compromise (BEC), highlighting the importance of email security as a critical aspect of cyber risk management, according to Coalition. The 2024 Cyber Claims Report is based on reported claims data from January 1 to December 31, 2023.

“Threat actors want to get paid, and the email inbox has proven to be an easy place for an attacker to uncover payment information and potentially intervene in payment processes to steal funds,” said Robert Jones, Coalition’s Head of Global Claims.

Some boundary devices increase the likelihood of a cyber claim
The report also revealed an increased risk for organizations using boundary devices, such as firewalls and virtual private networks (VPNs). While these tools can help to reduce cyber risk, using some boundary devices can actually increase the likelihood of a cyber claim if they have known vulnerabilities. cyber claim increase

For example, Coalition found businesses with internet-exposed Cisco ASA devices were nearly five times more likely to experience a claim in 2023, and businesses with internet-exposed Fortinet devices were twice as likely to experience a claim.

“We also found that policyholders using internet-exposed remote desktop protocol were 2.5 times more likely to experience a claim,” said Shelley Ma, Incident Response Lead at Coalition’s affiliate, Coalition Incident Response. “With new AI tools making it even easier to execute targeted cyber attack campaigns and identify exploitable assets, having an active partner that can help protect your organization from digital risk is crucial,” concluded Ma.

This new insight comes following Coalition’s Security Labs researchers’ discovery of a 59% increase in unique IP addresses scanning for open remote desktop protocol throughout last year.

Drop in ransomware severity, frequency, and demands in 2H 2023
Overall claims frequency increased 13% year-over-year (YoY), and overall claims severity increased 10% YoY, resulting in an average loss of $100,000. Claims frequency increased across all revenue bands, with businesses between $25 million and $100 million in revenue seeing the sharpest spike (a 32% YoY increase).

As ransomware payments hit $1 billion globally, Coalition ransomware severity dropped by 54%. Ransomware severity, frequency, and demands all dropped in 2H 2023, though not enough to offset the surge in 1H. Ransomware frequency was up 15% YoY, and severity was up 28%, to an average loss of more than $263,000. Read more

Machine Learning in Finance: Leveraging the Technology for Financial Fraud Detection

Sudeep Srivastava, AppInventive

With the ever-increasing growth of digital banking and online transactions, financial fraud detection has become an indispensable aspect of the BFSI market. Cybercrime activities like account takeover (ATO), credit card scams, and identity fraud can result in significant financial losses, legal implications, and reputational damage to financial firms.

According to Statista, the global eCommerce losses to online payment fraud reached $41 billion in 2022 and are estimated to cross $48 billion by the end of 2023. Therefore, detecting incidents of payment fraud and preventing associated losses has become a prime concern for businesses.

However, traditional fraud detection approach count on rule-based systems and have some limitations that can’t efficiently identify sophisticated fraud threats. This is where financial fraud detection using machine learning comes into play.

ML-based financial fraud detection offers more advanced techniques to analyze vast amounts of data and detect patterns to help identify susceptible behavior and prevent fraud related to money laundering, insurance claims, electronic payments, bank transactions, etc. Machine learning algorithms allow systems to automatically learn and improve from experience without being explicitly programmed.

Financial Fraud Detection Using Machine Learning vs. Traditional Rule-Based Systems
Financial fraud detection using machine learning has gained immense traction in recent years and shifted the industry from traditional rule-based systems to ML-based solutions.

Conventional methods of detecting fraudulent activities using rule-based systems have become obsolete in today’s tech-driven age. Since these systems work on predefined rules, they can effectively see known transaction patterns, but their capabilities are limited when it comes to identifying new and evolving ones. Also, they often generate false positives, flagging legitimate transactions as fraudulent activities. Read more

Cisco Says Hackers Subverted Its Security Devices to Spy on Governments

Raphael Satter, Reuters

Technology firm Cisco Systems said that hackers have subverted some of its digital security devices to break in to government networks globally.

In a blog post published on Wednesday,  the company said its Adaptive Security Appliances – pieces of equipment that roll several different digital defense functions into one – had previously unknown vulnerabilities that had been exploited by a group of hackers they called “UAT4356.

The blog post described the group as a “sophisticated state-sponsored actor” and said that the company’s investigation found victims that “involved government networks globally.” Cisco said the vulnerabilities have been patched. In a statement, the company said it urged customers to take “immediate action” to update their software. It did not give further details on the breaches, which it said dated back to earlier this year.

Security equipment like routers and other so-called edge devices has become an increasingly popular vector for advanced hackers because it resides at the perimeter of a target’s network and can be difficult to monitor. In its post, Cisco warned that it had seen evidence that the UAT4356 hackers were interested in “and potentially attacking” network devices from Microsoft and other vendors. Microsoft did not immediately return an email.

The Cybersecurity and Infrastructure Security Agency (CISA) said it had “not confirmed evidence of this activity affecting U.S. government networks at this time.” CISA released an alert on the Cisco vulnerabilities, on Wednesday.

Next-Gen Fraud Strategies Use Data to Onboard Customers Safely

PYMNTs Magazine

Data breaches and mail theft have resulted in a record level of available compromised identity information, payment information, login information and even stolen checks. It has been said that “At this point, all of our information is out on the dark web and it’s now just a matter of when it is going to be used against us.”

Combined with inadequate fraud strategies, fraudsters have the key to the castle; it’s a perfect scenario of having the answers to the quiz ahead of time.

Let’s talk about how it’s done:

  • Identity theft and identity impersonation: The onslaught started in 2017 with 147MM records breached and has multiplied every year since then. Last year, there were over 3,200 separate data breaches that resulted in over 353 million records being released on the dark web.
  • Rapid increases in mail theft provide more compromised information as well as valid documents that are used for identity theft and check fraud.
  • This breached data is shared online, where a criminal can purchase a complete identity that includes name, address, Social Security number, DOB, credit score and current open account information for less than $30 per identity. (The amount of data now available online is abundant.)
  • Armed with this trove of real data they purchase a fake ID from overseas for less than $100. These IDs have their picture on it with the PII data of their victim and pass the traditional ID verification checks which allows them to assume and impersonate the identity of the victim they targeted. These high-quality fakes even fool law enforcement.

From there, they can:

  • Open new accounts: By impersonating a victim with no previous instances of fraud having been reported through the traditional credit agencies they are able to open multiple accounts within a 30-day period before the victim or issuing lender is ever alerted.
  • Account takeover attacks: ATO attacks increased 354% year over year in 2023. Fraudsters know this is the easier path since no credit pulls are needed and knowledge-based answers are what is often deployed to verify account information. Contact and call centers are often used to explore the defenses in place and then social media is leveraged to gain additional information needed for successful ATO attempts.

What are some of the inadequate fraud strategies still being used?

  • Confirming the exact same data sources that the criminals use — which is the valid personal identifiable information that they have purchased through the dark web. Fraudsters are highly effective at gathering accurate information and using it to impersonate their targets. We must go beyond confirming the same data. Read more

Apr. 19, 2024: Fraud and Cybersecurity Articles

FinCEN Issues Notice on Counterfeit Passport Card Fraud

Peter D. Hardy, MoneyLaunderingNews.com

The Financial Crimes Enforcement Network (“FinCEN”) has issued a Notice on the Use of Counterfeit U.S. Passport Cards to Perpetrate Identity Theft and Fraud Schemes at Financial Institutions (“Notice”), asking financial institutions (“FIs”) to be vigilant in identifying suspicious activity relating to the use of counterfeit U.S. passport cards.  According to the Notice, the U.S. Department of State’s Diplomatic Security Service (“DSS”) has determined that there is a growing use of such counterfeit cards to gain access to victim accounts at FIs.  “This fraud occurs in person at [FIs] and involves an individual impersonating a victim by using a counterfeit U.S. passport card that contains the victim’s actual information.”

As its title plainly states, the Notice pertains to passport cards, rather than passport books.  Passport cards have more limited uses and can be used only for land, sea and domestic air travel into the U.S. from Canada, Mexico, the Caribbean and Bermuda.  The following graphic from the Department of State illustrates the difference.

The Notice observes that FIs are less likely to detect fraud involving passport cards because they are a less familiar form of U.S. government-issued identification.  Victims’ personal identifiable information (“PII”) is typically acquired through the darknet or the U.S. mail (see our blog post on the surge in mail-theft check fraud here).  After a fake card is created, the illicit actor or complicit money mule will visit a branch of the victim’s FI – often by trying to avoid any branches that the victim actually may visit, so as to reduce the chances of detection.

If bank staff are fooled successfully, the Notice describes what can follow:

  1. The illicit actor will seek to gain information about a victim’s account, by, for example, asking questions regarding the account balance and withdrawal limits. Once such information is obtained, the illicit actor will quickly withdraw large amounts of cash below the Currency Transaction Reporting (CTR) threshold, purchase cashier’s checks or money orders, or initiate wires.  To evade the CTR threshold, the illicit actor may visit other bank branch locations and repeat the process, using the same victim’s information. Read more
U.S. House of Representatives Committee on Financial Services Reintroduce Bill to Protect America’s Critical Financial Infrastructure from Ransomware Attacks

House Financial Services Committee Chairman Patrick McHenry (R-NC) and U.S. Representative Brittany Pettersen (D-CO) today introduced the bipartisan Ransomware and Financial Stability Act. This legislation will protect the critical financial infrastructure that makes daily economic activity possible by deterring hackers and setting commonsense guide rails for financial institutions to respond to ransomware attacks.

Background on the Ransomware and Financial Stability Act:

Focuses the Government’s Deterrence Efforts on Critical Financial Infrastructure

  • The bill focuses on Financial Market Utilities, large securities exchanges, and certain technology service providers essential for banks’ core processing services.

Gives Critical Institutions a Roadmap When Attacked

  • Requires covered entities to notify the Treasury Department before making a ransomware payment.
  • Deters hackers by prohibiting large ransomware payments in excess of $100,000 unless law enforcement provides a Ransomware Payment Authorization or the President determines a waiver is in the U.S. national interest.

Provides Legal Clarity When Responding to Attacks

  • Ensures reports made by institutions to authorities about ransomware attacks are kept confidential.
  • Gives clarity to financial institutions, including ransomware payment processors, by creating a safe harbor when they assess a cybersecurity attack or comply with a Ransomware Payment Authorization.

To view the full text of the bill, click here.

U.S. Government on High Alert as Russian Hackers Steal Critical Correspondence from Microsoft Inbox

Ryan Naraine, Security Week

The US government says Midnight Blizzard’s compromise of Microsoft corporate email accounts “presents a grave and unacceptable risk to federal agencies.” The US cybersecurity agency CISA issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft’s corporate network and pivoted to steal sensitive correspondence from US government agencies.

The directive comes less than three months after Redmond disclosed the embarrassing hack and confirmed the ‘Midnight Blizzard’ attackers also stole source code and may still be poking around its internal computer systems.

According to the CISA directive, federal agencies must immediately “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said.

The agency warned that the Russian government-backed hackers are using information initially exfiltrated from the corporate email systems — including authentication details shared between Microsoft customers and Microsoft by email — to gain, or attempt to gain, additional access to Microsoft customer systems.

The agency said it worked with the world’s largest software maker to notify all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Midnight Blizzard threat actor.

“In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies,” CISA said.

The agency said Micrsooft also agreed to provide metadata for all exfiltrated federal agency correspondence — regardless of the presence of authentication secrets — upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which is the single federal point of contact for this incident. Read more

U.S. Gov’t Commits $3.6M To Address Cybersecurity Skill Shortage

Savannah Fortis, CoinTelegraph

NIST allocated nearly $3.6 million in cooperative agreements to enhance the cybersecurity workforce aiming to combat the growing threat of cyberattacks. The United States National Institute of Standards and Technology (NIST) said it awarded cooperative agreements of almost $3.6 million, aiming to build a workforce to help guard businesses against cybersecurity risks.

The NIST, an agency of the Department of Commerce, announced on April 3 that 18 education and community-focused organizations in 15 states will receive grants of roughly $200,000 to address the shortage of skilled cybersecurity employees.

The cooperative agreements will be a multisector effort as they will be overseen by NICE — a partnership between government, academia and private entities.

Laurie E. Locascio, director of NIST, said the investment is filling a “critical gap” in the cybersecurity workforce.

According to the U.S.’s CyberSeek tool, which analyzes data about the cybersecurity job market and was funded by NICE, the local market has had around 450,000 cybersecurity job openings in the last year. Read more

 

Apr. 12, 2024: Fraud and Cybersecurity Articles

Did One Guy Just Stop a Huge Cyberattack?

A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world.

Courtesy of Kevin Roose, The New York Times

The internet, as anyone who works deep in its trenches will tell you, is not a smooth, well-oiled machine.

It’s a messy patchwork that has been assembled over decades, and is held together with the digital equivalent of Scotch tape and bubble gum. Much of it relies on open-source software that is thanklessly maintained by a small army of volunteer programmers who fix the bugs, patch the holes and ensure the whole rickety contraption, which is responsible for trillions of dollars in global G.D.P., keeps chugging along.

Last week, one of those programmers may have saved the internet from huge trouble.

His name is Andres Freund. He’s a 38-year-old software engineer who lives in San Francisco and works at Microsoft. His job involves developing a piece of open-source database software known as PostgreSQL, whose details would probably bore you to tears if I could explain them correctly, which I can’t.

Recently, while doing some routine maintenance, Mr. Freund inadvertently found a backdoor hidden in a piece of software that is part of the Linux operating system. The backdoor was a possible prelude to a major cyberattack that experts say could have caused enormous damage, if it had succeeded.

Now, in a twist fit for Hollywood, tech leaders and cybersecurity researchers are hailing Mr. Freund as a hero. Satya Nadella, the chief executive of Microsoft, praised his “curiosity and craftsmanship.” An admirer called him “the silverback gorilla of nerds.” Engineers have been circulating an old, famous-among-programmers web comic about how all modern digital infrastructure rests on a project maintained by some random guy in Nebraska. (In their telling, Mr. Freund is the random guy from Nebraska.) Read more

CFPB Warns Banks of Video Games’ Money Laundering, Fraud Risks

Courtesy of Carter Pape, American Banker

The Consumer Financial Protection Bureau released a report last week on the inadequacies in consumer protections that video game makers provide to players, particularly against scams and account theft. The bureau also warned about data collection practices it says publishers can use to “take advantage of players’ proclivities to entice more spending.”

In the report, the bureau cited a 2019 paper that analyzed 13 patents about in-game purchases; the paper found the systems studied “optimize offers to incentivize continuous spending,” potentially exploiting vulnerable players such as adolescents and problem gamers — without the promise of refund entitlements.

Video games represent a large sector of the U.S. economy; American consumers spent nearly $57 billion on gaming in 2023, including on hardware, software and in-game transactions such as converting dollars to virtual currencies or other gaming assets, according to the bureau’s report.

The video game economy includes companies that are not game publishers, encompassing many large tech companies, as well. For example, according to a 2021 court ruling in a case between Apple and game publisher Epic Games, 70% of the revenue Apple collects from its app store comes from gaming apps. The court added that this 70% of revenue is generated by less than 10% of app store users. Read more

Hackers Stole 340,000 Social Security Numbers from a Government Consulting Firm

Courtesy of Lorenzo Franceschi-Bicchierai, TechCrunch

U.S. consulting firm Greylock McKinnon Associates (GMA) disclosed a data breach in which hackers stole as many as 341,650 Social Security numbers.

The data breach was disclosed on Friday on Maine’s government website, where the state posts data breach notifications. In its data breach notice sent by mail to affected victims, GMA said it was hit by an unspecified cyberattack in May 2023 and “promptly took steps to mitigate the incident.”

GMA provides economic and litigation support to companies and U.S. government agencies, including the U.S. Department of Justice, bringing civil litigation. According to its data breach notice, GMA told affected individuals that their personal information “was obtained by the U.S. Department of Justice (“DOJ”) as part of a civil litigation matter” supported by GMA.

The reasons and target of the DOJ’s civil litigation are not known. A spokesperson for the Justice Department did not respond to a request for comment.

GMA said that individuals notified of the data breach are “not the subject of this investigation or the associated litigation matters,” and that the cyberattack “does not impact your current Medicare benefits or coverage.”

“We consulted with third-party cybersecurity specialists to assist with our response to the incident, and we notified law enforcement and the DOJ. We received confirmation of which individuals’ information was affected and obtained their contact addresses on February 7, 2024,” the firm wrote. Read more

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Courtesy of The Hacker News

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.

The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.

The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.

BatCloak, offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its primary function is to load a next-stage payload in a manner that circumvents traditional detection mechanisms.

ScrubCrypt, a crypter that was first documented by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is assessed to be one of the iterations of BatCloak, according to research from Trend Micro last year.

In the latest campaign analyzed by the cybersecurity firm, the SVG file serves as a conduit to drop a ZIP archive that contains a batch script likely created using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT, but not before setting up persistence on the host and taking steps to bypass AMSI and ETW protections. Read more

Apr. 5, 2024: Fraud and Cybersecurity Articles

U.S. Cybersecurity and Infrastructure Agency Releases Proposed Rules on Breach Reporting Requirements

Courtesy of Hunton Andrews Kurth’s Privacy and Cybersecurity of Hunton Andrews Kurth, National Law Review

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours, in the event that payment is made in response to a ransomware attack.

CISA proposes that qualifying cyber incidents are “substantial” cyber incidents that lead to (1) a substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network; (2) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (3) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (4) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

CISA also proposes that a “covered entity” include entities (1) within a critical infrastructure sector that exceed small business size standards specified by the U.S. Small Business Administration or (2) subject to sector-specific standards that CISA proposes developing for critical infrastructure entities. CISA considers 16 sectors to be “critical infrastructure:” chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; state, local, tribal, and territorial government coordinating council; transportation systems; and water and wastewater. Read more

AT&T Breach Demands Vigilance as Fraudsters Leverage ID Data

Courtesy of PYMNTS

The fallout from the massive data breach at AT&T — where information tied to 73 million current and former account holders was leaked — has yet to be felt. And changing passwords is a start, but by no means will it solve the problem. Bryan Lewis, CEO of Intellicheck, noted to PYMNTS: “It’s not just the passcode you have to worry about.

The real issue in a beach of this size, with this data,” he said of the fraudsters in a Monday (April 1) interview, “is that they’re going to use it to steal your identity.” The compromised data that’s now on the Dark Web spans everything from passwords and names to addresses and Social Security numbers. And the data itself? It can be bought on the cheap.

As Lewis recounted, the Dark Web serves as an online marketplace where names, emails and other data points can be bought for $10 or $20.  A driver’s license might go for $50. For a grand total of $80, Lewis said, an enterprising fraudsters can grab all the information they might need to pose as someone else. They could then essentially go shopping, trying every site they can to open accounts, run up bills and buy all manner of goods that can easily be resold for monetary gain.

Vigilance Will Be Key
“If you’re one of the people who’ve had their data breached,” at the telecom giant, he said, “you’ve really got to be vigilant now — especially anywhere credit can be issued.” The vulnerabilities linger. The fact remains that individuals use the same passwords over and over, Lewis said.  A prudent strategy would be that consumers make sure not to use the same passwords or PINs across multiple systems, particularly if they’re storing sensitive information with merchants and banks and enterprises.

Telecoms are especially appealing to fraudsters, said Lewis, who observed to PYMNTS that SIM card fraud and other scams allow bad actors access to victims’ phone and email accounts, and by extension their bank and brokerage accounts. Read more

U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers

Courtesy of The Hacker News

The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year. The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a “cascade of Microsoft’s avoidable errors.”

“It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the DHS said in a statement.

The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reach out to flag the breach. It further faulted Microsoft for not prioritizing the development of an automated key rotation solution and rearchitecting its legacy infrastructure to meet the needs of the current threat landscape. The incident first came to light in July 2023 when Microsoft revealed that Storm-0558 gained unauthorized access to 22 organizations as well as more than more than 500 related individual consumer accounts.

Microsoft subsequently said a validation error in its source code made it possible for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, thus allowing the adversary to infiltrate the mailboxes.

In September 2023, the company divulged that Storm-0558 acquired the consumer signing key to forge the tokens by compromising an engineer’s corporate account that had access to a debugging environment hosting a crash dump of its consumer signing system that also inadvertently contained the signing key. Read more

Related Reading: CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

FinCEN Updates: Financial Action Task Force Highlights Treasury’s Efforts to Counter Illicit Finance

The Financial Action Task Force (FATF)—the global standard-setting body for anti-money laundering, countering the financing of terrorism, and countering proliferation financing (AML/CFT/CPF)—announced that the United States has been upgraded to “largely compliant” with FATF Recommendation 24, which relates to beneficial ownership transparency for legal persons.

