Cyber Risk News

Delivery Scams Most Prominent Form of Smishing

Info Security - Mon, 08/16/2021 - 09:51
Delivery Scams Most Prominent Form of Smishing

Texts purporting to be from parcel and delivery companies are the most prevalent form of ‘smishing’ scams, according to new data provided to UK Finance by cybersecurity firm Proofpoint.

The data showed that over two-thirds (67.4%) of all UK texts reported as spam to the NCSC’s 7726 text messaging system, operated by Proofpoint, during the 30 days to mid-July 2021, were supposedly from delivery companies. The next highest category of scam texts was those pretending to be financial institutions and banks (22.6%).

Over the 90 days to mid-July, the proportion of spam texts relating to parcel and package deliveries was lower, at 53.2%, while those purporting to be from financial institutions and banks were 36.8%.

As with other forms of phishing campaigns, smishing attacks have risen substantially during the COVID-19 pandemic, with the crisis providing significant opportunities for scammers to lure consumers into clicking on malicious links and giving away personal data such as credit card details. One of these relates to the rise in online deliveries as a result of social distancing restrictions.

Katy Worobec, managing director of economic crime at UK Finance, commented: “Criminals are experts at impersonating a range of organizations and have capitalized on the pandemic, knowing that many of us will be ordering goods online and awaiting parcel deliveries at home.

“We are urging people to follow the advice of the Take Five to Stop Fraud campaign and to always stop and think whenever you get a text message out of the blue before parting with your information or money. Always avoid clicking on links in a text message in case it’s a scam and forward any suspected scam text messages to 7726, which spells SPAM on your telephone keypad so that the criminals responsible can be brought to justice.”

Sarah Lyons, NCSC deputy director for economy & society, said, “Scammers and cyber-criminals regularly exploit well-known, trusted brands for their own personal gain, and sadly these latest findings bear that out.

“We would encourage people to be vigilant to any suspicious-looking text messages, which should be forwarded to 7726. However, these scam messages can be very hard to spot, so if you think you've already responded to a scam, don't panic. Whether you were contacted by text message, email or phone, there's lots you can do to limit any harm. Visit for more information on how to protect your online accounts and devices.”

Last week, consumer group Which? warned consumers to be aware of a new smishing scam impersonating international parcel delivery firm DPD, which requests the user to send a small fee to rearrange delivery of a parcel.

Categories: Cyber Risk News

Half of US Hospitals Shut Down Networks Due to Ransomware

Info Security - Mon, 08/16/2021 - 09:50
Half of US Hospitals Shut Down Networks Due to Ransomware

Nearly half (48%) of US hospitals have disconnected their networks in the past six months due to ransomware, according to a new study from Philips and CyberMDX.

The Perspectives in Healthcare Security Report is based on interviews with 130 IT and cybersecurity hospital executives and biomedical engineers and technicians.

The findings revealed the outsized impact ransomware continues to have on healthcare organizations (HCOs) after they battled a surge in attacks during the early months of the pandemic.

Respondents who admitted to shutting down networks due to ransomware were a mix of those who did so proactively to avoid a damaging breach and those forced to do so because of severe malware infection.

Medium-sized hospitals appear to have suffered most from the impact of such attacks. Of respondents that experienced a shutdown due to external factors, large facilities suffered an average of 6.2 hours downtime at the cost of $21,500 per hour. In comparison, mid-size hospitals averaged nearly 10 hours at $45,700 per hour.

Skills gaps and low levels of investment in cybersecurity were highlighted as possible contributing factors. Just 11% of respondents said cybersecurity is a “high priority” for spending, while nearly half of all respondent types claimed their medical device and IoT security staffing levels are inadequate.

More concerning still is that many hospitals still appear to be exposed to severe legacy vulnerabilities: 52% of respondents admitted they’re not protected against the BlueKeep bug, rising to 64% for WannaCry and 75% for NotPetya.

CyberMDX CEO, Azi Cohen, claimed the report would help to raise awareness of critical cybersecurity deficiencies among many HCOs.

“With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security,” he added. “Hospitals have a lot at stake — from revenue loss to reputational damage, and most importantly patient safety.”

One of the first steps towards improving security posture is comprehensive asset discovery and inventory. However, here too many HCOs are currently failing.

Nearly two-thirds (65%) of respondents claimed they rely on manual methods to calculate inventory, with many of those from mid-size hospitals (15%) and large hospitals (13%) admitting they have no way to determine the number of active or inactive devices on their networks.

Categories: Cyber Risk News

'Jigsaw Puzzle' Phishing Attacks Use Morse Code to Hide

Info Security - Mon, 08/16/2021 - 09:19
'Jigsaw Puzzle' Phishing Attacks Use Morse Code to Hide

Microsoft has revealed a “unique” phishing campaign using novel techniques to stay hidden from conventional email security filters.

The primary motivation of those behind the emails is to steal usernames and passwords, IP addresses and location data that can be used as entry points for later attacks.

Classic social engineering techniques are employed to trick users into opening a .xls HTML file. Opening the attachment takes the victim to a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document.

However, the real interest lies in how the attackers have tried to obfuscate and evade detection — by dividing the HTML attachment into several segments before encoding them via various mechanisms.

“Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts,” said Microsoft.

“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”

Since Microsoft began tracking the campaign in July 2020, it has observed multiple iterations featuring various encoding mechanisms and techniques, including the hosting of segments on third-party sites and the use of Morse code.

“Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (‘Organization report/invoice’) and May 2021 (‘Payroll’) waves,” the tech giant explained.

“In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.”

Constantly changing, multi-layer obfuscation techniques like these require dynamic threat protection, Microsoft argued.

