Cybercriminals Recruiting Employees on the Dark Web to Assist with Fraud Schemes

Darkreading.com has issued a survey entitled: Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web which states that malicious insiders are responsible for 27 percent of all cybercrime. This statistic confirms that cybercriminals are increasingly recruiting insiders by using the dark web as a recruiting tool.

So not only do businesses have to worry about employees who make honest mistakes and cause security incidents, or disgruntled employees who steal company information, but now they have to worry about malicious insiders who are being recruited by criminals on the dark web.

The recruiters are enticing criminals to take jobs at companies in order to steal personal and confidential business information, and to introduce malware and ransomware into the company’s systems.

More and more companies are implementing security monitoring tools to assist with identifying malicious insiders who threaten the company. Other mitigation strategies include strong access control measures, encryption technology, log management, auditing tools and predictive analytics.

Protecting your organization from a cyber threat has many layers, and protection from insider threat continues to get more and more complex.

Use of Multifactor Authentication

This has been quite the year of O365 intrusions. The story seems to be almost identical in each security incident we investigate this year, and it goes like this:

Employee receives a pop-up message from Microsoft advising employee that s/he must change his or her password for security purposes. Employee types his or her user name and password into the pop-up message and provides “Microsoft” with the new information.

In fact, the pop-up was a phishing lure, and the intruder has just compromised the employee’s mailbox. Once in the mailbox, the intruder places a forwarding rule that copies every email the employee receives to a Gmail account, and then watches the email traffic.

Once the intruder finds an opportunity, which frequently involves an outstanding invoice to a vendor, the intruder spoofs the vendor and cuts and pastes the vendor’s signature block and demands payment for the outstanding amount due. The employee believes it is the known vendor, and corresponds with the imposter as if he is the vendor. During the email correspondences back and forth, the imposter tells the employee that they are changing their payment methods to ACH and provides the wiring instructions. The employee sends the money according to the wiring instructions and believes the outstanding debt has been paid.

Days or weeks later, the employee receives a call or email from the real vendor requesting payment. When the employee tells the vendor that payment has already been made, the vendor says that it has not been paid and the employee forwards the correspondence where payment was made. It is usually then that it is discovered that the money has been sent to a fraudulent bank account. When the employee tries to get the money back from the bank, the account has been liquidated. Unfortunately, the vendor still needs to be paid, so the company now has to pay the vendor too.

When we retain a forensic firm to review and mitigate the incident, the first thing done is to implement multifactor authentication and force password resets across the organization. In most instances, the initial intrusion could have been prevented if multifactor authentication had been implemented to start.
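Beyond enabling multifactor authentication, the forwarding rule described above is the artifact an investigator looks for first. The following is an added example, not code from the original post: it audits mailbox rules that have already been exported from Exchange Online (for instance from Get-InboxRule) and normalised into plain dictionaries with SMTP addresses; the domain list and the sample rules are constructed.

```python
"""Audit exported mailbox rules for forwarding or redirection outside the organisation.

Added example; assumes rules were exported from Exchange Online (e.g. Get-InboxRule)
and normalised to plain dictionaries with SMTP addresses, as in SAMPLE_RULES below.
"""
from dataclasses import dataclass

# Assumption: the organisation's own mail domains; any other domain is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export. The rule on bob's mailbox mirrors the pattern in the
# post (every message copied to a free webmail account); it also deletes the
# message, a common addition that hides the leak from the user.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["b.finance.backup@gmail.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "carol@example.com", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ["dave@example.com"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "erin@example.com", "Name": "Old forward", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["erin.home@outlook.com"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "frank@example.com", "Name": "Partner copy", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ["ops@partner.example"], "DeleteMessage": False},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_name: str
    external_targets: tuple
    severity: str  # "high" when the rule also hides the mail from the user


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: dict) -> tuple:
    """All forward/redirect destinations of a rule that lie outside INTERNAL_DOMAINS."""
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    return tuple(t for t in targets if _domain(t) not in INTERNAL_DOMAINS)


def audit_rules(rules: list) -> list:
    """Return one Finding per enabled rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules are worth cleaning up, but cannot leak mail
        targets = external_targets(rule)
        if not targets:
            continue
        severity = "high" if rule.get("DeleteMessage") else "medium"
        findings.append(Finding(rule["Mailbox"], rule["Name"], targets, severity))
    # Highest severity first so the responder sees the worst cases at the top.
    findings.sort(key=lambda f: (f.severity != "high", f.mailbox))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.severity:6} {f.mailbox:22} rule {f.rule_name!r} -> "
              f"{', '.join(f.external_targets)}")
```

Inbox rules are only one place forwarding can be configured: mailbox-level forwarding (the ForwardingSmtpAddress property on Get-Mailbox) and organisation-wide transport rules should be reviewed in the same sweep, and a "medium" finding such as the partner copy still deserves a confirmation from the mailbox owner.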

Multifactor authentication continues to be an important part of an organization’s risk management program, including when using O365.

Multiple Lawsuits filed Against Marriott After Data Breach – “One of the Largest Digital Infestations in History”

Calling the Marriott data breach “one of the largest digital infestations in history,” a putative class action was filed in Oregon this week seeking up to $12.5 billion in relief. It should come as no surprise that soon after Marriott announced its massive data breach affecting potentially 500 million customers in the Starwood reservations database, several putative class actions were filed around the country and at least one in Canada. Lawsuits were also filed in Maryland and New York.

The Oregon suit alleges negligence and also seeks injunctive relief. The suit seeks, among other relief, up to $12.5 billion, or $25 for each of the potentially 500 million customers whose privacy may have been compromised. The Maryland lawsuit alleges negligence and FTC violations, and generally faults Marriott for failing to protect its customers’ data. The Complaint also alleges that Marriott failed to take appropriate measures to protect and secure customers’ PII, that Marriott took four years to discover the breach, and that customer data is potentially out there on the dark web. The complaint was also critical of Marriott’s response to the breach and its offer to customers of a service that monitors data on the internet to determine if their data was sold or exchanged. There is already talk of multi-district litigation, and sorting out how a breach of this magnitude could go unnoticed for four years will be critically important as we learn more about this “digital infestation.”

New Drone System Tested Without Use of GPS

The National Aeronautics and Space Administration’s (NASA) Langley Research Center has taken on the challenge of using drones in GPS-deprived environments, so it gathered a group of students from the Massachusetts Institute of Technology (MIT) to help find a solution for that problem. Those MIT students came back to NASA with a plan for a fleet of drones that can autonomously fly through a thickly vegetated forest, communicate with one another and create a 3-D map of the environment without hitting a tree or using any GPS. How? The drones have onboard laser range finders for positioning and planning their routes as they pilot themselves. The technique is called simultaneous localization and mapping (SLAM), which uses algorithms to guide the drones and map efficiently while avoiding re-mapping of already covered areas. The captured data is sent back to a base station via WiFi, where all the drones’ maps are stitched together into one comprehensive map.

One of the main goals of this group of MIT student researchers is to be able to train the drone system to spot missing hikers and send coordinates to a ground station (although that type of testing has not yet been done).

What does this mean for industries using drones? Well, this could be big for the construction business. John M. Russo, a surveyor and President of the U.S. Institute of Building Documentation, says that this type of drone technology could be used to automate messy plenum space surveys or to produce 3-D laser scans of daily construction progress with the push of a button. One of the biggest obstacles to quickly mapping a building with drones is that there is often no GPS signal inside a building. The data that a drone could collect inside a newly constructed building could be used for pre-bid walks.

However, WiFi was the key to this fleet of drones’ ability to fly through the forest and map the land below during this testing. So what about areas where there is no WiFi either? The MIT student researchers plan to test adding a transmitter to the drones so that as soon as they are close enough they can detect one another and establish a communication link to collaborate. This is another example of how drones are being used to collect new kinds of data to solve many different problems.

NYPD to Add Fleet of Crime-Fighting Drones

This week, the New York Police Department (NYPD) announced that it will be adding a fleet of crime-fighting drones to its ranks. The NYPD plans to roll out 14 drones as part of its technology “evolution.” Police Commissioner James O’Neill said, “As the largest municipal police department in the United States, the NYPD must always be willing to leverage the benefits of new and always-improving technology.” The hope is that these drones will enable the NYPD’s trained police officers to be even more responsive, effective and efficient. A NYPD spokesperson said that the drones will not be used for everyday police patrol, unlawful surveillance or to enforce traffic laws. Additionally, these drones will not be used as weapons or equipped with any weapons.

As part of this drone program, 29 NYPD police officers have been trained and licensed to operate drones. The fleet will consist of 11 DJI Mavic Pro quadcopters for tactical operations, 2 DJI M210 RTK quadcopters for search and rescue missions, and 1 DJI Inspire 1 quadcopter for training other police officers. The drones will also be used for large-scale city events, hazmat investigations, hostage situations and for accessing hard-to-reach crime scenes.

Prior to implementing this program, the NYPD conferred with over 900 agencies across the country that are already using drones.

Privacy Tip #168 – USPS Security Vulnerability Affects More Than 60 Million

We previously commented on the risks around the United States Postal Service’s (USPS) “Informed Visibility” service, which allows customers to preview their mail and informs them when it will be delivered. Some security experts recommend that customers opt out of the program so that an account cannot be opened in their name.

Last week, it was reported that an anonymous researcher discovered a security vulnerability in the Informed Visibility service: an API that allowed anyone with a USPS account to view the information in other users’ accounts, and potentially to modify those accounts. This vulnerability is reported to have affected more than 60 million users.

The alarming part of the report is that criminals could potentially view and change the account details of users so that checks, statements, Social Security checks and other important documents that are sent through USPS could be diverted or picked up by fraudsters as soon as the mail is delivered.
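The flaw described above is a missing object-level authorization check: the API confirmed that the caller was logged in, but not that the record being requested belonged to the caller. The following added example (not USPS code; the API shape, account fields and in-memory store are invented for illustration) shows a lookup handler with that gap beside one that closes it, on both the read and the write path.

```python
"""Object-level authorization on an account lookup/update endpoint.

Added illustration; not USPS code. The account fields, the caller model and
the in-memory store are constructed for the example.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see or change the requested account."""


@dataclass
class Account:
    account_id: int
    owner: str            # authenticated username that owns this record
    mailing_address: str


# Constructed stand-in for the account database.
ACCOUNTS = {
    101: Account(101, "alice", "1 Main St"),
    202: Account(202, "bob", "2 Oak Ave"),
}


def get_account_vulnerable(caller: str, account_id: int) -> Account:
    """Before: the endpoint requires a logged-in caller but trusts whatever id it is given.

    `caller` is the authenticated username, yet it is never compared with the
    record's owner, so any account holder can read any other account.
    """
    return ACCOUNTS[account_id]


def get_account(caller: str, account_id: int) -> Account:
    """After: the record must belong to the caller."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != caller:
        # One error for both "not yours" and "does not exist", so the endpoint
        # cannot be used to discover which ids are valid.
        raise Forbidden(f"account {account_id} is not accessible to {caller}")
    return account


def update_mailing_address(caller: str, account_id: int, new_address: str) -> Account:
    """Writes go through the same ownership check as reads; a redirected
    mailing address is exactly the change the report warns about."""
    account = get_account(caller, account_id)
    account.mailing_address = new_address
    return account


if __name__ == "__main__":
    print(get_account("bob", 202))
    try:
        get_account("alice", 202)
    except Forbidden as exc:
        print("refused:", exc)
```

The ownership check belongs in the data-access layer (here, `get_account`) rather than in each endpoint, so that a new write path cannot be added later without inheriting it.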

Although USPS says it is not aware that any customer information was accessed, reviewing your account details and whether you want to participate in the program is prudent.

Recruiting Scams on the Rise

With more companies hiring, online recruiting scams have re-emerged to prey on job seekers and employers. The Better Business Bureau tracked more than 3,000 recruiting scams in the first 10 months of 2018, with losses in the millions of dollars.

The online recruiting scam works this way: the scammer fraudulently uses a company’s name and logo, and perhaps the names of the company’s employees handling recruiting or human resources, to solicit applications from job seekers for fake jobs. Many times the companies are household names or long established, which gives the scam an air of legitimacy. Sometimes the solicitation comes by email, but most often it is posted on a professional or recruiting website or social media platform. Like most phishing schemes, the scammer’s email address is similar to, but not the same as, the legitimate company’s email address.

Marriott Announces Massive Data Breach—Illustrates the Importance of Cybersecurity in M&A Due Diligence

Marriott today announced a major data breach, perhaps one of the largest in history. This breach illustrates the often made point that breaches and intrusions happen and go unnoticed for months or years. Marriott’s breach involved an unauthorized party that copied and encrypted information in the Starwood reservations database back in 2014. When Marriott acquired Starwood in 2016, the breach went undetected as that merger went forward, only to be discovered in 2018. This breach should be a red flag for anyone involved in mergers and acquisitions that cybersecurity should be a top priority in the due diligence process.

The breach affects the Starwood guest reservation database for guests and reservations made at Starwood properties on or before September 10, 2018. Marriott stated that the database includes information on up to 500 million guests who made a reservation at a Starwood property. Initial reports from Marriott state that for up to 327 million people, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott is also saying it can’t rule out whether credit card information was also compromised. Marriott immediately directed customers to a dedicated website that offers information about the breach, worldwide call center contact information, and credit monitoring information. Marriott has also stated that affected customers will receive email from a specific email address: starwoodhotels@email-marriott.com.

IoT Security Challenges are Costly

Some analysts have predicted that by 2020, there will be 20 billion Internet of Things (IoT) connected devices worldwide, which could grow to over 80 billion by 2025. Sales of IoT devices were $80 billion in 2017, and are predicted to grow to $1.4 trillion by 2021. With the exponential growth of IoT devices, experts are concerned about the security of these devices, and companies and consumers are taking note.

A new report from DigiCert, called State of IoT Security, found that 82 percent of the 700 companies surveyed said that security was their primary concern when implementing IoT into the company system, and 78 percent cited privacy as a top concern. 83 percent of those surveyed said IoT was already important to their business, while 92 percent said it will be important to their business by 2020. 2020 is only 13 months away. The report concluded that although security and privacy are top concerns today, and 2020 is looming, companies are struggling with the security of the IoT devices being introduced into the business.

According to DigiCert, organizations spend money due to either pain or opportunity. Some organizations are prioritizing IoT security “because they see and understand the risks of not doing it,” and others “have made the decision to not prioritize security or privacy.” Those organizations that have not experienced a data breach, ransomware or malware are more reluctant to spend money on security. Those that have suffered these consequences are prioritizing security and getting executive support to build a robust security program, which is key to developing a robust IoT security program. Those prioritizing security are the 25 percent of the companies that lost approximately $34 million in the past two years from security related issues, including financial damages, lost productivity, declining valuation, and loss of reputation.

DigiCert lists steps companies can take when developing an IoT security program, including securing software-based encryption key storage, encrypting sensitive data at rest and in transit, scaling security measures, and securing over-the-air updates.
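Of the steps listed, securing over-the-air updates is the one a device implements in code: an update must be authenticated, must not roll the device back to an older version, and must be the exact image the manifest describes. The following added example (not DigiCert’s or any vendor’s code) shows those three checks. A production device would verify an asymmetric signature made with the vendor’s private key and hold only the public key; here an HMAC under a constructed per-device key stands in for that signature so the example runs on the standard library alone.

```python
"""Verify an over-the-air firmware update before it is installed.

Added example; not vendor code. An HMAC under a constructed per-device key
stands in for the asymmetric signature a real device would verify.
"""
import hashlib
import hmac
import json

# Assumption: a secret provisioned into the device at manufacture (constructed value).
DEVICE_KEY = b"constructed-per-device-key-0123456789abcdef"


def _canonical(manifest: dict) -> bytes:
    # Stable serialisation so signer and verifier authenticate exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def build_update(image: bytes, version: int, key: bytes) -> dict:
    """What the update server ships: a manifest describing the image plus its MAC."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "mac": sign_manifest(manifest, key)}


def verify_update(update: dict, image: bytes, current_version: int, key: bytes) -> tuple:
    """Return (ok, reason). Only an update that passes every check may be flashed."""
    manifest = update["manifest"]
    # 1. Authenticate the manifest first; nothing inside it is trusted before this.
    if not hmac.compare_digest(sign_manifest(manifest, key), update["mac"]):
        return False, "manifest authentication failed"
    # 2. Anti-rollback: an older or equal version could reintroduce a fixed bug.
    if manifest["version"] <= current_version:
        return False, f"version {manifest['version']} is not newer than {current_version}"
    # 3. Bind the downloaded bytes to the authenticated manifest.
    if (len(image) != manifest["size"]
            or hashlib.sha256(image).hexdigest() != manifest["sha256"]):
        return False, "image does not match manifest"
    return True, "ok"


if __name__ == "__main__":
    image = b"constructed firmware image v3"
    update = build_update(image, version=3, key=DEVICE_KEY)
    print(verify_update(update, image, current_version=2, key=DEVICE_KEY))
    print(verify_update(update, image + b"!", current_version=2, key=DEVICE_KEY))
```

The order of the checks matters: the manifest is authenticated before any field in it (version, size, hash) is read, and the installed version counter should itself live in tamper-resistant storage, or the rollback check can be undone by rewriting it.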

The Financial Stability Board’s “Cyber Lexicon” – Global Jargon for a Global Mission

On November 12, the Financial Stability Board (FSB) published a Cyber Lexicon, designed to help financial institutions around the globe address “financial sector cyber resilience.” The Cyber Lexicon sets forth definitions for 54 “core terms related to cybersecurity and cyber resilience in the financial sector.”

“Cyber Resilience,” one of the 54 definitions, is defined as “The ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.”

Each definition in the Lexicon is accompanied by its source. In the case of “Cyber Resilience,” the definition was “Adapted from CERT Glossary (definition of “Operational resilience”). CPMI-IOSCO and NIST (definition of “Resilience”)”.

According to the accompanying FSB press release, the Cyber Lexicon is expected to support the work of the FSB, standard-setting bodies, regulatory authorities, and financial institutions in the following areas:

  • Cross-sector common understanding of relevant cybersecurity and cyber resilience terminology;
  • Work to assess and monitor financial stability risks of cyber risk scenarios;
  • Information sharing as appropriate; and
  • Work by the FSB and/or standard-setting bodies to provide guidance related to cyber security and cyber resilience, including identifying effective practices.

The FSB was established to coordinate at the international level the work of national financial authorities and international standard-setting bodies in order to develop and promote the implementation of effective regulatory, supervisory and other financial sector policies in the interest of financial stability. It brings together national authorities responsible for financial stability in 24 countries and jurisdictions, international financial institutions, sector-specific international groupings of regulators and supervisors, and committees of central bank experts.