The FATF published the updated rating in the Seventh Enhanced Follow-Up Report of the United States, recognizing Treasury’s historic efforts to increase beneficial ownership transparency and address key vulnerabilities in the U.S. AML/CFT framework.

“The United States’ upgraded rating is a result of nearly a decade of hard work by the Treasury Department, along with our interagency partners, to stop the flow of dirty money through anonymous companies,” Secretary of the Treasury Janet L. Yellen said. “As the world’s largest economy, we have a unique responsibility to safeguard our financial system from criminal exploitation. We’re fully committed to strengthening the implementation of the FATF’s global standards as we work to advance transparency and fairness across the U.S. financial system.”

The Report details the United States’ progress in addressing deficiencies in its AML/CFT regime specific to Recommendation 24, including the ongoing implementation of the Corporate Transparency Act, the bipartisan law that requires many companies doing business in the United States to report information to Treasury’s Financial Crimes Enforcement Network (FinCEN) about who ultimately owns or controls them. This historic effort, among other Treasury initiatives, aims to prevent the misuse of anonymous companies and other corporate structures by criminal, corrupt, and illicit actors.

Treasury has made significant progress in implementing the Corporate Transparency Act and is engaged in a robust outreach and education campaign to educate small businesses about the reporting requirements. Reporting companies that existed before 2024 have until January 1, 2025, to report their beneficial ownership information to FinCEN. Reporting companies created or registered to do business in the United States in 2024 have 90 calendar days to file after receiving actual or public notice that their company’s creation or registration is effective. Learn more at fincen.gov/boi.

 

Mar. 29, 2024: Fraud and Cybersecurity Articles

Fake Data Breaches: Countering The Damage

Courtesy of Vitaly Simonovich, HelpNetSecurity

Amid the constant drumbeat of successful cyberattacks, some fake data breaches have also cropped up to make sensational headlines. Unfortunately, even fake data breaches can have real repercussions.

Earlier this year, a hacker on a criminal forum claimed to have stolen data on some 50 million Europcar customers. After investigation, the car rental company determined that the data claimed to have been stolen was completely bogus.

In February 2024, someone created a fake news story claiming a major data breach at the Maine Attorney General’s office and tricked the Attorney General’s office into posting it on their website. Epic Games, maker of Fortnite was a victim of a fake data breach by a cybercrime group that claimed without evidence it had absconded source code and sensitive user data.

Such fabricated attacks create panic and damage business reputations.

Unlike notorious and sophisticated cybercriminals with a reputation to maintain, novice hackers and amateurs can easily resort to such hoaxes. They can manipulate social media to spread misinformation and profit from the chaos. It doesn’t take much effort — a simple ChatGPT prompt can generate an entire database worth of realistic-looking records. Attackers can then try to sell this made-up information (like email addresses, passwords, credit card numbers), claiming it’s from a hacked company.

The exposed data may be fake, but these breaches can cause problems.

Why fake data breaches matter
Fake data breaches can hurt an organization’s security reputation, even if it quickly debunks the fake breach. Whether real or fake, news of a potential breach can create panic among employees, customers, and other stakeholders. Read more

Financial Crime Prevention: Credit Provider’s Cutting-Edge Approaches

Courtesy of Finextra

Credit providers understand the critical challenge with the rise of complex financial crimes, from cyber theft to money laundering. Criminals are using advanced technologies—the same ones that make digital banking possible—to break through security defences.

In response, credit providers are forced to constantly modernise their approach to crime prevention by replacing legacy systems with cutting-edge innovations. From AI to blockchain, leading lenders are implementing new strategies and technologies that set higher standards for security—while actively shaping safer lending.

In this blog, we’ll look at the techniques leading credit providers are using to guard against emerging threats and create a more secure future for themselves and their customers.

Let’s dive in.

What’s driving increased financial crime?
Digital transformation in banking has enabled convenience and efficiency, but according to Comply Advantage’s The State of Financial Crime 2023, as technology evolves, fraud and scams do too—especially as economies worsen.

Criminals are harnessing the anonymity of the online world to commit complex fake identity fraud, use fake videos and images to get past security, and transfer illegal money using digital currencies and online platforms. Meanwhile, cybercriminals are exploiting vulnerabilities in banking infrastructure to steal data and assets.

Ultimately, as financial crimes grow more advanced, traditionally reactive security measures are being outmatched. Credit providers are struggling to identify threats and stop attacks. Meanwhile, the European Union is preparing to roll out its most comprehensive anti-money laundering regulatory package ever.

How can firms effectively manage customer data, meet increasing regulatory expectations, and combat competitive pressures? Read more 

The Rise of Cyberattacks on Financial Institutions Highlights the Need to Build a Security Culture  

Courtesy of Callie Guenther, SC Media

The recent surge in cyberattacks targeting financial institutions marks a significant escalation in the threat landscape, a development that has intensified scrutiny on cybersecurity measures, and also raised pertinent questions about regulatory responses.

February’s attack on Bank of America, facilitated through a third-party service, underscores the intricate web of vulnerabilities that financial organizations navigate in an increasingly interconnected digital ecosystem.

This incident, particularly noteworthy for the involvement of the notorious LockBit ransomware group, exemplifies the sophisticated and relentless nature of advanced persistent threats (APTs) facing the financial sector. It’s even more of a threat because even with the recent takedown of LockBit, the gang has resurfaced and LockBit customers still have access to its ransomware.

LockBit’s recent activities, including attacks on Planet Home Lending and now Bank of America, reveal a trend of APT groups honing their focus on financial institutions. Financial companies are treasure troves of sensitive financial data, making them prime targets for ransomware attacks that can yield significant financial gain and disrupt critical services. LockBit’s modus operandi, which includes leveraging third-party vulnerabilities to infiltrate their primary targets, reflects a broader shift in cybercriminal tactics. It underscores the need for a holistic security approach that encompasses not only direct but also indirect avenues of potential compromise. Read more

Seeing is Believing…and Securing

Because you can’t secure what you can’t see, having real-time asset visibility across the network is vital to maximizing security, minimizing risk, and protecting the enterprise.

Courtesy of Danelle Au, SecurityWeek

According to financial market analyst firm Fitch Ratings, cyber insurance premium costs increased 178% from 2017 to 2022, including a 51% year-over-year increase in 2022 alone. Fitch says costs are expected to moderate in the coming quarters as profits and competition influence pricing, and as customers adjust to their own situations by improving cybersecurity measures, or abandoning cyber insurance as a part of their risk management strategy. For some high risk organizations, costs have become prohibitively expensive while, for others, the decision may be out of their hands as insurers deny them coverage outright. Still others may find that certain coverage is no longer available. That was the message Lloyd’s of London sent in late 2022 when it announced that it would require its underwriters to exclude coverage for damages related to state sponsored cyberattacks.

These evolutions in cyber insurance may be frustrating for customers, but they are to be expected as a part of the maturation of a relatively new insurance product in a highly volatile market. Underwriters have learned hard lessons as threat actors have become more sophisticated and belligerent, forcing them to take a more active and consultative role in their customers’ risk management by providing guidance aimed at improving security. As Robert Parisi, North American head of cyber solutions for the large reinsurer Munich Re told the Wall Street Journal, “The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look.’”

Everything Under (12) Controls
For example, insurer Marsh McLennan Agency has a list of twelve security controls the firm provides to help inform its customers’ cybersecurity strategies, including the caveat that a failure to provide proof of the first five controls is likely to be a coverage disqualifier. Adoption and effective use of all twelve, on the other hand, will not only improve the organization’s overall risk profile, but it may well result in lower cyber insurance costs. Marsh has reported that by adopting and documenting its recommended controls, 14% of its customers enjoyed lower premiums in the past year even as their peers paid more. Read more

Mar. 22, 2024: Fraud and Cybersecurity Articles

If Companies Are So Focused on Cybersecurity, Why Are Data Breaches Still Rising?

Courtesy of Stuart Madnick, Wall Street Journal

One reason: Ransomware gangs are on the rise, allowing even criminals with minimal computer knowledge to get into the game

Organizations are spending more money than ever on cybersecurity—an estimated $188 billion globally in 2023, a figure expected to grow to almost $215 billion in 2024—yet hackers always seem to stay a step ahead. The number of reported data breaches in the U.S. rose to a record 3,205 in 2023, up 78% from 2022 and 72% from the previous high-water mark in 2021, according to the nonprofit Identity Theft Resource Center. Trends are similar in other parts of the world.

What can explain these two seemingly contradictory statistics? If awareness of and spending on cybersecurity is growing, why do data thieves remain undeterred? Based on our research, three things are helping to drive the current increases:

Evolving ransomware attacks: In traditional ransomware attacks, which I call Ransomware 1.0, hackers break into a company’s computer system, “lock up” data by scrambling it and demand a ransom payment in return for the decryption key. To resume business, companies typically have a choice: Pay the ransom or try to re-create the data that has been frozen. In these attacks, data isn’t stolen, so there is no data breach to report.

Ransomware attacks have evolved, however, in two key ways.

First, after a slight drop, these kinds of attacks are on the rise again due to the emergence of ransomware gangs that franchise their malware and make it available to budding cybercriminals. This trend is allowing more criminals, even those with minimal computer knowledge, to get into the ransomware game.

Second, these attacks are becoming more damaging in that many attackers are now stealing their victims’ data, in addition to just locking it up. I refer to this new approach as Ransomware 2.0. The hackers threaten to disclose the private information if they don’t receive a ransom payment. This results in large leaks of corporate and consumer data that didn’t occur before. Read more

From Ransomware to Pig Butchering, Visa Report Shows Top Scams Impacting Consumers and Businesses Globally

Courtesy of Visa Inc.

Visa released the Spring 2024 Edition of its Biannual Threats Report, which outlines the top payment threats impacting consumers and businesses around the world. The report points to increasingly organized, sophisticated threat actors targeting the most vulnerable point in the payments’ ecosystem: humans.

“With the use of Generative AI and other emerging technologies, scams are more convincing than ever, leading to unprecedented losses for consumers,” said Paul Fabara, Chief Risk and Client Services Officer, Visa. “Visa is uniquely positioned to address these threats, with investments in tech and innovation reaching over $10 billion over the past five years. These investments, in addition to our ongoing education and top talent, allow us to stay ahead of scams and protect consumers.”

Individuals as a Primary Target
Consumers are increasingly targeted by scammers, who rely on heightened emotions to create fraud opportunities. While the number of individual scam reports from June to December decreased, the total money lost increased, indicating scammers are targeting victims with more effective – and costly – scams. According to another recent Visa survey, more than one-third of adults surveyed decided not to report scams committed against them1, suggesting the losses are higher than reported.

Top consumer scams highlighted in the Spring Threats report include:

  • “Pig butchering” scams: Capitalizing on holidays like Valentine’s Day and New Year’s Eve through social media and dating sites, scammers lure victims into online relationships and convince them to invest in fake cryptocurrency trading platforms. Leveraging AI to create more convincing campaigns, pig butchering scams have led to billions of dollars of losses for consumers2. Per Visa’s study, 10 percent of surveyed adults have been targeted in a pig butchering scam1.
  • Inheritance scams: Victims are notified about an inheritance left by a long-lost relative, often coming from a seemingly legitimate law firm or other professional entity. Red flags include secrecy, urgency, requests for personal information, and the need for an initial payment to secure future gains. 15 percent of U.S. adults surveyed by Visa have been targeted in inheritance scams1.
  • Humanitarian relief scams: Capitalizing on tragic current events, these scams exploit calls for donations across social media to defraud unsuspecting donors.
  • Triangulation fraud: Threat actors create illegitimate online storefronts offering in-demand products at a low cost to collect payment information. Legitimate merchants fulfill the online order, but payment information is already compromised. Triangulation scams cost merchants up to $1 billion in a single month3. Read more
CISA Hit by Hackers, Key Systems Taken Offline

Courtesy of Jonathan Reed, SecurityIntelligence.com

The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

CISA takes systems offline
Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.

According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.

CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS). CISA declined to confirm or deny which of their systems were taken offline.

Ongoing Ivanti vulnerabilities
In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network. Read more

Understanding and Responding to Distributed Denial-Of-Service Attacks

This joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, addresses the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques:

  • Volumetric, attacks aiming to consume available bandwidth.
  • Protocol, attacks which exploit vulnerabilities in network protocols.
  • Application, attacks targeting vulnerabilities in specific applications or running services.

CISA, FBI, and MS-ISAC urge network defenders and leaders of critical infrastructure organizations to read the guidance provided to defend against this threat. For more actionable recommendations, best practices, and operational insights designed to address common challenges, visit CISA’s Capacity Enhancement Guides for Federal Agencies page.

Mar. 15, 2024: Fraud and Cybersecurity Articles

Avoid the Scammers: 12 Tips for Public Wi-Fi Hotspot Security

Courtesy of Eric Griffith, PC Mag

Public Wi-Fi hotspots can be a hacker’s paradise. Following these basic security tips can mean the difference between safe surfing and an ID theft or data-loss nightmare.

People are addicted to free Wi-Fi. They need it, they crave it, and they don’t think twice about connecting to any network that can get them online. Getting Wi-Fi in a hotel, on an airplane, even in a restaurant or bar drives decision-making on where to go and stay. Many people even use public Wi-Fi in hotels/rentals to watch adult content—and I’m not talking about True Detective on Max.

Yet most people can’t tell a secure Wi-Fi network from an insecure one.

For many, public Wi-Fi is too convenient to ignore. But hotspots you don’t know can be risky. It’s not that hard to make sure you’re secure. Some of the tips below involve common sense, while the rest you can set up before you leave the house or office. Make sure the next hotspot you connect to—be it in a café or in the sky—isn’t a security nightmare waiting to happen.

1. Pick the Correct Network
Have you ever tried to connect to public Wi-Fi and seen multiple network names that are similar but not the same? EricsCoffeeHaus versus EriksCoffeeHaus, or HiltonGuest versus HiltonGuests, for example. This is a tried-and-true man-in-the-middle attack used by hackers—dubbed Wi-Phishing. It tries to trick you into logging into the wrong network to get to your info. Most people don’t take the time to check, they simply jump on the strongest, open signal they see. Always check that you picked the legitimate network. Just ask someone who works there for the proper network name if it’s not posted.

2. Pick a Secure Network
When you want to pick a Wi-Fi hotspot to log into, try and find one that’s got you locked out. You read that right. Usually, if you see the lock icon, it means you can’t get access. Networks with zero security don’t have a lock icon next to them. On an iPhone, if you click an unsecured network—even if it’s your own at home—you’ll get a warning that reads Security Recommendation.

Of course, this isn’t a hard and fast rule. Some hotspots don’t show the lock because they have what’s called “walled garden” security: You have to log in via a browser to get access to the internet. The login usually is provided by the hotspot—you may get it from the front desk at a hotel, for example, while checking in. Read more

Understanding Regulatory Frameworks for Trade-Based Money Laundering (TBML) Compliance

Courtesy of FinExtra

Trade-based money laundering (TBML) poses significant risks to the global financial system, requiring robust regulatory frameworks and international standards to combat this illicit activity. Compliance professionals play a crucial role in understanding and implementing these frameworks to ensure effective TBML prevention. This article will delve into the various regulations and guidelines issued by regulatory bodies such as the Financial Action Task Force (FATF) and the Wolfsberg Group. It will also explore the challenges and best practices in implementing these regulations in different jurisdictions.

Regulatory Frameworks for TBML Prevention:

  • Financial Action Task Force (FATF): The FATF is an intergovernmental organization that sets global standards for combating money laundering and terrorist financing. Its recommendations provide a comprehensive framework for TBML prevention. Compliance professionals should familiarize themselves with the FATF’s 40 Recommendations and the specific guidance on TBML issued by the organization.
  • Wolfsberg Group: The Wolfsberg Group is an association of global banks that aims to develop frameworks and guidance for the management of financial crime risks. Their Wolfsberg Trade Finance Principles provide valuable insights into best practices for TBML prevention in the trade finance industry.

Challenges in Implementing Regulatory Frameworks:

  • Harmonization across Jurisdictions: One of the key challenges in implementing TBML regulations is the lack of harmonization across jurisdictions. Different countries may have varying regulatory requirements and interpretations of TBML risks. Compliance professionals must navigate these differences and ensure compliance with multiple sets of regulations.
  • Lack of Clarity in Standards: While regulatory bodies provide guidance on TBML prevention, these recommendations are often non-binding and lack enforceability. This lack of clarity can create confusion for compliance professionals, making it challenging to determine which specific standards to follow for international operations. Read more
As Boards Focus More on Cybersecurity, Are They Missing One of the Biggest Threats?

Courtesy of Jeffrey Proudfoot and Keri Pearlson, Wall Street Journal

The weak link inside organizations might be the very people responsible for making sure companies aren’t vulnerable to attack

Board members are taking on more responsibility for cybersecurity strategy at the companies they oversee. But they might be overlooking one of the organization’s biggest vulnerabilities: themselves.

We uncovered this uncomfortable truth while conducting a series of interviews and surveys with dozens of directors across different companies and industries, part of our broader research into boards and cybersecurity issues.

Over the past decade, cybersecurity oversight has become an added board mandate, with directors becoming more accountable for ensuring that organizations have robust defenses in place against attacks. That means directors now have access to detailed tactical information about a company’s cyber defenses, in addition to a lot of other sensitive data.

Despite that, directors haven’t traditionally fallen within the scope of companies’ cybersecurity efforts. Nor are most companies we surveyed preparing directors to anticipate, respond to or avoid cyberattacks.

The upshot: The board members themselves, the people responsible for making sure a company is well-protected, could well become the weak link in an organization’s cyber defenses.

No preparation
Corporate executives have a number of ways to keep board members abreast of the company’s cybersecurity preparedness, including presentations from technology executives, tabletop exercises that simulate hypothetical attacks, and reports on key cybersecurity metrics. However, none of these measures prepare directors to be resilient against potential attacks targeting them directly.

And there’s no question that they are uniquely vulnerable. For example, based on research we have done, we know that many board members almost exclusively work remotely, meaning they share a lot of sensitive information electronically. In addition, directors usually aren’t involved in, and thus don’t benefit from, awareness programs, regular communications and informal water-cooler discussions that help keep cybersecurity on the minds of a company’s employees. And since boards may receive cybersecurity status updates only periodically, it can take a while for directors to identify and fully understand emerging threats such as AI-driven cyberattacks and how they might be used to target them individually. Read more

Still on Top: Cybersecurity Incidents Ranked #1 Global Business Threat in 2024

Courtesy of Craig S. Horbus of Dinsmore & Shohl LLP, National Law Review, Vol. XIV, No. 74

Regardless of an organization’s scale, cyberattacks and other cybersecurity incidents, such as data loss or merchant/vendor incidents, pose a significant threat to businesses globally. A quick search online easily identifies current cyberattacks being unleashed against corporations operating in today’s global economy including American Express and Change Health. With a proliferation of applications using around-the-clock connectivity, we find ourselves woven into an intricate and evolving scenario of cyber concern. With this backdrop, companies must have access to seasoned professionals well-versed in data security and privacy.

According to the Allianz Risk Barometer, cyber incidents such as ransomware attacks, data breaches and IT disruptions are the biggest worry for companies globally in 2024. Business interruption ranks second in their report, which is one step removed from cyber incidents. Natural catastrophes (#3), changes in legislation and regulation (#4) and macroeconomic developments (#5) round out the top 5 most important global business risks for 2024.

Not surprisingly, the study highlights cyberattacks and associated data loss as the top corporate risk. Year-over year, the concern has surpassed and holds steady over other significant risks such as regulatory concerns, climate change and a shortage of skilled workers threats. Cyber incidents sitting in the top spot simply reflects the escalating threat landscape fueled by cybercrime and the profound financial and reputational impact on companies and executives.

Allianz Risk Barometer report states, “[c]yber threats are constantly evolving as hackers and criminals gain access to new technologies or find new ways to exploit old vulnerabilities. Hackers are beginning to use artificial intelligence (AI) powered language models to increase the speed and scope of ransomware attacks, as well as create new malware and produce highly convincing phishing emails and deep fakes. Such attacks are likely to proliferate during 2024.”

