Two law firms were among the latest victims of the GozNym malware attack that caused a combined loss of more than $117,000. Law enforcement authorities recently announced the dismantling of a cybercrime network that used GozNym malware to attempt to steal an estimated $100 million from victims in the United States and around the world. GozNym malware was designed to steal personal and financial information from victims, sometimes starting with phishing emails to the affected companies.
According to a press release issued by the US Attorney’s Office for the Western District of Pennsylvania, an international law enforcement operation brought down the cybercrime network. An indictment names several victims, among them two law firms, a church in Texas, a furniture business in California, a casino in Mississippi, an association dedicated to providing recreation programs and other services to persons with disabilities in Illinois, a distributor of neurosurgical and medical equipment in Germany with a US subsidiary, an electrical safety device provider in Rhode Island, a contracting business in Michigan, a stud farm in Kentucky, a provider of cold pack shipping products in Pennsylvania, a bolt manufacturing company in Pennsylvania, and a Pennsylvania asphalt and paving business.
The two law firms were identified as one in Washington D.C. and the other in Wellesley, Massachusetts. The indictment alleges that the Washington D.C. law firm was the victim of a phishing email that directed the recipient to click on a link in the email. That click led to the malware infecting the computer. As a result of the malware, the individuals listed in the indictment gained unauthorized access to the law firm’s bank account, using credentials captured by GozNym malware, which ultimately resulted in a $76,178.12 loss to the firm.
The Wellesley, Massachusetts law firm’s loss resulted from an unauthorized electronic funds transfer in the amount of $41,000. Login credentials were captured by GozNym malware and then used by the individuals named in the indictment to transfer the funds to an account they controlled.
The losses reported in the indictment are unfortunately the tip of the iceberg, as the actual costs that companies face when hit by a cyber-attack are not confined to the theft of the funds. Forensic costs, legal expenses, costs for notification to affected individuals, and credit monitoring costs are all additional costs that companies face when they are the victims of a data breach. Companies must also address regulatory compliance issues in the event that individual state laws trigger breach notification requirements.
Two lessons from GozNym may help to protect companies from cyber-attacks: train your employees to recognize what a phishing email is and how to avoid the latest scams, and talk to your broker to determine whether your business is protected with appropriate and sufficient cyber liability insurance coverage.