Tag Archives: BEC

Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similiar to California’s existing IoT law and calls it strong security.  What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all and it doesn’t say how over the manufacturer will provide security updates.  It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet.  Source: The UK Gov web site.

 

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing it’s managed service provider (MSP) for messing up.  The fake invoices came from the business owner’s hacked email account which the MSP was supposed to protect.  Source: Channel Futures

 

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online.  They are still saying that it won’t impact their 2019 or 2020 financials.  Sources say that part of the losses will be covered by insurance.  This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance.  Source: Reuters

 

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations according to multiple sources.  They often turn over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy and in many ways they do, sometimes they make business decisions that they would prefer their customers not  know about.  Source: Reuters

 

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips.  Stay tuned;  it is a long journey.  Source: The L.A. Times

Facebooktwitterredditlinkedinmailby feather

Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous.  LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration.   They effectively breached themselves.  The data was a web server log with dates from Aug  9 to Oct 11 of this year.   It appears that there was no payment data in the log files, which is a good thing.  Also, they did not figure it out;  a security researcher told them about it.  1.6 billion records will cause them some pain.  The good news is that this happened before CCPA went into effect.  This time next month and it would have been a much, much more expensive breach.  Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a  global network of hundreds of fake accounts distributing pro-Trump messages which used AI to generate fake photographs to cover its tracks.  The accounts, they say, were associated with two media groups, the BL and Epoch Media.  They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, still, it is impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents  like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook doesn’t encrypt Messenger messages in a way they can’t read them, they are shifting their own messages from WhatsApp to Signal.  The reason?  They don’t want their messages to be intercepted.  Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well deserved reputation for being secure, but now the Russian software company Elcomsoft says that they can extract some information from iPhones, even before its first login after power up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11 that, it appears, will be impossible to fix.  If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on.  In theory, they only sell to good guys, but that definition is probably a bit loose.  Based on the price, the cops probably love it as they have complained that encrypted devices stop them from solving crimes.  Source: 9to5Mac

Facebooktwitterredditlinkedinmailby feather

$1.3 Billion is a Lot of Money

The FBI says that reported losses due to Business EMail Compromise attacks reached a whopping $1.3 billion in 2018, double the losses reported in 2017.

On the other hand, the number of ransomware complaints is down to levels reported in 2014.

There were 20,373 Business EMail Attacks reported last year, compared to 15,690 in 2017.   The losses in 2017 were $676 million, but increased to a whopping $1.297 billion last year.

For ransomware attacks, there were 1,783 attacks reported in 2017 and 1,493 attacks last year.   This represents $2.3 million in 2017 and $3.6 million last year (fewer attacks but more cost).

The Securities and Exchange Commission reported late last year that they investigated around a dozen companies who spent $98 million on Business EMail Compromise scams.

Also remember that this only represents what was reported to the FBI.  The total costs are unknown.

This probably means that people are getting better at backups and having emergency plans, so other than the massive ransomware attacks, people are beginning to understand what they need to do in order to avoid paying the ransom.  Are you prepared?

On the other hand, it apparently means that businesses have not gotten their arms around sending money to scammers.  The dollars basically doubled from 2017 to 2018.  That is not a good sign.

The attacks are, for the most part, straight forward.  Usually they send someone an email saying change the destination for a payment (ACH or wire into the scammers account) or create fake invoices and see if they get paid.  Creating some processes should really reduce the likelihood of falling for an attack.  One common thread to these scams is that they try to create a lot of urgency around getting the money out to them.  They probably figure that the longer the request is in accounting, the greater the chance that the scam will be detected.

Train your employees to resist the temptation to respond to the urgency, to walk down the hall to executive row if some large or odd request comes in and follow the defined payment processes.

$1.3 billion is a number that is enough to get my attention.  Does it get your attention?

Source: ZDNet.

Facebooktwitterredditlinkedinmailby feather

New Business Email Compromise Scam Variant

Some of the most popular business email compromise scams (BEC) target accounting and finance or human resources.

The scam usually works something like this.  Someone in the target department – often not too high up in the food chain –  gets a email pretending to be from an executive like the CEO or CFO.

The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.

The mid-level person, wanting to please the executive and being told that there is urgency, quickly processes the request without  the normal thought process.

Over the past couple of years, this has led to billions of dollars of losses, but companies have been doing extensive employee training so this attack is not working as well as used to.

So now a new attack method has been added to the mix.

Steal the credentials of employees, log on to the HR platform and change the direct deposit information.  The employee is completely unaware of this until they don’t get paid.  The attacker has already emptied the account by the time that the employee talks to HR.

Now the company has a problem:

  1. Do they believe the employee that he or she didn’t change the direct deposit instructions.
  2. The employer did nothing wrong so do they just eat the loss and pay the employee twice.

I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.

If that vector doesn’t work, target the HR employee.  Using that account the attacker could change several paychecks at once and get a bigger payday.

Or both.

There are a number of things that an employer can do to protect themselves and their employees.

First of all, if you are do not have two factor authentication in place, do that now.  If you are using an outsourced Payroll/HR system and that vendor doesn’t support two factor authentication, “encourage” them to do that by including a contract clause to make them financially liable for any losses caused by their lack of two factor authentication.

Geofencing is the technology that restricts access to your HR system to a limited geographic area.  For example, if your company only operates in the continental U.S., block access from any I.P. address outside the U.S.  While this is not perfect, it does make it harder for the hackers.

Finally, generate a report just before the payroll run (assuming the hackers will try to make changes at the last minute so that it can’t be undone in time) of all direct deposit changes during that pay period.  If the number of changes or the location of changes or anything else seems out of whack, sound the hacker alarm.

