Fraud & Cybersecurity

Nov. 22, 2024: Fraud & Cybersecurity Articles

Now Hackers Are Using Snail Mail in Cyber Attacks—Here’s How

Davey Winder, Forbes

In what I can only describe as a first in my decades of real-world experience covering cyber attacks of all shapes and sizes, cyber criminals have turned to decidedly old technology to distribute malware according to this new warning from the Swiss National Cyber Security Centre: snail mail.

Yes, you read that right. It appears that good old-fashioned paper letters posted in envelopes with stamps on them, are being used as the starting point in a bunch of new phishing cyber attacks. Here’s what we know.

Hackers Are Using Printed QR Codes Sent By Snail Mail In Latest Swiss Cyber Attacks
As first reported by The Register, the Swiss National Cyber Security Center has issued a warning to citizens of Switzerland after cyber attacks employing the physical postal service were uncovered. The letters, posted using what we used to call snail mail in the early days of email, purport to have been sent by MeteoSwiss, the Swiss Federal Office of Meteorology and Climatology. The letters are, of course, fake. However, the QR code that is printed on them with so-called advice to download a severe weather warning app, is very real indeed. As is the threat posed to anyone who should do so.

The app itself is designed to look similar to the genuine Alertswiss app that comes from the Swiss Federal Office for Civil Protection. However, rather than alert the user to danger, the app is the danger in and of itself. The QR code, if scanned using the recipient’s smartphone, will download malware by the name of Coper, also known as Octo2. Once installed, this will attempt to steal sensitive data from apps already loaded on the device, including banking apps, the Swiss NCSC said. Read more

An Interview with the Target & Home Depot Hacker

Krebs on Security

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.

Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year’s story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.

Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the U.K. and U.S. for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. Read more

Phishing Emails Increasingly Use SVG Attachments to Evade Detection

Lawrence Abrams, Bleeping Computer

Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection.

Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image. SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code.

Using SVG attachments to evade detection
The use of SVG attachments in phishing campaigns is nothing new, with BleepingComputer reporting about their usage in previous Qbot malware campaigns and as a way to hide malicious scripts. However, threat actors are increasingly using SVG files in their phishing campaigns according to security researcher MalwareHunterTeam, who shared recent samples [1, 2] with BleepingComputer.

These samples, and others seen by BleepingComputer, illustrate how versatile SVG attachments can be as they not only allow you to display graphics but can also be used to display HTML, using the <foreignObject> element, and execute JavaScript when the graphic is loaded.

This allows threat actors to create SVG attachments that not only display images but also create phishing forms to steal credentials. As shown below, a recent SVG attachment [VirusTotal] displays a fake Excel spreadsheet with a built-in login form, that when submitted, sends the data to the threat actors. Read more

Fintech Giant Finastra Confirms It’s Investigating a Data Breach

Carly Page, TechCrunch

Finastra, a London-based financial software company that serves most of the world’s top banks, has confirmed it’s investigating a data breach after a hacker claimed a compromise of the company’s internal file-transfer platform.

In a statement given to TechCrunch, Finastra spokesperson Sofia Romano confirmed the fintech giant detected what it calls “suspicious activity” related to an “internally hosted Secure File Transfer Platform (SFTP)” on November 7.

News of the breach, first reported by cybersecurity journalist Brian Krebs, comes after someone claimed on a known cybercrime forum to be selling stolen files allegedly belonging to Finastra’s largest banking clients. In a since-deleted forum posting, the hacker said they were in possession of 400 gigabytes of data from Finastra, including client files and internal documents.

In an incident disclosure shared with customers, obtained by Krebs, Finastra confirmed data was exfiltrated from its systems. Finastra’s spokesperson, who declined to share a copy of the disclosure with TechCrunch, said the company first communicated the incident to customers on November 8 and has been “keeping them informed about what we do and do not yet know about the data that was posted.” Read more

Nov. 15, 2024: Fraud & Cybersecurity Articles

The Biggest Inhibitor of Cybersecurity: The Human Element

Essential steps such as security awareness training, MFA, and Zero Trust identity management help organizations reduce the human element and stay ahead in the cybersecurity curve.

Torsten George, Security Week

Global spending on information security is projected to reach $212 billion in 2025, reflecting a 15.1% increase from 2024, according to Gartner’s latest forecast. Despite this surge in investment, breaches remain rampant, as seen in recent incidents such as the ransomware attack on Change Healthcare and a brute-force campaign exploiting vulnerabilities in various Cisco products. While technology plays an essential role in fortifying organizations against cyber threats, adversaries continue to exploit the weakest link in the defense chain: the human element. According to the 2024 Verizon Business Data Breach Investigations Report (DBIR), the human element was a component of 68% of all data breaches. It is often said that the most sophisticated security controls can be undermined by a single click from an uninformed or careless employee. This highlights an urgent question: how can organizations strengthen this vulnerable link in cybersecurity?

The Current Threat Landscape
Despite advancements in cybersecurity tools, strategies, and AI, the human element remains a constant vulnerability. As fallible beings, people are susceptible to phishing and social engineering tactics that attackers use to infiltrate IT environments. The 2023 ransomware attack on MGM Resorts is a case in point: it began with social engineering when a threat actor tricked a help desk attendant into resetting a password without proper verification.

Inadequate password practices and accidental data leaks further expose fortified networks to cyber threats. Increasingly, attackers do not have to “hack in”; they simply log in using weak, default, stolen, or otherwise compromised credentials.

Many of these breaches are preventable through basic cyber hygiene. However, organizations often allocate the majority of their security budgets toward protecting network perimeters rather than implementing measures to counteract the human element—a crucial oversight. Read more

Gmail Users Beware—Link Hovering Attacks on The Up

Davey Winder, Forbes

Cybersecurity awareness month has now been and gone, but hopefully, the lessons learned during October will remain with users for some time.

One of those cybersecurity awareness lessons is never to trust links you see in your email, as they could easily be malicious and part of a phishing campaign. The general consensus of security opinion is that, at the very least, you should always hover your mouse pointer over a link so as to reveal the actual URL destination rather than just the link text that could say anything at all. But what if hovering over a malicious URL showed you the same fake link details as the link text? Cyber criminals are using a relatively simple technique to obfuscate the true destination of a malicious link for Gmail users who look to the web client rather than an app for their email. Here’s what we know about this attack tactic.

Is It Safe To Hover On Links, Gmail User Asks—The Answer Is Complicated
My attention was drawn to the Gmail subreddit when a poster on Nov. 06 posed the question: “Is it safe to hover on attachments (without actually clicking/downloading it)? The question asker was concerned as they had hovered on an attachment and then deleted it without clicking or downloading but worried the act of hovering may have triggered a malicious execution of some kind. The answers were valid and expected, essentially agreeing it’s safe to hover as long as you don’t click.

My interest was piqued, however, as the “hover don’t click” message is often preached as part of the gospel of good security when it comes to dealing with links in email. By hovering over a link you can quickly see where it’s actually taking you rather than where the link text says it is taking you. This ploy is a perennial favorite among the phishing fraternity and has been for decades now. Read more

Deepfake Ecosystem Develops Around Apps, Services as Detection Fights to Keep Pace

Joel R. McConvey, Biometric Update

Detection, prevention efforts require resources equal to those invested in crime

Deepfakes are the topic du jour in the biometrics and identity verification industries, which are increasingly involved in the global effort to detect deepfakes and prevent the serious harms they can cause to individuals and social structures. Convening a number of experts from industry and government, the Detecting Deepfakes Summit is the latest forum to peer under the hood when it comes to deepfakes, and how the world can adequately prepare to face the threat.