Categories: Cyber Risk News

Europol: Islamic State Propaganda Networks Are Thriving

Info Security - Mon, 08/16/2021 - 08:49
Europol: Islamic State Propaganda Networks Are Thriving

Official propaganda from the Islamic State (IS) dwindled during 2020 after disruption from Western coalition forces, but informal supporter networks continue to spread its message far and wide, Europol has warned.

The law enforcement agency’s latest Online Jihadist Propaganda report analyzed the key trends of last year, highlighting the persistence of terrorist content across multiple online channels.

“Jihadist terrorist groups dedicate significant efforts to set up effective online communication campaigns. The production and dissemination of propaganda content is integral to these efforts,” explained Europol executive director, Catherine De Bolle.

“Driven by digital innovation, these groups do not refrain from exploiting the latest technologies to broadcast their message to intended audiences.”

IS’s official propaganda capabilities remained muted in 2020 after significant losses of infrastructure and personnel, with video releases becoming increasingly rare, the report claimed.

However, “committed IS supporters and their networks” are stepping in to spread the group’s messages and advance operational activity both online and off, it added.

IS-supporting media outlets have expanded their digital output and offered assistance to these supporters on how to use private online channels to stay hidden.

“IS-aligned media outlets that specialize in cybersecurity, privacy, and encrypted communications remained committed to their mission of providing online security awareness to IS supporters,” Europol explained.

“The Electronic Horizons Foundations even established a virtual ‘weekly meeting’ with its technical support administrators to provide answers on technical and security-related questions. The virtual ‘meeting’ took place on the Element application.”

Campaigns from media outlets have also helped to inspire Supporter-Generated Content (SGC) productions across encrypted platforms like Telegram. These, in turn, help to direct and inspire lone actor attacks in the EU and elsewhere, the report noted.

Efforts are being focused on staging an IS revival in Iraq and Syria, publicizing its military gains in Africa and spreading the message that freeing IS prisoners around the world is a priority.

Categories: Cyber Risk News

Il Makiage Acquires Israeli AI Company

Info Security - Fri, 08/13/2021 - 17:19
Il Makiage Acquires Israeli AI Company

American tech-driven beauty brand IL MAKIAGE has acquired Israeli deep-tech AI-based computational imaging startup Voyage81 for $40m. 

IL MAKIAGE, which is based in New York City's Soho area, was relaunched in 2018 by brother and sister duo Oran Holtzman and Shiran Holtzman-Erel. Two years later, the company became the fastest-growing online beauty brand in the United States.

Voyage81 developed the only patented software in the world that gives smartphones hyperspectral imaging capabilities. Where a normal smartphone photo detects three wavelengths of color, Voyage81's software can detect 31. 

The acquisition of Voyage81 was the result of a long-running search for specific technology, according to IL MAKIAGE CEO Oran Holtzman.

“For the past two years, we have been searching for computational imaging solutions that can work in beauty and wellness to further advance our existing AI capabilities," said Holtzman. 

"I have met dozens of computer vision startups but could not find a technology that can fit our industry and was strong enough to fulfill our goals. Bringing on Voyage81’s patented technology and exceptional team to our tech and data science departments is a HUGE win for our company's future, our users, and the industry at-large."

The software developed by Voyage81 can analyze skin and hair features from a photograph taken with a smartphone and use that data to create maps of blood flow and melanin. This information can in turn be used to create personalized skincare.  

Voyage81's founder and CEO Niv Price is the former head of R&D at Unit 81, described by the Jerusalem Post as "the most elite technological unit in the Israeli Defense Forces."

Price said that when he met with IL MAKIAGE, he had no intention of selling the company he founded in 2019. 

"But after meeting Oran and learning about the company’s long-term vision, we realized that under the IL MAKIAGE platform, Voyage81 technology will serve and benefit hundreds of millions of consumers, fulfilling our founding goal,” said Price. 

Voyage81 isn't the only tech company to be snapped up by IL MAKIAGE. In 2019, the beauty brand acquired NeoWize, a Y Combinator-backed data science startup that develops advanced active machine learning algorithms.

Categories: Cyber Risk News

US Agencies Ordered to Pinpoint Critical Software

Info Security - Fri, 08/13/2021 - 16:50
US Agencies Ordered to Pinpoint Critical Software

The White House has ordered federal agencies to identify all the critical software in their systems and secure it.

The order was issued to the heads of executive departments and agencies on August 10 in a memo from the Office of Management and Budget's acting director, Shalanda Young. Recipients were given 60 calendar days from the date of the memo's publication to pinpoint the critical software. 

According to the memo, much of the software that the federal government relies on to perform its critical functions is "commercially developed through an often-opaque process that may lack sufficient controls to prevent the creation and exploitation of significant application security vulnerabilities."

Young writes that this situation has resulted in "a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended."

In the memo, Young references guidance released by the National Institute of Standards and Technology (NIST) on what constitutes critical software. 

An executive order on Improving the Nation’s Cybersecurity, issued by President Joe Biden on May 12, 2021, directed NIST to publish a definition of the term critical software.

The resulting definition of critical software published by NIST in June described it as "any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

• is designed to run with elevated privilege or manage privileges;

• has direct or privileged access to networking or computing resources;

• is designed to control access to data or operational technology;

• performs a function critical to trust; or,

• operates outside of normal trust boundaries with privileged access."

After identifying their critical software, agencies have one year to implement critical software guidance security measures decided upon by NIST.

“The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and, ultimately, the American people’s security and privacy,” the memo states. 

