Tag Archives: Business Email Compromise

Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an exposé on how the State Department granted a U.S. company an ITAR license to train UAE spies in hacking.  The plan was to constrain what the UAE spies could do, but it got out of control: once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even on Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes' Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while the Malwarebytes stats reflect what their endpoint protection software actually sees, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, unlike the consumer world, ransomware detections are up 189% since Q4 2018 and 508% since Q1 2018.  Businesses are definitely being targeted.

One thing that is not clear from the report is whether these counts include both successful and blocked ransomware attacks; since the data comes from an endpoint security product, they likely do, so a detection is not the same as a paid ransom.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business Email Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens: a small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training, and I bet they get some, after the horse and their money are out of the barn.  Source: KnowBe4.

Supply Chain Risk is a Major Problem

Germany-based CityComp, whose clients include SAP, BT and Oracle, was hacked earlier this month.  The hacker demanded $5,000, which was not paid, and claims to hold over 500 GB of data in 312,000 files, which is now set to be released.  Their clients' data will be exposed because a vendor was hacked, in part because those clients' vendor cyber risk management programs did not impart the seriousness of cybersecurity to that vendor.  Supply chain risk is a critical problem that is not being adequately handled.  Read the details at The Register.

Google Adds New Option to Auto-Delete Some History

Google says that it will begin rolling out a couple of privacy changes.  Although they are small changes, any change in this direction is a good thing.

Google will let you specify how long it keeps your web and app activity and location history, but there are only three options: until you delete it, 18 months, or 3 months.

You could before, and still can, turn the collection off completely, but that makes some Google functions less useful in some people's view.

Ultimately a small, but good, move.  Source: The Hacker News.

Global Security Officials Meet to Hammer Out 5G Security

Security officials from the United States and some 30 European Union and NATO countries, as well as Japan and Australia, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set out security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it, fellas.  They may have just played the Chinese.  Source: Reuters.

New Business Email Compromise Scam Variant

Some of the most popular business email compromise (BEC) scams target accounting and finance or human resources.

The scam usually works something like this.  Someone in the target department, often not too high up in the food chain, gets an email pretending to be from an executive like the CEO or CFO.

The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.

The mid-level person, wanting to please the executive and having been told that it is urgent, quickly processes the request without the normal thought process.

Over the past couple of years this has led to billions of dollars in losses, but companies have been doing extensive employee training, so this attack is not working as well as it used to.

So now a new attack method has been added to the mix.

Steal an employee's credentials, log on to the HR platform and change the direct deposit information.  The employee is completely unaware until they don't get paid, and by the time they talk to HR the attacker has already emptied the account.

Now the company has a problem:

  1. Do they believe the employee who says he or she didn't change the direct deposit instructions?
  2. The employer did nothing wrong, so do they just eat the loss and pay the employee twice?

I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.

If that vector doesn't work, target the HR employee instead.  Using that account the attacker can change several paychecks at once and get a bigger payday.

Or both.

There are a number of things that an employer can do to protect themselves and their employees.

First of all, if you do not have two factor authentication in place, do that now.  If you are using an outsourced payroll/HR system and that vendor doesn't support two factor authentication, "encourage" them to do so with a contract clause that makes them financially liable for any losses caused by its absence.

Geofencing restricts access to your HR system to a limited geographic area.  For example, if your company only operates in the continental U.S., block access from any IP address outside the U.S.  This is not perfect (an attacker can route through a U.S. VPN exit or a compromised U.S. host), but it does make the hackers work harder.

Finally, generate a report just before each payroll run (assuming the hackers will try to make changes at the last minute so they can't be undone in time) of all direct deposit changes made during that pay period.  If the number of changes, where they came from, or anything else seems out of whack, sound the hacker alarm and confirm the changes with the employees by phone before the run goes out.

And of course, educate people.

None of these changes should be particularly expensive or hard to do and could save you significant pain.
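The pre-payroll review and the geofence described above, as an added example that is not part of the original post: a small Python audit over a constructed export of direct deposit changes.  It assumes the HR system can export who changed which record, when, the country of the source address (GeoIP already resolved), and the new destination; the field names, the sample records and the thresholds are all assumptions, not any vendor's format.  It also generalizes the post's advice slightly by flagging several employees whose pay now lands in the same account and one HR login rewriting many records in a burst.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical HR/payroll audit log (not any
# vendor's real format). "actor" is the account that made the change; an
# employee editing their own record has actor == employee. "country" is the
# GeoIP result for the source address, assumed to be resolved already.
SAMPLE_CHANGES = [
    {"employee": "E100", "actor": "E100",    "when": "2019-04-22T09:15:00", "country": "US", "routing": "011000015", "account": "9001"},
    {"employee": "E101", "actor": "E101",    "when": "2019-04-29T23:40:00", "country": "NG", "routing": "021000021", "account": "4477"},
    {"employee": "E102", "actor": "HR-jdoe", "when": "2019-04-30T02:05:00", "country": "US", "routing": "021000021", "account": "4477"},
    {"employee": "E103", "actor": "HR-jdoe", "when": "2019-04-30T02:07:00", "country": "US", "routing": "021000021", "account": "4477"},
    {"employee": "E104", "actor": "HR-jdoe", "when": "2019-04-30T02:09:00", "country": "US", "routing": "021000021", "account": "4477"},
    {"employee": "E105", "actor": "E105",    "when": "2019-04-18T14:00:00", "country": "US", "routing": "121000248", "account": "5520"},
]

# Assumed policy for this payroll run.
PAYROLL_CUTOFF = datetime(2019, 4, 30, 12, 0)  # when the run locks
ALLOWED_COUNTRIES = {"US"}                      # geofence: company operates only in the U.S.
LAST_MINUTE = timedelta(hours=24)               # changes this close to cutoff get a second look
MAX_CHANGES_PER_ACTOR = 2                       # one HR login rewriting many records at once


def audit_direct_deposit_changes(changes, cutoff=PAYROLL_CUTOFF, allowed=ALLOWED_COUNTRIES):
    """Return (reason, subject, detail) alerts for the pre-payroll review.

    Four checks: change made from outside the geofence, change made inside the
    last-minute window before cutoff, several employees now paying into the
    same destination account, and one HR actor changing many records.
    """
    alerts = []
    by_destination = defaultdict(list)
    by_actor = Counter()
    for c in changes:
        when = datetime.fromisoformat(c["when"])
        if c["country"] not in allowed:
            alerts.append(("outside_geofence", c["employee"], c["country"]))
        if timedelta(0) <= cutoff - when <= LAST_MINUTE:
            alerts.append(("last_minute_change", c["employee"], c["when"]))
        by_destination[(c["routing"], c["account"])].append(c["employee"])
        if c["actor"] != c["employee"]:
            by_actor[c["actor"]] += 1
    for dest, employees in by_destination.items():
        if len(employees) > 1:
            alerts.append(("shared_destination", dest, tuple(employees)))
    for actor, n in by_actor.items():
        if n > MAX_CHANGES_PER_ACTOR:
            alerts.append(("bulk_changes_by_actor", actor, n))
    return alerts


def hold_payroll(changes, **kwargs):
    """True if anything was flagged: hold the run and verify by phone first."""
    return bool(audit_direct_deposit_changes(changes, **kwargs))


if __name__ == "__main__":
    for reason, subject, detail in audit_direct_deposit_changes(SAMPLE_CHANGES):
        print(f"{reason:24} {subject} {detail}")
    print("hold payroll:", hold_payroll(SAMPLE_CHANGES))
```

On the constructed data the report flags the Nigerian-sourced self-service change, four changes made in the overnight window before cutoff, four employees whose pay now goes to the same account, and the HR login that made three of those changes in four minutes; a change made twelve days earlier from an expected location is left alone.  The thresholds are deliberately tight because the cost of a false positive here is a phone call, while the cost of a miss is a paycheck.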

Source: Helpnet Security

SEC Investigates Companies That Send Wires to Scammers

You have probably heard about Business Email Compromise (BEC) attacks where scammers pose as company executives and ask the accounting department to wire money to them.

The FBI says this is highly effective and big business: $5 billion in losses since 2013.

In fact, the SEC found that nine publicly traded companies collectively wired almost $100 million to scammers.

Is the SEC worried that these companies lost money to bad guys?

No, not exactly.

They ARE worried that these companies violated Section 13(b)(2)(B)(i) of the Securities Exchange Act of 1934, which requires public companies to have appropriate internal accounting controls in place.

Wouldn't that be a bit of a bummer: to find out that you got fleeced out of $45 million (as one company did) and now you are being investigated over your accounting controls.

The SEC COULD sanction companies for having inadequate financial controls.

In some of the cases investigated, the Chief Accounting Officer was the one that was duped.

The good news is that the SEC has decided that none of THESE companies will be fined.

Whether the number is $100 million for nine companies or $5 billion over the last five years, the number is huge, and for anything other than a large publicly traded company this could be both a resume-generating event for you and an existential threat for your company.

So what can you do?

First of all, if you are responsible for your company’s money, you need to become educated about the problem.  Quickly!

You need to train your employees.  Not just once, but recurringly.  For small companies we have a program that lets you send test emails to all of your employees every day if you want (probably overkill!) for less than $20 per employee per year, and significantly less for bigger companies, so it is affordable (especially compared to wiring a million dollars to a scammer).

There is insurance that can be purchased to cover this loss.  Note that CGL (Commercial General Liability) insurance will not cover it, nor will fidelity insurance.  It is specialized coverage, but it is not particularly expensive.  If you don't have it, get it.  NOTE: some of these policies have quirks, so make sure you understand what the policy requires you to do in order to get reimbursed.

You also need to create written procedures that make it harder for an employee to accidentally wire money to the scammers.  Most of the time the scam starts with an email.  If you get an email changing payment instructions, even though it means extra work, you need to verify the change.  And NO! that does not mean replying to the email asking ARE YOU SURE?  Call back on a phone number you already had on file, or use another channel you have independently verified; anything inside the same email thread may be controlled by the attacker.

If this wasn't so damn profitable, scammers would stop.  Your employees are the only ones who can make it unprofitable.

Be part of the solution and save yourself a bucket of money on top of it.

Information for this post came from the SEC and from Big Law Business.

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First, the web site was based on WordPress.  While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data were accessed; only names, addresses, phone numbers, emails, etc. were compromised.  That is likely due to security-minded design decisions made early in the development of the site.  The site was down for almost a week, a disaster in the online ticketing business, and they will likely have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent on recovery and probably more megabucks to rebuild the site on something other than WordPress.  (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says it disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers.  That represents 0.3 percent (about one third of one percent) of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple's instructions), the FBI paid a third party to hack it.  Now Apple says that, in the next software release, it will disable data transfer over the charging port once a phone has been locked for an hour.  Why that port should ever have carried data while the phone was locked is not clear.  This will likely break some of the hacking tools that police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.  In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, eight more flaws were recently announced with differing degrees of difficulty and impact.  This week brings Lazy State, a flaw that allows a process to infer the contents of another process's floating point registers because of a timing optimization called lazy floating point state restore.  Some operating systems had already turned this optimization off (Red Hat Enterprise Linux), and any Linux variant running kernel version 4.9 or newer is also safe.  Others patched the flaw recently (OpenBSD, FreeBSD).  I assume Microsoft and Apple will fix it this month, since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because hackers think it is easy to do and the odds of getting caught are low.  This week it is Ethereum, and users lost about $20 million.  One more time, this is not an attack on the math but on the deployment: users left their Ethereum client's RPC management port open to the internet, which let the attackers empty their wallets.  (Source: The Hacker News)

Business Email Compromise Attacks Are Not Always Sophisticated

Business email compromise (BEC) attacks are relentless, with no let-up in sight.  BEC attacks have traditionally used CEOs and CFOs as their foils, pretending to be them and getting people to wire money to the hackers.

The oil and gas industry was targeted by a single individual using old, generic malware readily available online and scraping companies' web sites for email addresses.  It doesn't always require a sophisticated plan of attack.

One guy in his 20s targeting 4,000 organizations using a few fake Yahoo email addresses was all it took in this case.  Over a few months he successfully attacked a few large companies and got away with a lot of money.

According to Cisco's midyear cybersecurity report, businesses lost over $5 billion over the last three years.  That number is likely low, because a lot of companies don't want to let customers know they were hacked, possibly by a lone hacker using obsolete software and no infrastructure to support him.

One industry that is being hammered is real estate.  For the most part, industry members don't like talking about it, but every now and then we do hear stories.  One group that is often targeted is real estate agents.  These people are often one-person organizations with limited technical support and, in many cases, are not technically sophisticated.  And they act as trusted intermediaries between all the parties to the transaction.  My recommendation to real estate agents is to stay out of the middle of the finances and make that clear to the parties.  Otherwise they will potentially wind up in the middle of a lawsuit just for trying to help out.

In one example, a real estate agent got an email from a person claiming to be looking for a house.  The scammer then sent a link in another email, claiming it was a bank mortgage pre-approval letter.  In fact it was an attempt to steal the agent's email password.  If successful, the attacker could then silently read all of the agent's email.

As soon as the hacker sees an exchange about wiring funds, they can inject their own emails into the thread changing the instructions so the money is wired to them.

We have seen multiple cases where the money lost was well over a hundred thousand dollars.  For a company with the right kind of insurance, such a loss is a pain but manageable.  We know of one local company that lost close to $150,000 because it did not have the right coverage.

Homeowners who are buying or selling a house have no insurance, and the real estate agent or title company likely has zero liability to give them back the money.  They might have insurance coverage, but it depends a lot on exactly how the attack worked.

If the company does not have the right kind of insurance and does not have the funds to reimburse the buyer or seller, it will likely face a lawsuit and may go out of business.  For real estate agents, that could mean a judgement against them and bankruptcy.

We always tell people that they need to have the right kind of cyber insurance and the Cisco report gives 5 billion reasons why.

It is important to understand exactly what insurance coverage you do have and we strongly recommend that our customers seek out the advice of a cyber insurance knowledgeable insurance agent before purchasing cyber risk insurance.  Unfortunately, many agents who sell cyber insurance do not have the training needed to take care of the customer.  They are not bad people, just people who need more training before selling an insurance product that can be very complicated.

Information for this post came from Dark Reading .

Facebook and Google Fell For Business Email Compromise

Since we all know that misery loves company, it may bring some comfort that even Facebook and Google can fall victim to business email compromise scams.

In one way that makes perfect sense, since the weak link is always people.  On the other hand, you would think that big companies like Facebook and Google would have had controls in place, but apparently not.

What is staggering is the scale of the business email compromise.

ONE HUNDRED MILLION DOLLARS.

A hacker in Lithuania was recently arrested at the request of the U.S., but he claims he is innocent and is fighting extradition.

According to the indictment, filed in New York, he created false invoices for computer parts in the name of a legitimate Asian supplier, Quanta.  Both companies apparently buy lots of hardware from Quanta, so the invoices didn't seem out of line, I guess.  While the details in the indictment are not clear, I assume he supplied his own, special wiring instructions.

Because we are talking about Facebook and Google, the indictment only calls them Company 1, 2 and 3.  Quanta has admitted it is Company 1.  Facebook, in response to a request from Fortune, admitted it is one of the parties.  Google has just admitted that it is one of the parties as well.

Facebook said it was able to recover "the bulk of" the funds, whatever that means.  Google also said it recouped the funds.  For an attack as sophisticated as a hundred-million-dollar scam would have to be, it is surprising that he was not able to hide the money.  YOU should be so lucky.

The only difference between this attack and an attack on you or me, and the reason the Manhattan U.S. Attorney was willing to take the case, is the sheer size of it.

One question is whether this is a material event that needed to be disclosed to shareholders.  For either company, $50 million (half of the take) might not be material, and it certainly might not be if they got some or all of the money back.

Still, this shows that it can be hard to stop these guys, and companies really need to pay attention, especially when amounts that ARE material to smaller companies are involved.

Information for this post came from Fortune.