“This is such a difficult problem,” says panelist Kay Chopard, executive director of the Kantara Initiative. The issue is global and touches everything from the courts and the world of organized crime to Hollywood stars to the online lives of women and children being victimized by abusers.

Among regulators, researchers and private firms, efforts are ongoing to contain the spread of harmful deepfake content. But often, a deepfake only needs to be shared for a brief time to reach many people, and its impact can reverberate even after it is taken down. Meanwhile, standards and legislation lag behind the technological development of generative AI and other tools for creating ever-more sophisticated deepfakes.

“We really have to have ways to come together,” Chopard says. “We have to find ways to agree.”

Finding consensus on a topic as complex and dynamic as deepfake abuse is difficult. Money and resources earmarked for defense and deepfake detection are not proportional to the investments being made on the criminal side. As the upward curve of deepfakes appearing in daily life rises and the accompanying regulatory curve slopes much more slowly, the problem will only become more urgent. Read more

Major Breach at American Debt Services Firm Exposes Data of Over a Million Customers

Sead Fadilpašić, Tech Radar

Set Forth reportedly lost sensitive information on many customers

  • Set Forth confirms suffering a data breach in May 2023
  • Roughly 1.5 million people were affected by the incident
  • Set Forth offers 12 months of identity theft protection

American debt services company Set Forth has confirmed suffering a data breach incident in which sensitive information on more than a million people was stolen.

In a data breach notification letter sent to affected customers, the company said it identified “suspicious activity” on its systems on May 21 2024.

After implementing its incident response protocols, and engaging third-party forensic experts which investigated the incidents, the company determined that some personal information from its customers, as well as their spouses, co-applicants, or dependents, was stolen.

Defending the premises
The data stolen in the attack includes people’s names, postal addresses, birth dates, and social security numbers. In a subsequent filing with the Office of the Maine Attorney General, Set Forth confirmed that 1.5 million people were affected by this breach. Read more

Nov. 8, 2024: Fraud & Cybersecurity Articles

DocuSign Exploit Lets Hackers Send Fake Invoices

Lars Daniel, Forbes

In a recent cyber threat development discovered by the Wallarm security firm, attackers are exploiting DocuSign’s API capabilities to deliver fake invoices that are bypassing traditional security measures.

By leveraging legitimate DocuSign accounts and API access, threat actors are sending carefully crafted invoices directly to targets’ inboxes, with messages that look convincingly authentic.

How Attackers are Using DocuSign’s API to Evade Detection
DocuSign, a widely used digital platform for managing secure electronic agreements, has inadvertently become a tool for scammers through its API environment.

APIs, or Application Programming Interfaces, allow developers to integrate DocuSign’s services into other applications and automate document workflows. By gaining access to DocuSign’s API, attackers with legitimate accounts can create and send documents that appear to be genuine invoices or payment requests.

This phishing technique is particularly dangerous because of its strategic design:

  • No Malicious Links or Attachments: Many phishing attempts are detected by email filters looking for suspicious links or attachments. In this scheme, however, attackers send invoices that contain no direct links or attachments—just seemingly legitimate payment instruct them harder to flag as suspicious.
Deepfake Detectives Lay Out Types of Deepfakes and Common Attack Points

Joel R. McConvey, Biometric Update

The existence of deepfake detection implies the existence of deepfake detectives. That’s arguably the role of the Kantara DeepfakesIDV discussion group, a collaborative industry effort focused on addressing the threat of deepfakes and related attacks in digital ID verification systems.

Via Paravision’s blog, a new article from the group breaks down “Deepfake Threats and Attack Vectors in Remote Identity Verification.” Led by Paravision’s Chief Product Officer, Joey Pritikin, and based on work from industry experts including Daniel Bachenheimer and Stephanie Schuckers, the article explores methods and attack points for deepfake attacks, with a focus on “deepfake threats and attack vectors in the scope of remote identity verification.”

Attackers, the piece says, “may use deepfake technology to present falsified identities, modify genuine documents, or create synthetic personas, exploiting weaknesses in the verification process.” The deepfake toolkit continues to grow with elements such as face swaps, expression swaps, synthetic imagery and synthetic audio. Attacks may come in the form of physical presentation attacks, injection attacks or insider threats.”Understanding these threats,” say the deepfake detectives, is “crucial for developing robust defenses against the manipulation of identity verification systems.” Read more

Ten Best Practices to Protect Your Organization Against Cyber Threats

Alexander Koskey & Matthew White, Baker Donelson

The conclusion of Cybersecurity Awareness Month is a reminder of the importance for organizations to implement robust security measures and promote good cyber hygiene. As we noted in our State of the Cyber Landscape webinar, cyber threats are continually evolving with malicious actors exploiting new vulnerabilities and more sophisticated attacks each day. Organizations of all sizes must adopt comprehensive strategies to guard against these threats and mitigate the extensive operational, financial, reputational, and legal risk presented by such threats. Below are ten essential best practices that all organizations should implement as foundational components of their cybersecurity framework.

1. Review and Update Your Incident Response Plan
An organization’s incident response plan is a critical document that outlines a step-by-step response to cybersecurity incidents. Its effectiveness lies in its clarity, timeliness, and adaptability to evolving threats. An outdated plan can lead to confusion, extended downtime, regulatory penalties, and significant reputational damage. As threats continue to evolve and new cyber reporting regulations become effective, organizations must review and update their plan to align with these evolving threats, new regulations, and any changes in the organization’s processes and technology.

2. Conduct Tabletop Exercises
In conjunction with updating their incident response plan, organizations should test that plan with a tabletop exercise. A tabletop exercise is a simulated, scenario-based environment where key stakeholders across various departments are tested on how they would respond to a cyber incident in real time. These exercises are often facilitated by outside legal counsel and enable organizations to identify weaknesses, enhance coordination, and implement necessary updates to their incident response plan before an actual crisis occurs. Read more

FBI Warns Gmail, Outlook Users Of $100 Government Emergency Data Email Hack

Davey Winder, Forbes

Following the offer for sale of high-quality government email addresses, with full credentials, on an underground cybercrime forum, with instructions on using them as part of an emergency data request attack for an additional $100, the Federal Bureau of Investigation has issued a warning to all email users.

Suggesting that the credentials could be used for everything from espionage to data extortion or ransomware, the threat actor said that stolen subpoena documents enabling an attacker to pose as a law enforcement officer could also be purchased.

Compromised Government Email Credentials For Sale
The Federal Bureau of Investigation gas released a Private Industry Notification, PIN 20241104-001, warning of an ongoing cyber attack trend that uses compromised U.S. and foreign government email addresses. The attack modus operandi involves the use of fraudulent emergency data requests, which can request information to be supplied immediately by a business while bypassing additional reviews of the request for legitimacy, courtesy of their urgent nature, in order to expose sensitive information.

The threat type itself, even as a particularly sophisticated and somewhat complex twist on simpler phishing attacks, is not new but the increased volume of postings offering both the compromised credentials themselves and the knowledge required to exploit them is.