“The federal government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”

Categories: Cyber Risk News

Dallas Loses 8TB of Criminal Case Data

Info Security - Fri, 08/13/2021 - 16:10
Dallas Loses 8TB of Criminal Case Data

A large cache of criminal case data belonging to the Dallas Police Department (DPD) is thought to have been lost forever. 

About 22 terabytes of data went missing from the DPD computer database when data was migrated from an online, cloud-based archive to a server at the city's data center in April.

The data that disappeared included images, video, audio, case notes and other information gathered by police officers and detectives in relation to cases from before July 28, 2020. 

Dallas PD attribute the data's permanent departure to the actions of a single city IT employee who it says "failed to follow proper, established procedures" while performing the data migration.

Authorities softened the announcement of the loss earlier this week with news that approximately 14 terabytes of data have since been recovered. The DPD believes the remaining eight terabytes of information are gone forever. 

The quantity of information lost is considerable, since one terabyte can store as many as six million documents and 250,000 images.

District attorney John Creuzot said in a memo that it was "too soon to estimate how many cases will be affected and what the impact will be on those individual cases," but he was hopeful that duplicates of some of the data may have been stored elsewhere.

"It is possible that much of the missing evidence had already been uploaded to this office’s data portal prior to April 5," said Creuzot.

The absence of the case data was first noticed by city information technology officials on April 5. However, the Charlotte Observer reports that the district attorney's office was not notified of the loss until August 6. 

This notification reportedly followed complaints from prosecutors who suddenly found themselves unable to locate computer files on pending cases.

"It is concerning that it took four months for the Dallas Police Department to inform the district attorney of the loss of the data," said Dallas defense attorney Amanda Branan, the president of the Dallas Criminal Defense Lawyers Association.

Dallas Mayor Eric Johnson is calling for the Dallas City Council to launch an investigation into the data loss.

Categories: Cyber Risk News

UK Government Launches New Program to Expand Cyber Sector

Info Security - Fri, 08/13/2021 - 10:50
UK Government Launches New Program to Expand Cyber Sector

The UK Government has launched a new program to “spark a wave of growth” in the UK’s cyber sector.

The Department for Digital, Culture, Media and Sport (DCMS) announced the initiative, known as “Cyber Runway,” today. It will be delivered by Plexal, CyLon, Deloitte and The Centre for Secure Information Technologies (CSIT).

Cyber Runway will help entrepreneurs and businesses from across the UK—England, Wales, Scotland and Northern Ireland—have access to business masterclasses, mentoring, product development support, networking events and backing to trade internationally and secure investment. DCMS said it is aiming to support at least 160 organizations across the course of six months.

In the last financial year, the cybersecurity sector’s revenue grew by 7%. The number of companies in the sector grew by 21%, with the sector now worth £8.9bn (approximately $12.3m).

According to the DCMS, companies that have participated in the government’s cyber growth initiatives in the past have, on average, more than tripled their revenues year-on-year.

“The UK’s cyber sector is booming and we’re working tirelessly to ensure the benefits are felt by businesses and individuals right across the country,” commented Matt Warman, Minister for Digital Infrastructure. “Our new Cyber Runway program will help tackle barriers to growth, increase investment and give firms vital support to take their businesses to the next level.”

The program is looking to focus on Scotland, Northern Ireland, Wales, the North East, North West and the South West of England to support the UK government’s ‘levelling up’ agenda. It will also support founders and innovators from a “diverse range of backgrounds,” in a bid to grow underrepresented groups in the UK’s cyber sector such as women and people from Black, Asian and minority ethnic backgrounds.

Saj Huq, director of innovation, Plexal, said: “COVID-19 has catalyzed the need for effective cybersecurity across industries, and a record level of capital is being invested into the sector. But there is still a need for support for businesses at the earliest stages of their development and innovators and entrepreneurs from underrepresented communities still face barriers when entering the ecosystem.

“These are challenges we look forward to addressing with Cyber Runway by supporting the best innovators, regardless of their background or geography, to thrive and grow.”

Cyber Runway follows a number of other DCMS-funded cyber programs which have now completed. These include HutZero, Cyber 101 and Tech Nation’s cyber accelerator for scaleups.

Earlier this week, the National Cyber Security Centre (NCSC) unveiled the first five cyber firms to take part in another government-backed cyber startup program, which is designed to support innovative cybersecurity firms to develop products that will help protect critical areas of the UK’s economy and society from online harms.

Categories: Cyber Risk News

Sporting Fans Heavily Targeted by Bad Bots This Summer

Info Security - Fri, 08/13/2021 - 10:10
Sporting Fans Heavily Targeted by Bad Bots This Summer

Bad bot activity rose on sporting and betting sites during sporting events such as Tour De France, EURO 2020 and the Tokyo Olympics.

Imperva Research Labs has revealed that punters were left at risk of account takeover (ATO) attacks, leaving their digital wallets vulnerable to exploitation. Alarmingly, during the Tokyo Olympics, the company saw a spike in search engine impersonators during the first week and by week two, it grew by 103% above average.

“Bad bots typically masquerade as legitimate users to remain undetected,” explained Imperva researchers in a blog post. “Incoming traffic to sporting sites saw an unusual 48% increase in Yahoo impersonators, 66% increase in Baidu impersonators and 88% increase in Google impersonators.

“Imperva Research Labs also found ATO attacks grew 43% the week prior to the start of the Olympic Games, and spiked 74% during the first week of competition.”

In the run up to the EURO 2020 football tournament, the organization monitored a 96% year-on-year increase in bot traffic on global sporting sites. ATO attacks also spiked by two or three times the daily average on the days when England played.

