FBI + CISA Issue Joint Alert on Vishing Attacks

When the Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Socket Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support to lure the victims and convince them into thinking the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims, and according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly-available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (from social engineering—including name, address, position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN and that a link to the new login will be sent, which includes multi-factor authentication, and that they will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process, they gain access to the employee’s log in credentials and now have access to the employee’s account.

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.

ABCmouse Pays $10 Million to Settle FTC Enforcement Action

On September 2, 2020, Age of Learning, Inc. (operating as ABCmouse), a children’s online educational company, settled with the Federal Trade Commission (FTC) for $10 million for its alleged misrepresentations and failure to disclose important information to consumers.

The FTC’s complaint alleged that ABCmouse unfairly billed users without their authorization and also made it very difficult to cancel memberships. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said, “ABCmouse didn’t clearly tell parents that their subscriptions would renew automatically, and then the company made it very difficult for them to cancel. People are relying more than ever on remote learning and other online services, and companies need to be up-front about automatic renewals and get permission before charging customers.” This is certainly a warning for other online educational companies operating during the pandemic – transparency is key.

ABCmouse records between 2015 and 2018 indicate that hundreds of thousands of consumers who attempted cancellation nevertheless remained subscribed and billed.

In addition to the $10 million penalty, the settlement order requires ABCmouse to:

  • Stop making any misrepresentations related to negative options (i.e., that a good or service is “free,” “trial,” “sample” or “no obligation” when a consumer must act in order to avoid later charges);
  • Disclose important information to consumers when it offers negative option plans (i.e., how to cancel the plan, the total amount they will be charged if they don’t cancel the plan, and the deadlines by which they must cancel the plan);
  • Explain clearly key terms associated with negative option plan offers BEFORE they get a consumer’s billing information;
  • Obtain consumers’ informed consent BEFORE enrolling the consumer in any automatic billing programs; and,
  • Provide cancellation mechanisms for its subscriptions.

To read the proposed settlement order, click here.

Cisco Working on Zero-Day Vulnerability

Cisco warned its customers last weekend that it has become aware of a zero-day vulnerability that it is working to fix by developing a patch. The flaw involves Cisco’s iOS XR Software, an operating system for carrier-grade routers and networking devices used by telecommunications and data-center providers.

According to the advisory, the vulnerability, dubbed CVE-2020-3566, allows the attacker to send maliciously-crafted Internet Group Management Protocol (IGMP) traffic. “[A]n attacker can exploit this vulnerability by sending crafted IGMP traffic to an affected device…A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

Cisco rated the severity of the vulnerability “high,” with a Common Vulnerability Scoring System tally of 8.6 out of 10. Although the advisory says that nothing can be done to fix the vulnerability prior to the development of a patch, it provides measures that administrators can take to mitigate the effects. The advisory can be accessed here.

Australian Defence to Use Swarms of Tiny Autonomous Underwater Vehicles, Highlighting a Global Trend

Last week, the Australian Department of Defence announced that it will begin research and development for the use of swarms of tiny autonomous underwater vehicles (AUV) (i.e., underwater drones) to detect and clear naval mines. This research and development project will cost approximately $15 million and span over five years in partnership with Australia’s Trusted Autonomous Systems Defence Cooperative Research Centre and Thales Australia.

The goal of the project will be to assess researchers’ design, development and testing of various teams of micro AUV swarms as well as autonomous surface vessels (AUS) in order to develop new systems of defense. Teams of AUV and AUS could survey an area before manned vessels are deployed. This type of undertaking will include the ability to autonomously collect environmental data in order to conduct mine countermeasure missions. It relies heavily on artificial intelligence, big data and connectivity.

This type of investment and involvement with underwater and surface drones will surely continue to grow across the globe. In January 2020, the U.S. Navy partnered with L3Harris Technologies to test underwater drones for undersea missions. Just last month, L3 Harris Technologies received a contract from the U.S. Navy as part of a $281 million program for medium unmanned surface vehicles.

Privacy Tip #250 – Beware of Vishing

The Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning the public about vishing campaigns [see related post]. Vishing is defined by the FBI as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.”

Vishing basically means that cyber criminals are gathering publicly-available information on companies and employees so they get to know a lot about them, and then they call employees on their cell phones to try to get them to believe that they are from IT support and that a new VPN (virtual private network) is being used. They then assist the employee with activating the new VPN and in the process obtain the employee’s credentials to access the company’s system and look for new victims.

We all know not to give our credentials to strangers via email. We also know not to give our credentials or personal information to anyone over the telephone. That said, the joint alert makes it clear that people who are working from home are falling victim to this campaign as there is no face-to-face authentication, and the criminals have gathered so much information on the individual employee that the employee believes it is a co-worker calling to assist.

Beware of giving any information to anyone over the telephone (or via email for that matter).

The Alert gives the following “End-User Tips”:

  • Verify that web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis  of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, refer to the CISA Security Tips below.

U.S. Organizations Doing Business in China Warned of Malware in Tax Software

The Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Flash Alert to U.S. based businesses doing business in China about a remote targeting campaign whereby the tax software that Chinese domestic banks require foreign companies to install is loaded with malware.

Trustwave researchers warned in June 2020 that they had discovered a backdoor in the required tax software used by the Chinese domestic banks dubbed GoldenSpy. The backdoor reportedly could not be removed and allowed remote installation of additional malware.