The Email Compromise Crime Timeline
The FBI noted that the first sales in relation to an emergency data request notification hacking scam was more than a year ago in Aug. 2023. At this time the detailed instructions were being offered for $100 on the dark web. Read more

Nov. 1, 2024: Fraud & Cybersecurity Articles

When Cybersecurity Tools Backfire

Yvonne Dickinson, Dark Reading

Outages are inevitable.
Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

COMMENTARY
In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples.

The Fine Line Between Protection and Disruption
Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure.

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its “Rapid Response Content” threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren’t infallible. Read more

How Diversity Can Help Bolster Your Financial Crime Defenses

Rabihah Butler, Thomson Reuters Institute

Given the variety of clients served, it’s logical that the groups dedicated to preventing and examining fraudulent activity should be equally diverse to safeguard the integrity of the financial institution.

Financial crimes, such as money laundering, fraud, and corruption, pose a serious threat to the stability and integrity of the global financial system. Indeed, the estimated amount of money laundered globally in one year is roughly between 2% and 5% of global GDP, or about US$800 billion to US$2 trillion.

Combating these criminal activities necessitates the deployment of robust and effective systems and controls by financial institutions, financial technology (fintech) companies, and other customer-facing financial organizations. This involves undertaking risk evaluations, executing due diligence on clients, scrutinizing transactional activities, and ensuring comprehensive reporting protocols are adhered to. While regulatory requirements offer a solid foundation, these measures alone are not enough. It’s equally important to have a diverse and inclusive team to bring a range of perspectives, expertise, and insights to the fight.

How diversity can help prevent and detect financial crimes
Neil Sternthal, the CEO of ACAMS, a membership organization dedicated to fighting financial crime, explains that diversity enhances financial institutions’ capacity to tackle financial crime in several ways, including… Read more

U.S. Banks Face Gap in Financial Crime Detection, Study Finds

The Paypers

A recent report by RedCompass Labs has revealed that US banks believe they are significantly behind criminals when it comes to detecting financial crimes.

On average, banks estimate they are about eight months behind, with some of the largest institutions stating that the gap could be as wide as 23 months. Despite this lag, 75% of banks express confidence in their ability to close the gap, while 25% are more uncertain.

The research underscores that many banks are underestimating the adaptability of criminals. Survey respondents believe that criminals need around four months to adjust after a new financial crime detection method is introduced. However, the report suggests that cybercriminals can exploit vulnerabilities within hours or even days.

Main survey findings
The study, titled ‘Financial Crime Detection: What Holds Banks Back?’, is based on responses from 300 senior payments professionals at US banks. It examines how financial institutions are addressing the ongoing financial crime challenges and highlights that only around 1% are successfully prosecuted.

Banks are facing pressure as they try to manage resources across a growing number of financial crime types. The research found that emerging crimes such as ‘pig butchering’ scams are now a significant focus, with 27% of banks prioritising them, nearly equal to drug trafficking, which is at 28%. Other crimes, including proliferation financing (33%), drug trafficking (31%), and cybercrime (30%), remain the most challenging for banks to detect, largely due to a lack of understanding of the individuals involved. Read more 

2024 Looks Set to Be Another Record-Breaking Year For Ransomware — And It’s Likely Going To Get Worse

Carly Page, TechCrunch

The ransomware industry is thriving, not losing.

Despite various law enforcement wins against ransomware actors, like the sweeping takedown of LockBit and the seizure of Radar, hackers continue to reap the rewards of these data-theft attacks — and 2024 looks set to be their most profitable year to date.

That’s according to Allan Liska, a ransomware expert who serves as a threat intelligence analyst at cybersecurity firm Recorded Future. In an interview with TechCrunch in London earlier this month, Liska confirmed that 2024 is on track to be another record-breaking year for ransomware — with equally record-breaking ransoms paid by victims to hackers.

“The curve is going to flatten a little bit, which I guess is good news. But a record-breaking year is still a record-breaking year,” Liska told TechCrunch. “We’ve also this year, for the first time that I’m aware of, had four eight-figure ransoms paid.”

One of these eight-figure sums was the $22 million ransom that Change Healthcare paid to the Russian cybercrime gang ALPHV following the theft of highly sensitive medical data related to hundreds of millions of Americans. What followed, Liska said, was rampant in-fighting between the ransomware group and its affiliate, who carried out the hack on ALPHV’s behalf. “If you wanted a reality show, this was it,” said Liska.

This apparent scrappiness is only likely to worsen as younger threat actors join the ransomware foray, as we’ve seen with highly skilled and financially motivated hackers like Lapsus$ and, more recently, Scattered Spider. Read more

Oct. 18, 2024: Fraud & Cybersecurity Articles

Bank of America: Cybercrime Could Be ‘World’s Third-Largest Economy’

PYMNTS.com

The cost of cyberattacks is reportedly growing alongside the increases in digitization and artificial intelligence (AI).

“If cybercrime damage were a state, it would be the world’s third-largest economy,” Bank of America said in a Thursday investor note, Seeking Alpha reported Thursday (Oct. 10).

The financial institution’s note added that 60% of organizations were hit by ransomware in 2023, the average payment increased fivefold compared to the previous year, and the average cost of a data breach has risen 10% in 2024, according to the report. This report came a day after Fidelity Investments disclosed a data breach that affected 77,099 customers.

In that incident, customers’ Fidelity accounts were not accessed, but unspecified personal information was obtained by a third party, the company said in a notice of data breach letter sent to consumers and posted online by the Office of the Maine Attorney General.

“Between August 17 and August 19, a third party accessed and obtained certain information without authorization using two customer accounts that they had recently established,” Fidelity Investments said in the letter. “We detected this activity on August 19 and immediately took steps to terminate the access.”

In another, separate development announced Wednesday (Oct. 9), the Federal Trade Commission (FTC) said it plans to require Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a comprehensive security program after the company suffered three large data breaches from 2014 to 2020.

The data breaches spotlighted by the FTC include one that began in June 2014, went undetected for 14 months and affected 14,000 Starwood customers; another that began around July 2014, went undetected for over four years and saw fraudsters access 339 million Starwood guest accounts; and a third data breach that began in September 2018, went undetected until February 2020 and saw fraudsters access 5.2 million Marriott guest records. Read more

Why Banks Remain So Vulnerable to Cybersecurity Risks — and How to Plug the Leaks

Scott Weinberg, Neovera/Financial Brand

Some basics — like devising the strongest passwords and training and testing against social engineering attacks — should already be in place in your bank. An expert offers more than a dozen advanced steps you should be asking your experts about.

As more regional and community banks attempt to scale up to become more competitive, that growth can challenge their ability to effectively secure all their systems and data. This in turn can create lapses that result in critical cybersecurity issues.

The risks go beyond simple growth. Other factors that can contribute to vulnerabilities include outdated legacy systems and disruption from M&A system issues.

Weaknesses that Enable Outside and Inside Threats
Based on feedback from hundreds of penetration tests, Neovera has identified the weaknesses most likely to be exploited by attackers from outside the organization — as well as inside, from those who may already have limited access to the network.

The Top External Attacks:

1. Susceptible Users. Pretexting, phishing or other social engineering tactics can lure users into entering their passwords on a fake website. Another common cause: Running or opening malicious files sent via email.