Imperva also monitored a pattern of attacks getting larger as the tournament progressed with a notable peak occurring at the start of the Round of 16 teams. 

A similar trend was spotted at the beginning of the Tour De France—bot activity on sporting and gambling sites spiked 52% as the race was scheduled to begin.

“Bot comment spammers were pervasive, with traffic increasing 62%,” the blog post stated. “The spammers took advantage of the interest in the event to post comments in Russian about an array of topics including: adult sites, crypto, coupons/discounts, casino sites and loans and investment opportunities.”

ATO attacks are a type of fraud where cyber-criminals use a botnet to gain illegal access to accounts that belong to other users. According to Imperva, this is usually achieved through brute force login techniques such as credential stuffing, credential cracking or a dictionary attack.

“Gambling sites are a lucrative target for account takeover attacks because user profiles often have financial information or even funds stored,” explained the blog post. “A successful account takeover can result in financial fraud, theft of personal data or sensitive business information.”

According to the Imperva Bad Bot Report 2021, websites face an ATO attack 16% of the time. The report also found that one third of all login attempts in 2020 were malicious. With the English Premier League and other elite football leagues in Europe set to begin playing matches and the Beijing 2022 Winter Olympics and football World Cup in Qatar on the horizon, the organization is concerned that the threat of bad bots targeting fans during these global sporting events is likely to grow.

“The bad bot problem is increasingly complex as automated web activity accounted for more than a quarter of all web traffic in 2020,” Imperva added in its blog post. “This trend is likely to grow as fans spend more time online searching for scores, placing bets and engaging in sport community forums. To mitigate automated threats across web, mobile and APIs, companies must take proactive steps to keep their users’ data secure.”

The organization advises that sporting and betting sites should block or CAPTCHA outdated user agents and browsers, block known hosting providers and proxy services, monitor for failed login attempts and evaluate a bot protection solution such as web application and API protection (WAAP). 

Categories: Cyber Risk News

Over a Third of Organizations Damaged by Ransomware or Breach

Info Security - Fri, 08/13/2021 - 09:16
Over a Third of Organizations Damaged by Ransomware or Breach

Over one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months, according to new research.

In a survey conducted by the International Data Corporation (IDC), it was found that many organizations that fell victim to ransomware experienced multiple ransomware events. In the US, the incident rate was notably lower (7%) compared to the worldwide rate of 37%.

"Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street," commented Frank Dickson, program vice president, cybersecurity products, IDC. "As the greed of cyber miscreants has been fed, ransomware has evolved in sophistication, moving laterally, elevating privileges, actively evading detection, exfiltrating data and leveraging multifaceted extortion. Welcome to digital transformation's dark side.”

The research, entitled IDC's 2021 Ransomware Study: Where You Are Matters!, showed that the manufacturing and finance industries reported the highest ransomware incident rates. The transportation, communication and utilities and media industries reported the lowest.

When it came to paying the piper, only 13% of organizations said that they had experienced a ransomware attack and not paid the ransom. For those that did, the average ransom payment was almost $250,000, with a few large ransom payments of over $1m.

In the report shared the responses of nearly 800 IT decision makers and influencers. The July 2021 survey focused on topics such as attention by the board of directors, ransomware payments, size of ransomware, number of ransomware payments and the exfiltration of data. 

Based on the responses, IDC found that companies who were further along in the digital transformation journey were less likely to have experienced a ransomware attack.

Joseph Carson, chief security scientist and advisory chief information security officer at ThycoticCentrify, believes that traditional cybersecurity solutions have failed to prevent ransomware from infecting organizations and creating mass disruption: “Conventional, signature-based antivirus programs are unable to prevent and detect these types of attacks due to the unique and quickly growing variants of ransomware.

“Encrypting your data doesn’t necessarily deter ransomware attacks either,” he continued. “Attackers may still threaten to publicly disclose that data, expecting that others are willing to pay for the opportunity to break the encryption.”

The research comes after Accenture, the global consulting firm, was the victim of a ransomware attack known as Lockbit 2.0. The Australian Cyber Security Centre (ACSC) also alerted organizations in the country that cyber-criminals were frequently using Lockbit 2.0 ransomware.

“The ACSC has received reporting from several Australian organizations that have been impacted by LockBit 2.0 ransomware,” said the alert. “This activity has occurred across multiple industry sectors.”

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company, explained that while company culture of educating employees is helpful in preventing ransomware, it will “only get you so far.”

Categories: Cyber Risk News

Hacker Partially Returns Money Stolen in Cryptocurrency Heist

Info Security - Fri, 08/13/2021 - 08:00
Hacker Partially Returns Money Stolen in Cryptocurrency Heist

The hacker behind the largest-ever cryptocurrency theft ever recorded has paid back nearly half ($260m) of the money to the victim organization, Poly Network.

Earlier this week, it was reported that hackers exploited a vulnerability in Poly Network, a company that implements interoperability between different blockchains, that enabled them to change the address of the “keeper role” of a blockchain contract and “construct any transaction at will and withdraw any amount of funds from the contract.”

This enabled the hacker to transfer $610m to three different addresses.

Following the incident, Poly Network took to Twitter to urge the attackers to return the money, stating: “We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole are from tens of thousands of crypto currency members, hence the people.

“You should talk to us to work out a solution.”

The hacker subsequently posted a three-page ‘Q&A’ in which they provided more details on how they carried out the heist and claimed to have ethical motives, stating it was “always the plan” to return the funds and that they “not very interested in money.” The hacker added: "I know it hurts when people are attacked, but shouldn't they learn something from those hacks?"