The impact of the COVID-19 pandemic continues to exacerbate vulnerabilities as many organizations transitioned to permanent or hybrid remote work setups, providing fertile ground for cybercriminals to conduct operations. Additionally, human error still accounts for most of the patient zero triggers we see in daily incident response situations allowing the initial network intrusion and making employee training a key component of best practices. Ransomware activity alone is projected to cost its victims $265 billion annually by the start of the next decade[1]. These staggering figures underscore the imperative for businesses to bolster their cybersecurity posture. Read more

Mar. 8, 2024: Fraud and Cybersecurity Articles

American Express Notifies Customers of Data Breach

Courtesy of Ionut Arghire, Security Week

American Express is notifying customers that their information was compromised in a data breach at a third-party services provider.

In a notification letter to the impacted customers, a copy of which was submitted to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the company explains that the incident impacted account information of some card members.

“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system. It is important to note that American Express owned or controlled systems were not compromised by this incident,” the notification letter reads.

According to American Express, the compromised information includes names, current and previously issued card account numbers, and other card details, such as expiration dates. The financial services company says it is “vigilantly monitoring” customer accounts for fraud and notes that the impacted individuals are not liable for fraudulent charges on their accounts.

The notification letter also includes a series of recommendations on how individuals can protect their personal and card information, but does not share details on how the incident occurred. It is unclear how many individuals were impacted by the data breach.

Massachusetts OCABR’s latest data breach report shows that American Express disclosed several third-party data breaches over the past several weeks, involving retailers and merchant processors. Credit or debit card numbers were compromised in every incident.

“The potential impact of the American Express data breach is not yet known, as it is unclear whether customers’ data was simply accessed or if it has been exfiltrated through the third-party provider. If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases, but also to extort customers into further payments,” BlackFog CEO and founder Darren Williams said in an emailed comment.

These Are the Biggest Fraud Risks Banks Will Face in 2024

Courtesy of Craig Guillot, The Financial Brand

Fraudsters will use Gen AI, synthetic identities and new tactics to increase and perpetrate fraud in 2024. Companies and financial institutions can mitigate risk with a multilayered prevention solution.

The report2024 Future of Fraud Forecast [February 2024] Source: Experian

Why we picked it: As a credit reporting agency with files on more than 220 million consumers, Experian has a strong pulse on the state of fraud. Its annual Future of Fraud Forecast is a valuable read for those in the financial services industry.

Executive Summary
Experian’s annual Future of Fraud Forecast highlights fraud trends impacting consumers, businesses, and the financial services industry. While presenting the findings in a recent webinar, Kathleen Peters, chief innovation officer, and Mike Thibodeaux, vice president of fraud and identity solutions, noted that fraud is becoming a growing problem for both businesses and consumers — and 2024 will bring not only an increase in volume but an increase in the types of attacks. Gen AI will enable new and creative attack methods, even for DIYers. More consumers are looking to in-person interactions to reduce digital risk. Experian also anticipates a surge in identity fraud and retailers being hit with empty returns.

Key Takeaways:

  • 70% of businesses report that fraud losses have increased in recent years and over half of consumers feel they are more of a fraud target than a year ago
  • APP/P2P transaction-based fraud is the most common, representing 41% of all attacks. Criminals like it because it is fast, hard to trace, and hard to recover.
  • While consumers want to feel safe, they also want convenience and don’t like overzealous security measures. Half (51%) of consumers who opened an account within the last six months considered abandoning the process.
  • Gen AI will be one of the greatest drivers of fraud in 2024, making it easier to orchestrate and offering opportunities for do-it-yourself fraudsters to create complex attacks.

What we liked: Few companies have such a strong pulse on fraud. Experian’s report offers first-hand insight into the fraud trends impacting customers and businesses. What we didn’t: While Experian offers great insight into identifying fraud trends, there’s little insight into what to do about it. The report and webinar lacked substantial recommendations beyond Experian’s solutions. Read more

Cyber Insights 2024: APIs – A Clear, Present, and Future Danger

Courtesy of Kevin Townsend, Security Week

The API attack surface is expanding and API vulnerabilities are growing. AI will help attackers find and exploit API vulnerabilities at scale.

API Security Insights
Over the last few years, APIs have become a serious threat vector. The reasons are complex and almost unavoidable in today’s online economy. Applications are served to users and clients over the web, but need to be accessed by users, clients, and other applications. APIs are the route for this access – and cybercriminals are using it.

The quantity required is difficult to comprehend. “Research shows that the average business has hundreds of APIs in production, while some have more than a thousand,” explains Lebin Cheng, head of API security at Imperva. This is growing, fueled by ongoing digital transformation and the expansion of mobile computing. Reliance on APIs is growing faster than our understanding of the implications of that reliance. While APIs already provide a clear and present danger to cybersecurity, that current danger might well be surpassed by the future danger.

Clear and present danger
There are many reasons for the expansion of the threat to APIs. Some are listed below. Some can be mitigated, but others are unavoidably inherent. Nevertheless, if security measures are not adopted, the API threat will only increase in the future.

Accessibility
“API attacks have low barriers to entry as their documentation is publicly available information. Hackers easily exploit weaknesses, gain unauthorized access, and manipulate endpoints for data and system control,” says Andy Grolnick, CEO at Graylog. Doug Dooley, COO of Data Theorem, adds, “API attacks are likely to grow as the attackers target APIs as the most attractive entry points for large-scale data breaches.”

API sprawl
“The challenge is many organizations don’t have the right defenses or controls in place. They don’t know where their APIs are deployed or what data they’re accessing. This exposes them to risk in magnitudes that they cannot comprehend, or even begin to quantify,” says Cheng. Read more

CISA’s New Plan to Better Align Cybersecurity Operations

Courtesy of Derace Lauderdale, Federal News Network

The Cybersecurity and Infrastructure Security Agency is introducing a new strategic approach for 2024 called the Federal Enterprise Operations Cyber Alignment Plan. Its focus is bringing agencies together to compare notes on recent cyber incidents and approaches, and align behind a common path forward, especially for  analysts in their security operations centers.

“It’s important for CISA as we look into fiscal 2024 and really have that strategic outlook of what the future holds. What does the cybersecurity threat landscape look like? It was important for CISA to convene all federal agencies, take an opportunity to walk through what we experienced in 2023. Walk through the major incidents, the cybersecurity issues that we’ve been dealing with as a community and work toward an action plan, an operational alignment plan for us to think about what comes next. What’s in 2024?” Michael Duffy, CISA’s associate director said on Federal Monthly Insights – Security Operations Centers. “The suite of binding operational directives, everything from the known exploited vulnerabilities to the network management interfaces, down to the asset visibility and vulnerability enumeration, that has been a meaningful shift in the way that we look at cybersecurity defense operations across the enterprise. It’s important for us, as we start the new year, to bring that community together, to talk about what we’re seeing, the challenges we have, and ultimately, come away with some commitments from them.”

CISA is committed to working collaboratively with state and local governments, election officials and federal partners to manage risks to the nation’s infrastructure. The continued evolution of the Continuous Diagnostics and Mitigation (CDM) dashboard to help agencies improve how they manage their cyber environments  is also a priority, as well as the Secure Cloud Business Application (SCuBA), which ensures agencies are using a baseline of secure workplace and collaboration applications in the cloud.

“The concept of alignment is an important shift in the way that we’re approaching this,” Duffy said. “We designed an operational cyber enterprise plan, which identified all of the areas that we think the federal government, as an enterprise, should be focusing on improvement actions. We had fantastic feedback from [chief information security officers] and agency teams.”

In a survey of chief information security officers (CISOs) across government, one challenge that emerged for CISA was identifying what else is needed for success in the agencies. Read more

 

Mar. 1, 2024: Fraud and Cybersecurity Articles

Android Banking Trojans: How They Steal Passwords and Drain Bank Accounts

Courtesy of David Ruiz, MalwareBytes

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals. These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?
The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play. Read more

Credit Unions Take Brunt of 2023 Fraud Losses, Report Finds

Courtesy of Natasha Chilingerian, Credit Union Times

Alloy finds CUs and community banks were more likely than other sectors to lose $500K-plus to fraud last year. Despite an overall slowdown in financial crime in 2023, credit unions had a tough year when it comes to fraud losses, according to a new report from an identity risk solutions company.

The 2024 State of Fraud Benchmark Report, released Thursday by the New York, N.Y.-based Alloy, revealed 79% of credit union and community bank decision-makers surveyed experienced more than $500,000 in direct fraud losses in 2023 – higher than any other segment included in the survey. That compared to 65% of mid-market banks, 63% of enterprise fintechs, 62% of enterprise banks, 57% of online/pure play lending banks, 32% of both regional banks and mid-market fintechs, and 28% of strategic fintechs whose decision-makers reported fraud losses of $500,000 or more last year.

Of note, only 9% of the survey’s participants were from credit unions or community banks. Conducted from Oct. 29-Nov. 17, the survey included 250 U.S.-based and 200 U.K.-based decision-makers working in the financial sectors listed above. Overall, the report found that while 98% of respondents were hit with fraud in 2023, the frequency of fraud attempts occurred at a slower rate than the previous year. And while respondents said they faced fewer financial setbacks as a result of fraud in 2023, they also recovered fewer of those losses compared to 2022.

What’s more, the report said authorized push-payment fraud, in which a fraudster posing as a legitimate company coerces their victim to send them a payment, was the most common type of fraud in the U.S. and U.K. combined last year. In the U.S. alone, bust-out fraud – which involves a bad actor maxing out a stolen credit card and bailing on the bill – topped the list of fraud types in 2023 among all respondents.

When it comes to fraud prevention measures, credit unions and community banks were more likely to focus on ongoing optimizations to their existing fraud models (71%), compared to 68% of enterprise banks, 65% of mid-market fintechs, 59% of both strategic and enterprise fintechs, 56% of mid-market banks, 51% of online/pure play lending banks and 49% of regional banks. Read more

Why Governance, Risk, and Compliance Must Be Integrated with Cybersecurity

Courtesy of Rosalyn Page, CSO Online

With pressure from regulators, evolving threats and the need for stronger oversight, integrating cybersecurity risks into GRC programs requires alignment between both areas. Persistent cyber threats, the growing array of regulations and rapidly changing technology have heightened the need for cybersecurity to be integrated into governance, risk and compliance (GRC) frameworks.

GRC programs include the processes and technologies that enable organizations to meet business goals, address risk, and comply with government and industry regulations. Incorporating cybersecurity into organization-wide GRC programs means aligning technology decisions with business objectives while meeting regulatory requirements and defining cyber risks.

Organizations need to move away from security and compliance being compartmentalized and move towards coordination and alignment between the two. By aligning cyber risk with GRC the aim is to limit liability from legal and compliance, ensure a governance mode fit for audit and comply with regulating bodies like the SEC — that’s the important thing, Jason Rader, CISO with Insight Enterprises, tells CSO.

What’s driving cyber risk’s integration into GRC?

Cloud adoption, hybrid workforces, the emergence of generative AI, building agile security functions and the need to secure organization-wide digital ecosystems are behind the predicted 14% growth of global spending on security and risk management in 2024. This is according to Gartner, which estimates a total $215-billion spend in this area. Read more

Healthcare Providers Hit by Frozen Payments in Ransomware Outage

Courtesy of Raphael Satter, Christopher Bing and Patrick Wingrove, Reuters

Healthcare providers across the United States are struggling to get paid following the week-long ransomware outage at a key tech unit of UnitedHealth Group, with some smaller providers saying they are already running low on cash.

Large hospital chains are also locked out of processing payments with some absorbing the upfront costs of being unable to collect, according to the American Hospital Association (AHA), which represents nearly 5,000 hospitals, healthcare systems, networks and other providers.

Reuters could not gauge the full magnitude of the problem, but six small businesses across the United States – five therapists and one laboratory – said they were unable to process claims and were racking up thousands of dollars in overdue payments.

The problems began last week after hackers gained access to UnitedHealth’s Change Healthcare unit, a vital lynchpin in the complex U.S. system for making and clearing insurance claims. It also affected electronic pharmacy refills and insurance transactions, particularly among independents, with some reverting to paper transactions.

“We are 100 percent down when it comes to billing right now,” said Phil Seubring, legal director at Forensic Fluids, a Kalamazoo, Michigan lab that does drug testing for doctors’ offices.

“I’m not getting paid,” said Jenna Wolfson, a Felton, California-based clinical social worker who provides therapy to about 30 clients a week. She said she had about $4,000 in claims in limbo. “This could be catastrophic for me and other small business mental health practitioners.” Read more

Feb. 23, 2024: Fraud and Cybersecurity Articles

AT&T Outage Impacting U.S. Customers Prompts Investigation into Possible Cyberattack

Courtesy of Max Zahn & Jon Haworth, ABC News

AT&T says their network is now 75% restored.

A network disruption is affecting AT&T customers in the U.S. Thursday, prompting federal agencies to investigate whether the outage was caused by a cyberattack. In a statement to ABC News, the company confirmed the outage and advised customers to make calls over Wi-Fi.

“Some of our customers are experiencing wireless service interruptions this morning. We are working urgently to restore service to them. We encourage the use of Wi-Fi calling until service is restored,” an AT&T spokesperson said. Later Thursday morning, AT&T issued an update saying 75% of its network had been restored.

“Some of our customers are experiencing wireless service interruptions this morning. Our network teams took immediate action and so far three-quarters of our network has been restored. We are working as quickly as possible to restore service to remaining customers,” the company said. Two sources briefed on the situation told ABC News that the FBI and Department of Homeland Security (DHS), among other agencies, are now urgently investigating to determine whether the AT&T outages are the result of a cyberattack or a hack, or simply some sort of technical malfunction.

As of 5:00 a.m. ET, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported, according to a confidential memo obtained by ABC News, that “the cause of the outage is unknown and there are no indications of malicious activity.” CISA is an agency within DHS tasked with monitoring cyber threats.

Several police departments and municipalities have warned local residents of what they’ve described as a nationwide outage. In turn, officials have urged callers to contact emergency services by alternative means.

“There is a nationwide AT&T outage that is preventing wireless customers from making and receiving any phone calls (including to 9-1-1),” the Charlotte-Mecklenburg Police Department, which serves the Charlotte, North Carolina area, said in a post on X. The county government in Fairfax, Virginia released a similar warning. Read more

Think You Know What the Top Scam Of 2023 Was? Take a Guess

A scammy snapshot of 2023Courtesy of Larissa Bungo, Federal Trade Commission

Every day people report to the FTC the scams they spot. Every year, the FTC shares the information we collect in a data book which tells a story about the top scams people tell us about – so we can all spot and avoid them.

The Data Book tells us that people lost $10 billion to scams in 2023. That’s $1 billion more than 2022 and the highest ever in reported losses to the FTC – even though the number of reports (2.6 million) was about the same as last year. One in four people reported losing money to scams, with a median loss of $500 per person. And email was the #1 contact method for scammers this year, especially when scammers pretended to be a business or government agency to steal money.

Here are other takeaways for 2023:

  • Imposter scams. Imposter scams remained the top fraud category, with reported losses of $2.7 billion. These scams include people pretending to be your bank’s fraud department, the government, a relative in distress, a well-known business, or a technical support expert.
  • Investment scams. While investment-related scams were the fourth most-reported fraud category, losses in this category grew. People reported median losses of $7.7K – up from $5K in 2022.
  • Social media scams. Scams starting on social media accounted for the highest total losses at $1.4 billion – an increase of 250 million from 2022. But scams that started by a phone call caused the highest per-person loss ($1,480 average loss).
  • Payment methods. How did scammers prefer that people pay? With bank transfers and payments, which accounted for the highest losses ($1.86 billion). Cryptocurrency is a close second ($1.41 billion reported in losses).
  • Losses by age. Of people who reported their age, younger adults (20-29) reported losing money more often than older adults (70+). However, when older adults lost money, they lost the most.

Check out the graphic for the top scams of 2023. Read the 2023 Data Book for more details and to learn what happened in your state.

South Dakota Regulator Requires BSA/AML Compliance for Money Lender Licensees and Non-Residential Mortgage Lenders

Courtesy of John D. Socknat & Kaley Schafer, Ballard Spahr, Money Laundering News

The South Dakota Division of Banking (the “Division”) issued a Memorandum notifying all licensed South Dakota money lenders and non-residential mortgage lenders that the Division has taken the position that they are subject to the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) obligations imposed by a 2020 Final Rule published by the Financial Crimes Enforcement Network (“FinCEN”) regarding banks lacking a federal functional regulator (“Final Rule”). The Final Rule became effective in 2020, and the Memorandum requires licensees to comply by March 31, 2024.  No other state has taken this same position, and the Final Rule itself stated that it applied to approximately 567 banks.

Accordingly, all money lender and non-residential mortgage lender licensees covered by the Memorandum must develop a BSA/AML compliance program that aligns with the Memorandum’s requirements, which are equivalent to that of a “bank” under FinCEN’s regulations. The compliance program must include a risk assessment, ongoing transaction monitoring, and filing of Suspicious Activity Reports (“SARs”) and Currency Transaction Reports (“CTRs”), among other requirements. In addition, licensees must register with FinCEN for BSA e-filing.

The statutory BSA/AML framework has always applied to “financial institutions.” The statutory definition is broad and includes entities such as banks, trust companies, pawnbrokers, and casinos. 31 U.S.C. § 3512(a)(2).

Over time, FinCEN has promulgated regulations to bring certain financial institutions under the scope of the regulations as well as set certain limited exemptions. For example, pawnbrokers are included in the statutory definition of a financial institution but are exempt (for now) from having a BSA/AML compliance program. Likewise, the statutory term “financial institution” includes loan or finance companies, which FinCEN has interpreted to date to apply to only non-bank residential mortgage loan originators. 31 C.F.R. § 1010.100(lll)(1).

The Memorandum states that FinCEN’s 2020 Final Rule applies to South Dakota licensees as “non-bank financial institutions.”

FinCEN’s Final Rule
FinCEN’s Final Rule closed a regulatory gap and extended certain BSA/AML requirements to “banks” lacking a federal functional regulator. We previously blogged on the final rule here. Read more

Cyber Insights 2024: Ransomware

Courtesy of Kevin Townsend, SecurityWeek

Ransomware Insights and Trends | 2024

Ransomware is a species of the genus Extortion. Extortion has always been a favored method of gaining funds, and always will be. Today it is probably more prevalent in the cyber world than in the physical world.

We can learn from its history. It has always existed at the national level (Danegeld), at the gang level (protection rackets) and at the personal level (bullying). This practice is now part of the cyber world, and it still involves nation states, criminal gangs, and individual hackers. Extortion will never go away, only the methods will change. Criminals will fine-tune existing profitable methods for greater profit or adapt them to accommodate new conditions.

The same applies to cyber ransomware, which is fundamentally the theft of victim data through either encryption or exfiltration, or both. The encrypted and/or stolen data is the lever for cyber extortion.

Ransomware is sufficiently effective and profitable to continue and increase. But it will be fine-tuned to expand the profit element, and new methods of extortion will be explored. Already, some companies are using the more general term of Cy-X (cyber extortion) to cover the developing range of threats that have coalesced around the term ransomware. Extortion is the threat; ransomware is just one (albeit currently the primary) method.

“Gangs will continue to up the ante and apply greater pressure on victims – this includes more actions along the lines of ‘information operations’ – more public shaming on social media and open websites, contacting executives, employees, and customers directly to pressure payments, threats of violence – including family members,” warns Keith Mularski, MD at EY Consulting Cybersecurity.

Matt Waxman, SVP and GM for data protection at Veritas Technologies has one specific example of the potential continued evolution of ransomware extortion. “In 2024, we expect hackers to turn to targeted cell-level data corruption attacks—code secretly implanted deep within a victim’s database that lies in wait to covertly alter or corrupt specific but undisclosed data if the target refuses to pay a ransom.” Read more 

Feb. 8, 2024: Fraud and Cybersecurity Articles

The Next Generation of Identity Theft Is Here: ‘Identity Hijacking’

Courtesy of Ian Krietzberg, The Street

Scammers last week used deepfake technology to steal $25 million from a multinational Hong Kong firm.

Deepfake technology — a synthetic representation of a person’s likeness — is not new technology. Think Mark Hamill’s de-aged return as a young Luke Skywalker in an episode of ‘The Mandalorian’ in 2019. Artificial intelligence is likewise nothing new. But when it launched at the end of 2022, ChatGPT made AI technology cheaply accessible to the masses, simultaneously setting off a race between nearly all of the mega-cap tech corporations (and a bunch of startups, too) to ship more powerful models.

The risks and active threats incited by this recent proliferation of AI have been called out by certain experts for months: enhanced socioeconomic inequity, economic disruption, algorithmic discrimination, misinformation, disinformation, political instability and a whole new era of fraud.

The past year has seen mounting cases — in a variety of formats — of AI-generated deepfake fraud, some that have attempted to squeeze money from unsuspecting civilianssome that have served to mock artists and some that have attempted to humiliate celebrities at scale.