2. Weak Passwords. Despite years of admonitions about the need for strong passwords, we still commonly see passwords such as “Test1234” or “Summer2024!”. These can be guessed quickly without generating lockout alerts. Read more

Over 62% of UK Cite Mobile App Fraud as Top Concern

FinExtra

62.1% of UK consumers see mobile app fraud as a top concern, with 50% also citing hacking as a fear, according to findings from the Open Worldwide Application Security Project (OWASP) and Appdome.

“Banks and fintechs are worried about fraud happening to them because of the implications from a regulatory perspective and obviously, a financial loss perspective, and so are consumers,” said Chris Roeckl, chief product officer at Appdome, speaking to finextra.

Of the 2,500 UK respondents who were interviewed, 41.3% had first or second hand experiences with cyber-attacks, mobile malware, or mobile fraud. A further 26.9% said they or someone they know has experienced a social engineering scam.

Findings showed a growing awareness of social engineering scams, with 55.1% reporting “vishing” as top risk. Vishing is where scammers trick victims into revealing personal information on phone calls.

Roeckl stated that “what consumers are saying is they want proactive measures so that these fraud attacks actually don’t happen in the first place.” The report saw 94.7% of UK customers expecting mobile apps to protect them from fraud and 80.3% expecting pre-emptive anti-fraud measures.

The survey also showed serious considerations for an app’s reputation. 70.6% of respondents said that on discovering a brand had experienced a breach, they would abandon their app and encourage their friends to do the same.

There is a developing lack of trust, with 25.2% of consumers stating they believe “developers don’t care” about protecting them against fraud or security threats, a rise from 9.3% in 2021.

Looking to how to solve this problem for consumers, Roeckl said they need start “making the system smarter” by “taking information that is coming through the actual activity in the app.”

New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed

Davey Winder, Forbes

Google has implemented increasingly sophisticated protections against those who would compromise your Gmail account—but hackers using AI-driven attacks are also evolving. According to Google’s own figures, there are currently more than 2.5 billion users of the Gmail service. No wonder, then, that it is such a target for hackers and scammers. Here’s what you need to know.

The Latest AI-Driven Gmail Attack Is Scary Good
Sam Mitrovic, a Microsoft solutions consultant, has issued a warning after almost falling victim to what is described as a “super realistic AI scam call” capable of tricking even the most experienced of users.

It all started a week before Mitrovic realized the sophistication of the attack that was targeting him. “I received a notification to approve a Gmail account recovery attempt,” Mitrovic recounts in a blog post warning other Gmail users of the threat in question. The need to confirm an account recovery, or a password reset, is a notorious phishing attack methodology intended to drive the user to a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Unsurprisingly, then, Mitrovic wasn’t falling for this and ignored the notification that appeared to originate from the U.S. and a missed phone call, pertaining to be from Google in Sydney, Australia, some 40 minutes later. So far, so relatively straightforward and easy to avoid. Then, almost exactly a week later, the fun started in earnest—another notification request for account recovery approval followed by a telephone call 40 minutes later. This time, Mitrovic didn’t miss the call and instead picked up: an American voice, claiming to be from Google support, confirmed that there was suspicious activity on the Gmail account. Read more

 

Oct. 11, 2024: Fraud & Cybersecurity Articles

FinCEN Reports Check Fraud Amounting to $688 Million Over Six-Month Period

Kristen E. Larson, Money Laundering News/Ballard Spahr

The Financial Crimes Enforcement Network (“FinCEN”) issued last month an in-depth report on check fraud stemming from mail theft (“Report”). This is a pernicious and expanding problem. The Report follows upon a joint alert issued by FinCEN and the U.S. Postal Service (“USPS”) in February 2023, on which we blogged.

Mail theft-related check fraud is the fraudulent negotiation of checks stolen from the U.S. mail. Check fraud refers to any use of paper or digital checks to fraudulently obtain funds, including alterations, counterfeiting, and fraudsters signing checks not belonging to them.

While mail theft often consists of mail being stolen from USPS mailboxes or personal mailboxes, the U.S. Postal Inspection Service reported that 412 mail carriers were robbed on duty between October 2021 to October 2022, and 305 were robbed in the first half of Fiscal Year 2023.

The Report analyzed data received from 15,417 Bank Secrecy Act (“BSA”) reports on mail theft-related check fraud received during the six month period from February 27, 2023 and August 31, 2023. FinCEN identified three primary outcomes after checks were stolen from the U.S. mail: (a) 44% of checks were altered and then deposited; (b) 26% of checks were used as templates to create counterfeit checks; and (c) 20% of checks were fraudulently signed and deposited. The check fraud was reported in every state, with large urban areas reporting more incidents.

Mail theft-related check fraud negatively impacts financial institutions because they typically have liability for check fraud losses as a paying bank for counterfeit checks and fraudulent signatures and the collecting bank for altered checks. Read more

Are You Prepared for Cybersecurity Month?

Emily Claus, CUSO Magazine

Well, readers, it felt like Summer would never end, but it tragically has, just as all good things do. Now, as we mark the start of Autumn with the changing of the leaves, get our spooky decorations out of the closet, and try on costumes, it’s important to remember that trips to the pumpkin patch and Halloween aren’t the only events of the season.

The start of October also marks the start of Cybersecurity Awareness Month, a time dedicated since it’s inception in 2004 to the purpose of educating both individuals and companies on how they can limit cybersecurity risks. As credit unions, this month is not only a great opportunity to educate members on how they can be more vigilant, but to re-examine your own credit union’s cybersecurity precautions, staff awareness, and potential risks.

Crime never sleeps
As always, Cybersecurity Month can never come too soon. At the risk of sounding like a broken record, the reality is that cybercrime increases every year, as does the number of people affected. Despite new technology, security protocols, and increased awareness, cyberattacks are higher than ever. While it feels as though we say that every year, the sad reality is, it’s true.

Even in just one year, from 2022 to 2023 the average ransom demand from a ransomware attack reached $1.54 million, nearly double the amount in 2022. In fact, in just the first 6 months of 2023, ransomware extortion totaled $176 million more than in all of 2022, according to a report from Chainalysis.  Read more

Gmail Hackers Have Control of 2FA, Email, and Number? Here’s What to Do

Davey Winder, Forbes

Search any of the Gmail support forums online, from social media platforms such as the Gmail subreddit or the official Gmail community help from Google itself, and one question comes up time and time again: my Gmail account has been hacked, how can I recover it?

Disregarding the inevitable dodgy attempts at uncovering some magic way to hack into someone else’s account, the majority are still likely to be genuine requests for help. Take this example, published to the Gmail subreddit Oct. 06, which is analogous to many: “A friend of mine’s Google account got stolen. The hacker changed the recovery phone number and email address.” The poster explains that the friend in question had enabled two-factor authentication and asks if anything can be done to recover the account now, “or is he cooked?”

The good news is that it’s still entirely possible to recover a Google account even if, as in this case, the hacker has managed to evade or change most, if not all, the security and recovery protections that were in place. Even if, as the poster replied to one suggested solution, “whoever stole the account changed the recovery email and phone number to their own and disabled all other recovery methods.” Read more

Fidelity Says Data Breach Exposed Personal Data of 77,000 Customers

Carly Page, TechCrunch

Fidelity Investments, one of the world’s largest asset managers, has confirmed that 77,000 customers had personal information compromised during an August data breach.

The Boston, Mass.-based investment firm said in a filing with Maine’s attorney general on Wednesday that an unnamed third party accessed information from its systems between August 17 and August 19 “using two customer accounts that they had recently established.”