Poly Network has since revealed that $260m of “assets” have been returned via three types of cryptocurrencies: $3.3m worth of Ethereum, $256m worth of Binance Coin and $1m worth of Polygon. However, $269m worth of Ethereum and $84m worth of Polygon are still not recovered.

Commenting on the story, Arseny Reutov, head of the application security research team at Positive Technologies, said: “When such a massive hack occurs, everyone's attention is fixed on a particular cryptocurrency address. Although DeFi is non-custodial, some protocols can blacklist any address, for example, USDT stablecoin, which blacklisted the attacker's address preventing him or her from moving the funds. 

“Withdrawing such a large amount of money is a challenge in cryptocurrency. Although there are some cryptocurrency mixers that can complicate the tracking of the funds, it appears the hacker quickly realized he or she didn’t  have a plan for this, which likely led to the decision to transfer the stolen funds back."

Speaking to Infosecurity, BitK, technical ambassador at crowdsourced bug bounty platform YesWeHack, provided more insights into the possible motives of the hacker: "Incidents in which a hacker steals money, or cryptocurrency in this instance, and then returns what they stole is not something you see every day. It’s clear the hacker intentionally targeted Poly Network and found a bug to exploit to their advantage. Whether they did this as a publicity stunt or to make a huge fortune is up for debate. There is no real way of knowing whether the intention was always to return the funds or if legal threats pressured them into doing so.  

"For businesses looking to avoid falling into the same predicament as Poly Network, one strong preventive method would be to work with ethical hackers in the context of a bug bounty program. This enables companies to identify flaws in advance, and thus prevent a malicious hacker from finding and exploiting them. However, in cases such as this which involve large sums of money or cryptocurrency, the bounty offered by the organization would have to be substantial enough to encourage the best hackers to participate and deter them from illegally taking the jackpot."

Categories: Cyber Risk News

Chanel Apologizes for Data Breach

Info Security - Thu, 08/12/2021 - 19:29
Chanel Apologizes for Data Breach

The Korean arm of French luxury brand Chanel has issued an apology after personal data belonging to its customers was exposed.

In a statement issued earlier this week, Chanel Korea blamed the data leak that happened on August 8 on a recent cyber-attack. A database belonging to the famed perfume and fashion brand is believed to have been compromised by a hacker or hackers at some point between August 5 and 6. 

Data exfiltrated in the attack and later leaked included some customers' names, birth dates, gender, phone numbers, and shopping history.

The Korea Herald reported that other sensitive information contained in the compromised database, including customers' IDs, passwords, and payment information, had not been leaked. 

"Parts of our database, containing the personal information of the customers who had registered for our cosmetics brand membership, have been compromised. The leaked personal information included names, birthdays, phone numbers and product purchase lists," Chanel Korea wrote on its official website. 

The company asked customers who suspect that their data has been misused to make contact by phone or email.

“We sincerely apologize to our customers for the matter and the inconvenience it caused," stated Chanel Korea.

The company went on to say that it has hired "a leading independent cybersecurity firm" to investigate the attack and gauge its full impact. 

Chanel Korea said that it had not found any "evidence of further impact on other systems and data" but had reported the incident to the Korea Internet & Security Agency (KISA). The matter is also under investigation by Korea's Personal Information Protection Commission (PIPC).

Customers are reportedly being informed of the cyber-attack and data breach via email and text messages. Chanel Korea has not published details on how many individuals were impacted by the security incidents. 

One Chanel Korea customer told the Korea Times that the brand ought to do more than just apologize to its customers.

They said: "When we think of Chanel, we expect the best-quality products and high-level service. That is why we spend thousands of dollars at their boutiques. Chanel Korea should compensate its customers who were affected by the cyber-attack."

Categories: Cyber Risk News

GoVanguard Acquires Gotham Security

Info Security - Thu, 08/12/2021 - 18:27
GoVanguard Acquires Gotham Security

A boutique cybersecurity firm that provides the financial, health care and retail sectors with custom security services has been acquired by technology security firm GoVanguard.

Gotham Security, acquired by the firm for an undisclosed sum, was described by GoVanguard CEO Mahdi Hedhli as a close partner of some years' standing. 

The headquarters of Gotham Security are situated a two-minute walk away from world-famous landmark the Empire State Building. The company, which specializes in professional security services and managed security SOC services, has a second office in Washington, DC. 

Gotham Security CEO Trevor Goering and COO Blake Shalem co-founded the company in 2013. Following the acquisition, Shalem will be joining GoVanguard as its chief customer officer.

She said: "This move allows us to elevate what we do best, which translates to a superior class of protection for our clients."

GoVanguard said the acquisition would allow it to provide elite-level cybersecurity to its clients, which include Odyssey Group, nTopology, Insurance Technologies, and Abacus Group. 

"As threat actors become more sophisticated, it's become obvious that the best defense is to go on the offensive. Adversary simulation has become increasingly valuable for organizations looking to quickly gauge and improve their security position. After all, if you can't measure it, you can't improve it," said Hedhli.

"Gotham Security has been a close partner for years, and this was a natural next step to allow our red-teaming experts to take our clients' defenses to the next level and continue our dedication to finding the security gaps before cyber-criminals do."

Gotham offers security assessments that include penetration testing, phishing vulnerability analysis, and an evaluation of an organization's system for weak points.

GoVanguard said that the acquisition was part of a move to provide clients with adversarial red-team tactic cybersecurity assistance that could identify and resolve vulnerabilities before cyber-criminals had a chance to strike. 

"We're doubling down on our commitment to improve the cybersecurity landscape by honing our focus on red teaming," Hedhli said. "We feel this is the area where GoVanguard makes the biggest impact for our clients and the industry as a whole."

