Cyber Defense Tip of the Week
Business E-Mail Compromise: The FBI and the Internet Crime Complaint Center (IC3) offer the following tips to businesses to avoid being victimized by Business Email Compromise (a more detailed list of strategies is available at www.ic3.gov):
- Verify changes in vendor payment location and confirm requests for transfer of funds.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create spam and intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
- If possible, register all Internet domains that are slightly different than the actual company domain.
- Be wary of using free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
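The lookalike-domain rule from the tips above, as an added example that is not part of the FBI/IC3 guidance: a Python check that classifies a From: header as internal, lookalike or external. The company domain `example.com`, the edit-distance threshold of 2 and the sample headers are assumptions made for illustration.

```python
# Added example: flag sender domains that resemble, but do not equal, the company domain.
# COMPANY_DOMAIN, MAX_DISTANCE and SAMPLE_FROM are constructed for illustration.
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
MAX_DISTANCE = 2  # assumed threshold for "similar but not exactly the same"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(from_header: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header."""
    domain = sender_domain(from_header)
    if domain == company or domain.endswith("." + company):
        return "internal"
    # Same name under another extension (.co instead of .com) is always flagged.
    same_name = (domain.split(".")[0] == company.split(".")[0]
                 and domain.count(".") == company.count("."))
    if same_name or edit_distance(domain, company) <= MAX_DISTANCE:
        return "lookalike"
    return "external"


SAMPLE_FROM = [  # constructed headers, not real traffic
    "Jane Doe <jane@example.com>",
    "CEO <ceo@example.co>",
    "Accounts Payable <ap@examp1e.com>",
    "billing@exarnple.com",
    "Vendor <sales@contoso.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        print(f"{classify(header):9}  {header}")
```

Messages classified as `lookalike` are the ones a mail-gateway rule would flag or quarantine for review before any payment request in them is acted on.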
Ashley Madison founder and chief executive Noel Biderman quits following hack: The founder and chief executive of cheaters’ dating website steps down after personal details of millions of users are posted online. The Telegraph, August 28, 2015
Who Hacked Ashley Madison?: AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack. KrebsOnSecurity, August 26, 2015
Leaked AshleyMadison Emails Suggest Execs Hacked Competitors: Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012. KrebsOnSecurity, August 24, 2015
Ashley Madison sued for emotional distress in potential class-action lawsuit: The infidelity website Ashley Madison and its parent company are being sued in US federal court by a man who claims that the companies caused him emotional damage by failing to adequately protect personal and financial information from theft. The Guardian, August 25, 2015
Extortionists Target Ashley Madison Users: People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity. KrebsOnSecurity, August 21, 2015
';--have i been pwned?: Check if you have an email account that has been compromised in a data breach. haveibeenpwned.com
Ashley Madison Users Face Threats of Blackmail and Identity Theft: First, members of the adultery website Ashley Madison had their personal information unveiled to the world by hackers. Now, a bigger threat looms. The New York Times, August 28, 2015
Business E-Mail Compromise: An Emerging Global Threat: The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details. FBI.gov, August 28, 2015
FBI: $1.2B Lost to Business Email Scams: The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. KrebsOnSecurity, August 27, 2015
Advertising malware rates have tripled in the last year, according to report: Ad networks have been hit with a string of compromises in recent months, and according to a new report, many of the infections are making it through to consumers. A study published today by Cyphort found that instances of malware served by ad networks more than tripled between June 2014 and February 2015, based on monthly samples taken during the period. Dubbed “malvertising,” the attacks typically sneak malicious ads onto far-reaching ad networks. The networks deliver those malware-seeded ads to popular websites, which pass them along to a portion of the visitors to the site. The attacks typically infect computers by exploiting vulnerabilities in Adobe Flash, typically triggered as soon as an ad is successfully loaded. TheVerge, August 25, 2015
Fake EFF site serving espionage malware was likely active for 3+ weeks: A spear-phishing campaign some researchers say is linked to the Russian government masqueraded as the Electronic Frontier Foundation in an attempt to infect targets with malware that collects passwords and other sensitive data. ars technica, August 28, 2015
Iranian hackers are getting desperate and sloppy, report finds: Bungling Iranian hackers who seem to be low on patience have developed a new scheme for trying to trick targets into granting access to their online accounts, according to a new report from the University of Toronto’s Citizen Lab. The Washington Examiner, August 28, 2015
Hackers revive Word macro malware in AutoIT RAT attack: In a blog post by Cisco’s Talos security group, criminals have been discovered launching a targeted attack on organisations using AutoIT to install a Remote Access Trojan (RAT) and “maintain persistence on the host in a manner that’s similar to normal administration activity”. AutoIT is a well known freeware administration tool for automating system management in corporate environments. SC Magazine, August 27, 2015
Cyber Security Management
Cyber Threats and Regulations Top List of Challenges for Information Security Officers: Faced with escalating cyber threats and increasingly complex regulatory mandates, chief information security officers (CISOs) are experiencing growing pressure to protect critical information and infrastructure assets, while also embracing strategic business initiatives to integrate a comprehensive enterprise approach to cybersecurity. That’s according to Big 4 consultancy Deloitte, which also provides cyber risk advisory services. CPA Practice Advisor, August 26, 2015
Cyber Security Management – Cyber Defense
BitTorrent patches reflective DDoS attack security vulnerability: A vulnerability which could divert traffic to launch cyberattacks has been mitigated two weeks after public disclosure. ZDNet, August 28, 2015
Even ‘super hackers’ leave entries in logs, so prepare to drown in data: The 1990s called. It wants its breach classification system back. The Register, August 24, 2015
Phone and laptop encryption guide: Protect your stuff and yourself: The worst thing about having a phone or laptop stolen isn’t necessarily the loss of the physical object itself, though there’s no question that that part sucks. It’s the amount of damage control you have to do afterward. Calling your phone company to get SIMs deactivated, changing all of your account passwords, and maybe even canceling credit cards are all good ideas, and they’re just the tip of the iceberg. ars technica, August 23, 2015
Cyber Security Management – Cyber Awareness
Google Study Finds Most People Aren’t Protecting Their Data Properly: A study by Google finds that most people don’t have a good understanding of the best ways to keep their tech gadgets secure. Inc.com, August 24, 2015
Secure the Village
Facebook updates ThreatExchange info, says gov’t agencies not welcome: Facebook is expanding its ThreatExchange through new features and the opening of applications to join the platform, the company wrote in a six-month update blog post. SC Magazine, August 21, 2015
Wyndham Must Face Hacker Suit as Court Upholds FTC Power: In a case testing regulators’ authority to police companies’ cybersecurity practices, a U.S. appeals court said Wyndham Worldwide Corp. must face a suit in which it’s accused of failing to secure its computers from Russian hackers. Bloomberg, August 24, 2015
Information Security Talent Shortage Is at the Senior Level, Survey Finds: The real problem with the perceived talent shortage in information security is retention and churn at the higher levels, according to a survey by IT and security executive networking firm T.E.N. and International Data Corporation. Staffing Industry Analysts, August 28, 2015
Car information security is a complete wreck — here’s why: Sean Gallagher’s long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer’s season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet. boingboing, August 23, 2015
Highway to hack: Why we’re just at the beginning of the auto-hacking era: Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong? ars technica, August 23, 2015
Six Nabbed for Using LizardSquad Attack Tool: Authorities in the United Kingdom this week arrested a half-dozen young males accused of using the Lizard Squad’s Lizard Stresser tool, an online service that allowed paying customers to launch attacks capable of taking Web sites offline for up to eight hours at a time. KrebsOnSecurity, August 28, 2015