“We detected this activity on August 19 and immediately took steps to terminate the access,” Fidelity said in a letter sent to those affected, adding that the incident did not involve any access to customers’ Fidelity accounts.

Fidelity confirmed that a total of 77,099 customers were affected by the breach, and its completed review of the compromised data determined that customers’ personal information was affected. It is not immediately clear how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers.

The financial giant hasn’t yet said what types of personal data were compromised, and no information about the breach was found on the company’s website at the time of writing. When reached, Fidelity spokesperson Michael Aalto told TechCrunch that the incident did not involve access to Fidelity customers accounts “or funds.” Fidelity declined to answer our specific questions about the incident.

According to Fidelity, the company has more than 51 million individual investors as customers, counting some $14.1 trillion in total customer assets as of June 2024.

Oct. 4, 2024: Fraud & Cybersecurity Articles

How Shifts in Cyber Insurance Are Affecting the Security Landscape

David Bennett, Object First/Dark Reading

Ultimately, the goal of businesses and cyber insurers alike is to build more resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them.

The rising cost of cyberattacks, including downtime, investigations, lawsuits, ransoms, and more are prompting cyber insurers to re-examine underwriting and encourage greater cyber resiliency in their customer bases. With the influx of cyber-insurance claims stemming from the CrowdStrike IT outage and the exorbitant price of recovering from data breaches — $4.88 million, on average, according to IBM — the cyber-insurance industry will continue to self-correct and evolve to fit market needs while maintaining profitability.

Insurers will come away from July’s widespread IT outage relatively unscathed, as the outages were caused by a vendor error, not a cyberattack, and because it was fixed fairly quickly. Still, insurer Parametrix estimates insured losses from US Fortune 500 companies will total $540 million to $1.08 billion, not even including Microsoft. Now, imagine this is a cyberattack that goes through a third-party software-as-a-service (SaaS) provider and takes down a similar swath of business, but recovery is slower, and companies must pay ransoms to recoup their data. How many billions of dollars will cyber insurers be out then?

Because cybersecurity is still a relatively new corner of the insurance market, ambiguity remains around what should be covered, the role cyber insurance plays in potentially encouraging ransom payments, etc. There’s no doubt that it’s still finding its footing, figuring out in real-time and on a world stage how to insure companies against rapidly changing and advancing cybersecurity threats.

This evolution will be what finally causes businesses to face reality and prioritize cyber resiliency to ensure data is always recoverable in the event their primary network is taken offline or data is held for ransom. Companies may not take it upon themselves to invest in better data protection practices, and the cyber-insurance market ultimately will force their hand. Read more

iPhone, Android Users Warned After 50,000 Message Email Bomb Attack

Davey Winder, Forbes

There are all sorts of cyber threats that we have to be wary of, whether they come via our smartphone or laptop screens. The email bomb attack, however, remains one of the most dangerous and little-reported, but ignorance could be very costly indeed. Here’s what you need to know.

What Is An Email Bomb Attack?
An email bomb attack is when a malicious actor floods your email account with messages with nefarious intent. That intent could be as simple as causing an annoyance, some kind of revenge for perceived or actual harm to them, but it is more likely to be in order to hide something much more dangerous and costly: fraud.

Imagine waking up to a notification screen that has gone off the charts, an email inbox that has thousands of new unread messages when ordinarily you might expect a couple of dozen. Imagine this flood of email messages just doesn’t stop. That’s an email bomb in action.

Earlier this year, a data scientist at a fraud prevention company, Katherine Wood, awoke to just such a scenario. Their email inbox, described as usually being “today and tranquil” was a hot mess of English, Chinese, Japanese, Russian and Polish language messages from people they didn’t know and related to account creation on sites they had never visited and subscriptions to newsletters they had never heard of. This was, it quickly became apparent, more than just a spam filter that had stopped working. This was an email bomb. “I was under some kind of attack,” Wood wrote, the purpose of which was “to bury evidence of an unauthorized transaction through sheer, overwhelming volume.” In Wood’s case the fraud was discovered to be the purchase of a new iPhone 15 from the Apple Store, a purchase made using the victim’s email address and credit card number. Read more

Court Data Exposed by Vulnerabilities in Software Used by U.S. Government

Eduard Kovacs, Security Week

A cybersecurity researcher claims to have discovered potentially serious vulnerabilities in several e-filing and record management systems used by government organizations in the United States.

The researcher, Jason Parker, has been responsibly disclosing his findings to the impacted organizations and software vendors for the past year, and he is now making public details on the various vulnerabilities he discovered. The security holes exposed court records and other types of information. The products in which he found vulnerabilities are used in Georgia, Florida, Ohio, Arizona, South Carolina, and other states.

A majority of the vendors alerted by the researcher seem to have addressed the vulnerabilities, although some did a poor job when it came to communicating, according to Parker. One report describes vulnerabilities found in several public court record platforms, which allowed unauthorized access to “sealed, confidential, unredacted, and/or otherwise restricted case documents”. The security holes impacted products from Catalis, Henschen & Associates, and Tyler Technologies, as well as several platforms developed internally by county courts.

Sensitive court data was also exposed by a vulnerability in the Thomson Reuters C-Track eFiling product.

In Granicus’ eFiling product and the company’s GovQA public records management solution the researcher discovered several vulnerabilities. The eFiling weaknesses allowed access to all case filings, and enabled attackers to obtain user information and tamper with user accounts. The GovQA flaws leaked usernames and emails, enabled attackers to reset any password, and exposed confidential records.

In Catalis’ EZ-Filing e-filing platform the researcher found vulnerabilities exposing contact information and documents containing confidential medical information, but exploitation required authentication. Read more

CFOs Suite Up for Cyberwar as Risk Management Evolves

Managing risk effectively is one of the best ways to unlock business growth.

Risks range from financial and macro events to geopolitical and supply chain disruptions, and chief financial officers are tasked with stepping up to keep their organizations secure. Traditionally focused on financial risks, CFOs are now finding themselves not only managing funds but also protecting the company’s assets from fraud and other threats. Ecosystem dangers like cyber threats, data breaches and more pose risks to organizations’ financial stability and reputation.

The shift toward digital transformation has exposed companies to new vulnerabilities, making cybersecurity a strategic imperative — and making CFO buy-in crucial for standing up an effective defense that enables sustainable business growth. In today’s operating environment, leadership in cybersecurity is no longer confined to the IT department but requires a collaborative effort across the organization.

CFOs Elevate Cybersecurity in Strategic Risk Management
As stewards of financial integrity and custodians of sensitive data, CFOs must navigate a landscape of cyber threats, regulatory requirements and third-party risks.

By proactively addressing these challenges, CFOs can not only protect their organizations from financial loss and reputational damage but also position themselves as key leaders in the ongoing battle for cybersecurity resilience. “CFOs are always playing offense, but you’re also playing defense,” DailyPay CFO Ken Brause told PYMNTS in May. “And that plays into risk management.”