Not only did the required tax software install malware into U.S. companies’ systems, but when Trustwave researchers detected the malware, several days later, the Trustwave researchers found that the GoldenSpy authors attempted to secretly load uninstaller software on the affected systems to remove the backdoor because they got caught!

The FBI and CISA is warning companies that security teams should be utilized to remove the malware as the attackers are attempting to evade industry standard network security rules.

“The FBI assesses that the cyber-actors’ persistent attempts to silently remove the malware is not a sign of resignation. Rather, it is an effort to hide their capabilities. Organizations conducting business in China continue to be at risk from system vulnerabilities exploited by the tax software and similar supply chains.”

Is this City Monitoring Me?

In Coral Gables, Florida, a judge refused to dismiss a lawsuit over the city’s use of automated license plate readers to scan license plates. This technology has faced a number of lawsuits over concerns about the collection and storage of data. The Coral Gables lawsuit stemmed from a Miami suburb resident who filed a request with the city to see what information it had on her movements. That resident discovered that the city had over 80 pages of documents and images showing him at various locations around town.

The American Civil Liberties Union (ACLU) says that this technology is concerning because its feeding data about individuals into gigantic databases filled with billions of private details about those individuals’ movements, associations and patterns of life. Further, those databases do not have strong safeguards for protecting that data, nor judicial oversight or retention limitations. With the rise in data breaches across the country, there is also a high risk for this data to end up in the wrong hands.

Many cities across the U.S. are using this automated license plate reader technology. In order to combat some of the inherent issues with this type of data collection, experts recommend that the cities and towns that install this technology be transparent with residents, limit the type of activity that will trigger alerts and data recordings, as well as only store the data for a short amount of time. For example, in Maryland, over a six-month period, these scanners scanned 29 million license plates but only 0.2 percent of them were flagged for illegal activity.

This may be the time to push for new laws related to automatic license plate readers or, at the very least, the databases that house this sensitive data.

Financial Brokers Warned by FINRA of Imposter Websites

The Financial Industry Regulatory Authority (FINRA) recently warned financial professionals that imposters are attempting to collect personal information of investors by spoofing financial professionals’ websites, reaching out to investors, and directing them to the fake websites.

The spoofers are able to go on a financial professional’s website or page, copy and paste the picture of the professional, the background of the professional and the experience and educational background of the professional. Once they copy the information, they set up a new website and paste the information into the fake website.

Investors are contacted and directed to the fake website, and they believe that it is real. Once the investor is directed to the fake website, the spoofer requests that the investor provider personal information through the website, which will be used to commit fraud.

FINRA suggests that financial professionals frequently check for websites using their name, or the name of their employees and preemptively warning investors. If a fake website is located, the firm or individual should contact the FBI, Securities and Exchange Commission and FINRA.

Transitioning from On-Site Audits to Zoom/Teams Audits

Auditors have to continue doing their job of auditing, but with the pandemic, audits now are rarely on-site. Many auditing firms are using remote technology to conduct audits, and companies are either forwarding files electronically, using cloud-based portals or meeting with their auditors over technology meeting platforms such as Zoom and/or teams.

There are risks associated with moving audits from in-person reviews on-site in conference rooms to using remote meeting technology or cloud-based products. Those risks, to name a few, include the potential transmission of highly sensitive or personal information via insecure email, the ability to take screen shots or record technology sessions such as Zoom and/or teams, and the capture of information electronically that was never captured before, and the storage and potential of access to highly sensitive information or personal information by cloud vendors.

In assessing these risks, companies may wish to consider redacting sensitive information before pdf’ing or emailing documents to auditing firms, sending all sensitive information using encryption software, no allowing any screen shots, photographs or recording to take place on Zoom and/or teams calls if sensitive information is being shared, and performing due diligence on cloud-based software that auditing firms propose to use, including privacy and security measures taken by the cloud-based vendor and what access the vendor has to company data.

Finally, whether audits are completed in person or remotely, review and consideration of requiring contractual language to include data privacy and security, indemnification and responsibilities regarding data loss and/or unauthorized access is an important risk management tool in the event that a security incident occurs.

Will Flying Cars Replace the Cars on our Highways?

The authors of the book, “The Future is Faster than You Think,” Peter H. Diamandis and Steven Kotler, conducted a survey to determine whether Americans are ready for the technological changes that are rapidly approaching.

The survey included 10 multiple choice questions and 2,663 participants. The survey results:

  • 7 out of 10 Americans do not believe flying cars will be transporting people in downtown cities in their lifetime;
  • Half of Americans do not believe that artificial intelligence will be smarter than humans in their lifetime;
  • Only 30 percent of Americans believe that in their lifetime a brain will be connected to a computer information cloud so that they could Google information by merely thinking.

These views contradict the reality according to the authors -flying cars and virtual malls will likely become a reality within the next 10 years. Disruption and democratization of technologies like artificial intelligence and virtual reality will lead to extraordinary growth and transformation.

Accelerating technologies will reinvent many areas of our lives, from transportation, retail, advertising, education, health, entertainment, food and finance. For now, we can look to the highways for our transportation, but it may be sooner than we think that our cars hit the skies.

LexBlog