Financial Services Information Sharing Group Warns of Increased Phishing Attacks

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has warned that financial services firms, and in particular smaller ones, are being attacked at an increased rate during the coronavirus pandemic.

According to FS-ISAC, phishing attacks against financial services firms increased by one-third in the first quarter of 2020. In that time period, FS-ISAC identified more than 1,500 websites using pandemic-related lending programs as bait to fool people into disclosing personal information. Although they were taken down, new ones appear in their place, much like Whack-a-Mole.

With bank, credit union and other financial service company employees working from home, additional precautions are necessary to combat the attacks. FS-ISAC rolled out a chat feature to assist financial service companies in identifying and responding to cyber attacks. With the knowledge that they are being targeted, financial services firms can warn, educate and assist their employees to help prevent them from becoming victims of these increased attacks.

Drone Pilot Boot Camp and FAA Part 107 Exam Prep – Is It for You?

Three companies – HeatSpring, Little Arms, and Unmanned Experts – joined forces to create a “Drone Pilot Boot Camp + FAA Part 107 Exam Prep.” This new offering is an unmanned aircraft commercial operations course designed specifically for engineering, construction and renewable energy firms. The course has been developed over the past few years by a former combat pilot for the British Royal Air Force in tandem with leaders in drone technology and software.

One of the keys to this new course offering is logging flight time. The course includes training on Zephyr drone simulation software, which works across any platform and allows the instructors to review student progress and provide coaching to each individual student pilot. The idea behind the course is that the unmanned aircraft systems (UAS) industry is a constantly changing place, which requires effective and standardized training to help drive the industry forward.

While the course has a focus on engineering, construction and renewable energy firms, it is available for anyone who wants to become a drone pilot. The next course begins in April 2020. Check it out: https://www.heatspring.com/courses/drone-pilot-boot-camp-part-107-exam-prep.

Privacy Tip #238 – Coronavirus Charity Scams

I think that people in general are decent and good. There are always some bad apples, but during crises most people want to help others. During the coronavirus pandemic, many people are doing everything they can to help others, including assisting neighbors, family members, friends and health care workers. Charitable organizations have stepped up to assist those in need during the crisis as well. Generous people donate to charitable organizations to assist in their efforts. This is where the bad apples come in.

Bad apples know that most people are decent and good. They know people want to help others, and that people are generous and kind. And the bad apples take advantage of the goodness of others. During a crisis, like the one we are in now, bad apples spend every day trying to figure out how to do just that.

Coronavirus charity scams are such a problem that the Federal Trade Commission (FTC) issued a scam alert this week warning individuals to be careful about their charitable donations during this time and to confirm that they are giving to real organizations and not scammers.

According to the FTC Alert:

“No one wants their Coronavirus donation to go to a scammer, so before you give, do some research.

  • Search online for the charity’s name and the words “scam” or “fraud.”
  • Review ratings of the charity by these organizations.
  • Check the charity’s registration status with your local charity regulator. Are they registered to take donations in your state?

“Here are other things you can do to make sure a scammer is not taking advantage of your generosity:

  • Donate using a credit card. It’s the safest way to donate. Never donate by giving out gift card numbers or using a wire transfer. If someone asks you to donate that way, you can be sure it’s a scam.
  • Double check the name of the organization. Many fake charities try to trick you by using names similar to those of well-known organizations, but with one word different or a misspelling.
  • Ask lots of questions. What’s the charity’s website, address, and mission? How much of my donation will go to the program I want to help? How many people does the charity help, and how? If helping your community is important to you, ask how the charity spends money in your area. If you get vague answers, find another way to help.
  • Confirm that your donation will be tax deductible, if that’s important to you. Use the IRS’s Tax Exempt Organization Search to check. Know that donations to individuals are not tax deductible.
  • Don’t assume a donation request on social media is legitimate just because a friend liked it or shared it. Do your own research. Call your friends or contact them offline to ask them about the post they shared.

“Visit ftc.gov/charity for more tips on donating wisely. If you see a charity scam, report it at ftc.gov/complaint. Your report helps stop scammers and alert others about them.”

Sound guidance from the FTC to help ensure that our donations go to the causes we care about and we are really helping others.
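The FTC's "one word different or a misspelling" warning can be turned into a mechanical check. The following is an added illustration, not code from the FTC or from this blog: it normalizes a solicitation name (folding accented characters to ASCII, lowercasing, stripping punctuation and a leading "the"), compares it against a list of known legitimate charity names, and reports whether the name is an exact match, a near match that should be treated as a lookalike, or simply unknown. The charity list, the 0.8 similarity threshold and the sample solicitation names are constructed for the example; a real deployment would use a charity regulator's registry as the reference list.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list of legitimate charity names (illustrative only;
# in practice this would come from a charity regulator's registry).
KNOWN_CHARITIES = [
    "American Red Cross",
    "Doctors Without Borders",
    "Feeding America",
    "Salvation Army",
]

# Assumed threshold: a normalized similarity at or above this value,
# but below an exact match, is treated as a lookalike name.
LOOKALIKE_THRESHOLD = 0.8


def normalize(name: str) -> str:
    """Fold accented letters to ASCII, lowercase, strip punctuation and a leading 'the'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    if tokens and tokens[0] == "the":
        tokens = tokens[1:]
    return " ".join(tokens)


def word_differences(a: str, b: str) -> list:
    """Return the word-level edits (tag, words_in_a, words_in_b) that turn a into b."""
    aw, bw = a.split(), b.split()
    edits = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, aw, bw).get_opcodes():
        if tag != "equal":
            edits.append((tag, aw[i1:i2], bw[j1:j2]))
    return edits


def classify(candidate: str, known=KNOWN_CHARITIES):
    """Classify a solicitation name as 'exact', 'lookalike' or 'unknown'.

    Returns (verdict, closest_known_name, word_edits). The character-level
    ratio catches misspellings; the word-level edits show which word changed.
    """
    cand = normalize(candidate)
    best, best_score = None, 0.0
    for name in known:
        score = SequenceMatcher(None, cand, normalize(name)).ratio()
        if score > best_score:
            best, best_score = name, score
    if best_score == 1.0:
        return "exact", best, []
    if best_score >= LOOKALIKE_THRESHOLD:
        return "lookalike", best, word_differences(normalize(best), cand)
    return "unknown", None, []


if __name__ == "__main__":
    # Constructed solicitation names a donor might be asked to give to.
    for sample in ["The Salvation Army", "American Redd Cross",
                   "Feeding Americans", "Local Food Bank"]:
        verdict, closest, edits = classify(sample)
        detail = f" (closest: {closest}, edits: {edits})" if closest else ""
        print(f"{sample!r}: {verdict}{detail}")
```

A "lookalike" verdict is a prompt to stop and verify through the regulator's registry or the charity's own published contact details, not proof of fraud; an "unknown" verdict simply means the name is not in the reference list and needs the same research the FTC recommends.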

Adult Streaming Site Leaves 7TB of Users’ Information Unsecured

Live adult streaming website CAM4 has reportedly left 7TB of users’ information unsecured, data that could be used for blackmail and identity theft, according to researchers from Safety Detectives.

According to reports, CAM4 users pay to watch live streamed explicit adult content from consenting amateur performers who film themselves and post the content for users to view. CAM4 reportedly stored the content on a misconfigured and unsecured cloud database that left the information of millions of users accessible without any security measures in place.

According to the researchers, the unsecured database included almost 11 billion records, including 11 million emails. The information potentially accessible included users’ first and last names, country of residence, sexual orientation, chat and email transcripts, IP addresses and inter-user conversations. Several hundred users’ full names, credit card types and payment amounts may also have been compromised.

This compromise is reminiscent of the Ashley Madison incident that took place several years ago. The obvious risk in this incident, as with the Ashley Madison incident, is the possibility that cybercriminals can leverage the data leak to try to blackmail users to obtain money for a promise not to expose the individual’s use of the live streaming site to loved ones or the world at large.

ExecuPharm Data Stolen in Ransomware Attack Published on Internet

In a growing trend, pharmaceutical company ExecuPharm became the victim of a ransomware attack on March 13, 2020, by the CLOP ransomware group, which exfiltrated its data and then posted it on the Internet. Apparently, ExecuPharm didn’t pay the ransom, and then paid the price anyway by having its data compromised and posted by the ransomware group.

ExecuPharm reported to the Vermont Attorney General that the ransomware attack compromised Social Security numbers, financial information, drivers’ license information, passport information and other sensitive data.

It is being reported that the information CLOP posted on the Internet included emails, financial and accounting records and database back-ups. There is presently no known decryption tool for the CLOP ransomware.

Shade Ransomware Group Shuts Down

Some good news in the ransomware world, which is so rare these days.

The Shade (Troldesh) ransomware group has retired and is shutting down. When do you ever hear that a ransomware group is shutting down? According to reports, Shade has publicly announced that it is retiring (apparently it has made enough money to do so) and is releasing 750,000 decryption keys for victims to get their data back.

Kaspersky Lab is reported to be developing a tool to assist with decryption for those who have files that were encrypted in the past. If businesses were affected by Troldesh and still have the database that was encrypted, they may be able to use the tool to decrypt and recover the data that were lost.

In retiring, Shade said “We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.” But they aren’t returning all of the money that they stole from victims.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different from the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.

If your business applied for a disaster relief loan and your personal information was compromised in the incident, you will receive notification from the SBA, which is recommending that you sign up for the free credit monitoring being offered.

Privacy Tip #237 – Nintendo Users: Change Your Password and Enable MFA

Nintendo has shut down some NNID logins and has told Switch owners to lock down their accounts following a series of fraudulent attacks. Nintendo has confirmed that it suffered an attack by hackers who accessed some accounts and are using the PayPal accounts linked to those accounts to purchase items fraudulently.

According to Nintendo, approximately 160,000 accounts have been compromised, including users’ nicknames, email addresses, gender, and dates of birth. Some PayPal accounts have apparently been compromised as well.

Nintendo is urging customers to enable two-factor authentication on their accounts and has agreed to refund any fraudulent purchases made during the incident.

If you are a Nintendo user, heed Nintendo’s guidance and lock down your account and enable multi-factor authentication going forward.

New York Department of Financial Services Issues Guidance Regarding Heightened Cybersecurity Awareness During COVID-19 Pandemic

The New York Department of Financial Services (DFS) recently issued guidance to its regulated entities regarding heightened cybersecurity awareness as a result of the COVID-19 pandemic. DFS described three primary areas of heightened risk during this time: remote working, increased instances of phishing and fraud, and third-party risks.

With respect to remote working, DFS noted several areas of risk created by the shift to remote working. The prospect of more remote workers means additional security risks for all businesses. The DFS guidance focused on reminding regulated entities to use secure connections for remote workers – including multi-factor authentication and VPN connections – to use secure wireless devices, and to provide guidance to employees on the secure use of wireless devices and remote video conferencing tools.

DFS noted that there has been a significant increase in online fraud and phishing attempts and stated that the FBI has reported the use of fake emails purporting to be from the Centers for Disease Control and Prevention (CDC), looking for charitable contributions or offering COVID-19 relief checks. DFS stated, “Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.”

The third area DFS focused on was third-party risks. DFS suggested that regulated entities should coordinate with critical vendors to determine how they are adequately addressing new risks.

Finally, DFS issued a reminder that under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest.

Privacy, Security and Data Loss Prevention

I always enjoy hosting and participating in the CISO Executive Network meetings. The meetings offer Chief Information Security Officers (CISOs) the opportunity to discuss together ways they can improve security in their organizations, get ideas from each other on strategies and products, and vent with colleagues about particular issues and complaints. It gives me great insight into what they are experiencing so I, in turn, can help others and stay on the cutting edge of products and services available to assist with data security.

This week, the meetings centered on data privacy, which is, of course, my thing. It was interesting to hear how organizations handle data governance and management, data loss prevention, compliance and minimizing risk.

Here are my thoughts on the topic.

First, I think it is important that the data privacy and security functions work together closely and not in a vacuum. Privacy and security cannot work in silos apart from each other, as the goals and functions are intertwined. It is hard to work as a team and to mount a coordinated approach to data protection when there is no communication or collaboration about what data are being collected by the organization, why they are being collected, and how the data are being used and protected.

Second, organizations may wish to consider having a council or committee that is tasked with the overall privacy and security of data that the organization maintains. The council would be the centralized location of responsibility for determining what data is collected, how they are used, how they are classified and protected and who has authorized access, and would advise on compliance and risk. What often happens is a business unit starts collecting data, then tells the security folks to protect the data. There is no central business decision-making around the collection of data in the first place, and protecting the data falls on the CISO without any input from the beginning.

Third, it is important for organizations to start thinking about data ethics. What I mean by data ethics is the ability of the organization to have a centralized approach and process for deciding which data are actually collected by the organization, and to collect only the data necessary for the product or service that is being offered to the consumer. Instead of grabbing all the data and then determining how to use or monetize it, organizations would be able to differentiate themselves in the market by determining ahead of time which data they will collect and how they will use and disclose the data, and by being transparent with the consumer about its collection and use. They also could offer consumers incentives so that consumers can monetize their own data themselves, deciding who it is disclosed to, for what purpose, and how long it is retained. Thinking through the relationship between the consumer’s rights to their own data and the organization’s ability to use it, while also being transparent with the consumer, will naturally assist with compliance standards, risk and liability. Consumers are getting fed up with finding out that their data has been breached or misused by companies that they didn’t even know had their data in the first place.

Fourth, compliance shouldn’t drive privacy and security decisions. Data ethics and sound business decisions around the collection and use of data should drive the privacy and security program of an organization.

Fifth, secure data retention and destruction are key to minimizing risk and are important parts of a data privacy and security program. Many companies have outdated and irrelevant data retention and destruction programs that are not being used in a comprehensive and systematic way. Updating and following a data retention and destruction program will dramatically assist an organization with compliance and reduction of risk.

Sixth, companies can buy and use data loss prevention (DLP) tools until they are blue in the face. There are vendors that will sell you all sorts of shiny new DLP objects. Many of them are good – but they are not a panacea. You can have all the DLP tools in place and an employee might still click on a link that will cause a security incident. Employee education remains super important, especially in these times of working at home. Continue to push alerts out to employees about security tips and data loss so they can stay abreast of new tactics, even if they are working in their day jammies. No matter how good your data security or DLP tools are, you can’t completely prevent an incident, many of which are caused by employee error or insider threat.

Finally, just as organizations have used the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assist with data security, consider using the NIST Privacy Framework to think about data collection in a different way and to employ Privacy Impact Assessments when developing a new product or service.

Consumers are starting to demand that companies consider their privacy rights before collecting and using their data. Changing the thinking of data collection, and the ethics of collecting, using and disclosing individuals’ data is the new norm. If you do the right thing, regulators don’t have to make you do it, and compliance comes naturally.