Last week, scammers armed with AI-generated deepfake technology stole around $25 million from a multinational corporation in Hong Kong, according to AFP. Perhaps it would be more accurate to say that they were given the money.

A finance worker at the firm moved $25 million into designated bank accounts after talking to several senior officers, including the company’s chief financial officer, on a video conference call. No one on the call, besides the worker, was real. The worker said that, despite his initial suspicion, the people on the call both looked and sounded like colleagues he knew.

All the deepfake fraud
This comes on the heels of an incident at the end of January in which fake, sexually explicit images of Taylor Swift went viral on social media. The images were generated using  (MSFT) Microsoft’s Designer AI image generator. Read more

FinCEN Analysis Reveals $212 Billion in Identity-Related Suspicious Activity

Courtesy of Kelly A. Lenahan-Pfahlert, BallardSpahr, Money Laundering News

The Financial Crimes Enforcement Network (“FinCEN”) recently released a Financial Trend Analysis (“FTA”) focusing on identity-related suspicious activity.  The FTA was issued pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.

FinCEN examined information from Bank Secrecy Act (“BSA”) filings submitted in the 2021 calendar year.  According to FinCEN’s analysis, 1.6 million “BSA filings” – presumably, the vast majority of which constituted Suspicious Activity Reports (“SARs”) – were identity-related, representing a total of $212 billion in suspicious activity.  These filings constituted 42% of filings for that year, thereby meaning that approximately 3.8 million SARs were filed in 2021.

The descriptions and the explanations in the FTA necessarily turn on how the SAR filings chose to describe the suspicious activity at issue.  This is presumably why most of the activity falls into the vague category of “general fraud” – because, apparently, this is the particular box on the SAR form which most of the SAR filers happened to choose.  However, and we will describe, the activity in fact animating the vast majority of these SARs is some form of identity theft.

Key highlights from the analysis include:

  • In sixty-nine percent of identity-related BSA reports, attackers were found to have impersonated others.
  • General fraud is the most reported typology, with 1.2 million BSA reports totaling $149 billion in suspicious amounts. The next two most reported typologies were false records and identity theft, respectively.
  • Depository institutions account for the highest percentage of BSA reports at fifty-four percent, followed by money services businesses at twenty-one percent.
  • There is a significant number of identity-related abuses based on BSA report volumes and dollar values.

Read more

Government Hackers Targeted iPhone Owners

Courtesy of Lorenzo Franceschi-Bicchierai, TechCrunch

Government hackers last year exploited three unknown vulnerabilities in Apple’s iPhone operating system to target victims with spyware developed by a European startup, according to Google.

On Tuesday, Google’s Threat Analysis Group, the company’s team that investigates nation-backed hacking, published a report analyzing several government campaigns conducted with hacking tools developed by several spyware and exploit sellers, including Barcelona-based startup Variston.

In one of the campaigns, according to Google, government hackers took advantage of three iPhone “zero-days,” which are vulnerabilities not known to Apple at the time they were exploited. In this case, the hacking tools were developed by Variston, a surveillance and hacking technology startup whose malware has already been analyzed twice by Google (in 2022 and 2023).

Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware, and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. Google did not say who was Variston’s government customer in this case.

An Apple spokesperson did not comment to TechCrunch, asking whether the company is aware of this hacking campaign found by Google.

While Variston keeps getting attention from Google, the company has lost multiple employees over the past year, according to former staff who spoke to TechCrunch on the condition of anonymity because they were under a non-disclosure agreement.

It is not yet known who Variston sold its spyware to. According to Google, Variston collaborates “with several other organizations to develop and deliver spyware.” Read more

Google Links Over 60 Zero-Days to Commercial Spyware Vendors

Courtesy of Eduard Kovacs, Security Week

More than 60 of the Adobe, Google, Android, Microsoft, Mozilla and Apple zero-days that have come to light since 2016 attributed to spyware vendors.

More than 60 of the Apple, Adobe, Google, Microsoft, and Mozilla product zero-day vulnerabilities that have come to light since 2016 have been attributed to commercial spyware vendors, Google said in a new report published on Tuesday.

The tech giant’s report provides insights into the operations of companies that help governments install spyware on devices. While these commercial spyware vendors claim that their products and services are only used for lawful surveillance, typically for law enforcement purposes, numerous investigations have shown that oppressive regimes are using them to target political opponents, journalists, dissidents, and human rights defenders.

Commercial spyware vendors are prepared to pay millions of dollars for exploits that can give them full control of devices, particularly phones running Android and iOS, but these companies can also earn millions from a single customer. In addition to the spyware itself, the customer is provided the initial delivery mechanism and required exploits, command and control infrastructure, as well as tools for organizing data stolen from compromised devices.

Google’s Threat Analysis Group (TAG) currently tracks roughly 40 commercial spyware vendors that develop and sell exploits and malware to governments. In its latest report, Google names 11 of these vendors, including Candiru, Cy4Gate, DSIRF, Intellexa, Negg, NSO Group, PARS Defense, QuaDream, RCS Lab, Variston, and Wintego Systems.

The company attributes more than 60 unique Android, Chrome, iOS/macOS, WhatsApp, and Firefox zero-day vulnerabilities discovered since 2016 to these companies. This list does not include the known (n-day) security flaws that spyware vendors have been observed exploiting.  Read more

Feb. 2, 2024: Fraud and Cybersecurity Articles

Former Credit Union BSA Compliance Officer Pleads Guilty to AML Charge

Courtesy of Peter Strozniak, Credit Union Times

After his plea, FinCEN slaps a $100,000 civil money penalty and a five-year ban against Gyanendra Asre. On Wednesday morning, Gyanendra Asre, 56, of Greenwich, Conn., pleaded guilty in a federal courtroom to running a failed anti-money laundering program at a New York credit union.

By Wednesday afternoon, the Financial Crimes Enforcement Network (FinCEN) slapped a $100,000 civil money penalty against Asre, saying his willful violations of the Bank Secrecy Act (BSA) led to the collapse of the $1.8 million New York State Employees Federal Credit Union (NYSEFCU) that served 1,183 members for more than eight decades. But in just two years, Asre transformed “NYSEFCU from a one branch, not-for-profit credit union with a single common bond field of membership serving New York State employees to a conduit for repatriating bulk cash and checks from Mexico, through MSBs that Asre controlled, without any requisite AML oversight of the underlying transactions,” according to FinCEN’s 26-page consent order.

The total unreported suspicious transactions volume associated with Asre’s scheme that should have been reported in suspicious activity reports was more than $940 million, FinCEN said. What’s more, because Asre was a former NYSEFCU member of its supervisory committee and became the credit union’s BSA compliance officer, FinCEN’s consent order said it is fair to say that at least some management of the credit union and a check-clearing company under Asre’s control were complicit in a cash and check financial repatriation scheme using Mexican banks.

FinCEN’s consent order also bans the former credit union member from participating in the affairs of any federally insured financial institution subject to the BSA for five years.

Asre had decades of experience at complex financial institutions and was a manager of an armored car company, IBI. He approached NYSEFCU in early 2014 and made a pitch to the board of directors to join the credit union’s supervisory committee because he possessed extensive hands-on expertise in know your client due diligence, documentation, transaction monitoring and AML risk management, including proficiency in Anti Money Laundering and the Bank Secrecy Act. Read more

Outsmarting Ransomware’s New Playbook

Courtesy of Rik Ferguson, Security Week

The cybersecurity landscape of 2024 presents an evolving challenge for professionals, particularly in the realm of ransomware. The emerging threats demand not only a strategic realignment in defense mechanisms but also an understanding of the legal implications of these cyberattacks.

Ransomware operations continue to transform, beginning to move away from traditional encryption-based “denial of access” to a focus on the less complex approach of data theft and extortion, or “denial of confidentiality”. The rationale is straightforward: why bother with the complexities of key management, coding cryptographic modules, and avoiding decryption efforts by security experts and public/private initiatives such as nomoreransom.org when you can simply steal the data and demand a ransom to avoid publication? A “data out and cash out” approach negates the challenges of traditional ransomware operations and eliminates the Get Out of Jail Free card of recovery from backups, making data theft and extortion both more efficient and more appealing for cybercriminals.

Indeed, in 2023, even long-standing ransomware threat actor Cl0p made use of zero-day vulnerabilities in both MOVEit and GoAnywhere file transfer software to simply exfiltrate data, eschewing their prior modus operandi of data encryption. BlackCat/ALPHV conducted a “smash and grab” attack against Western Digital demanding a ransom for 10TB of stolen data and took the unusual step of reporting another of their victims, MeridianLink, to the SEC for a failure to disclose data theft. In both these cases, no encryption was deployed.  This trend may suggest a continuing interest in zero-day vulnerabilities that expose access to data and services, and there is little doubt that significant lessons will have already been learned in the cybercrime world, regarding the effective monetization of vast quantities of data and victims.

In this new landscape, ironically, encryption emerges as a key defense (of course, in conjunction with those mature backup and recovery procedures). By ensuring that all sensitive data is effectively encrypted, organizations render any exfiltrated data useless to the attackers. Such an approach requires comprehensive encryption of sensitive data at rest, in transit, and during processing. Additionally, regular updates and audits of encryption standards are crucial to stay ahead of potential vulnerabilities. Read more

Paving the Way to Cyber Resiliency

Courtesy of Charlie Thomas, Solutions Review

Is cybersecurity working?
The straight answer? Partially. It’s definitely helping, but it could be much better. The Splunk 2023 CISO Report released in October states that 96 percent of respondents experienced a ransomware attack, and 83 percent paid the attackers. I’m not an alarmist, but these numbers certainly grab your attention.

Having led a managed security provider for the last six years, providing cyber protection for hundreds of major enterprises across many industries, including finance, healthcare, manufacturing, retail, services, infrastructure, hospitality, and others, we have seen many approaches, including many successes and some shortcomings.

MDR: Paving the Way to Cyber Resiliency

Minding the Gaps: I continue to see gaps in the fundamentals of successful cybersecurity programs. These gaps include updating firewall configurations, auditing policies regularly, applying policies such as deep packet inspection, or updating firmware and system policies on edge devices.

As an industry, we’re good at protecting against older attack vectors, the known knowns. Still, as we advance and increasingly migrate to the cloud, where day-to-day maintenance is off-loaded to third parties, the industry is no longer as diligent about remaining legacy elements of its environment.

Here are some questions to consider with your existing cyber tools:

  • Have you deployed the latest agent version available on your endpoint detection?
  • Perhaps you intentionally delay installing the latest software version because you don’t want your business to be a beta customer. Understood. But how many revisions are you behind? Is this n-2 applicable across all of your agents for that endpoint?
  • Same questions on your firewall – when did you last audit your existing firewall policies and active rules or cloud compliance policies?
  • Do you have any vulnerability scanning gaps? Authentication issues for authenticated scans? Connectivity issues with network scans? Scanning external assets that aren’t part of your environment?

None of these are the interesting or innovative areas of cybersecurity, but in the same way we develop tech debt in the coding world, we also develop security debt.  As an industry, we look to cyber tools to solve the next big thing that drops. For example, generative AI and hyperautomation are changing how cybersecurity is managed and coordinated. However, these exciting new technologies cannot solve every issue, including the security tech debt mentioned above. Read more

The Basel AML Index: Forfeiture, Non-Profits, Crypto, and More

Courtesy of Peter D. Hardy, MoneyLaunderingNews

Forfeiting illicit assets is key to ensuring that justice is done and that stolen money is returned to victims. That includes citizens of states suffering the effects of widescale corruption and organized crime. Asset forfeiture is also key to preventing crime – the idea is that it deters wrongdoers and prevents illicit funds from being reinvested in illegal activities.

A failure to forfeit illicitly obtained assets undermines the fundamental principles of democracy, too. Citizens rightly ask: where is the rule of law if people get to keep what they steal?

Different countries obviously have different capacities to go after illicit assets. The U.S. is a high-capacity jurisdiction, for example, with strong laws enabling both criminal and civil forfeiture. The Department of the Treasury Forfeiture Fund recorded “total gross non-exchange revenues of $1.150 billion” in 2022, according to its Accountability Report. In 2023 it announced blockbuster forfeitures in the millions and even billions of dollars for cryptocurrencies, in cases ranging from relationship scams and narcotics trafficking to the hack of crypto exchange Bitfinex and the Silk Road dark web marketplace.

Many other countries are also equipped with strong asset forfeiture laws. Data from FATF evaluations shows that most jurisdictions have sufficient legal instruments to confiscate illicit assets. Globally, the average score for technical compliance with Recommendation 4 (the FATF’s standard on confiscation or forfeiture) is 76 percent. This is well above the average of 65 percent across all 40 Recommendations. No jurisdictions are assessed as non-compliant.

The main problem lies with the effectiveness of asset forfeiture in practice. The average global effectiveness in terms of the FATF’s Immediate Outcome 8 (measuring the effectiveness of a jurisdiction’s forfeiture measures) is just 28 percent. The score has not changed since last year.

If you were a factory owner with a process that was just 28 percent effective in producing a good, you would take urgent steps to sort it out. Read more

Jan. 26, 2024: Fraud and Cybersecurity Articles

“The Mother of All Breaches”: 26 Billion Records Found Online

Courtesy of Pieter Arntz, MalwareBites

Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.

However, the dataset doesn’t seem to be from one single data breach, but more a compilation of multiple breaches. These sets are often created by data enrichment companies. Data enrichment is the process of combining first party data from internal sources with disparate data from other internal systems or third party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.

The researchers stated:
“While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”

In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale. Trello is used by many organizations, so it understandably raised some concerns.

Atlassian, the company that runs Trello, however denies there has been a breach. It seems as if someone has used a large collection of email addresses and tested it against Trello. This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?

A definition of a breach that makes sense to me is this one:

“A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”

So you might say that exposing of billions of records was a breach because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny. Read more

Regtech ComplyAdvantage Releases Financial Crime Report, Examining Fraud, Money Laundering, Illicit Activities

Courtesy of Omar Faridi, CrowdFund Insider

ComplyAdvantage has launched its annual report into fraud, money laundering, and financial crime: The State of Financial Crime 2024. The latest research report identifies “the criminal use of artificial intelligence (AI) as an emerging fraud challenge while revealing that most financial institutions are investing in technology to combat this growing threat. However, a majority of consumers remain uncomfortable with AI, even when it is being used to protect them.”

AI: Fighting the emerging threat
Two-thirds (66%) of financial industry respondents think “the use of AI by fraudsters and other criminals poses a growing cybersecurity threat. Risks include deepfakes, sophisticated cyber hacks, and the use of generative AI to create malware.”

Banks and other financial institutions are “increasing their defenses against these threats, with 86% of respondents saying their company is investing in new technologies.” However, only 53% of financial industry respondents said “they prioritize explaining their use of AI to their customers.”

Ongoing problem of payment fraud with millennials hardest hit
One example of growing criminal sophistication highlighted “in the survey is payment fraud. With digital payments continuing to experience double-digit growth year on year, criminals are using new technologies to commit fraud on a mass scale.”

60% of industry executives surveyed say that payment fraud “has remained at the same high levels over the last 12 months, with 8% reporting an increase.” Nine out of ten consumers surveyed (89%) expressed anxiety “about being a possible victim of fraud.” 1 in 4 consumers (23%) report being “the victim of fraud in the last three years, with millennials (age 27-42) the hardest hit at 31%.” Read more

Podcast: What Has Been the Fallout of the SolarWinds Cyber Attack?

Courtesy of Stephanie Pell, Shoba Pillay, Jennifer Lee& Jen Patja, Lawfare

The fallout from the SolarWinds intrusion took a new turn with the U.S. Security and Exchange Commission’s (SEC) decision to file a cybersecurity-related enforcement action against the SolarWinds corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, on October 30 of last year. To talk about the details and significance of this enforcement action, Lawfare Senior Editor Stephanie Pell sat down with Shoba Pillay, a partner at Jenner & Block and a former federal prosecutor, and Jennifer Lee, also a partner at Jenner & Block and a former Assistant Director in the SEC’s Division of Enforcement. They discussed the cybersecurity and national security implications of the SolarWinds hack, what the SolarWinds enforcement action suggests about the SEC’s expectations for disclosure obligations of companies, and whether the SEC or another agency is best suited to determine whether and how SolarWinds should be held accountable.  They also discussed larger takeaways and messages sent by the SEC’s decision to charge a CISO in this case.

Top U.S. Cybersecurity Watchdog Issues Emergency Directive to Federal Agencies About Popular Software

Courtesy of Kevin Collier, NBC News

The directive ordered agencies to patch the software that allows for remote work.

The top U.S. cyber watchdog agency issued an emergency directive Friday, mandating that all federal agencies protect themselves against a dangerous vulnerability in a popular software program. The watchdog said it is conducting investigations into whether China had used the program to spy on the agencies.

The program used by the agencies is called Ivanti Connect Secure, which allows employees to remotely connect to work. A devastating vulnerability in the program, first discovered in December by the cybersecurity company Volexity, can grant hackers significant access to the businesses or government agencies that use it and allows for the creation of additional back doors to return later.

As news of the vulnerability has become widespread, at least 1,700 known organizations around the world have been hacked with it, Volexity has found.

In a press call with reporters late Friday afternoon, Eric Goldstein, the executive assistant director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that hackers have learned about the vulnerability and increasingly have tried to hack companies and government agencies that use Connect Secure.

“We have observed additional targeting of federal agencies as part of the broader opportunity campaign at this point. Each of those instances are under investigation by CISA and the relevant agency,” Goldstein said.

Someone tried to use the Ivanti flaw to try to hack some federal agencies, Goldstein said, though it wasn’t yet clear if any had been successful. Around 15 agencies use the software, he said. Read more

Jan. 19, 2024: Cybersecurity Articles

The FTC’s Unprecedented Move Against Data Brokers, Explained

Courtesy of Tate Ryan-Mosley, MIT Technology Review

We’re only a few weeks into 2024, and violations of people’s privacy are already making some big headlines! First we had the continued drama with the 23andMe data breach; then a major financial software company was shut down for inappropriately using private information; and then this week, the FTC took an unprecedented step and banned a data broker from selling people’s location data.

It’s a major move that could signal some more aggressive action from policymakers to curb the corrosive effects that data brokers have on personal privacy.

If you’re not familiar with data brokers, they make up a massive and growing industry that collects, buys, and analyzes personal data and sells it to other companies or groups, which use that information to target messages and advertisements or sell products. I wrote about the sector a few months ago, after researchers found brokers selling data about US military personnel and their families with little discretion and for mere pennies. The researchers told me they were “shocked” at how easy it was to buy sensitive data about military members.

These companies, though, are often cloaked in extreme secrecy, and given that it’s a pretty new industry, they aren’t bound by a ton of regulations. It’s been really interesting to see how lawmakers and other government actors have responded to them over the past several years.

Notably, these firms have been under particular scrutiny since the Supreme Court eliminated the legal right to abortion in 2022. After the Dobbs decision, a lot of Democrats in particular were concerned that data brokers would track and sell data about visits to sensitive locations, like a doctor’s office or abortion clinic. And in July 2022, President Joe Biden issued an executive order directing federal agencies to increase privacy protections related to reproductive care.

So on Tuesday, the FTC announced that it was banning Outlogic, formerly X-Mode Social, from sharing and selling users’ sensitive information—particularly, precise location data that tracked people’s visits to places like medical clinics—and required that it delete all the previous location data it collected. Read more

CISA: Critical Microsoft SharePoint Bug Now Actively Exploited

Courtesy of Sergiu Gatlan, BleepingComputer

CISA warns that attackers are now exploiting a critical Microsoft SharePoint privilege escalation vulnerability that can be chained with another critical bug for remote code execution. Tracked as CVE-2023-29357, the security flaw enables remote attackers to get admin privileges on unpatched servers by circumventing authentication using spoofed JWT auth tokens.

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft explains. “An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action.”

Remote attackers can also execute arbitrary code on compromised SharePoint servers via command injection when chaining this flaw with the CVE-2023-24955 SharePoint Server remote code execution vulnerability. This Microsoft SharePoint Server exploit chain was successfully demoed by STAR Labs researcher Jang (Nguyễn Tiến Giang) during last year’s March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.

The researcher published a technical analysis on September 25 describing the exploitation process in detail. Just one day later, a security researcher also released a CVE-2023-29357 proof-of-concept exploit on GitHub. Even though the exploit does not grant remote code execution on targeted systems, since it’s not a complete exploit for the chain demoed at Pwn2Own, its author said attackers could chain it with the CVE-2023-24955 bug themselves for RCE.