Embracing a collaborative approach can involve CFOs working closely with chief information officers and chief information security officers to ensure that cybersecurity measures are not only in place but are also aligned with the overall business strategy. This alignment is important for managing and mitigating risks effectively. The PYMNTS Intelligence report “Middle-Market CFOs Tag Competitive Positioning Among Top Drivers of Uncertainty” examined the priorities and concerns that are top-of-mind for CFOs, particularly those in the middle market. Read more 

 

Sept. 27, 2024: Fraud & Cybersecurity Articles

U.S. Discusses Ethics of Biometric Travel

Masha Borak, Biometric Update

As U.S. lawmakers debate the Traveler Privacy Protection Act, government agencies, including the Transportation Security Administration (TSA), are working on dispelling ethics and privacy concerns around biometrics in border control.

Transparency about the technology’s efficiency, error rate and data use is critical, says Arun Vemury, director of the U.S. Department of Homeland Security Science & Technology Directorate’s Biometric and Identity Technology Center.

“We need to make sure we can do some public reporting so that people understand and have greater confidence in how the data is being handled, not only by the government but by the private sector as well,” says Vemury, adding that sharing biometric data needs to have limits.

Officials, however, warn that the state must do its own share in keeping up legislation and standards with the advancement of biometric technology. Legislation, industry and academia need to collaborate to prevent the use of defective algorithms while Congress should consider providing unique legislation on biometric data, according to experts quoted by federal IT trade publication GovCIO.

Meanwhile, some stakeholders believe some of the legislation currently proposed by U.S. lawmakers will introduce hurdles to adopting biometrics in airport security. The Traveler Privacy Protection Act would require TSA to end its biometric traveler verification program and acquire congressional approval before deploying facial recognition. Read more

U.S. Capitol Hit by Massive Dark Web Cyber Attack

Theo Burman, Newsweek

Personal information of more than 3,000 congressional staffers has been leaked across the dark web in a wide-ranging cyberattack on the Capitol, according to reports. Internet security firm Proton found over 1,800 passwords used by staffers in Congress available on the dark web, through an investigation of exposed accounts among U.S. political staffers, according to The Washington Times.

Proton, which is based in Switzerland and worked with U.S.-based firm Constella Intelligence on the investigation, estimated that almost 1 in 5 congressional staffers had personal information available on the dark web. Proton said the leaks came from several sources, including social media, dating apps, and “adult websites.”

In one instance, the report found that a single staffer had 31 passwords exposed online. The full report said that around 3,191 staffers were affected by the leaks overall.

“Many of these leaks likely occurred because staffers used their official email addresses to sign up for various services, including high-risk sites such as dating and adult websites, which were later compromised in data breaches,” Proton told The Washington Times. “This situation highlights a critical security lapse, where sensitive work-related emails became entangled with less secure, third-party platforms.” Read more

Half The World Has Fallen Victim to Cyberattacks

StudyFinds.org

The Internet can be a dangerous place, and a new global survey is revealing that billions of people have likely been the target of cybercriminals at some point in time. The survey found that nearly half of all respondents have fallen victim to a cyberattack or scam.

In a poll of 20,000 employed adults from around the world, 45% reported that their personal data, such as banking or email account information, has been compromised by a hacking attempt or scam. In fact, almost half admitted that they’re reactive to cyber threats, rather than proactively protecting against them, in their personal lives (45%) and at work (44%).

According to respondents, online scams and phishing attempts have become more sophisticated (72%) and successful (66%) due to artificial intelligence. In time for Cybersecurity Awareness Month in October, Yubico commissioned this global survey, with respondents from the United States, United Kingdom, Australia, India, Japan, Poland, Singapore, France, Germany, and Sweden, to investigate the global impact of cyber insecurity, both personally and in the corporate realm.

Half of respondents (50%) disclosed that they’ve been exposed to a cyberattack at work in the last year. Of those, not even a quarter (23%) said the company they work for responded by requiring cybersecurity training going forward. Of those whose personal data has been hacked, 20% reported that a cyberattacker successfully hacked one or more of their personal accounts, including bank or email accounts. Read more 

Expert Tips on How to Spot a Phishing Link

The Hacker News

Phishing attacks are becoming more advanced and harder to detect, but there are still telltale signs that can help you spot them before it’s too late. See these key indicators that security experts use to identify phishing links:

1. Check Suspicious URLs #
Phishing URLs are often long, confusing, or filled with random characters. Attackers use these to disguise the link’s true destination and mislead users. The first step in protecting yourself is to inspect the URL carefully. Always ensure it begins with “HTTPS,” as the “s” indicates a secure connection using an SSL certificate. However, keep in mind that SSL certificates alone are not enough. Cyber attackers have increasingly used legitimate-looking HTTPS links to distribute malicious content.

This is why you should be suspicious of links that are overly complex or look like a jumble of characters. Tools like ANY.RUN’s Safebrowsing allow users to check suspicious links in a secure and isolated environment without the need to manually inspect every character in a URL.

Example:

One of the recent cases involved Google’s URL redirect being used several times to mask the real phishing link and make it difficult to trace the true destination of the URL.

Complex URL with redirects

In this case, after the initial “Google” in the URL, you see 2 other instances of “Google,” which is a clear sign of a redirection attempt and misuse of the platform. Read more

 

Sept. 20, 2024: Fraud & Cybersecurity Articles

Starling Warns of Rise in Voice Cloning Scams

FinExtra

Voice cloning scams – where fraudsters use AI technology to replicate the voice of a friend or family member – could be set to catch millions out, according to new research from Starling Bank.

The study found that over a quarter (28%) of UK adults say they have been targeted by an AI voice cloning scam at least once in the past year.

Starling says faudsters can now use voice cloning technology to replicate a person’s voice from as little as three seconds of audio, which can easily be captured from a video someone has uploaded online or to social media.

Scam artists can then identify that person’s family members and use the cloned voice to stage a phone call, voice message or voicemail to them, asking for money that is needed urgently. In the survey, nearly 1 in 10 say they would send whatever they needed in this situation, even if they thought the call seemed strange.

Despite the prevalence of this attempted fraud tactic, just 30% say they would confidently know what to look out for if they were being targeted with a voice cloning scam.

To help combat the fraudsters, Starling Bank has launched the Safe Phrases campaign, in support of the government’s Stop! Think Fraud campaign, encouraging the public to agree a ‘Safe Phrase’ with their close friends and family that no one else knows, to allow them to verify that they are really speaking to them. Read more

OCC Hits Wells Fargo with AML Enforcement Action

Caitlin Mullen, Banking Dive

The newest order for the bank introduces questions around whether it could affect the lifting of Wells’ asset cap, or if other big banks might face AML orders.

The Office of the Comptroller of the Currency has issued an enforcement action against Wells Fargo over flaws related to its anti-money laundering internal controls and the bank’s financial crimes risk management practices, the regulator said Thursday.

The agency said it found deficiencies in several areas of the San Francisco-based lender’s controls and practices, including suspicious activity and currency transaction reporting, customer due diligence and Wells’ customer identification and beneficial ownership programs, according to a news release.

The agreement requires Wells to enhance its AML and sanctions risk management practices, get the OCC’s acceptance of the lender’s program that assesses AML and sanctions risks of new offerings, and notify the regulator before expanding some of those offerings, the bank said.

In a statement on the formal agreement with the OCC, the bank said it has “been working to address a substantial portion of what’s required in the formal agreement, and we are committed to completing the work with the same sense of urgency as our other regulatory commitments.” Read more 

Study Finds Increase in Ransomware Attacks in the U.S.

Tom Nawrocki, Payments Journal 

Ransomware is a worldwide phenomenon, with some of the most dangerous malefactors coming from regions like Russia. Unsurprisingly, many cybercriminals often target U.S. victims.

