CEO fraud reaches 1 in 6 users
With an average of 1 in 6 users receiving email-based impersonation attacks (CEO fraud attempts) , it spells bad news for organizations.
Cybercriminals need users to believe the emails being sent are legitimate. No better way can be found than to impersonate someone known to the sender. According to email security vendor Mimecast, email impersonation—aka CEO Fraud or Business Email Compromise—has risen 80% over last quarter in their latest Email Security Risk Assessment Report.
Impersonation works
Utilizing the findings from the inspection of over 140 million messages, Mimecast’s report is particularly statistically relevant and should be given the proper attention. The massive increase in impersonation denotes the cybercriminals finding greater successes with impersonation than without.
Over 40,000 impersonated email messages reached users’ inboxes, demonstrating that bad guy ingenuity can ... Read More
CEO fraud victims had weak cybersecurity
A recent U.S. Securities and Exchange Commission report of nine companies that had been victims of CEO fraud...had sufficient internal controls in place as required by law.
The report focused on what the FBI calls “business email compromise” and what in InfoSec circles is known as CEO Fraud: cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013.
In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each had securities listed on a national stock exchange and lost at least 1 million, though two lost more than 30 million and one ... Read More
Big $$ in social engineering
According to an alert published last year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:
Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a ... Read More
Business manager had a hacked email account
The bank isn’t always responsible for making you whole after a business email compromise. Indiana’s Lake Ridge Schools lost more than $120,000 from a seven-million-dollar construction fund established to build an athletic complex. The funds were stolen via a wire transfer ordered through a hacked email account. That account belonged to a business manager who was authorized to request payments.
The money was requested in the form of wire transfers to several people thought to be contractors on the project. At the time the wire transfers were requested, the business manager was on vacation and the bank, BNY Mellon had received an out-of-office notification days before.
Email had a different font
Lake Ridge Schools sued BNY Mellon, alleging that the bank’s failure ... Read More
Government shut down does not stop the thieves
Once again we are starting tax season, and Internet thieves are spinning up phishing campaigns to exploit the myriad opportunities afforded by this annual ritual to trick unsuspecting users into coughing up their money, identities, and the credentials to online accounts.
Curiously, these campaigns are proceeding even though the U.S. government is partially shut down, causing widespread confusion over whether the IRS will be sufficiently operational to process tax returns and issue refunds. The bad guys, of course, appear to be facing no operational difficulties and are more than happy to step in to take your refunds, your bank accounts, and your identity.
Although we have not as yet seen the now infamous W-2 phishing campaigns that have plagued previous tax seasons, they are almost ... Read More
California wildfires used for social engineering
Internet thieves are using the California wildfires as a social engineering tactic to trick you into buying gift cards supposedly intended for victims of the disaster, according to James Linton at Agari. The scammers send emails to employees of organizations posing as their CEO.
These CEO Fraud emails target employees who work in accounting, finance, or administration, and tell their recipients to purchase gift cards worth hundreds of dollars to be sent to clients affected by the fires. The employees are instructed to send photos of the codes on the purchased cards, after which the criminals can use online services to convert them into regular currency.
Scammers exploit tragedies
One of the demoralizing byproducts of large-scale tragedies is the tendency for scammers to exploit people’s charitable ... Read More
Office Depot found malware in scans...not really
Office Depot and its tech partner tricked customers into buying unneeded tech support services by offering malware scans that gave fake results, according to the FTC (Federal Trade Commission). Consumers paid up to $300 each for unnecessary services.
The FTC yesterday announced that Office Depot and its software supplier, Support.com, have agreed to pay a total of $35 million in settlements with the agency. Office Depot agreed to pay $25 million while Support.com will pay the other $10 million. The FTC said it intends to use the money to provide refunds to wronged consumers.
Office Depot caught claiming out-of-box PCs showed “symptoms of malware”
Between 2009 and 2016, Office Depot and OfficeMax offered computer scans inside their stores using a "PC Health Check" ... Read More
Triton got into a petrochemical plant
In the summer of 2017, a petrochemical plant in Saudi Arabia experienced a worrisome security incident that cybersecurity experts consider to be the first-ever cyber attack carried out with “a blatant, flat-out intent to hurt people.” The attack involved a highly sophisticated new malware strain called Triton, which was capable of remotely disabling safety systems inside the plant with potentially catastrophic consequences. It all started when someone launched a spear phishing attack and someone else clicked a link they should not have clicked.
Luckily, a flaw in the Triton code triggered a safety system that responded by shutting down the plant. If it hadn’t been for that flaw, the hackers could have released toxic hydrogen sulfide gas or caused explosions. As ... Read More
Phishing and File Sharing
Internet thieves have long used file sharing sites and services to host their malicious files. When they do this, they typically use the underlying service to generate download links that anyone can click without logging in to the hosting service.
Over the past month we started noticing apparently legitimate Dropbox emails pushing links to files with names suspiciously similar to those routinely used by the bad guys. When we clicked the links to check, however, we were greeted with a demand to log in to the service. That's typically been a sign that the files involved were legit.
Still, something wasn't right here. Given the file names presented, we reckoned there was little chance those files were innocuous. So, we decided to log in to ... Read More
Ransomware knocked most systems offline
Officials in Jackson County, Georgia, paid $400,000 to cyber-criminals this week to get rid of a ransomware infection and regain access to their IT systems. The County hired cyber-security consultant to negotiate ransom fee with hacker group. Jackson County officials have not yet confirmed how hackers breached their network.
The infection forced most of the local government's IT systems offline, with the exception of its website and 911 emergency system.
"Everything we have is down," Sheriff Janis Mangum told StateScoop in an interview. "We are doing our bookings the way we used to do it before computers. We're operating by paper in terms of reports and arrest bookings. We've continued to function. It's just more difficult."
Jackson County officials notified the FBI and hired a cyber-security consultant. ... Read More