“The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes,” the PoC exploit’s developer says. “However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.” Read more

How To Improve Cyber Resilience Across Your Workforce

Courtesy of Nicholas Fearn, Financial Times

A security-focused company culture and clear protocols for staff can help reduce attacks. Cyber attacks are increasing both in number and complexity, yet many businesses are still failing to provide adequate cyber security training for their employees. Although British companies experienced 2.39 million cyber attacks over the past year, only 18 percent of them provided cyber security training to their staff, according to the UK government’s 2023 Cyber Security Breaches Survey.

Such a lack of security training often means staff are unequipped to deal with existing — and emerging — cyber threats. A study by the UK’s Chartered Management Institute found that just one in 10 managers understood security basics, such as setting strong passwords and spotting malicious emails.

This knowledge gap persists despite humans playing a role in 74 percent of cybersecurity breaches — according to the Verizon 2023 Data Breach Investigations Report — for example, by clicking on malicious hyperlinks or opening documents in phishing emails.

Businesses must therefore view cyber security hygiene as a “top priority” and develop a “cyber-conscious company culture”, says Tris Morgan, managing director of security at UK telecoms group BT. He says companies should provide their staff with regular online safety training and empower them to make better decisions regarding cyber security risks.

As part of the process, they should promote transparency, so that staff “openly discuss safety concerns and report these”, while not “apportioning blame to employees if they fall foul and celebrating when they do spot a cyberthreat”. He says companies can complement their cyber security training programs with additional protections such as password discipline, secure corporate WiFi, antivirus and anti-malware software, and virtual private networks.

“Well over half of businesses (61 percent) in the UK find it challenging to keep up with cyber security measures,” Morgan adds. “However, by establishing a cyber-focused company culture and a solid foundation of security protocols for staff, businesses can boost cyber resilience for the year ahead.” Read more

Final CTA Access Rule Answers Some Questions and Leaves Open Others

Courtesy of Peter D. Hardy & Siana Danch, BallardSpahr

The beneficial ownership information (“BOI”) registry under the Corporate Transparency Act (“CTA”) is now up and running at the Financial Crimes Enforcement Network (“FinCEN”).  This post will follow up on a previous blog regarding the recently-published CTA BOI access regulations (the “Access Rule”).  As we will discuss, the Access Rule leaves open many important questions for financial institutions (“FIs”) covered by the CTA as they await further proposed regulations from FinCEN regarding the alignment of the CTA with the Customer Due Diligence (“CDD”) Rule.

The full federal register publication for the Access Rule is here.  It is 82 pages long.  We therefore have created this separate 13-page document, which is slightly more user-friendly, setting forth only the actual regulations (now published at 31 C.F.R. § 1010.955).

The Basics: The Access Rule allows disclosure of BOI by FinCEN for five groups of audiences for specific purposes:

  • Disclosure to federal agencies for use in furtherance of national security, intelligence, or law enforcement activity;
  • Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations;
  • Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity;
  • Disclosure to FIs subject to the CDD Rule and their federal regulators to facilitate compliance with CDD Rule requirements; and
  • Disclosure to officers or employees of the Department of the Treasury, including for the purposes of tax administration.  Read more

Jan. 12, 2024: Cybersecurity Articles

There is a Ransomware Armageddon Coming for Us All

Courtesy of The Hacker News

The least surprising headline from 2023 is that ransomware again set new records for a number of incidents and the damage inflicted. We saw new headlines every week, which included a who’s-who of big-name organizations. If MGM, Johnson Controls, Chlorox, Hanes Brands, Caesars Palace, and so many others cannot stop the attacks, how will anyone else?

Phishing-driven ransomware is the cyber threat that looms larger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are the result of phishing attacks and monetary losses that exceed $10 billion in total. A report from Splunk revealed that 96 percent of companies fell victim to at least one phishing attack in the last 12 months and 83 percent suffered two or more.

Those of us in the cybersecurity segment have seen incredible advances in defenses in the past 20 years. The one thing that has not advanced is humans. Users in every organization and not much more advanced at stopping cyber-attacks than they were two decades ago. This is why phishing is so effective for cybercriminals – because it exploits human weaknesses, not technology. That leaves legacy MFA as the most critical defense mechanism. And guess what, most companies are using legacy MFA technology that is also 20 years old.

Here is why things are about to get much worse. With the rise of Generative Artificial Intelligence (GenAI), cybercriminals are able to take phishing to an entirely new level where every attack can become nearly impossible for users to identify, and attackers will now be able to do this with little effort. Read on to find out why, and what you can do about it.

What Does GenAI Have to Do with Phishing?

Phishing uses deceptive communications – emails, text messages, and voice messages- to trick users into revealing sensitive information, including login credentials, passwords, one-time passwords, personal information, and clicking on phony approval messages.

Cybercriminal gangs are learning to harness the incredible power of GenAI tools like fraud-versions of ChatGPT to create more persuasive, convincing, and realistic phishing messages. This highly personalized and context-aware text is practically indiscernible from normal human communication. And this makes it extremely challenging for recipients to tell the difference between genuine and fake messages. LLMs also allow almost anyone, not just the hacking pros, to launch phishing attacks. Read more

VIDEO: Cybersecurity Expert Says Advancements in AI Will Increase Cyber Threats in 2024

Courtesy of CBS News

 Cybersecurity expert says advancements in AI will increase cyber threats in 2024

Artificial intelligence is giving cyber criminals another weapon, says CrowdStrike chief security officer Shawn Henry. As AI becomes more accessible, it is enabling individuals with limited coding skills to engage in hacking activities. He discusses how this evolving landscape of AI may affect cyber threats against the U.S. in 2024 and beyond.

Law Firm That Handles Data Breaches Was Hit by Data Breach

Courtesy of Zack Whittaker, TechCrunch

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.

San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.

Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected.

In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.

Orrick said that the breach of its systems involved its clients’ data, including individuals who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental of California, a healthcare insurance network giant that provides dental coverage to about 45 million individuals. Orrick also said it notified health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon) and the U.S. Small Business Administration that their data was also compromised in Orrick’s data breach. Read more

12 Best Cybersecurity Podcasts as Recommended by The Professionals

Courtesy of Linda Rosencrance, CSO Online

In the ever-evolving world of cybersecurity, it’s important for CISOs and other security leaders to stay up to date – cybersecurity podcasts are a great way to stay informed.

Cybersecurity podcasts can provide valuable insights into the current state of the industry as well as provide tips and best practices that CISOs can incorporate into their own security strategies. Additionally, they can be a great way for security leaders to stay connected to their peers and understand the challenges they’re facing.

Here are 12 of the best cybersecurity podcasts to listen to as recommended by CISOs/security leaders:

  • Troy Hunt’s Weekly Update
    In his podcast, host Troy Hunt takes a look at the latest security news and trends from around the world.
  • Risky.Biz
    Co-hosted by founder Patrick Gray and Adam Boileau, Risky.Biz is a weekly information security podcast that features news as well as comprehensive interviews with industry luminaries.
  • Darknet Diaries
    Created by Jack Rhysider, Darknet Diaries is a “podcast about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all the things that dwell on the hidden parts of the network.”
  • CISO Series
    In the CISO Series podcast, hosts cybersecurity journalist David Spark and veteran CISOs Mike Johnson and Andy Ellis talk about various aspects of cybersecurity leadership.
  • SANS Internet Storm Center
    Published every weekday, the Internet Storm Center podcast offers a brief summary of current network security-related events to get listeners ready for the day.
  • Redefining CyberSecurity
    Hosted by Sean Martin, Redefining CyberSecurity brings together executives, lines of business owners, and practitioners to discuss the importance of their information security investments. Read more

Jan. 5, 2024: Fraud and Cybersecurity Articles

Money Laundering Watch: 2023 Year in Review

Courtesy of Peter D. Hardy, Celia Cohen, Terence M. Grugan, Beth Moskow-Schnoll, Michael Robotti, Ronald K. Vaske, Siana Danch, Brian N. Kearney, Kelly A. Lenahan-Pfahlert, Alexa L. Levy, Shauna Pierson & Kaley Schafer, MoneyLaunderingNews/BallardSpahr

Farewell to 2023, and welcome 2024.  As we do every year, let’s look back.
We highlight 10 of our most-read blog posts from 2023, which address many of the key issues we’ve examined during the past year: criminal money laundering enforcement; compliance risks with third-party fintech relationships; the scope of authority of bank regulators; sanctions evasion — particularly sanctions involving Russia; cryptocurrency and digital assets; AML enforcement by the SEC; and BSA/AML compliance and its tension with de-risking.

We move on to 2024.  It will be another critical year, as the Corporate Transparency Act (“CTA”) is now in effect — with regulations pertaining to the alignment of the CTA and the Customer Due Diligence Rule still to come.  FinCEN also is expected to issue proposed regulations for the real estate industry, AML whistleblowing, and, potentially, investment advisors.  Criminal and regulatory enforcement relating to digital assets and fintech and third-party relationships will continue.  We look forward to keeping you informed throughout 2024 on these and other developments.

We also want to thank our many readers around the world who continue to make this blog such a success. The feedback we receive from financial industry professionals, compliance officers, in-house and external lawyers, BSA/AML consultants, government personnel, journalists, and others interested in this field is invaluable, and we hope you will continue to share your perspectives with us.  We pride ourselves on providing in-depth discussions of the important developments in this ever-evolving area. Read more

Here We Go Again: 2023’s Badly Handled Data Breaches

Courtesy of Carly Page, TechCrunch

Last year, we compiled a list of 2022’s most poorly handled data breaches, looking back at the bad behavior of corporate giants when faced with hacks and breaches. That included everything from downplaying the real-world impact of spills of personal information to failing to answer basic questions.

Turns out this year, many organizations continue to make the same mistakes. Here’s this year’s dossier on how not to respond to security incidents.

Electoral Commission hid details of a huge hack for a year, yet still tight-lipped
The Electoral Commission, the watchdog responsible for overseeing elections in the United Kingdom, confirmed in August that it had been targeted by “hostile actors” that accessed the personal details — including full names, email addresses, home addresses, phone numbers and any personal images sent to the Commission — on as many as 40 million U.K. voters.

While it may sound like the Electoral Commission was upfront about the cyberattack and its impact, the incident occurred in August 2021 — some two years ago — when hackers first gained access to the Commission’s systems. It took another year for the Commission to catch the hackers in the act. The BBC reported the following month that the watchdog had failed a basic cybersecurity test around the same time hackers gained entry to the organization. It has not yet been revealed who carried out the intrusion — or if it is known — and how the Commission was breached.

Samsung won’t say how many customers hit by year-long data breach
Samsung has once again made it onto our badly handled breaches list. The electronics giant once again took its typical tight-lipped approach when faced with questions about a year-long breach of its systems that gave hackers access to the personal data of its U.K.-based customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business application to access the unspecified personal information of customers who made purchases at its U.K. store between July 2019 and June 2020.

In the letter, Samsung admitted that it didn’t discover the compromise until more than three years later in November 2023. When asked by TechCrunch, the tech giant refused to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems. Read more

Formal Ban on Ransomware Payments? Asking Orgs Nicely to Not Cough Up Ain’t Working

Courtesy of Jessica Lyons Hardcastle, The Register

Emsisoft has called for a complete ban on ransom payments following another record-breaking year of digital extortion. Ransomware gangs breached the IT networks of at least 2,207 US hospitals, schools, and government organizations in addition to “thousands” of private-sector businesses last year, the security shop said on Tuesday. On average, these attacks cost targets about $1.5 million to rectify.

“In 2023, the US was once again battered by a barrage of financially motivated ransomware attacks that denied Americans access to critical services, compromised their personal information, and probably killed some of them,” the New Zealand-based infosec firm noted.

This included 46 American hospital systems, 108 K-12 school districts, 72 colleges and universities, and 95 government bodies. For comparison: 2022 saw 25 attacks against hospitals, 45 against K-12 schools, 44 targeting post-secondary education, and 106 against government organizations.

The only reason that US government saw a year-over-year decline is because 2022 numbers included 55 local governments in Arkansas affected by a single intrusion into the agencies’ shared IT services provider.  If it weren’t for this one digital break-in, the number of 2023 incidents would have seen more than a 50 percent increase compared to 2022 ransomware infections.

There’s also the high-profile private-sector entities that fell victim to extortionists last year – including BoeingMGM Resorts, Caesars Entertainment, and Dish Network. Now that it’s mandatory for listed companies to disclose ransomware attacks, per the US Securities and Exchange Commission’s rules that took effect at the end of last year, we’d expect the number of reported infections to increase in 2024.

We should also note that Emsisoft does not include the MOVEit attacks, during which ransomware gang Clop exploited a zero-day to steal a ton of data from more than 2,600 public- and private-sector victims via the popular file-transfer software, in its 2023 numbers.

This is because no data was encrypted and not every organization received a ransomware demand. Still, this breach cost upwards of $15 billion in clean-up fees. The only solution to this problem, according to Emsisoft, is to ban ransom payments completely.

“Ransomware is estimated to have killed about one American per month between 2016 and 2021, and it likely continues to do so,” the report observes, citing the University of Minnesota School of Public Health’s statisticsRead more

CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

Courtesy of Bill Toulas, Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, a recently patched flaw in Google Chrome and a bug affecting an open-source Perl library for reading information in an Excel file called Spreadsheet::ParseExcel.

America’s cyber defense agency has given federal agencies until January 23 to mitigate the two security issues tracked as CVE-2023-7024 and CVE-2023-7101 according to vendor instructions or to stop using the vulnerable products.

Spreadsheet::ParseExcel RCE
The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) is CVE-2023-7101, a remote code execution vulnerability that affects versions 0.65 and older of the Spreadsheet::ParseExcel library.

“Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval.” Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic,” reads CISA’s description of the flaw.

Spreadsheet::ParseExcel is a general-purpose library that allows data import/export operations on Excel files, run analysis and automation scripts. The product also provides a compatibility layer for Excel file processing on Perl-based web apps.

One product using the open-source library is Barracuda ESG (Email Security Gateway), which has been targeted in late December by Chinese hackers who exploited the CVE-2023-7101 in Spreadsheet::ParseExcel to compromise appliances. In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy ‘SeaSpy’ and ‘Saltwater’ malware.

Barracuda applied mitigations for ESG on December 20, and a security update that addressed CVE-2023-7101 was made available on December 29, 2023, with Spreadsheet::ParseExcel version 0.66.

Google Chrome buffer overflow
The latest actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow issue in WebRTC in Google Chrome web browser. “Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution,” reads CISA’s summary of the flaw. Read more

Google Password Resets Not Enough to Stop These Info-Stealing Malware Strains

Courtesy of Connor Jones, The Register

Security researchers say info-stealing malware can still access victims’ compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as “PRISMA” in October 2023, boasting that the technique could be used to log back into a victim’s account even after the password is changed. It can also be used to generate new session tokens to regain access to victims’ emails, cloud storage, and more as necessary.

Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.

They’re called info stealers because once they’re running on some poor sap’s computer, they go to work finding sensitive information – such as remote desktop credentials, website cookies, and cryptowallets – on the local host and leaking them to remote servers run by miscreants.

Eggheads at CloudSEK say they found the root of the Google account exploit to be in the undocumented Google OAuth endpoint “MultiLogin.”

The exploit revolves around stealing victims’ session tokens. That is to say, malware first infects a person’s PC – typically via a malicious spam or a dodgy download, etc – and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Those session tokens are then exfiltrated to the malware’s operators to enter and hijack those accounts. It turns out that these tokens can still be used to login even if the user realizes they’ve been compromised and change their Google password.

Here’s an important part: It appears users who’ve had their cookies stolen should log out entirely, and thus invalidate their session tokens, to prevent exploitation. MultiLogin is responsible for synchronizing Google accounts across different services. It accepts a vector of account IDs and auth-login tokens to manage simultaneous sessions or switch between user profiles. Read more

Dec. 22, 2023: Fraud and Cybersecurity Articles

Comcast Xfinity Data Breach Affects Over 35 Million People

Courtesy of Emma Roth, The Verge

A Citrix vulnerability was exploited, leaking names, contact information, partial social security numbers, and birth dates.

Comcast is notifying Xfinity customers of a “data security incident” it says resulted in the theft of customer information, including usernames, passwords, contact information, partial social security numbers, and more. In a notice on Monday, Xfinity said “there was unauthorized access” to its systems from October 16th to October 19th, 2023.

BleepingComputer linked this breach notice published in the state of Maine, which shows the total number of people affected by the breach is 35,879,455, including over 50,000 people in Maine.

Xfinity traces the breach to a security vulnerability disclosed by cloud computing company Citrix, which began alerting customers about a flaw in software Xfinity and other companies use on October 10th. While Xfinity now says it patched the security hole, it later uncovered suspicious activity on its internal systems “that was concluded to be a result of this vulnerability.”

The report from BleepingComputer also notes Citrix released a notification of the vulnerability (now known as “Citrix Bleed”) nearly two weeks earlier, on October 10th, telling customers to patch as soon as possible, although it had not noted active exploitation of the flaw. However, by October 18th, the security researchers at Mandiant reported it was under “active” exploitation, and on October 23rd, a Citrix blog post said it was aware of targeted attacks.

The hack resulted in the theft of customer usernames and hashed passwords, according to Xfinity’s notice. Meanwhile, “some customers” may have had their names, contact information, the last four digits of their social security numbers, dates of birth, and / or secret questions and answers exposed. Xfinity has notified federal law enforcement about the incident and says the “data analysis is continuing.” Read more

Clorox, Boeing, MGM and More: Why Big Hacks Have Surged in 2023

Courtesy of Jordan Robertson and Jessica Nix, InsuranceJournal.com

Widely disruptive, large-scale hacks are surging.

After a lull in 2022, ransomware attacks on high-value targets such as big companies, banks, hospitals or government agencies, have seen a “massive uptick” this year, rising 51% through late November, according to cybersecurity firm Crowdstrike Holdings Inc. Last year, such attacks declined from the year before, the company said.

And the breaches are costing victims more money. Payments made to hackers who hold systems hostage for ransom increased by almost half through September, according to blockchain analytics firm Chainalysis Inc., totaling almost $500 million in payouts.

“Activity is at an all-time high,” said Nikesh Arora, chief executive officer of network security company Palo Alto Networks Inc. Arora singled out ransomware attacks in particular as increasing in frequency and severity during a recent call with investors. “Bad actors are doing damage in a much shorter amount of time,” he said.

In just the past few months, hackers have paralyzed shipping at some of Australia’s largest ports; wreakedhavoc on Las Vegas casinos; brought about a shortage of disinfecting wipes and garbage bags at Clorox Co.; and disrupted clearance of some Treasury market trades.

The number of victims of cyber extortion — which includes ransomware — in the first three quarters of 2023 is already 33% higher than all of last year, according to a report published last month by Orange Cyberdefense, the cybersecurity arm of French telecommunications service provider Orange SA. Most of the roughly 2,900 known new victims were concentrated in the US, the UK and Canada, with growing numbers in India, the Pacific islands and Africa, according to the report. This year has seen the highest count of victims Orange has ever recorded.  Read more

Top 7 Trends Shaping SaaS Security in 2024

Courtesy of The Hacker News

Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud.

These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data.

Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it.

Democratization of SaaS
SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, it does require organizations to rethink the way they secure data.

Security teams are being forced to develop new ways to secure company data. Lacking access and visibility into an application, they are placed in the role of advising a business unit that is using SaaS applications. To further complicate matters, every SaaS application has different settings and uses different terminology to describe security features. Security teams can’t create a one-size-fits-all guidance document because of the differences between the apps.

Security teams must find new ways to collaborate with business units. They need a tool that offers visibility and guidance for each application setting so that they – and the business unit – understand the risks and ramifications involved in the configuration choices that they make. Read more

FBI: Play Ransomware Breached 300 Victims, Including Critical Orgs

Courtesy of Sergiu Gatlan, Bleeping Computer

The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities. The warning comes as a joint advisory issued in partnership with CISA and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).

The Play ransomware operation surfaced in June 2022, after the first victims reached out for help in BleepingComputer’s forums.

In contrast to typical ransomware operations, Play ransomware affiliates opt for email communication as their negotiation channel and will not provide victims a Tor negotiations page link in ransom notes left on compromised systems.

Nevertheless, before deploying ransomware, they will steal sensitive documents from compromised systems, which they use to pressure victims into paying ransom demands under the threat of leaking the stolen data online.

The gang is also using a custom VSS Copying Tool helps steal files from shadow volume copies even when those files are in use by applications. Recent high-profile Play ransomware victims include the City of Oakland in California, car retailer giant Arnold Clark, cloud computing company Rackspace, and the Belgian city of Antwerp.

