Netizen Cybersecurity Bulletin 09 January 2019
In This Issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- Law Firm Loses Money to Cyber Criminals
- Singapore Airlines Exposes Personal Data of Frequent Flyers
- Update: The Marriott Breach
- Phish Tale of the Week
- How can Netizen help?
Law Firm Loses Money to Cyber Criminals
A law firm unknowingly transferred €97,000, roughly $124,000, to cyber criminals. The unnamed firm was targeted on two separate occasions. In the first attempt, the firm was redeeming a mortgage with the money payable to a fund. The email the firm received asked for the money to be sent to a bank account in Turkey under the account name "Bitcoin Concept". The practice identified that request as a fraud and did not act on the email: it had verified the bank account details before any transfer.
The second attempt succeeded. Once again an email arrived asking the firm to redeem a mortgage on behalf of an organization, and a member of that organization's staff sent an email containing legitimate bank account details. The practice again carried out verification steps, but when the details were emailed onward for final approval the message was intercepted and the account details were swapped for another fraudulent account. The transfer was made to the substituted account and the money was withdrawn by the criminals. Note what the second case shows: verifying the details at one point in the process is not enough if the details can be altered in transit afterwards; the account used for payment must be confirmed out of band at the moment of transfer.
Recommendations:
Law firms and the financial sector in general are frequent targets because of the profit they can provide to cyber criminals. We recommend the following when transferring funds or sending critical or sensitive material to others:
- Verify. Verify. Verify. Confirm the individual or organization you are paying or sending information to by phone, face to face, or another channel that is independent of the email, using contact details you already hold, not a number or address supplied in the email itself. Treat any change to previously confirmed bank account details as a new request that must be verified again.
- Email is not a secure medium for extremely critical information such as bank account details; a letter or fax is safer. If email must be used, ensure that every message containing sensitive information is encrypted before it is sent, and do not conduct an entire transaction over email.
- Have an email security policy that is communicated to staff and reviewed regularly.
- For banks and firms, check statements regularly for any transactions you do not recognize.
- Monitor accounts continuously for unusual activity.
- If you believe you are receiving fraudulent emails, or that a mailbox involved in a transaction may have been read by an outsider, change the affected passwords to be safe.
Singapore Airlines Exposes Personal Data of 285 Frequent Flyers
Singapore Airlines, an international airline carrying roughly 19 million passengers a year, experienced a software glitch that exposed the personal data of 285 members of its KrisFlyer frequent flyer program. The glitch appeared after a recent website update and allowed frequent flyer data to be viewed by others. It is the latest in a slew of security incidents in the airline industry, and observers are calling for change in how airlines approach security.
Recommendations:
Airlines should be putting in place stricter policies similar to those of today's technology companies. This incident should be a wake-up call to every business that operates online and handles personal data. Companies should be thinking about "who we need to secure" rather than only "what we need to secure"; that shift in focus protects the customers who trust a company with their private information. Whether the cause is a software glitch or a deliberate breach, companies need to limit the damage from exposed data by adopting technologies that identify customers by their behavior online rather than relying solely on credentials, which may already have been stolen.
Update: The Marriott Breach
Netizen alerted its clients and readers in November about the data breach affecting Marriott International's Starwood reservation database, which exposed the personal information of up to 500 million people.
The details reported in November included dates of birth and credit card numbers, as well as contact information such as mailing addresses and email addresses. Initially, Marriott acknowledged that the breach included passport numbers for more than 25 million guests. Last week the company acknowledged for the first time that 5.25 million of those passport numbers were stored unencrypted, that is, in plaintext with nothing to prevent unauthorized access. The remaining passport numbers were encrypted, and there is so far no confirmation that the attackers obtained the master encryption key needed to decrypt them.
Since the initial reporting, the total number of affected records has dropped to 383 million, which would still rank this among the largest breaches on record. Marriott said it had not yet determined how many of the 383 million records are duplicates involving the same guest, so the number of distinct people affected is likely lower.
Recommendations:
If you have stayed at a Starwood property since 2014, monitor your credit report and look for any suspicious activity. Credit industry experts recommend freezing your credit so that, if your information was stolen, criminals cannot open new lines of credit in your name. If you decide to freeze your credit, you must contact each of the three major credit bureaus individually. Marriott has emailed affected guests and is offering them free enrollment in WebWatcher for one year; it has also set up a website for affected guests at https://answers.kroll.com/.
Phish Tale of the Week
The year is still too new for any fresh phish, so we’ll simply remind you of our recommendations to stay secure:
RECOMMENDATIONS:
A phishing email will typically direct the user to a website where they are asked to update personal information, such as a password, credit card number, social security number, or bank account number. A legitimate company already has this information and would not ask for it again, especially via email.
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you are expecting a confirmation? Did the email come from a store you do not usually order supplies from or a service you do not use? If so, it is probably a phishing attempt.
- Verify that the sender is actually from the company the message claims to come from. Check the actual sending address, not just the display name, and look for a Reply-To address that differs from the sender.
- Did you receive a message or email from someone you do not recognize? Are they asking you to sign in to a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
- Do not give out personal or company information.
- Review both the signature and the salutation. A generic greeting such as "Dear Customer" from a company that knows your name is a warning sign.
- Do not open unexpected attachments.
- Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company or service and that it uses HTTPS. Read the whole hostname: a link such as yourbank.example.somethingelse.example belongs to somethingelse.example, not to your bank.
- Be wary of poor spelling, grammar, and formatting. Multiple spelling, grammar, and formatting errors are a strong indication that a message is illegitimate. If an email is visually unprofessional, the sender is likely not who they claim to be.
Many phishing emails convey a sense of urgency or even aggression in order to intimidate the reader. Any email demanding immediate action or addressing you in a threatening manner should be treated as suspect. Also beware of messages that tempt you into opening an attachment or visiting a link. For example, an attachment titled "Staff Pay Raises 2018" may seem like something you really want to read, but it could be a ploy to plant malware on your system or steal your credentials.
How Can Netizen Help?
Netizen ensures that security gets built in rather than bolted on. We provide advanced solutions to protect critical IT infrastructure, including our popular "CISO-as-a-Service" offering, through which companies can draw on the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.