Data from Trustwave SpiderLabs found that the percentage of reported ransomware attacks involving U.S. organizations increased from 51% last year to 65% in 2024. Brazil and Canada followed as the second and third most affected countries.

These attacks continue to target the financial services industry, with banks being particularly vulnerable. The banking sector accounts for a fifth of all ransomware attacks in the U.S., while credit unions contribute an additional 8%. In December, more than 60 credit unions nationwide were hit by a ransomware attack, and earlier this year, a cyberattack shut down California’s Patelco Credit Union for weeks.

According to Trustwave SpiderLabs’ report, Defending Financial Services in 2024, Russia-based AlphV (also known as BlackCat) and LockBit are the predominant groups operating in this space. LockBit is responsible for about a quarter of all attacks this year, while AlphV accounted for 10% of attacks in 2023, but its share has increased to 24%.

There are reasons to believe that the increasing exposure of these organizations may help hasten their demise. AlphV was responsible for the most notorious ransomware attack of the year, forcing payments processor Change Healthcare to pay an estimated $22 million ransom. Read more

Geopolitical Tensions Fuel Growth in Cross-Border Fraud

Suparna Goswami, Bank Info Security

Geopolitical tensions are reshaping the fraud landscape. Cybercriminals and fraudsters are taking advantage of technological advances and regulatory gaps between countries to steal identities, commit scams and launder money. In fact, the European Banking Authority in 2022 found that the rate of cross-border fraud was nine times higher than domestic fraud.

Major players in these fraud schemes are state-sponsored cybercriminals with political agendas, said Shilpa Arora, head of anti-financial crime products and solutions at the Association of Certified Anti-Money Laundering Specialists.

“You see this everywhere. You do see state-enabled actors,” Arora said. “The Lazarus Group, linked to North Korea, is known for writing and deploying custom malware and social engineering tactics to steal cryptocurrency or access sensitive systems.”

In this video interview with Information Security Media Group, Arora also discussed:

  • How geopolitical tensions are accelerating new fraud tactics across borders;
  • How authorized push payment scams are exploiting regulatory gaps across regions;
  • The pivotal role of advanced technology in fraud prevention.

Arora is responsible for the strategy, content, performance and implementation of anti-financial crime training solutions for all client segments at ACAMS. She represents ACAMS by speaking at select major industry events and conferences and engaging proactively with industry leaders worldwide.

Sept. 13, 2024: Fraud & Cybersecurity Articles

New Regulation Intensifies Focus on IT Risk Management and Operational Resilience

Mick Brady, CIO

The Digital Operational Resilience Act puts pressure on IT services and capabilities that reduce risks and vulnerabilities. Here’s how to more easily comply with the regulation.

Digital transformation initiatives, for the most part, offer significant advantages—enhancing efficiency, agility, and innovation across the business. However, these initiatives can also introduce new challenges. As IT landscapes and software delivery processes evolve, the risk of inadvertently creating new vulnerabilities increases. Left unaddressed, these gaps can result in cyberattacks, system outages, and network intrusions.

These risks are particularly critical for financial services institutions, which are now under greater scrutiny with the Digital Operational Resilience Act (DORA). This comprehensive regulation applies to all financial institutions in the European Union (EU), as well as third-party providers of information and communication technology (ICT) services to financial entities. Only small firms are exempt from DORA—those with fewer than 10 employees or less than €2 million on their annual turnover and balance sheets.

A comprehensive regulatory reach
DORA addresses a broad range of ICT risks, including incident response, resilience testing, third-party risk management, and information sharing. To achieve compliance, financial institutions must implement robust controls, submit detailed reports, conduct regular penetration tests, and establish effective third-party risk management strategies, all while adhering to data privacy regulations and other requirements. With dozens of specific rules, DORA’s reach is extensive and far-reaching. Read more

Payment Gateway Data Breach Affects 1.7 M Credit Card Owners

Bill Toulas, Bleeping Computer 

Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals.

In the notification sent to impacted clients, the company says that hackers had access to its network for nearly a year, between August 2023 and June 2024.

Slim CD is a provider of payment processing solutions that enables businesses to access electronic and card payments via web-based terminals, mobile, or desktop apps.

The firm first detected suspicious activity on its systems this year on June 15. During the investigation, the company discovered that hackers had gained access to its network since August 17, 2023.

“The investigation identified unauthorized system access between August 17, 2023, and June 15, 2024,” reads the notification to impacted individuals.

However, Slim CD says that the threat actor viewed or obtained access to credit card information this year for two days, between June 14th and 15th

“That access may have enabled an unauthorized actor to view or obtain certain credit card information between June 14, 2024, and June 15, 2024,” Slim CD says in the data breach notification. Read more

6 Ways Hackers Sidestep Your Two-Factor Authentication

Arne Arnold, PC World

To really protect your accounts, you should be aware of 2FA’s vulnerabilities.

Protecting an account with just a username and password is not very smart. Both can be stolen, guessed, or cracked too easily. This is why two-factor authentication (2FA) is recommended for all important access points. It has even been mandatory for online banking for years.

With 2FA, two factors are used to gain access to an account, a network or an application. One factor is a security feature that can come from three categories:

  • Knowledge (password, PIN)
  • Possession (smartphone, Fido2 stick, etc.)
  • Biometrics (fingerprint, facial recognition, etc.)

For 2FA to provide good protection, the two factors used must come from two different categories. If more than two factors are used, this is referred to as multi-factor authentication.

2FA is very secure, but not invulnerable. There are tricks and loopholes that hackers can exploit to take over an account. Read more 

Bug Left Some Windows PCs Dangerously Unpatched

Krebs on Security

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously know to be exploited. Read more 

Sept. 6, 2024: Fraud & Cybersecurity Articles

Scammers Draining Cash Directly from ATMs, Emptying Bank Accounts Without Debit Cards in Sophisticated Scheme: Cybersecurity Researchers

Mark Emem, The Daily Hodl

Cybersecurity researchers say scammers have found a sophisticated way to drain bank accounts directly from ATMs – without needing a debit card in hand.

Experts at the cybersecurity software firm ESET say they’ve discovered a dangerous and unprecedented type of malware they’re calling NGate. To begin the attack, scammers deploy a phishing technique to embed the malicious software in victims’ mobile devices.

“Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return…After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.”

Some of the information the NGate banking malware asks for includes the victim’s date of birth, their banking client ID and the PIN code for their banking card. Once installed and opened, the NGate malware prompts victims to turn on their mobile device’s near-field communication (NFC) feature.

“Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card. What’s happening behind the scenes is that the NFC data from the victim’s bank card is being sent through a server to the attacker’s Android device. Essentially, this allows the attacker to mimic the victim’s bank card on their own device. This means the attacker can now use this copied card data on their Android device to make payments and withdraw money from ATMs that use NFC… This is the first time we have seen Android malware with this capability being used in the wild.”

If the attackers fail to carry out ATM transactions, their fallback plan is to transfer funds from the bank accounts of their victims to other accounts. Read more

FBI Issues Urgent Ransomware Attack Warning—Do These 3 Things Now

Davey Winder, Forbes 

Organizations have been warned that a new ransomware gang has been responsible for hundreds of successful cyberattacks since February 2024. In an urgent joint advisory published August 29, the U.S. Federal Bureau of Investigation along with the Cybersecurity and Infrastructure Security Agency confirmed that organizations across almost every conceivable industry sector have been targeted by the RansomHub ransomware-as-a-service actors.