In guidance issued today by the FBI, CISA, and ASD’s ACSC, organizations are urged to prioritize addressing known vulnerabilities that have been exploited to reduce their likelihood of being used in Play ransomware attacks. Read more

Dec. 15, 2023: Fraud and Cybersecurity Articles

That QR Code You’re About to Scan Could Be Risky, F.T.C. Warns

Courtesy of Amanda Holpuch, New York Times

QR codes, the square bar codes that can be scanned and read by smartphones, are seemingly used everywhere: to board flights, enter concerts and look at restaurant menus.

But scammers trying to steal personal information have also been using QR codes to direct people to harmful websites that can harvest their data, wrote Alvaro Puig, a consumer education specialist at the Federal Trade Commission, in a blog post Wednesday on the agency’s consumer advice page. Would-be scammers hide dangerous links in the black-and-white jumble of some QR codes, the F.T.C. warned.

The people behind those schemes direct users to the harmful QR codes in deceptive ways, using tactics that include placing their own QR codes on top of legitimate codes on parking meters or sending the patterns to be scanned by text or email in ways that make them appear legitimate, the post said.

Once people have clicked those links, the scammer can steal information that is entered on the website. The QR code can also be used to install malware that steals the person’s personal information, the F.T.C. said.

The deceptive codes sent by text or email often use lies to create a sense of urgency, such as saying that a package couldn’t be delivered and it needs to be rescheduled or posing as a company and saying that there is suspicious information on a person’s account and that the user’s password needs to be changed, the F.T.C. said. “They want you to scan the QR code and open the URL without thinking about it,” the F.T.C. said.

John Fokker, head of threat intelligence at Trellix, a cybersecurity company, said in an email on Sunday that the company’s advanced research center saw more than 60,000 samples of QR code attacks in the third quarter of 2023. The most common type included postal scams, malicious file sharing, and messages impersonating human resources, information technology, and payroll departments, he said.

“The pandemic led to a resurgence of QR codes in our daily lives — everywhere from restaurant menus to use in doctors’ offices — making QR codes an attractive vector for cybercriminals to use to target individuals and organizations around the world,” Mr. Fokker said. Read more

Microsoft Takes Legal Action to Crack Down on Storm-1152’s Cybercrime Network

Courtesy of the Hacker News

Microsoft on Wednesday said it obtained a court order to seize infrastructure set up by a group called Storm-1152 that peddled roughly 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors, netting the operators millions of dollars in illicit revenue.

“Fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft, and fraud, and distributed denial-of-service (DDoS) attacks,” Amy Hogan-Burney, the company’s associate general counsel for cybersecurity policy and protection, said.

These cybercrime-as-a-service (CaaS) offerings, per Redmond, are designed to get around identity verification software across various technology platforms and help minimize the efforts needed to conduct malicious activities online, including phishing, spamming, ransomware, and fraud, effectively lowering the barriers to entry for attackers.

Multiple threat actors, counting Octo Tempest (aka Scattered Spider), are said to have used Storm-1152’s accounts to pull off ransomware, data theft, and extortion schemes. Two other financially motivated threat actors that have purchased fraudulent accounts from Storm-1152 to scale their own attacks are Storm-0252 and Storm-0455.

The group, active since at least 2021, has been attributed to the following websites and pages –

  • Hotmailbox.me for selling fraudulent Microsoft Outlook accounts
  • 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA for selling machine learning-based CAPTCHA solving services to bypass identity verification
  • Social media pages for advertising the services

Microsoft, which collaborated with Arkose Labs on the initiative, said it was able to identify three individuals based in Vietnam who were instrumental in developing and maintaining the infrastructure: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

“These individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” Hogan-Burney noted.

“Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer’s needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with cryptocurrency,” Kevin Gosschalk and Patrice Boffa said.

How Cybercriminals Are Using Wyoming Shell Companies for Global Hacks

Courtesy of Raphael Satter, Reuters

Somali reporter Abdalle Ahmed Mumin was doubly distressed when he heard that a colleague had been abducted by masked gunmen at the University of Mogadishu on the morning of Aug. 17.

A fellow journalist was missing and Mumin – the chairman of the Somali Journalists Syndicate – had little way of getting the word out. Digital sabotage had knocked his syndicate’s website and email accounts offline a few days earlier. “I can still feel the frustration,” Mumin told Reuters. “Our link to the outside world, to the international media, is our website.”

It was only after getting help from Qurium, a Swedish nonprofit that does digital defense work for news organizations and nonprofits, that Mumin was able to get his site back on its feet and properly raise the alarm about the missing reporter.

When Qurium investigated, it eventually traced a source of the outage to a surprising place: Wyoming.

Although Qurium said it wasn’t able to get to a lock on who pulled the trigger on the cyberattack, it did discover that the sabotage was carried out with the help of a limited liability company, or LLC, based out of the vast western state.

Reuters has found it was one of at least three instances in the past four months in which digital defenders have implicated Wyoming LLCs in high-profile hacking activity. Interviews with half a dozen tech and compliance experts and hacking victims like Mumin suggest that the state once known as the rugged refuge for 19th century bandits is now catering to 21st century outlaws.

“It’s the virtual Wild, Wild West,” said Sarah Beth Felix, who runs Palmera Consulting, an anti-money laundering advisory firm. She said the state made registering anonymous shell companies so easy that foreign crooks “don’t have to be physically in Wyoming to hide out in Wyoming.”

Joe Rubino, the general counsel for the Wyoming Secretary of State’s Office, which is responsible for registering the state’s business entities, said his colleagues were taking the information flagged by Reuters “for further review and investigation.” Read more

Apple Sets Trap to Catch iMessage Impersonators

Courtesy of Ryan Naraine, SecurityWeek

New iMessage Contact Key Verification feature in Apple’s iOS and macOS platforms help catch impersonators on its iMessage service. Apple’s latest iOS and macOS platform refresh came with a lot more than urgent security patches.

The company activated a new feature called iMessage Contact Key Verification in another attempt to block impersonators and sophisticated threat actors abusing its iMessage server infrastructure.

With the activation, fully patched iPhones and macOS-powered devices adds an ON/OFF toggle for users to verify they’re messaging only with the people that they intend and receive alerts if there’s a hiccup in the verification process.

Apple first announced the feature in October and is positioning it as another roadblock to raise the cost for advanced threat actors and mercenary hacking companies that target its iMessage service. In the past, surveillance spyware vendors like NSO Group have been caught using iMessage zero-days and zero-click exploits against high-profile targets around the world.

Apple previously rolled out ‘Lockdown Mode’ to remove attack surfaces and block state-sponsored malware exploits on its platform for the company continues to struggle to contain a surge in in-the-wild zero-days.

The company has published guidance on turning on the new feature to help users to automatically they’re messaging with the intended person. Devices must be running iOS 17.2, macOS 14.2 or watchOS 9.2 on all devices signed in to iMessage.

“In iMessage conversations with people who have also turned on iMessage Contact Key Verification, you receive an alert if there’s an error in this verification process. These alerts help make sure that even a very sophisticated attacker can’t impersonate anyone in the conversation,” Cupertino explained.

In addition, iPhone and macOS  users can manually verify contacts by comparing verification codes. “When you manually verify a contact, iMessage Contact Key Verification verifies that the code you have saved matches the one provided by the iMessage servers for that contact and notifies you if the verification code changes,” the company explained. Read more

Dec. 8, 2023: Fraud and Cybersecurity Articles

Report Suggests Failure to Install Patch Opened Door for Ransomware Attack That’s Affecting CUs

Courtesy of CUToday

A new report suggests the failure to install a software patch is behind the ransomware attack on a CUSO that has caused outages at approximately 60 credit unions.

As CUToday.info reported here, the compromise reportedly occurred at the Oregon-based CUSO Ongoing Operations and has affected five-dozen or so credit unions running the Fedcomp core solution. Both are subsidiaries of St. Petersburg, Fla.-based Trellance.

According to DataBreaches.net, the attackers penetrated Ongoing Operations’ through a vulnerability known as the Citrix Bleed vulnerability in Netscale, patches for which were released on Oct. 10.

The report referred to the vulnerability in Netscale as the “cybersecurity challenge of 2023.” Ongoing Operations’ two Netscaler devices remain offline, DataBreaches.net reported.

“Ongoing Operations, failed to install the patch, leading to the credit union disruptions,” DataBreaches.net reported.

Systems Remain Down

The systems at the credit unions remain down, with members and credit unions unable to check account balances. There is no evidence that member data has been compromised, according to several reports and CUToday.info’s own interviews.

As reported here, at least one credit union has been forced to turn to manual reporting in its interactions with members.

Others Also Hit

Credit unions aren’t alone in dealing with the same ransomware attack. According to DataBreaches.net, HTC Global Services, aka HTC Inc, aka Caretech — a large MSP for the healthcare sector with remote access to hospitals across the U.S., did not patch Netscaler since July and is currently being held to extortion by AlphV ransomware group, “who display stolen documents on their ransomware portal which are branded Caretech, a division of HTC.”

Humans Are Notoriously Bad at Assessing Risk

Courtesy of Joshua Goldfarb, Security Week

When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.

Risk assessment should be a rational and objective undertaking. We as humans, with our emotions, can sometimes be irrational and subjective. As security professionals, this would seem to put us at odds with our duty to objectively assess, manage, and mitigate risk.

Unfortunately, subjectivity introduces bias, which skews risk assessment. When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.  This, in turn, results in a poorer overall security posture.

Given this, how can security professionals remove as much subjectivity as possible from risk assessment? There are likely many different approaches that can be taken. I’d like to offer seven steps that security teams can use to ensure that their risk assessment, management, and mitigation is as objective as possible.

  1. Critical resources and data: When we begin to think about risk objectively, we quickly realize that we need to focus on where there is the potential for damage and loss to the business.  Damage most often materializes due to monetary loss caused by compromised data, compromised resources (systems), and/or compromised accounts.  This monetary loss can be in the form of lost revenue (due to app unavailability, brand reputation damage, etc.), regulatory fines, disclosure costs, breach remediation costs, fraud, and others.  Thus, the first step towards objective risk assessment is enumerating critical resources and data that are likely to have a monetary impact on the business if affected in a security incident.
  2. Potential impact: Once critical resources and data are enumerated, the potential impact of each must be understood.  By potential impact, we mean financial.  In some cases, this may be easier to determine than in others.  Regardless, this impact will need to be determined as an important next step in this process.
  3. Threat landscape: There is no shortage of security threats out there.  Some of these are more relevant and applicable to the business than others.  Those that are relevant will need to be enumerated to keep the risk assessment process moving forward. Read more
Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

Courtesy of The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.

“The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,” CISA said, adding an unnamed federal agency was targeted between June and July 2023.

The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively.

It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it’s aware of the flaw being “exploited in the wild in very limited attacks.”

The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software.

“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” CISA noted.

There is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.

In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources. Read more

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

Courtesy of The Hacker News

Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that’s capable of acting as a stealer and a point of entry for next-stage payloads.

UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.

Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot’s infrastructure.

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server, which is followed by lateral movement via RDP sign-in attempts and ultimately handing off access to Storm-0216.

The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.

It also follows the discovery of a new macOS ransomware strain dubbed Turtle that’s written in the Go programming language and is signed with an adhoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.

Dec. 1, 2023: Fraud and Cybersecurity Articles

Fidelity National Financial Takes Down Systems Following Cyberattack

Fidelity National Financial is experiencing service disruptions after systems were taken down to contain a cyberattack.

Courtesy of Ionut Arghire, Security Week

Title insurance giant Fidelity National Financial (FNF) is experiencing service disruptions after it has taken down multiple systems to contain a cyberattack.

The incident, FNF said in a Form 8-K filing with the Securities and Exchange Commission (SEC) just before Thanksgiving, has impacted “title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries”.

According to the company, its F&G Annuities & Life subsidiary, which provides insurance solutions, was not affected.

FNF says that an investigation was immediately launched into the incident and that law enforcement was also notified.

To date, the investigation has determined that the attackers gained unauthorized access to certain systems and that some credentials were stolen.

While FNF did not specify what type of cyberattack it fell victim to, the fact that it has shut down systems to contain the incident suggests that ransomware might have been involved.

In fact, the notorious Alphv/BlackCat ransomware group has already taken responsibility for the attack, adding FNF to their leak site.

The threat actor did not specify whether any information was exfiltrated from the victim’s network, claiming it would reveal this later, if FNF does not pay a ransom.

FNF is one of the largest title insurance entities and underwriters groups in the US. It also offers settlement services to the real estate and mortgage industries.

Dollar Tree Hit by Third-Party Data Breach Impacting 2 Million People

Courtesy of Bill Toulas, Bleeping Computer

Discount store chain Dollar Tree was impacted by a third-party data breach affecting 1,977,486 people after the hack of service provider Zeroed-In Technologies.

Dollar Tree is a discount retail company that operates the Dollar Tree and Family Dollar stores in 23,000 locations in the United States and Canada.

According to a data breach notification shared with the Maine Attorney General, Dollar Tree’s service provider, Zeroed-In, suffered a security incident between August 7 and 8, 2023.

As part of this cyberattack, the threat actors managed to steal data containing the personal information of Dollar Tree and Family Dollar employees.

“While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor,” reads the letter sent to affected individuals.

“Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates.”

The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs).

Zeroed-In has notified the affected individuals and enclosed instructions on enrolling in a twelve-month identity protection and credit monitoring service.

BleepingComputer contacted Dollar Tree for a comment on the data breach, and we received the following statement:

“Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.” – Family Dollar spokesperson.

Other Zeroed-In customers apart from Dollar Tree and Family Dollar may have also been impacted by the security breach, but this hasn’t been confirmed yet.

We’ve contacted Zeroed-In with similar queries but received no answer by publication time.

PSA: Update Chrome Browser Now to Avoid an Exploit Already in The Wild

Courtesy of Jess Weatherbed, The Verge

An active exploit could leave your system vulnerable to data theft and malicious code. A critical security update is rolling out now.

A critical security update is now available for some Chrome users on Mac, Linux, and Windows that patches a zero-day vulnerability that could make systems susceptible to data theft and other cyberattacks. On Tuesday, Google confirmed in a Chrome stable channel update that it “is aware that an exploit for CVE-2023-6345 exists in the wild.” The vulnerability was discovered on November 24th by two security researchers working within Google’s Threat Analysis Group (TAG).

Google hasn’t released many details about the CVE-2023-6345 exploit yet, but that’s to be expected. As Android Central notes, Google, like many tech companies, often opts to keep information about vulnerabilities under wraps until they’ve been largely addressed, as detailed information could make it easier for attackers to exploit unprotected Chrome users. It isn’t clear how long the vulnerability had been actively exploited prior to its discovery last week.

What we do know is that CVE-2023-6345 is an integer overflow weakness that impacts Skia, the open-source 2D graphics library within the Chrome graphics engine. According to notes on the Chrome update, the exploit allowed at least one attacker to “potentially perform a sandbox escape via a malicious file.” Sandbox escapes can be utilized to infect vulnerable systems with malicious code and steal sensitive user data.

If you already have your Chrome browser set to update automatically, then you may not need to take any action. For anyone else, it’s worth manually updating to the latest version (119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows) within the Google Chrome settings to avoid your system being left exposed. Google says the fix is rolling out “over the coming days/weeks,” so it may not be immediately available to everyone at the time of this writing.

Five Cybersecurity Predictions for 2024

Cybersecurity predictions for 2024 to help security professionals in prioritizing efforts to navigate the ever-changing threat landscape.

Courtesy of Torsten George, Security Week

The year 2023 saw heightened cybersecurity activity, with both security professionals and adversaries engaged in a constant cat-and-mouse game. The dynamic landscape of cyber threats and the ever-expanding digital attack surface have compelled organizations to refine and fortify their security architectures. Despite the collective hope for a reprieve from the onslaught of daily phishing, ransomware, and credential stuffing attacks, cybercriminals are poised to leverage successful tactics from this year to orchestrate more sophisticated campaigns in the coming year. To stay ahead, it is crucial to anticipate the key themes likely to dominate the cybersecurity space in 2024.

The following predictions serve as strategic insights for IT and security professionals, guiding them in prioritizing efforts to navigate the ever-changing threat landscape:

A Never-Ending Story: Compromised Credentials

The perpetual use of usernames and passwords for access control and authentication has made compromised credentials a recurring vulnerability. Post-mortem analysis of data breaches consistently identifies compromised credentials as the primary point of attack. In fact, a study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Despite this, many organizations lack essential identity-related security controls. Those that have implemented proper access controls often focus on human users, neglecting the multitude of non-human identities arising from digital transformation initiatives (e.g., DevOps, cloud transformation, Internet of Things). As a result, compromised identities, both human and non-human, are expected to fuel cyberattacks in 2024. Organizations are urged to intensify efforts in implementing Zero Trust principles to reduce dependency on passwords.

Ransomware Attacks Continue to Wreak Havoc

The ransomware business thrives as cybercriminals exploit vulnerabilities in organizations, as witnessed in attacks on entities such as the Kansas Court SystemYamaha Motors, and Western Digital. In fact, the Ransomware-as-a-Service model has made launching attacks that much easier. Over the past year, ransomware attacks have evolved into multifaceted extortion schemes where data is exfiltrated and threatened to be publicly released if a ransom is not paid. The recent SEC complaint filed by the Alphv/BlackCat ransomware group against MeridianLink adds a new dimension to this tactic. With the new SEC disclosure ruling coming into effect on December 15, 2023, requiring companies to report “material” cybersecurity incidents within four days, this tactic is expected to become commonplace in ransomware attacks. Enterprises need to focus on ransomware preparedness, particularly in recovering endpoints and critical infrastructure such as Active Directory. Read more

 

Nov. 17, 2023: Fraud and Cybersecurity Articles

Mandates Failing in Cyber-Insurance: Why Mandates Work for Traditional Insurance Categories, But Not for Cyber-Insurance

Courtesy of Brett Helm, CUSO Magazine

Cyber insurance was the brainchild of Steve Haase, an insurance broker for Hamiliton Dorsey Alston Co. When first introduced in 1997, the coverage was called Internet Security Liability (ISL). Early policies were designed to mitigate the risks faced by e-commerce vendors and were underwritten by AIG. While cyber insurance can trace its roots back a quarter of a century, it is, in many ways, still in its infancy.

Cyber-insurance policies, unlike health, life, auto, and most traditional lines of insurance, are not governed by regulators or legislation. There are no requirements on what must be covered, what can be excluded, or what rates can be charged. Without governance, insurance companies are working on their own to standardize coverage, normalize policy terms, and manage their exposure. This is achieved, in large measure, by requiring cybersecurity controls and practices for companies carrying cyber-insurance.

Risk profiles for traditional lines of insurance such as health, auto, or property and casualty insurance, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions.

Cyber threats, on the other hand, are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks. To ensure security in this ever-changing environment, continuous monitoring of internal networks is required. Continuous monitoring provides insurance companies with actuarial data and ensures mandates are followed.

Risk management by insurance companies

Insurance companies have long used terms and conditions as tools to manage and mitigate risk within their portfolios. Terms and conditions are requirements that policyholders must follow in order to qualify for coverage and to maintain their policies.

Follow-up Article: Mr. Cooper Hit with Consumer Class-Action Lawsuits Over Cyberattack

Courtesy of Flávia Furlan Nunes, Housing Wire

Customers accuse the company of negligence, breach of implied contract and unjust enrichment

Mr. Cooper Group became the target of at least four consumer class-action lawsuits after disclosing a cyberattack at the end of October when customer information was compromised and the company shut down certain systems.

On Oct. 31, the Dallas-based servicer and lender said it had experienced a cybersecurity incident with an unauthorized third party accessing certain portions of its technology systems and customer data. The firm informed law enforcement, regulatory authorities and other stakeholders.

In the lawsuits filed in a district court in Texas, customers claim that the defendant “failed to comply with industry standards to protect information in its systems that contain” personally identifiable information of millions of people. Mr. Cooper had 4.3 million customers in its servicing portfolio in the third quarter, consisting of $937 billion in UPB at the end of September.

Customers claim that, as a result of the attack, they are “in the hands of criminals” and face an “increased risk of identity theft.” Ultimately, they have spent and will continue to spend “significant time and money” to protect themselves due to Mr. Cooper’s failures. A representative for Mr. Cooper did not respond to a request for comment.

Plaintiffs complained that the company notified them about the incident days after discovering the data breach and the notice lacked information, including details of the cyberattack and customer recommendations. They also complained about emotional stress since, once stolen, fraudulent use of that information and damage to victims may continue for years. In addition, fraudulent activity might not show up for six to 12 months or even longer.