And of course, educate people.

None of these changes should be particularly expensive or hard to do and could save you significant pain.

Source: Helpnet Security

Facebooktwitterredditlinkedinmailby feather

Business Email Compromise Attacks Are Not Always Sophisticated

 

Business email compromise (BEC) attacks are relentlessly attacking businesses with no let-up in sight.  BEC attacks have traditionally used CEOs and CFOs as their foils, pretending to be them and getting people to wire money to the hackers.

The oil and gas industry was targeted by a single individual using old generic malware readily available online and scraping company’s web sites for email addresses.  It doesn’t always require a sophisticated plan of attack,

One guy in his 20s targeting 4,000 organizations using a few fake Yahoo email addresses was all it took in this case. Over a few months he successfully attacked a few large companies, getting away with a lot of money.

According to Cisco’s midyear cybersecurity report, over the last 3 years, businesses lost over $5 billion.  Likely, this number is low because a lot of companies don’t want to let customers know that they were hacked – possibly by a lone hacker using obsolete software and no infrastructure to support him.

One industry that is being hammered is the real estate industry.  For the most part, industry members don’t like talking about it, but every now and then we do hear stories.  One group that is often targeted is real estate agents.  These people are often one person organizations with limited technical support and, in many cases, not technically sophisticated.  And, they act as trusted intermediaries between all the parties to the transaction.  My recommendation to real estate agents is to not get in the middle of the finances and make that clear to the parties.  Otherwise they will potentially wind up in the middle of a lawsuit just for trying to help out.

In one example, a real estate agent got an email from a person claiming to be looking for a house.  The scammer then sent a link in another email to the agent, claiming that the link was a bank mortgage pre-approval letter.  In fact, it was an attempt to steal the agent’s email password.  If successful the attacker, could then, silently, read all of the agent’s emails.

As soon as the hacker sees an exchange with information about wiring funds, they can inject their own emails changing those instructions and wiring money to them.

We have seen multiple cases where the money lost was well over a hundred thousand dollars in each case.  For a company, with the right kind of insurance, while this loss is a pain, but it is manageable.  We know of one local company that lost close to $150,000 because they did not have the right insurance coverage.

For homeowners who are either buying or selling a house, they have no insurance and the real estate agent or title company likely has zero liability for giving you back the money.  It is possible that the might have insurance coverage, but it depends a lot on exactly how the attack worked.

If the company does not have the right kind of insurance and they don’t have the funds to reimburse the buyer or seller, that company will likely face a lawsuit and may go out of business.  For real estate agents, that could be a judgement against them and bankruptcy.

We always tell people that they need to have the right kind of cyber insurance and the Cisco report gives 5 billion reasons why.

It is important to understand exactly what insurance coverage you do have and we strongly recommend that our customers seek out the advice of a cyber insurance knowledgeable insurance agent before purchasing cyber risk insurance.  Unfortunately, many agents who sell cyber insurance do not have the training needed to take care of the customer.  They are not bad people, just people who need more training before selling an insurance product that can be very complicated.

Information for this post came from Dark Reading .

Facebooktwitterredditlinkedinmailby feather

Leoni AG Lost $44 Million to CEO Fraud

Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products.   They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros.  You would think that a company like this would not fall for a business email compromise scam.  But they did.

CEO fraud, AKA Business Email Compromise (BEC) , cost Leoni AG almost 40 million euros to the scammers.  BEC is a huge problem with the FBI saying that it is costing companies worldwide over $2 billion during the last several years.

The scammers had done their homework.  They targeted a subsidiary of the company in Romania.  It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires.  They targeted that one.

They sent an email that looked like it came from the CFO in Germany.

People inside the company said that it was common to send money that way.  Even large amounts of money.  40 million Euros later they hopefully are reconsidering that strategy.

I continue to be amazed that large companies – Leoni has revenues of over $4 Billion Euros – authorize wires via email.  And then they are surprised that they are taken to the cleaners for almost $45 million.

The company’s press release said hackers used falsified documents and identities and electronic communications channels to perpetrate the scam.  This means that they pretended to be the CFO and sent an email requesting the wire transfers.

The good news is that 40 million Euros, while substantial, will not cause the company to go under.  Their profit before taxes in 2015 was around 150 million euros.

Unfortunately, for many companies that fall victim to a business email compromise attack, that isn’t the case.  In some cases, the attack has a very significant financial impact on the business.  I wrote about a company yesterday that went out of business as a result.

This incident makes me ask some questions.  Consider what the answers for your company are.

  1. Can someone send an email, pretending to be, say, the CEO or CFO, to someone in accounting asking to wire some money to some random bank account in a foreign country and no one says anything about it BEFORE sending the payment?
  2. Is there a policy that dictates how employees are supposed to handle requests for payments made via email?  For example, is there a validation process?  Does the request require approval?  Is there a dollar value threshold above which extra authorization is required (such as $40 million)?  What about if the sender says that this is a super-secret hush-hush deal?
  3. Does your company attempt to phish its employees as part of its training program?  If so, how often is that done?  HINT:  Doing it once a year as part of the review of corporate HR policies probably won’t have much of a positive effect.
  4. Does your insurance cover this loss?  Typically cyber insurance does not cover it, nor does general liability.  Since the employees voluntarily sent the money, it is not covered by forgery coverage.  Some insurers are creating a social engineering coverage to address this.  To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.

This is a significant business problem that can only be addressed by training people.  This is not a technology problem.  And since it is so profitable, it is not going away any time soon.

 

Information for this post came from Leoni’s press release on the issue.

Facebooktwitterredditlinkedinmailby feather