RansomHub Has Absorbed High-Profile Cybercriminals From Other Groups
The joint cybersecurity advisory, AA24-242A, considers the RansomHub ransomware operations to be both efficient and successful, despite only establishing itself in February. Formerly known by names such as Cyclops and Knight, RansomHub appears to have hit the ground running thanks to attracting criminal talent from well-known ransomware groups such as ALPHV and LockBit following law enforcement attention impinged upon their operations.

“Whilst there are rumors that they might be linked,” said Raj Samani, chief scientist at Rapid7, “we have to acknowledge the fact that ALPHV ransomware is written in the Rust language, whereas RansomHub is written in GoLang.” However, Samani added, the rise of RansomHub “also coincided with law enforcement making decryption keys available to keep LockBit at bay. It again shows that once you deal with one criminal enterprise, another will inevitably burst open in the ransomware space.”

The FBI said that RansomHub, which adopts the now-standard double-extortion methodology of encrypting and exfiltrating data, has successfully targeted at least 210 organizations. Victims of the cybercriminals cover industry sectors such as information technology, government services, healthcare, finance, transportation and even emergency services. The group is believed to be responsible for both the UnitedHealth Group ransomware attack and more recently the attack on the oil and gas services company Halliburton. Read more

The Biggest Data Breaches In 2024: 1 Billion Stolen Records And Rising 

Zack Whittaker, Tech Crunch

Thanks to UnitedHealth, Snowflake, and AT&T (twice)

We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.

From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.

Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and. in some cases, how they could have been stopped.

AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers
For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.

In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of “nearly all” of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later). Read more

‘Time-Travelling’ Software Could Bankrupt Hackers

Hugh Cameron, Newsweek

A leading technology company says it has created a cutting-edge data storage system that allows users to “go back in time” and retrieve data held hostage by hackers.

Ionir is a cloud-based data services platform, with offices in New York and Tel Aviv, which provides “the new standard of data services and data management for a hybrid and multi-cloud world.”

In an interview with National Security News, Ionir’s Chief Executive Officer Jacob Cherian spoke about the company’s unique way of thwarting “ransomware” attacks, the employment of malware of malicious software by cybercriminals to restrict users’ access to their data unless the attackers’ demands are met.

These types of attacks will cost victims an estimated $265 billion annually by 2031, according to cybercrime research organization Cybersecurity Ventures, with attacks on individuals or organizations occurring every two seconds on average.

Significant damage has already been caused by such methods, including the 2021 Colonial Pipeline attack, which targeted America’s largest pipeline system for refined oil products.

This forced a six-day shutdown of the pipeline as the company attempted to fix the impacted computer systems, and caused President Joe Biden to declare a state of emergency in 17 states, during which regulations for drivers carrying gasoline and other fuels were relaxed in order to combat the resulting fuel shortages across the country. Read more 

Aug. 29, 2024: Fraud & Cybersecurity Articles

New Password Hacking Warning for Gmail, Facebook, and Amazon Users

Davey Winder, Forbes

Updated 08/29 with details of a phishing campaign that’s using particularly hard-to-detect attack methodologies.

New threat analysis from researchers at Kaspersky has revealed a dramatic rise in the number of password-stealing attacks targeting Amazon, Facebook and, most of all, Google users. Here’s what you need to know.

Amazon, Facebook And Gmail Are A Magnet For Password Hackers
It should come as no surprise that the likes of Gmail, Facebook, and Amazon account credentials are so sought after by malicious hackers. After all, such accounts can be used to complete the cybercrime triumvirate of data theft, malware distribution and credit card fraud respectively. Google accounts, in particular, are something of a skeleton key that can unlock a treasure trove of other account credentials and personal information to commit fraud. Just think about the information that is contained in your Gmail inbox, and the chances are high that you have one given how popular the web-based free email service is. And that’s before you consider how many organizations still send password change requests and second-factor authentication links to your email account.

Kaspersky analyzed a total of 25 of the biggest and most popular global brands in order to determine those that are targeted more by cybercriminals when it comes to phishing attacks. The researchers found, Kaspersky said, that there were around 26 million attempts to access malicious sites masquerading as any one of these brands in the first half of 2024 alone. That represents an increase of approximately 40% increase from the same period in 2023.

Phishing Attacks Against Google Increased By 243%
Sitting at the top of the phishing target pile, for all the reasons already mentioned, was Google. When it comes to attempting to steal credentials such as passwords, Google remains a firm favorite on the cybercriminal attack radar. Kaspersky said it had seen a 243% increase in attack attempts for the first six months of 2024, with some 4 million such attempts blocked by Kaspersky security solutions during this period. Read more 

National Public Data Published Its Own Passwords

Krebs on Security

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

Ransomware Gang Targets Google Chrome Users in Surprise New Threat Twist

Davey Winder, Forbes

Updated 08/27 with additional ransomware threat information from Sophos X-Ops

Qilin, the Russia-linked cybercrime group thought to be behind the June attacks that caused chaos at a number of U.K. hospitals in June, has now been caught stealing credentials stored within Google Chrome browsers in a surprise new twist to the ransomware attack threat.

Although ransomware is not only a long-established but also increasingly costly threat to organizations, Qilin is a relatively new player in the nasty cybercrime game. Running a Ransomware-as-a-Service criminal operation, Qilin is known to date back only as far as October 2022. Researchers from the Sophos X-Ops team have now analyzed a recent attack by the Qilin operators and discovered a new and unusual tactic which they describe as providing “a bonus multiplier for the chaos already inherent in ransomware situations.” That tactic being the simultaneous theft of credentials from Google Chrome browsers found on a subset of the victim network’s endpoints, extending the potential reach of the attack beyond the original target.

The Sophos X-Ops Team Qilin Attack Analysis
The attack that the Sophos researchers analyzed took place in July 2024, after the London hospitals incident, but the victim has not been named. What we do know is that Qilin used compromised credentials to access a VPN portal that was not protected by the use of multi-factor authentication. It is highly likely that these credentials were obtained by way of an initial access broker, a threat actor who seeks such methods of access to ransomware groups through dark marketplaces. There was a period of no activity following the initial access of 18 days, which strengthens the initial access broker supply theory. Read more

Major Backdoor in Millions of RFID Cards Allows Instant Cloning

Ryan Naraine, Security Week

A significant backdoor in contactless cards made by China-based Shanghai Fudan Microelectronics allows instantaneous cloning of RFID cards used to open office doors and hotel rooms around the world.

French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.

The backdoor, documented in a research paper by Quarkslab researcher Philippe Teuwen, allows the instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world. Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, Teuwen explained in the paper (PDF).

Teuwen said he discovered the backdoor while conducting security experiments on the MIFARE Classic card family that is widely deployed in public transportation and the hospitality industry. The MIFARE Classic card family, originally launched in 1994 by Philips (now NXP Semiconductors), are widely used and have been subjected to numerous attacks over the years.

Security vulnerabilities that allow “card-only” attacks (attacks that require access to a card but not the corresponding card reader) are of particular concern as they may enable attackers to clone cards, or to read and write their content, just by having physical proximity for a few minutes. Over the years, new versions of the MIFARE Classic family fixed the different types of attacks documented by security researchers. Read more