Customers seek, among other things, that the “company fully and accurately disclose the nature of the information that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like this in the future.”

Mr. Cooper is accused of negligence, breach of implied contract and unjust enrichment, among other claims. On Thursday, Mr. Cooper announced it had partially resumed its operations. After that, the company said phone systems and its website were running again.

“We are continuing to investigate precisely what information was exposed. In the coming weeks, we will mail notices to any affected customer and provide them with complimentary credit monitoring services,” Mr. Cooper said on its website.

The company estimates fourth-quarter earnings will include $5 to $10 million in additional vendor costs. At this time, however, it’s not possible to quantify the full extent of remediation and legal expenses due to the cyberattack.

Web Browsing Data Collected in More Detail Than Previously Known

Courtesy of Cristina Criddle, Financial Times

Campaigners warn proliferation of categories describing sensitive professions could leave users open to blackmail

Internet browsing data is being collected and sold in greater detail than previously thought, increasing the likelihood that individuals’ identities can be ascertained from the anonymised information, a new report has found.

Web users have for years been grouped by data brokers by traits such as their broad professional sector or interests, inferred from their browsing history. This anonymised information is then sold to advertisers so they can target specific categories, or segments, with personalised marketing.

An investigation by the non-profit Irish Council for Civil Liberties published on Tuesday shows the number of segments is greater than previously thought, including data on many influential and sensitive professions that were not known to be sold to advertisers.

Data has been put into segments used to target judges, elected officials, military personnel and “decision makers” working in national security, it found. Privacy campaigners argue that these more specific professional categories mean that information from different data points can be easily combined with location data and time stamps to identify people.

This could be used for surveillance or exploited by hostile actors, they added, noting that the data is available for a broad range of companies to purchase. “This data about political leaders, judges and military personnel shows that the [real-time bidding] industry’s security problem is in fact a national security problem too,” said Johnny Ryan, senior fellow at ICCL.

Real-time bidding is the process by which advertising is bought and sold based on data segments.

A document seen by the Financial Times showed that segments marketed by US data broker firm Eyeota include decision makers in government, national security and counter-terrorism. They also included categories such as military personnel, military families, judges and elected officials. Read more

Most Overused Passwords in The World — Make Sure Yours Isn’t On The List

Courtesy of Charmaine Jacob, CNBC

Racking your brains to come up with a strong password can be a pain. But if you want your emails, online banking, streaming platform credentials secure from the clutches of hackers, it would be wise to put in the effort.

NordPass, the password management tool from the team behind NordVPN, partnered with independent researchers to release its study of the 200 most common passwords used in 2023.

Of the world’s 20 most common passwords, 17 can be cracked in less than a second, so think twice before you decide to key in “123456” or the even more creative “password” to secure your online accounts.

The most popular passwords are some of the laziest combinations, even as cybersecurity threats continue to be on the rise with over 53 million U.S. citizens affected in the first half of 2022, according to AAG data.

The NordPass study showed that 86% of cyberattacks use stolen credentials, and online accounts, emails and passwords make up almost 20% of the most commonly sold items on the dark web.

To make sure your data stays safe, here are the world’s 20 most common passwords of 2023 — and how long it takes to crack each one: Click here for the list

Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks

Courtesy of the HackerNews

A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks.

“Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem,” Martin Zugec, technical solutions director at Bitdefender, said in a new report.

A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing “since it’s outside of our threat model and the behavior is in line with Chrome’s practices of storing local data.”

However, the Romanian cybersecurity firm has warned that threat actors can exploit such gaps to extend a single endpoint compromise to a network-wide breach. The attacks, in a nutshell, rely on an organization’s use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities.

This enables administrators to remotely manage and control Windows devices within their Google Workspace environments, as well as allows users to access their Windows devices using the same credentials that are used to login to their Google accounts. Read more

 

Nov. 10, 2023: Fraud and Cybersecurity Articles

New York Adds Stiffer Requirements to Cybersecurity Rules

Financial companies must now report ransom payments and strengthen board oversight

Courtesy of James Rundle, Wall Street Journal

New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict provisions around board oversight and ransom payments that go further than recent federal rules. The New York State Department of Financial Services, which oversees banks, insurance firms, mortgage brokers and other financial institutions, expanded its initial cybersecurity rules, published in 2017, because rising cyberattacks require stronger protections, said Adrienne Harris, superintendent of financial services, in a statement.

Chief information security officers are placed front and center in the new regulations as having responsibility for ensuring that companies comply with the rules, and that internal policies are enforced. In some areas, the updated rules are similar to those recently approved by the U.S. Securities and Exchange Commission, particularly around how cybersecurity programs are supervised. However, New York’s rules go into greater detail than the SEC’s in some areas.

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function. In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

DFS’s new requirements come as authorities generally have taken a stronger approach toward ransom payments than in the past. At a summit this week hosted by the U.S. government at the Justice Department, nations belonging to the Counter Ransomware Initiative were finalizing a pledge to not pay ransoms to criminals when government systems come under attack.

“As long as there’s money flowing to ransomware criminals, the problem will continue to grow,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, on a call with reporters Tuesday. Read more

Internal Spoofing Attacks Are on The Rise – Is Your Staff Prepared?

Courtesy of League InfoSight/ League of Southeastern Credit Unions & Affiliates

Spoofing is a scam where cybercriminals impersonate a company with a fake email address, display name, text message, or website URL to convince a target that they are a trusted, well-known source from the company. It can be as simple as changing one letter, symbol, or number in a communication that is difficult to spot. The benefit of spoofing for cybercriminals is that the person will likely disclose financial and personal information, download malware, wire funds, and more.

Types of spoofing attacks:

  • Email Spoofing: This technique is one of the most common types where cybercriminals send an email posing as a trusted source. They usually ask for an urgent request or attempt to lure the target to click a malicious link or attachment.
  • Domain or Website Spoofing: These attacks aim to lure users into logging into their accounts on fake websites or exposing other personal information about themselves. The cybercriminals can then use the stolen credentials to log into the actual account on the real website.
  • Caller ID Spoofing: Similar to email spoofing, caller ID alters the phone number to show up as someone familiar to the target they are calling. For example, the fraudster may pose as a customer service representative from the target’s bank and attempt to gather personal information like their banking credentials, social security number, etc. in order to gain access to their account.
  • Text Message Spoofing: This technique targets a person via text message posing as a trusted source like their bank or a friend. They substitute the sender ID with a recognizable source and use the text message as a springboard for data theft, spear phishing, and scams.

The reality is that credit unions are being targeted, as well as employees. Implementing a Proactive Security Awareness Program aims to empower users with skills to identify and report suspicious activity, including emails, texts, or website links. People are the first line of defense for the credit union, and when equipped with cybersecurity awareness, it will only propel their security posture.

The following tips can help identify a spoofed message in the email headers:

  • Identify that the ‘From’ email address matches the display name. The from address may look legitimate at first glance, but a closer look in the email headers may reveal that the email address associated with the display name is actually coming from someone else.
  • Make sure the ‘Reply-To’ header matches the source. This is typically hidden from the recipient when receiving the message and is often overlooked when responding to the message. If the reply-to address does not match the sender or the site that they claim to be representing, there is a good chance that it is forged. Read more
Video: Nebraska Attorney General Mike Hilgers Warns of Bank Impersonation Scams
FCA Warns Banks Over App Fraud and Poor Treatment of Victims

Courtesy of FinExtra

With authorised push payment fraud on the rise, the FCA says banks should strengthen anti-crime systems and must treat victims of fraud better.

The warning shot from the regulator follows a review of firms’ fraud controls and complaint handling. While the review found examples of good practice, the watchdog expresses disappointment with the way some firms supported customers who were the victims of fraud. In the first six months of 2023 over 116,000 people reported falling victim to APP fraud, where someone is tricked into sending money to a fraudster posing as a genuine payee.

The latest fraud report by UK Finance showed that over £152 million was returned in total by the banking sector to victims in the first half of this year. However, recent figures published by the Payment Systems Regulator found a wide disparity in the way some banks treat victims, with new challengers such as Monzo and Starling scoring particularly poorly.

The FCA says banks are not fully considering characteristics of customer vulnerability when making decisions about fraud claims and complaints. The watchdog says customers were provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language.

The FCA says it is pressing banks to improve their anti-fraud systems and controls and review complaint-handling procedures to ensure better outcomes for customers.

“We are already working with firms in our review to strengthen their approach,” states the FCA. “We expect all payment service providers to use our findings to inform what more they can do to detect, manage and reduce fraud and losses more effectively. Customer treatment must also be improved, including how complaints are handled, to deliver consistently good consumer outcomes in line with the Consumer Duty.”

Cyberattack Hits Mr. Cooper, Blocks Millions of Mortgage Payments

The loan servicing giant shut down systems after it detected the intrusion and set up alternative methods for its 4.3 million customers to make payments.

Courtesy of Matt Kapko, CyberSecurity Dive

Mortgage servicing provider Mr. Cooper Group shut down multiple systems after it determined a threat actor accessed certain technology systems on Oct. 31, according to a Thursday filing with the Securities and Exchange Commission.

The company initiated precautionary containment measures in response to the cyberattack, a move that’s temporarily halting recurring payments and leading customers to make one-time loan payments online, via phone, email or third parties. The status of customers’ loans were last updated Oct. 31.

Mr. Cooper is the third-largest mortgage servicer in the U.S. with more than 4.3 million customers, according to the company.

The Texas-based company said it notified law enforcement and contacted cybersecurity experts to assist in an investigation. “While the company’s investigation is ongoing, based on information currently known, the company does not believe this incident will have a material adverse effect on its business, operations or financial results,” the company said in the SEC filing.

The ongoing investigation has yet to determine if any data was compromised and Mr. Cooper said it will notify any customers that are potentially impacted. A temporary site was set up to provide customers with updated information, including details about how to make payments as the company works to return to normal operations.

Mr. Cooper assured customers that it won’t impose any fees or negative credit reporting for late payments until the issue is resolved.

“At this time, we believe this cybersecurity incident was isolated to Mr. Cooper systems and technology and did not affect any of the company’s clients’ or partners’ systems or technology,” a company spokesperson said in a statement.

The cyberattack against Mr. Cooper, which blocked millions of customers from making payments and processing mortgage transactions, is credit negative, Moody’s Investors Service said Tuesday.

“The full impact of the event will depend on the duration of the disruptions, ensuing potential reputational damage and magnitude of the breach,” Stephen Lynch, VP and senior credit officer for Moody’s, said in a statement.

Mr. Cooper services approximately 450 residential mortgage-backed securities, according to Moody’s.

 

Nov. 3, 2023: Fraud and Cybersecurity Articles

Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO

Courtesy of Mike Lennon, SecurityWeek

In a development sparking chatter and debate through the cybersecurity world, the lawsuit filed by the U.S. Securities and Exchange Commission (SEC) against the Chief Information Security Officer (CISO) of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.

The lawsuit alleges that SolarWinds CISO Timothy Brown failed to disclose critical information regarding the massive cyberattack on the company’s software supply chain that occurred in late 2020. The complex attack, widely attributed to state-sponsored Russian hackers, compromised the networks of numerous government agencies and corporations that relied on SolarWinds’ products. The breach was a significant event in the world of cybersecurity, leading to numerous breaches, a frenzy of investigations, and regulatory scrutiny.

The SEC’s lawsuit is a rare instance of a regulatory body targeting a CISO for alleged mismanagement of cybersecurity risks. The suit claims that SolarWinds’ CISO was aware of the vulnerabilities in systems but did not disclose them adequately to the company’s investors, leading to misleading statements in SolarWinds’ filings with the SEC.

Industry experts have expressed mixed opinions on the SEC’s lawsuit. Some view it as a necessary step toward holding CISOs accountable for their actions or inactions when it comes to cybersecurity. They argue that CISOs play a crucial role in safeguarding a company’s digital assets and must be transparent with both their organization and regulators about potential threats.

“The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would,” Jake Williams, a prominent cybersecurity expert wrote in a post on X. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”

However, others, including SolarWinds itself, argue that this lawsuit sets a concerning precedent. They fear that CISOs may become hesitant to share information about cyber threats within their organizations, worried that any disclosure might open them up to legal action. This, they say, could hinder the industry’s ability to effectively respond to cyberattacks and protect sensitive data.

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”

FinCEN Proposes to Require Recordkeeping and Reporting for CVC Mixing Transactions

Courtesy of Peter D. Hardy, Lisa Lanham, Siana Danch & Kelly A. Lenahan-Pfahlert, Ballard Spahr

On October 23, the Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (“NPRM”) entitled Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern.  Section 311 of the Patriot Act, codified at 31 U.S.C. § 5318A (“Section 311”), grants the Secretary of the Treasury authority – which has been delegated to FinCEN – to require domestic financial institutions and agencies to take certain “special measures” if FinCEN finds that reasonable grounds exist for concluding that one or more classes of transactions within or involving a jurisdiction outside of the United States is of “primary money laundering concern.”

In this NPRM, FinCEN proposes to designate under Section 311 all convertible virtual currency (“CVC”) mixing transactions, as defined by the NPRM.  This designation would require imposing reporting and recordkeeping requirements upon covered financial institutions (“FIs”) regarding transactions occurring by, through, or to a FI when the FI “knows, suspects, or has reason to suspect” that the transaction involves CVC mixing.

The NPRM is complicated and raises complex questions.  We only summarize here, and note selected issues.  Comments are due on January 22, 2024.  FinCEN can expect many comments.

Reasons for Implementing Section 311

As we have blogged, FinCEN has employed Section 311 – a powerful tool – before.  But, prior uses of Section 311 have involved specific banks (see here and here) or specific geographies (see here and here).  In contrast, and as the government’s press release notes, “[t]his is FinCEN’s first ever use of the Section 311 authority to target a class of transactions of primary money laundering concern[.]” (emphasis added).  As a practical matter, the NPRM likely will impact primarily CVC exchanges dealing directly with CVC and operating as money services businesses under the Bank Secrecy Act (“BSA”), as opposed to traditional FIs such as banks, which typically do not deal directly with CVC.

As the government’s press release further notes, the NPRM specifically seeks to combat illicit financing involving terrorism and evasion of U.S. sanctions: “This NPRM highlights the risks posed by the extensive use of CVC mixing services by a variety of illicit actors throughout the world and proposes a rule to increase transparency around CVC mixing to combat its use by malicious actors including Hamas, Palestinian Islamic Jihad, and the Democratic People’s Republic of Korea (DPRK).”  As the NPRM itself also notes, and as we also have blogged (see hereherehere and here), the U.S. government recently has instituted several enforcement actions involving CVC mixers, which the NPRM describes as “ripe for abuse by, and frequently used by, illicit foreign actors that threaten the national security of the United States and the U.S. financial system” because they are “intended to make CVC transactions anonymous.” Read more

FTC Orders Non-Bank Financial Firms to Report Breaches In 30 Days

Courtesy of Bill Toulas, Bleeping Computer

The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days. Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.

This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations. It applies to security incidents that impact 500 or more consumers, especially if unauthorized third parties accessed unencrypted (cleartext) information.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” stated FTC’s Director of Bureau for Consumer Protection, Samuel Levine. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The notification requirement does not apply to cases where consumer information is encrypted as long as the attackers did not access the encryption key. The notice breached firms need to be submitted onto FTC’s online portal and must include details about the security incident, such as:

  • Name and contact information of the reporting institution.
  • Number of impacted consumers and of those potentially affected by it.
  • Description of the types of data that have been potentially exposed.
  • Exposure date and, if possible to determine, the duration of the incident.
  • Confirmation whether law enforcement advised that public disclosure of the breach could obstruct an investigation or threaten national security.

The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident. The FTC emphasizes that submitting a data breach report doesn’t automatically imply a violation of the Safeguards Rule, nor does it ensure an investigation or enforcement action.

The new notification requirement will become effective 180 days after publication of the rule in the Federal Register, so the rule should be applicable starting in April 2024. For more details on the amendments and their development process based on the feedback FTC received from stakeholders, you can read this document.

10 Must-Know PC Security Tips That Keep You Safe Online

Criminals are always finding new ways to steal confidential info and smuggle in malware. These tips can help keep you safe.

Courtesy of Roland Freist, PC World

Staying safe online doesn’t mean having to learn coding or anything exotic. Germany’s Federal Office for Information Security recently published a brochure entitled “Using the internet safely” that contains ten helpful security tips that you should keep in mind while surfing the Internet to protect yourself from fraud and computer viruses.

The basic information is handy indeed, but we’ve expanded on these tips with recommendations on specific tools and security settings you can use to stay safe online.

Always keep Windows, browsers and applications up to date

Tip 1: “Set up your web browser securely and keep it up-to-date. Browser extensions should be disabled or uninstalled if necessary.

Google Chrome, Microsoft Edge, and Mozilla Firefox check for available updates every time they are started and install them automatically. This applies to Windows as well as Android and iOS devices. Refrain from experimenting with alternative browsers from dubious manufacturers. These programs are often not carefully maintained.

Even among the browser extensions in the manufacturers’ stores, there are quite a few candidates for which it is unclear what information they access and to whom they pass on this data. So you should install as few extensions as possible. For most users, the only thing that is almost indispensable is a password manager. These programs are now mostly offered in the form of browser extensions. Our guide to the best password managers can help you find a great one.

Tip 2: Keep your operating system and other software up-to-date by allowing updates to be installed automatically.”

Windows, Microsoft 365, and many other applications have an automatic update mechanism that installs new versions and patches as soon as they appear. For all other programs, there are tools such as Sumo or the Iobit Software Updater that check the version numbers of installed programs and indicate available updates.

Tip 3: “Use applications for virus protection and a firewall. Some operating systems already offer such applications, but they must be activated.”

Windows includes virus protection and also a firewall, both of which are active by default, but they’re basic and aren’t very configurable. The best antivirus software suites include protect against threats like ransomware, phishing, and stolen identities. Read more

 

Oct. 27, 2023: Fraud and Cybersecurity Articles

The Rise of S3 Ransomware: How to Identify and Combat It

Courtesy of The Hacker News

In today’s digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations.

Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization’s buckets.

To effectively combat these evolving threats, it is vital to ensure that your organization has visibility into your S3 environment, that you are aware of how threat actors can compromise data for ransom and most importantly, best practices for minimizing the risk of cyber criminals successfully executing such an attack.

Ensuring Visibility: CloudTrail and Server Access Logs#

Visibility serves as the foundation for any effective detection strategy. In Amazon S3, nearly every action translates to an API call, which are meticulously recorded in CloudTrail and documented in AWS documentation.

The two primary options for logging activity in S3 buckets — CloudTrail Data Events and Server Access Logs — hold a wealth of information that security practitioners must leverage to anticipate and detect suspicious activity. Each offer distinct advantages and trade-offs:

  • Cloud Trail Data Events: offer visibility into resource operations performed on or within a resource in real-time, but comes with potential cost implications due to high API call volumes
  • Server Access Logs: free access to records for each request made to your S3 bucket, but come with potential delays in log availability and potential logging with less integrity.

Mitigating Risk by Understanding the Attack Scenarios#

Utilizing the above logs to ensure adequate visibility, it is possible to keep an eye out for potential attack scenarios in order to mitigate risks effectively. There are three main attack scenarios that we observe with S3 ransomware attacks, all which can prevent an organization from accessing its data. Read more

State Bank Regulators Update Ransomware Self-Assessment Tool for Banks

Courtesy of Conference of State Bank Supervisors

State regulators, in collaboration with the Bankers’ Electronic Crimes Taskforce and the U.S. Secret Service, this week released an updated Ransomware Self-Assessment Tool (R-SAT) for banks to help mitigate new risks associated with ransomware attacks and identify security gaps.

The new version updates the R-SAT originally released in 2020 due to evolutions in the ransomware threat environment, bad actor tactics and changes in bank environments and controls. The revised R-SAT incorporates insights from cybersecurity experts, feedback from financial institutions and lessons learned from analyzing real-life ransomware attacks.

While financial institutions may have good cybersecurity practices in place, rapid advancements in ransomware techniques and the potentially devastating consequences of a successful attack require every financial institution to review and update their ransomware-specific controls. The updated R-SAT places an increased emphasis on topics such as multi-factor authentication, employee awareness and security training, cloud-based systems or activities, and the identification of control risks that have not been mitigated to an acceptable risk level.

An industry-wide webinar hosted by the Conference of State Bank Supervisors briefed bankers on the updated tool, covering the specific changes to the R-SAT, research and insights from the industry that led to these changes and how banks can most effectively leverage the tool to protect their institution and customers.