Categories: Cyber Risk News

23 Charged Over BEC Scam

Info Security - Thu, 08/12/2021 - 17:21
23 Charged Over BEC Scam

Police in Europe have arrested nearly two dozen individuals on suspicion of being part of an international group of online fraudsters.

The alleged cyber-criminals are accused of cheating companies in at least 20 countries out of approximately $1.17m.

Charges were brought against 23 individuals on August 10. The suspects were taken into custody in a series of raids simultaneously carried out at 34 addresses in Ireland, Romania, and the Netherlands. 

Europol, which coordinated the action, said the cyber-criminal gang had been running scams for years, updating its tactics to exploit current events.

"The fraud was run by an organized crime group which prior to the COVID-19 pandemic already illegally offered other fictitious products for sale online, such as wooden pellets," said Europol in a press release

"Last year the criminals changed their modus operandi and started offering protective materials after the outbreak of the COVID-19 pandemic."

The group accused of running the scams is allegedly made up of individuals hailing from various countries in Africa, who relocated to Europe. There, they created fake web pages and email addresses that allowed them to impersonate legitimate wholesale companies.

Members of the group, posing as employees of these wholesalers, would then defraud other companies by soliciting orders from them and requesting payments in advance of goods' being shipped. 

Victims companies – most of which were located in Europe and Asia – sent the money in good faith; however, the goods they had ordered never arrived. 

Europol said that the gang's criminal proceeds "were laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs."

An ongoing investigation into the cyber-criminal gang has been supported by Europol since 2017. Assistance offered by the organization included the deployment of two of its cyber-crime experts to the raids that took place in the Netherlands to help secure relevant evidence and support Dutch authorities with cross-checking data against real-time information gathered during the operation.

This latest coordinated action against cybercrime follows an Interpol operation that led to the arrest of an alleged 45-year-old sexual predator and human trafficker on August 6 in Guatemala. The unnamed man is suspected of producing and distributing child sexual abuse material.

Categories: Cyber Risk News

Attackers Increasingly Turning to DDoS as a Ransom Vector

Info Security - Thu, 08/12/2021 - 11:37
Attackers Increasingly Turning to DDoS as a Ransom Vector

Nearly half (44%) of organizations have been targeted or fallen victim to a ransom-related distributed denial of service (RDDoS) attack in the past 12 months, according to a survey of 313 cybersecurity professionals by the Neustar International Security Council (NISC).

Interestingly, during the same period, a lower proportion (41%) of organizations were targeted by a ransomware attack, suggesting cyber-criminals are increasingly using DDoS attacks as a means of extorting money from victims.

Rodney Joffe, chairman of NISC, SVP and fellow, Neustar, explained: “Rather than spending a lot of time and careful planning on infecting an organization’s network with malware or ransomware, cyber-criminals are taking an easier approach and using DDoS as a ransom vector. For bad actors, launching a DDoS attack is relatively simple and also has the added benefit of being harder to trace back to its origin.”

The research indicates that this is an effective ransom tactic; 70% of organizations hit by RDDoS were targeted multiple times, and 36% admitted they paid the ransom. This compares to 57% of those infected by ransomware being targeted on multiple occasions, with the same proportion (36%) choosing to pay the ransom.

Neustar added that while RDDoS threats have traditionally targeted online industries, attackers are increasingly turning their attention to other sectors, including financial services, government and telecoms.

Worryingly, less than a quarter (24%) of cybersecurity professionals said they were ‘very confident’ in their organization’s knowledge of how to respond to an RDDoS attack. The respondents listed ransomware (70%), DDoS (68%) and targeted hacking (66%) as the most increasing cyber-threats to their organization.

Joffe commented, “It’s common for organizations to feel pressure to pay to get their website back up and running and avoid disruption. However, with attackers targeting the same company multiple times, paying the ransom only makes it more likely that you will fall victim again. Instead, businesses must take an ‘always on’ approach to DDoS security, ensuring that their site remains protected even in the event of an attack.”

Categories: Cyber Risk News

Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack

Info Security - Thu, 08/12/2021 - 10:56
Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack

Global consulting firm Accenture has been the target of ransomware group Lockbit, with the gang reportedly taking encrypted data from the company.

Lockbit says it will publish the data if Accenture does not pay the ransom, according to screenshots of the ransomware group’s website. Infosecurity has asked Accenture for a comment on the ransomware attack.

In a statement provided to CNN, an Accenture spokesperson told the international outlet., “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers.”

This data breach comes after the Australian Cyber Security Centre (ACSC) alerted organizations in the country that cybercriminals were frequently using Lockbit 2.0 ransomware. “The ACSC has received reporting from several Australian organizations that have been impacted by LockBit 2.0 ransomware,” explains the alert. “This activity has occurred across multiple industry sectors.

“Victims have received demands for ransom payments. In addition to data encryption, victims have received threats that data stolen during the incidents will be published.”

What is Lockbit 2.0?

Lockbit 2.0 was rolled out earlier this month — the latest version of the ransomware — and implements lots of additional features.

“With the recent international efforts on fighting ransomware, those gangs are finding it difficult to advertise their malware in hacking forums,” explains Felipe Duarte, security researcher, Appgate.  “A few posts from this new version of LockBit were spotted on a few forums frequented by cybercrime gangs, but they were quickly removed. This version is currently advertised on a new version of their website.

“Our team got access to LockBit’s deep-web site, where the ad is published along with data from victims that refused to pay the ransom,” continues Duarte. “Among the advertised capabilities is a new dangerous feature to encrypt entire Windows domains through group policies.

