Netizen Cybersecurity Bulletin: 18 July 2018 Edition
In this issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- Business Email Compromise Costs $12B – FBI
- Sextortion Scam
- More Secure Wireless
- How can Netizen Help?
Business Email Compromise Costs $12B – FBI
The FBI’s latest warning reports the losses due to scams against business email accounts have risen 135% from December 2016 to May 2018.
New FBI data shows that business email compromise (BEC) and email account compromise (EAC) scam losses worldwide spiked 136% from December 2016 to May 2018.
The FBI tracks these attacks as either Business Email Compromise (BEC) or Email Account Compromise (EAC), and reports there were 78,617 BEC/EAC incidents reported between October 2013 and May 2018, resulting in $12 billion in losses. Of those incidents, 41,058 were in the US, resulting in $2.9 billion in losses. China and Hong Kong banks led the locations for receipt of fraudulent funds, while the UK, Mexico, and Turkey are emerging regions, the FBI report shows.
In its public service announcement, the FBI warns that the scams are evolving: “The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”
The real estate industry is the new hot target: from 2015 to 2017, there was an increase of 1,100% of BEC/EAC victims in that sector. However, no industry is immune to these scams.
Be cautious of any financial communication that is exclusively e-mail based and establish a secondary means of communication for verification purposes.
Employees should be wary of unsubstantiated phone conversations. The FBI reports victims have reported receiving phone calls from BEC/EAC actors requesting personal information for verification purposes. Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to defend against this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties.
If you discover a fraudulent transfer, move fast.
- First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds.
- Contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds.
Hackers have been known to send threatening emails to scare users into sending money, most often in bitcoin, to an encrypted address. More recently there has been a spike in what are known as sextortion emails. Sextortion emails begin with an unsolicited message claiming to have photographic or video evidence of the user accessing pornographic material. The user is then blackmailed into sending money, lest the hacker release the photos/videos to the user’s mailing list (including coworkers, relatives, etc.).
The good news? It’s a scam. There is no video or photograph; the hacker is relying completely on fear and intimidation. Hackers have progressed in their scare tactics by enclosing legitimate usernames and password within the email. Reports have found that these passwords provided are in fact legitimate, they have been used before, but often these passwords were upwards of ten years old. It is likely that the hackers have discovered a stockpile of compromised passwords from previous data breaches and are thus utilizing them to make the threat more believable.
An example email follows below:
I am aware, xxxxxx, is your password. You do not know me and you’re most likely thinking why you’re getting this e-mail, correct?
Well, I actually installed a malware on the adult video clips (porno) web-site and do you know what, you visited this site to experience fun (you know what I mean).
While you were watching videos, your internet browser started operating as a RDP (Remote Desktop) that has a key logger which provided me with access to your display screen and web camera. Immediately after that, my software obtained your complete contacts from your Messenger, social networks, as well as email.
What exactly did I do?
I made a double-screen video. 1st part displays the video you were watching (you have ã good taste hahah), and 2nd part displays the recording of your web cam.
exactly what should you do?
Well, in my opinion, $2900 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
BTC Address: 1AioWDqwmRY8Ad7Vb6nSHtFcTqfW2Xj
(It is cAsE sensitive, so copy and paste it)
You now have one day to make the payment. (I have a specific pixel in this mail, and at this moment I know that you have read through this é mail). If I don’t receive the BitCoins, I will, no doubt send out your video recording to all of your contacts including close relatives, colleagues, and so on.
However, if I do get paid, I’ll erase the video immediately. If you really want evidence, reply with “Yes!” and I will certainly send out your video recording to your 10 friends. This is a non-negotiable offer, therefore please don’t waste my time and yours by replying to this email.
- Scrutinize your emails. If something does not feel right, it probably isn’t.
- Again, these emails convey fear and intimidation. Bottom line, don’t panic. If you receive an email that looks anything like the above, it is a scam. You should contact your supervisor or system administrator.
More Secure Wireless on the Way
The Wi-Fi Alliance has recently announced that the Wi-Fi Certified WPA3 protocol will be making it’s way into devices later this year. This new protocol is set to replace the decade old WPA2, by bringing more robust authentication, and increased encryption strength for more sensitive businesses.
This new way of securely connecting to wireless also brings with it replacements for WPA2’s flaws which include last year’s discovery that a victim’s device could be tricked into reusing an already in use key, along with replacing the flawed Wi-Fi Protected Setup (WPS) which is vulnerable to brute-force attacks.
WPA3 will come in both a personal and enterprise mode, capable of being resistant to dictionary and password-guessing attacks, with enterprise allowing for up to 192-bit encryption for secure data transmission.
This new protocol will take time to become fully adopted into new wireless networking devices, but nonetheless it is something that should be planned for upgrading to in the future.
- Continue to ensure you are using WPA2 encryption on your wireless device with a strong passphrase, and be sure to disable WPS as well.
- Ensure your wireless router or access point is not using default passwords.
- Change the default SSID Name, but ensure to not use any personally identifiable information.
- Enable the wireless MAC filter in order to bolster security, and deter attackers.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.