State regulators continue to be proactive and adaptive to the needs of the diverse banking system. Updates to the R-SAT are yet another example of state regulators empowering their institutions with the tools to ensure our financial system remains safe, sound and resilient.

Visit www.csbs.org/ransomware-self-assessment-tool for more information on the updated R-SAT and how to implement it at your institution.

CISA Releases Fact Sheet on Effort to Revise the National Cyber Incident Response Plan (NCIRP)

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet on the effort to revise the National Cyber Incident Response Plan (NCIRP). Through the Joint Cyber Defense Collaborative (JCDC), CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released.

First published in 2016, the NCIRP was developed in accordance with Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination and describes how federal government, private sector, and state, local, tribal, territorial (SLTT) government entities will organize to manage, respond to, and mitigate the consequences of significant cyber incidents.

NCIRP 2024 will address changes to the cyber threat landscape and in the nation’s cyber defense ecosystem by incorporating principles grounded in four main areas:

  • Unification
  • Shared Responsibility
  • Learning from the Past
  • Keeping Pace with Evolutions in Cybersecurity

CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.

Oct. 20, 2023: Fraud and Cybersecurity Articles

Lost and Stolen Devices: A Gateway to Data Breaches and Leaks

By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.

Courtesy of Torsten George, SecurityWeek

In our digital age, data is king. It drives businesses, informs decision-making, and plays an essential role in our everyday lives. However, with the convenience of technology comes the risk of data breaches and leaks.

One often overlooked aspect of this risk is the role that lost and stolen computers play in compromising sensitive information. According to Forrester Research’s 2023 State of Data Security report, only 7% of security decision makers are concerned about a lost or stolen asset causing a breach, even though such incidents account for 17% of breaches. Such assets can include smartphones, tablets, laptops, external hard drives, and USB flash drives.

While these types of breaches may not command the same attention-grabbing headlines as major cyberattacks, the theft or loss of laptops, desktops, and flash drives poses a very real problem. It underscores the pressing need for endpoint resilience and recovery.

The Rising Threat
Lost and stolen computers are a growing concern for individuals and organizations alike. The portability and value of modern laptops and smartphones make them attractive targets for thieves. When a computer is lost or stolen, the data it contains becomes vulnerable to unauthorized access. Despite substantial investments in endpoint security controls, devices are often not as secure as organizations would hope. This vulnerability has led to numerous high-profile data breaches over the years.

The threats that arise from lost or stolen devices are as follows:

  • Unauthorized Access: When a computer falls into the wrong hands, unauthorized access to sensitive data becomes a real threat. Even if the device is password-protected, threat actors can employ various techniques to bypass security measures and gain access to files, emails, and other confidential information. This access can lead to data breaches, identity theft, and financial loss.
  • Lack of Encryption: Many users fail to encrypt their data, leaving it exposed in the event of theft or loss. Encryption is a crucial security measure that renders data unreadable without the appropriate decryption key. Without encryption, thieves can easily access and misuse sensitive data, putting both individuals and organizations at risk. Having encryption enabled is often a legally required control, and not being able to prove its efficacy can expose an organization to liability.
  • Physical Access to Networks: In some cases, lost or stolen computers are used as a means to gain physical access to corporate networks. If an employee’s laptop is stolen, and it contains access credentials or VPN configurations, the thief may use this information to infiltrate the organization’s network. Once inside, they can carry out malicious activities, steal more data, and potentially compromise the entire network’s security. Read more
‘Phantom Hacker’ Scams That Target Seniors’ Savings Are on The Rise, FBI Says

Courtesy of Greg Iacurci, CNBC

Key Points

  • “Phantom hacker” scams are an evolution of tech support scams, a type of cybercrime.
  • Losses from tech support scams were up 40% as of August, the FBI said.
  • “Phantom hacker” scams often wipe out bank, savings, retirement and investment accounts, the FBI said.

There has been a nationwide increase in “phantom hacker” scams, a type of fraud “significantly impacting senior citizens,” who often lose their entire bank, savings, retirement or investment accounts to such crime, according to the FBI.

“Phantom hacker” scams are an evolution of tech support scams, a type of cybercrime.

As of August 2023, losses from tech support scams were up 40% during the same period in 2022, according to a recent FBI public service announcement. It didn’t disclose the total dollar loss during that period.

Half the victims were over 60 years old and comprise 66% of the total financial losses, the FBI said.

Older adults have generally amassed a larger nest egg than younger age groups, and therefore pose a more lucrative target for criminals. Older adults are also “particularly mindful of potential risks to their life savings,” Gregory Nelsen, FBI Cleveland special agent in charge, said in a statement.

“These scammers are cold and calculated,” Nelsen said. “The criminals are using the victims’ own attentiveness against them,” he added.

How ‘phantom hacker’ scams operate

“Phantom hacker” crimes are multilayered.Initially, fraudsters generally pose as computer technicians from well-known companies and persuade victims they have a serious computer issue such as a virus, and that their financial accounts may also be at risk from foreign hackers.

Accomplices then pose as officials from financial institutions or the U.S. government, who convince victims to move their money from accounts that are supposedly at risk to new “safe” accounts, under the guise of protecting their assets. Read more

Banks Combine AI And Communication to Combat the Rising Threat of Payment Fraud

With the rise of digital transactions and online services, fraud has become an increasing concern for both consumers and businesses.

Courtesy of PYMNTS.com

In March 2023, for example, 11% of consumers who paid for groceries encountered payment fraud, marking an 88% increase since December 2021. This is one of key findings in a recent PYMNTS Intelligence report entitled “The Next Chapter in Fraud: Using AI to Unveil Payments Intelligence,” which examines concerns around cybercrime and how financial institutions (FIs) are mitigating fraud risks.

Data from the joint PYMNTS Intelligence-AWS study shows that businesses are also grappling with the far-reaching impacts of fraud, with failure to prevent sophisticated fraud schemes leading to customer attrition. In fact, more than 30% of Big Tech and FinTech firms have lost customers due to fraud or financial crimes, the study found.

In response, firms are planning investments in fraud detection and management tools, with many turning to artificial intelligence (AI) and machine learning (ML) for enhanced fraud prevention. These advanced tools offer the potential to analyze vast amounts of data, identify patterns, and detect anomalies that indicate fraudulent activities.

For Big Tech and FinTech firms that still need convincing, the fact that 66% of FIs that use ML or AI experienced a decrease in overall fraud rates could help increase their trust in the effectiveness of AI in combating fraud.

Michael Jabbara, vice president and global head of fraud services at Visa, has also made a case for AI in fraud prevention efforts, telling PYMNTS in a recent interview that the technology can help combat the “democratization” of cybercrime and ransomware.

As he noted to PYMNTS, AI is “the superpower that gives us the ability to detect that proverbial fraudulent needle in the overall haystack of legitimate interactions — and then build the automation necessary to carve out the fraud while letting the authentic transactions go through.”

Strengthening Anti-Fraud Efforts
While most banks and firms are focusing primarily on increasing the use of ML/AI models to stem the rising tide of fraudulent activities, FIs also plan to improve anti-fraud efforts in other areas.

PYMNTS Intelligence data shows that in 2023, 62% of FIs plan on improving communication with customers as an anti-fraud measure, up from about 57% in 2022. This includes regularly updating customers on the measures taken to protect their accounts and transfers from fraud, which can go a long way to alleviating customer fears and foster trust. Read more

Navigating Risk and Fraud Management in The World of Bank Transfers

Courtesy of Payments Journal

Digital transformation has accelerated the evolution of financial transactions dramatically in the last decade. Gone are the days when paper checks were the norm, with a recent Philadelphia Fed Study, reporting that since 2009, paper check usage has been dropping by 1.2 billion annually. Instead, bank transfers and digital payments have taken center stage. While these digital payment methods offer convenience and efficiency, they also bring new challenges in risk and fraud.

Businesses can combat these threats by educating themselves on risk and fraud management for digital transactions and by exploring emerging fraud trends in the world of bank transfers. For example, one of the most pressing fraud trends right now is credit push schemes. While getting hacked is a common fear, social engineering remains a more significant concern.

These fraudulent activities often involve convincing individuals, whether employees or account owners, to provide critical information. These schemes rely heavily on social engineering to trick consumers or businesses into sending money to fraudsters. Common variants of these schemes include business email compromise, vendor impersonation fraud, payroll impersonation, account takeover, and more.

This underscores the importance of understanding and implementing robust controls to prevent users from falling victim to such schemes.

Effective Fraud Prevention and Risk Management Strategies
One key business strategy to combat fraud across bank transfers is real-time transaction monitoring. Monitoring transactions in real time and identifying suspicious activity is crucial to prevent fraud. This approach, when combined with effective onboarding identity and verification processes, helps stop anomalies or high-value transactions that could lead to fraud or financial loss.

Education also plays a vital role in building a strong defense against fraud. It is essential not only to train internal teams but also to educate customers. The emphasis is on identifying and combating social engineering tactics. Encouraging a culture of security where individuals are encouraged to report suspicious activities further strengthens the organization’s defenses.

Managing risk is a little different. There are two risk management controls that are crucial to prioritize.

The first is balanced friction. While frictionless payments and onboarding are essential for a seamless user experience, adding the right amount of friction at appropriate points is vital. This ensures that businesses verify the authenticity of transactions and prevent fraud without deterring legitimate customers. Read more

Oct. 13, 2023: Fraud and Cybersecurity Articles

Our Industry and Cybersecurity in 2023 and Beyond

Courtesy of Matt Sawtell, *CUAnswers, CUSO Magazine

October is Cybersecurity Month, and as such, I can think of no better time to reassess where our industry is and where it’s going in regard to cybersecurity. Earlier this year, the NCUA said cybersecurity would be a priority focus in 2023, and we’ve seen more regulators with this specific focus added to engagements. Looking forward, there are many areas in which credit unions will need to implement new or stronger cybersecurity plans. Today, we’ll focus on a few of those areas and how you can keep your credit union up-to-date and secure.

Incident response plans

In Michigan, the state regulators are on a 3-year rotation of bringing in an IT specialist as part of the examination process and doing a deeper dive than the normal checklist items. In preparation, credit unions should have a formal incident response plan prepared as it has been a focal point the last couple of years (and you can look at the headlines ransomware and other attacks get as a motivator there). The incident response plan should specifically refer to cyber incidents such as the aforementioned, breach, exposure of member data, and things more cyber-related, as opposed to the robbery, internal fraud, and more traditional incidents of the past.

If you do have an incident response plan already, be prepared to be asked about how you’re training staff with a tabletop exercise at least once per year or another type of awareness/readiness training with staff. The role playing, especially for those new to the concept is a good way to practice the workflow and decision-making that would need to happen in the event of a real incident, so there is real value in some preparation. There has been a marked shift from looking at incident response as an IT responsibility to more of a key item for the entire institution, with the CEO and board of directors participating. Read more

7 Resources for Determining Financial Institutions’ and Companies’ OFAC Compliance Obligations 

Courtesy of Dr. Nick Oberheiden of Oberheiden P.C., National Law Review

Office of Foreign Assets Control (OFAC) compliance is essential for financial institutions and companies that conduct business with foreign entities and individuals. However, it is also extremely challenging. There are numerous aspects to OFAC regulations compliance, and no two institutions’ or companies’ compliance obligations are exactly alike.

As a result, when assessing their OFAC compliance obligations, financial institutions and companies must do so on an individualized basis. The Office of Foreign Assets Control has published several resources that institutions and companies can (and should) use. These resources include:

  1. OFAC’s Sanctions Programs 

The Office of Foreign Assets Control has established several economic and trade sanctions programs that either prohibit or restrict financial transactions involving designated foreign nations, entities, and individuals. These OFAC sanctions programs fall into four broad categories: (i) country-based sanctions, (ii) list-based sanctions (also known as “smart sanctions”), (iii) sector-based sanctions, and (iv) secondary sanctions that apply to parties affiliated with blocked entities and individuals. Information about all of OFAC’s sanctions programs is available through the Office’s website, and users can search for sanctions that apply to specific nations, entities, and individuals.

  1. OFAC’s General Licenses 

General licenses permit transactions that would otherwise be blocked under an OFAC sanctions program. The Office of Foreign Assets Control has issued several general licenses which are available for use by financial institutions and companies in the United States. When determining what compliance efforts are necessary, institutions and companies should not only determine which sanctions programs apply, but also whether they can structure their transactions or operations to secure protection under any general licenses that are currently in effect.

  1. A Framework for OFAC Compliance Commitments  

Framework for OFAC Compliance Commitments (the “Framework”) is a guidance document that OFAC published to help financial institutions and companies assess the sufficiency and efficacy of their OFAC compliance programs (which OFAC refers to as “sanctions compliance programs” or “SCPs”). The Framework identifies “five essential components of compliance” and provides insight into what financial institutions and companies can (and should) do to meet OFAC’s expectations in these areas.  Read more

Google Looks to Do Away with Passwords, Making ‘Passkeys’ the Default Option

Courtesy of Jennifer Korn, CNN

 Google is looking to make passwords obsolete by prompting users to create passkeys to unlock accounts and devices with a fingerprint, face scan or pin number.

Google said Tuesday that passkeys don’t require users to memorize passwords, are quicker to use and can offer more security. The company unveiled support for passkeys in May but announced in a blog post that users will now be prompted to use the option where passwords are usually used.

“[W]e’ll continue encouraging the industry to make the pivot to passkeys — making passwords a rarity, and eventually obsolete,” Google wrote.

Google will continue to support traditional passwords, and users can dodge passkeys altogether by disabling their account’s “skip password when possible” option.

Passkeys are now used as password alternatives for apps including YouTube, Search, Maps, Uber and eBay. WhatsApp is also adding capability, according to the blog.

The FIDO Alliance, a security consortium that counts many tech firms as members, previously developed standards for passkeys. Microsoft, Apple and Google have since been working to make passkeys a reality.

Apple rolled out its passkey option with the release of iOS 16, allowing people to use the technology across apps, including Apple Wallet, and passkey support was first rolled out on Chrome and Android devices in October 2022.

New WordPress Backdoor Creates Rogue Admin to Hijack Websites

Courtesy of Bill Toulas, BleepingComputer

A new malware has been posing as a legitimate caching plugin to target WordPress sites, allowing threat actors to create an administrator account and control the site’s activity.

The malware is a backdoor with a variety of functions that let it manage plugins and hide itself from active ones on the compromised websites, replace content, or redirect certain users to malicious locations.

Fake plugin details

Analysts at Defiant, the makers of the Wordfence security plugin for WordPress, discovered the new malware in July while cleaning a website.

Taking a closer look at the backdoor, the researchers noticed that it came “with a professional looking opening comment” to disguise as a caching tool, which typically helps reduce server strain and improve page load times.

The decision to mimic such a tool appears deliberate, ensuring it goes unnoticed during manual inspections. Also, the malicious plugin is set to exclude itself from the list of “active plugins” as a means to evade scrutiny.

The malware features the following capabilities:

  • User creation – A function creates a user named ‘superadmin’ with a hard-coded password and admin-level permissions, while a second function can remove that user to wipe the trace of the infection
  • Bot detection– When visitors were identified as bots (e.g. search engine crawlers), the malware would serve them different content, such as spam, causing them to index the compromised site for malicious content. As such, admins could see a sudden increase in traffic or reports from users complaining about being redirected to malicious locations. Read more

Oct. 6, 2023: Fraud and Cybersecurity Articles

Banks Need to Be on the Cutting Edge of AI’s Double-Edged Fraud Sword

Courtesy of PYMNTS.com

The greatest innovations are those that democratize access to new skills and empower populations. Generative artificial intelligence (AI) promises to be one of those innovations. But a side effect of that democratization is that it can be used by anyone — even criminals and bad actors. And as AI continues to evolve, so do the tactics of fraudsters.

“Everyone has an equal ability to deploy technology, no matter who they are,” Karen Postma, managing vice president of risk analytics and fraud services at PSCU, told PYMNTS. Generative AI programs like OpenAI’s ChatGPT have made phishing and other behaviorally-driven fraud techniques not only more effective and convincing, but also easier to conduct on a larger scale.

“Utilizing generative AI, a fraudster can effectively mimic a voice within three seconds of having recorded data,” Postma said.

Fraudsters can use these recordings to impersonate individuals, potentially deceiving even the most cautious of consumers. The proliferation of AI-generated voices in scams poses a serious threat, eroding trust and making it difficult for individuals to discern genuine calls from fraudulent ones.

Staying Ahead of Fraudsters Means Never Losing a Step 

Because fraudsters are quick to adapt to new technologies and are relatively unconstrained by regulations or moral considerations, the pace of play bad actors take can make it challenging for credit unions and other financial institutions to keep up.

“Fraudsters are utilizing AI to not just commit attacks, but to become very good at committing these attacks,” Postma said. She added that traditional guardrails and red flags, like CVV (card verification value) mismatch, account not on file and number of declines, are becoming less reliable as cyber criminals increasingly use AI for their attacks. Adding to the challenge is that today’s bad actors operate across multiple channels, and detecting their activities requires a cross-functional analysis of data.

“If you have a tool that is monitoring your call center, a tool that is monitoring your online banking, and a tool that is monitoring your transactions — they might only be singularly seeing individual interactions, which might not necessarily look suspicious, but are really part of a pattern of bad activity,” Postma explained. This requires financial institutions to adopt a more holistic approach to fraud detection that combines data from various channels Read more

APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries

Courtesy of The Hacker News

In today’s interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors.

Download API Security Guide.

The API Revolution

The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and create innovative solutions rapidly. From extended healthcare services to e-commerce, APIs have become an integral part of our digital lives.

Why APIs are a Cybersecurity Risk

On the API side, the top-ranked vulnerability cited by the Open Web Application Security Project (OWASP) is now BOLA, or broken object-level authorization. This flaw can allow attackers to manipulate the ID of an object in an API request, in effect letting unprivileged users read or delete another user’s data. This is a particularly high-risk attack, given that it doesn’t require any degree of technical skill to execute, and intrusions resemble normal traffic to most security systems.

Detection logic must differentiate between 1-to-1 connections and 1-to-many connections among resources and users. Post-event BOLA attacks are difficult to see because of their low volume, and it does not show a strong indication of any behavioral anomalies, such as injection or denial of service.

2023 reports indicate cyberattacks targeting APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are especially interested in the recent influx of new devices under the Internet of Medical Things and associated apps and API ecosystem that has supported the provision of more accessible patient care and services. Another industry that is also vulnerable is manufacturing, which has experienced an increase in IoT devices and systems, leading to a 76% increase in media attacks in 2022. Read more

Sony Confirms Data Breach Impacting Thousands in the U.S.

Courtesy of Bill Toulas, BleepingComputer

Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information. The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world.

Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm did not provide a public statement until now. According to the data breach notification, the compromise happened on May 28, three days before Sony learned from Progress Software (the MOVEit vendor) about the flaw, but it was discovered in early June.

“On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” reads the notice. “An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony says in the data breach notification.

Sony says the incident was limited to the particular software platform and had no impact on any of its other systems. Still, sensitive information belonging to 6,791 people in the U.S. was compromised. The firm has individually determined the exposed details and listed them in each individual letter, but it is censored in the notification sample submitted to the Office of the Maine Attorney General.

The notification recipients are now offered credit monitoring and identity restoration services through Equifax, which they can access by using their unique code until February 29, 2024.

CISA: More than a Password. Protecting Yourself from Malicious Hackers with Multifactor Authentication

Ever worry about getting hacked? Same…

Your password isn’t protecting you the way you think it is. Especially if someone can guess your password from looking at your social media. But let’s say you have a complex password – or a password manager even – unfortunately malicious cyber actors still have ways to get past your password. And once they’re in your accounts… you can wave bye-bye to your money, and possibly your identity.

So, what do you need? More than a Password! A second method to verify your identity.
Multifactor authentication (MFA) can make you much more secure. Taking the extra step beyond just a password can protect your business, online purchases, bank accounts, and even your identity from potential hackers.

Different ways to say MFA:

  • Multifactor Authentication
  • Two Step Authentication
  • 2-Step Verification
  • Two Factor Authentication
  • 2FA

What is Multifactor Authentication?
Prove it’s you with two! … Two step authentication, that is. 

MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password.

Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.

Online services want to make sure you are who you say you are, and—more importantly—they want to prevent unauthorized individuals from accessing your account and data. So, they are taking a step to double check. Instead of asking you just for something you know (e.g., a password)—which can be reused, more easily cracked, or stolen—they can verify it’s you by asking for another piece of information. Read more