“After infecting a domain controller, the malware creates new group policies and pushes them to every device connected on the network. Those policies disable antivirus protections and execute the ransomware. Additionally, LockBit seems to have copied a feature from Egregor ransomware that, after a successful infection, sends to all connected printers a command to repeatedly print the ransom note.”

Appgate explains that the new version of Lockbit adds a new strategy to acquire affiliates — after encrypting a device, it sets the wallpaper to a ransom note and claims responsibility for the attack, and points to a more detailed one note .txt file.

“Now the set wallpaper also contains a recruitment ad, promising millions of dollars to employees that provides them access to the company systems so they can launch a ransomware attack,” the security researcher explains. “According to the ad, the access can be a valid credential or even executing a threat attached in an email.

“This strategy may seem unusual at first, but it’s somewhat common for companies to get breached by employees. For example, in 2020, a Russian citizen living in the U.S. was arrested after offering $1 million to a Tesla employee to deploy ransomware in Tesla’s internal network.”

What is Accenture’s response?

At the time of reporting, Accenture had not confirmed the details of the ransomware attack to Infosecurity. However, multiple news sources appear to show  Accenture giving little weight to the attack, with the company saying that it has had “no impact” on the business.

According to ZDNet, the consultancy firm provided a statement that says, “There was no impact on Accenture’s operations or on our clients’ systems.”

However, the outlet also reports that cybercrime intelligence firm Hudson Rock says that 2,500 computers of employees and partners were compromised in the ransomware attack. Another firm, Cyble, claims to have seen a ransom demand of $50 million for six terabytes (TB) of stolen data.

What is Accenture’s response?

At the time of reporting, Accenture had not confirmed the details of the ransomware attack to Infosecurity. When asked to provide further details, a spokesperson told Infosecurity: “We aren’t providing any more comment other than the statement.

However, from what we do know from multiple news sources, Accenture is downplaying the attack, saying it has had “no impact” on the business.

According to ZDNet, the consultancy firm provided a statement which says: "There was no impact on Accenture's operations or on our clients' systems."

However, the outlet also reports that cybercrime intelligence firm Hudson Rock says that 2,500 computers of employees and partners were compromised in the ransomware attack. Another firm, Cyble, claims to have seen a ransom demand of $50 million for 6 terabytes (TB) of stolen data.


Categories: Cyber Risk News

NCSC Launches Microsoft Office 365 Button to Report Business Email Spam

Info Security - Thu, 08/12/2021 - 10:54
NCSC Launches Microsoft Office 365 Button to Report Business Email Spam

UK employees can now use one single click to flag scam emails to the National Cyber Security Centre (NCSC), with the organization already receiving 6.5 million reports from the public since its original launch.

Launched today, the NCSC says it has made it easier than ever for employees in the UK to join the fightback against email scams targeting their organizations. Guidance has been published on how IT administrators can add a new reporting tool to their organizations’ Microsoft Office 365 accounts.

According to its announcement today, the NCSC, part of GCHQ, says that by clicking the new button, employees can report “potential scams directly to the NCSC’s Suspicious Email Reporting Service (SERS). It will also report the scam to the organization’s IT team.

Since its launch in April 2020, the NCSC says that its SERS has received over 6,500,000 reports from the public. The reports have resulted in the removal of over 87,000 scam URLs. In July, it took four hours on average to remove malicious URLs in phishing emails reporting to the SERS, according to the NCSC.

“Opportunistic scams during the pandemic have demonstrated how cyber-criminals constantly find new ways to target us,” says Dr. Ian Levy, technical director, NCSC. “The good news is that you can help protect your workplace by forwarding suspected scam emails to the [SERS] from your work email account at the click of a button.

“This simple technical innovation could enable millions more people to join our mission to stop scam emails from ever reaching UK inboxes.”

According to the NCSC, typical phishing URLs identified by its experts that target business organizations include: malware, clone login pages and enterprise software spoofs. Businesses in the financial services industry are expecting email-borne attacks to increase, as reported by Infosecurity, says a report by Mimecast.

This action by the NCSC is part of its Active Cyber Defence programme. It is also working in partnership with the City of London Police and has committed to protecting organizations from cybercrime, which it says cost them over £5 million in the last 13 months.

Mike Cherry, national chair of the Federation of Small Business, welcomes this innovation: “[These] are crucial to calling time on business crime. Small achievable steps will go a long way to protect thousands of small firms from cyber attacks.

“Every year, there are almost 4 million cases of cyberattacks against small businesses in the UK, and more than 50% of these come from phishing,” he continues. “We’d encourage as many small firms as possible to look further into this NCSC tool and see how they can implement it to protect employees as well as businesses from harm. And anyone can take part, any small business, employee or self-employed person can forward attempted scam emails to [email protected]

Categories: Cyber Risk News

Smartsearch Finds 10% Of Regulated Businesses Do No Checks on Business Customers

Info Security - Thu, 08/12/2021 - 10:22
Smartsearch Finds 10% Of Regulated Businesses Do No Checks on Business Customers

A regulatory technology (RegTech) company has launched a new campaign to encourage UK organizations to ditch manual “outdated” identification and verification methods for regulated businesses.

SmartSearch, based in West Yorkshire, UK, launched its Electronic Verification Uncovered campaign to raise awareness of the dangers of manual ID checks. As part of the campaign, it has published its SmartSearch Index report, conducted by 3Gem Market Research, to highlight the ongoing threat of money laundering in the UK.

The research, which surveyed 500 regulated businesses in the UK in June 2021, found more than a third (34%) of regulated businesses across the financial services, legal and property sectors still make manual checks when onboarding new customers. In the legal sector, manual verification methods are still preferred, says the report, with 42% of the firms saying it’s their preference. Whereas a third (33%) of financial services, banks and estate agents confirmed they relied on manual checks.    

SmartSearch also found that almost one in ten (8.5%) firms in the property agency sector said they do not verify customer ID at all, with 10% of all firms in the report saying they carry out no checks on business customers.

John Dobson, chief executive officer, says, “It’s really important for regulated businesses to realize that when it comes to secure methods of customer ID verification, documents are high risk and should be at least supplemented with reliable low-risk electronic verification. This is not only because of the increase in money laundering and financial crime we’ve seen since the start of the pandemic but also the increasing cost of manually complying with regulations.

“Businesses need to make due diligence and Know Your Customer (KYC) obligations more efficient in terms of speed and cost, as well as remaining secure and accurate,” he continues. “That is not possible by relying on checking passports, driving licenses and council tax bills.”

When SmartSearch asked the business why they still used manual verification methods, one-third said they felt hard copy documents reassured them that the customer was genuine. “It’s that kind of belief that we are looking to overturn with our campaign, because increasingly when you’re inviting a customer to send copies of hard documents for verification, you’re actually inviting fraud in through the front door,” explains Dobson.

According to the research, businesses cite “Issues of compliance” to be behind their decisions to still use manual methods of verification. A quarter overall (24%) say it meets Anti Money Laundering (AML) obligations and a further 30% claim it’s the only way to guarantee a person’s identity.

Categories: Cyber Risk News

Prison for Software Firm Fraudster

Info Security - Wed, 08/11/2021 - 17:37
Prison for Software Firm Fraudster

A Virginia businessman who conned his victims out of more than a million dollars has been sentenced to prison.

Glen Allen resident Gordon G. Miller III was the owner and operator of software engineering company G3 Systems and of purported venture capital company, G3i Ventures, LLC.

From 2017, the 56-year-old began running multiple fraud schemes to prevent his companies from going bankrupt and to fund his lifestyle in the absence of legitimate income.

In one scheme, perpetrated between 2017 and 2018, Miller posed as an entrepreneur with a significant net worth in an online question-and-answer forum to solicit contracts. 

To win the confidence of investors, Miller falsely claimed that he had multiple advanced degrees, as well as expertise investing in technology companies. This scheme alone netted Miller approximately $1 million, defrauded from at least 10 individuals.

Miller lied again about the extent of his educational accomplishments when carrying out another fraudulent scheme to divert a federal subcontract to his company, G3 Systems. After winning the contract, Miller fraudulently obtained more than $300K by submitting false invoices and timesheets. 

While investigating the company owner for fraud, federal agents executed a search warrant at Miller's house, where they discovered child sexual abuse material (CSAM). A further search warrant was then obtained for Miller's electronic devices. 

On those devices, agents discovered more than 11,000 images or videos constituting the sexual abuse of children, including content Miller had obtained between August 2017 and September 2020.

On February 16, Miller pleaded guilty to wire fraud, engaging in an unlawful monetary transaction using fraud proceeds, and receipt of CSAM. On August 6, Miller was sentenced to 151 months in prison. 

“Not only did the defendant defraud innocent victims through a million-dollar investment fraud scheme designed to maintain his lifestyle, but he also painfully contributed to the exploitation of children by collecting thousands of materials depicting child sexual abuse,” said Raj Parekh, acting US attorney for the Eastern District of Virginia.

He added: "We are thankful to the FBI and USPIS for their thorough investigative efforts and close partnership with our Office to hold the defendant accountable for his appalling conduct.”

Categories: Cyber Risk News

Digital Fraud Up, but Targets Have Changed

Info Security - Wed, 08/11/2021 - 16:06
Digital Fraud Up, but Targets Have Changed

The financial services industry is no longer the primary target for cyber-fraudsters, according to a new report analyzing global digital fraud in the second quarter of 2021. 

Researchers from global information and insights company TransUnion found that threat actors seeking to profit from online fraud are now focused on attacking the gaming and travel and leisure industries. 

Senior director of customer success, global fraud solutions at TransUnion, Melissa Gaddis, theorized that a change in the public's spending patterns following lockdown easing may have triggered the switch.

She said, "People are spending more, which gives fraudsters an opportunity to take advantage." 

In the United States, suspected online fraud attempts in Q2 2021 compared to the same period in 2020 grew slightly more than the overall global average. While US cyber-fraud attempts increased by 17.1%, the global increase was 16.5%. 

Sharp spikes consisting of triple-figure percentages were observed in the industries that have become fraudsters' new primary targets. In the United States, cyber-fraud in the gaming industry grew by 261.9%. Globally, the figure was even higher at 393%.

The leisure and travel industry saw an increase in online fraud of 136.6% in the United States and 155.9% globally. 

TransUnion based its report on an analysis of billions of transactions carried out across more than 40,000 apps and websites in industries including health care, gaming, financial services, insurance, retail, travel and leisure, and gambling. 

The data was evaluated using the company's identity-proofing risk-based authentication and fraud analytics software, TruValidate.

"What we are seeing has been fairly consistent since the pandemic started," said Gaddis. "People perpetuating fraud go to where the money is and go to where the opportunity lies."

The report found that one in three consumers had been targeted by online fraud that embraces a theme relating to Covid-19. Of those potential victims, a third (33%) had been sucked in and defrauded. 

"It's important for people to know that if they do fall victim to a scam, they aren't alone," Gaddis said, adding that "it takes all of us to really be vigilant to help fight it."

Categories: Cyber Risk News