Tag Archives: cyber criminal

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.


Distinctive technique: The funds were first routed to another law firm in the Southwest, where a subordinate also appears to have been tricked by a spoofed message into moving the funds once again, this time into an account set up at a U.S. branch office of Sumitomo Bank, a giant global institution headquartered in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has likely been absorbed by the duped businesses themselves.


Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.


Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of comingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman: Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.
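The spoof in the case above relied on a sender domain one letter off from the real one, plus the habit of treating a Gmail message from the boss as normal. As an added example that is not part of the original article, here are the sender-side checks a mail gateway, or a rule in the paralegal's mailbox, could apply before anyone acts on a wire instruction. The firm's domain, the executive's name and the sample headers are constructed for illustration.

```python
"""
Added example, not from the original article: sender checks that a mail
gateway, or a filter in the paralegal's mailbox, could apply to the message
described above. The firm's domain, the executive's name and the sample
headers are constructed for illustration.
"""
import re
from email.utils import parseaddr
from typing import Dict, List

TRUSTED_DOMAINS = {"examplelawfirm.com"}                       # hypothetical firm
EXECUTIVES = {"jane roe": "jroe@examplelawfirm.com"}           # who gets impersonated
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENT = re.compile(r"\b(wire|transfer|urgent|asap|immediately|today)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; spots 'examplelawfirmm.com' one keystroke from the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(headers.get("Reply-To", ""))[1])
    # 1. Lookalike domain: close to a trusted domain but not identical.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and 0 < levenshtein(from_dom, trusted) <= 2:
            reasons.append(f"lookalike domain {from_dom} resembles {trusted}")
    # 2. An executive's display name on an address that is not theirs.
    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        kind = "free webmail" if from_dom in FREE_WEBMAIL else "unexpected address"
        reasons.append(f"display name '{name}' used from {kind} {addr}")
    # 3. Replies silently redirected to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Urgency and payment language, the social-engineering core of CEO fraud.
    if URGENT.search(headers.get("Subject", "")):
        reasons.append("urgent payment language in subject")
    return reasons


# Constructed sample headers: the spoof from the article, a webmail variant, and a real message.
SAMPLES = {
    "lookalike": {"From": '"Jane Roe" <jroe@examplelawfirmm.com>',
                  "Subject": "URGENT: wire the closing funds today"},
    "webmail": {"From": '"Jane Roe" <janeroe.office@gmail.com>',
                "Reply-To": "<j.roe.assistant@yahoo.com>",
                "Subject": "Quick favor before the closing"},
    "legit": {"From": '"Jane Roe" <jroe@examplelawfirm.com>',
              "Subject": "Closing documents for review"},
}


def triage(messages: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run assess() over a batch; anything with reasons should trigger the phone call."""
    return {msg_id: assess(h) for msg_id, h in messages.items()}


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLES).items():
        print(msg_id, "->", reasons or "no findings")
```

These are flags, not a verdict: a sibling brand domain can also sit within two edits of the real one, and an executive really may write from Gmail. The point is that each flag is cheap to compute and each one is a reason to make the 45-second phone call Goodman describes rather than act on the message.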

IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.


And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed somewhat basic security protocols, such as email authentication and SSL configurations.


Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t have current secure protocols; one provider failed to adopt an extended validation (EV) SSL certificate, leaving it open to spoofing.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to do something.


Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs comprised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks carry no malware-laden attachments or bad URLs that a filter could detect. Yet they have proven very effective at duping the recipient into forwarding files containing employees’ W-2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication. Protocols such as SPF, DKIM and DMARC let a receiving mail server check that a message claiming to come from a domain was actually authorized by that domain, which is a basic defense against spoofing. The OTA-audited e-filing services that had not deployed it leave their domains open to exactly this kind of impersonation.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.
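As an added example that is not part of the original article, the following shows what a receiving mail server actually does with email authentication: it takes the SPF and DKIM results for a message, checks them against the sender domain's published DMARC policy, and decides whether to deliver, quarantine or reject. The domains, records and results are constructed; they mirror the legitimate, spoofed, unauthenticated and lookalike cases discussed on this page. The Public Suffix List step of real DMARC implementations is simplified to "last two labels", as noted in the code.

```python
"""
Added example, not from the original article: how a receiving mail server turns
SPF and DKIM results into a DMARC verdict, run over constructed inputs that
mirror the scenarios discussed on this page. Domains and records are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a 'v=DMARC1; p=...' TXT record, filling in the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: organisational domain = last two labels.
    # Real implementations consult the Public Suffix List (co.uk and friends).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs identical domains; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                 # domain in the RFC5322.From header the user sees
    spf_result: str                  # pass/fail/none for the envelope MAIL FROM domain
    spf_domain: str
    dkim: List[Tuple[str, str]] = field(default_factory=list)   # (result, d= domain)


def evaluate_dmarc(r: AuthResults, record: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition); disposition follows the sender's p= tag."""
    if record is None:
        return "none", "deliver"     # no policy published: the receiver has nothing to enforce
    pol = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, pol["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, pol["adkim"]) for res, d in r.dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(pol["p"], "deliver")


# Constructed scenarios. Records would normally come from _dmarc.<from_domain> TXT lookups.
SCENARIOS = {
    # Legitimate mail from the firm: SPF on a bounce subdomain (relaxed OK), DKIM on the exact domain.
    "legit": (AuthResults("examplelawfirm.com", "pass", "bounce.examplelawfirm.com",
                          [("pass", "examplelawfirm.com")]),
              "v=DMARC1; p=reject; adkim=s; aspf=r"),
    # Spoofed From header sent through the attacker's own webmail: authenticated, but not aligned.
    "spoofed": (AuthResults("examplelawfirm.com", "pass", "gmail.com", [("pass", "gmail.com")]),
                "v=DMARC1; p=reject; adkim=s; aspf=r"),
    # A domain that publishes no DMARC record, like the audited e-filing sites: anything goes.
    "no_policy": (AuthResults("efile-example.com", "pass", "attacker.example", []), None),
    # Lookalike domain registered by the attacker, with its own SPF and DKIM: passes cleanly.
    "lookalike": (AuthResults("examplelawfirmm.com", "pass", "examplelawfirmm.com",
                              [("pass", "examplelawfirmm.com")]),
                  "v=DMARC1; p=none"),
}


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    return {name: evaluate_dmarc(res, rec) for name, (res, rec) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:10s} dmarc={verdict[0]:4s} disposition={verdict[1]}")
```

Two things are worth noticing in the output. The "spoofed" case is stopped only because the firm publishes p=reject; with no record at all, as in the "no_policy" case, the same forgery is delivered. And the "lookalike" case passes: DMARC proves the mail really came from examplelawfirmm.com, it cannot know that this is not the firm. Authentication closes the direct-spoofing route and leaves the lookalike route to the human, which is why both controls are needed.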

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefsen.

Cyber Threats to Watch This Year

2015 was a year in which cyber criminals continued to innovate and expand their activities. As 2016 commences, look for insider threats to take center stage and for leading companies to respond. Meanwhile, cybersecurity and privacy issues will continue to reverberate globally. Here are a few predictions for the coming year:

Ed note_Edward Stroz

Cyber threats and elections– Threat actors targeted the websites and emails of presidential candidates in 2008 and 2012. Campaign websites continue to be used to raise money, making them targets for hacktivists and cyber criminals alike. Expect to see U.S. primary frontrunners and eventual nominees successfully targeted and to see at least one campaign undermined by a data breach.

IoT spurs new rules– This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption — through the breach of a connected car or medical device or weak security in a connected toy — will spur regulators and consumers to demand action. Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved “privacy and security by design” rules.

Insider threats get addressed– Insider threats — current or ex-employees with knowledge of, and access to, the corporate network — will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations. Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.

International data flows narrow– Uncertainty arising from the demise of the EU-U.S. Safe Harbor pact will disrupt international data flows. Expanding European nationalism, distrust of U.S. surveillance and subpoena power, the prospect of triggering huge fines for transborder transfers and political disputes over alternatives will drive some U.S. companies to avoid doing business with Europe altogether. Meanwhile, other multinationals will opt to segregate business functions geographically by building local cloud services and data centers that protect them from penalties.

Boardroom shuffle– With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensure boards are well-informed and comfortable making strategic decisions. Expect the appointment of specialist, non-executive cyber directors and the formation of dedicated cyber-risk committees (similar to audit committees) with independent advisers. Regulators may also pursue the concept of “cyber competent” people as a requirement for boards.

Cyber insurance spike– Demand for cyber liability coverage will continue to rise. Expect premiums to also rise because of constantly evolving threats, immature risk models and an underdeveloped reinsurance market. This will affect retailers, healthcare providers, banks and others that are considered high risk. Uncertainty about the concentration of exposure will lead regulators to impose cyber incident “stress testing.” This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers — and potentially stop those that fail these tests from writing new policies.

What’s in Store for Blockchain?

Blockchain, blockchain, blockchain! What does that mean for insurance? No one knows yet, but that doesn’t stop blockchain from being one of the hottest topics in the insurance industry right now. This week, I take a look at the direction this puck is heading.

Hype or reality?

Last September, the World Economic Forum published a report titled, Deep Shift – Technology Tipping Points and Societal Impact. The report is based on surveys with more than 800 executives and experts about new technologies and innovations. The point of the report is to identify deep shifts in society that result from new technologies. These include areas such as 3D printing, driverless cars, wearables and artificial intelligence.

I was drawn to shift No. 16, simply called “Bitcoin and the blockchain.” By 2025, 58% of these experts and executives believed we would hit the tipping point for Bitcoin and blockchain. This was defined as:

“10% of global gross domestic product will be stored on blockchain technology.”

To put that into context, the total worth of Bitcoin today in the blockchain is about 0.025% of today’s $80 trillion global GDP.

Also of interest, especially given that it looks like Tunisia will be the first country to issue a digital currency on a blockchain, shift No. 18 was called “Governments and the blockchain.” Here, almost three out of four in the survey group expected that “governments would collect tax via a blockchain by 2023.”

It’s a reality then!

It certainly looks that way. And $500 million of venture capital money in 2015 can’t be wrong, can it?

The prospect of a seismic shift on a par with the impact of the Internet is compelling. That explains all the attention, predictions and excitement about blockchain. But, if we use the evolution of the Internet as a benchmark, the development of blockchain today for commercial use is equivalent to the Internet in, say, the mid-1990s, at best.

The debates on Bitcoin, on whether private or public blockchains will be used, on Sybase vs Oracle (oops, wrong century) are yet to play out. The ability of the Bitcoin blockchain to scale to handle massive volumes at lightning speed remains unproven.

Now, just as it was in 1995, blockchain technology is at an embryonic stage. Still finding its way, it has yet to prove it is a viable, industrial-strength, large-scale technology capable of solving world hunger.

That is why I am going to focus on the use case for insurance rather than the technology itself. (For one explanation of how blockchain works, go to Wired.)

The smart insurance contract

This is getting the most attention right now. The notion of automating the insurance policy once it is written into a smart contract is compelling. The idea that it will pay out against the insurable event without the policyholder having to make a claim or the insurer having to administer the claim has significant attractions.

First, the cost of claims processing simply goes away. Second, the opportunity for fraud largely goes away, too. (I hesitate here simply because it is theoretical and not yet proven.) Third, customer satisfaction must go up!

One example being used to illustrate how these might work came from the London Fintech Week Blockchain Hackathon last September. Here, a team called InsurETH built a flight insurance product over a weekend on the Ethereum platform.

The use case is simple. In the 12 months leading up to May 2015, there were 558,000 passengers who did not file claims for delayed or canceled flights in and out of the UK. In fact, fewer than 40% of passengers claimed money from their insurance policy.

InsurETH built a smart contract in which the policy conditions were held on the blockchain. Using the Oraclize service to connect the blockchain with the Internet, publicly available flight data is used to trigger the insurance policy.

In this case, a delayed flight is a matter of fact and public record. It does not rely on anyone’s judgement or individual assessment. It is what it is. If a delayed flight occurs, the smart contract gets triggered, and the payout is made, automatically and immediately, with no claims processing costs for the insurer and to the satisfaction of the customer.

Building on this example and applying it to motor, smart contracts offer a solution for insurers to control claims costs after an accident. A trigger that there has been an accident would come to the blockchain via the Internet from a smartphone app or a connected car. Insurers are always frustrated when customers go a more expensive route for repairs, recovery and car hire. So, with a smart contract, insurers could code the policy conditions to only pay out to the designated third parties (see related article by Sia Partners).

So long as the policy conditions are clear and unambiguous and the conditions for paying are objective, insurance can be written in a smart contract. When the conditions are undeniably reached, the smart contract pays. As blockchain startup SmartContract put it, “Any data feed trusted by a counterparty to release payment or simply complete an agreement can power a smart contract.”

To understand this better, I asked Joshua Davis, the technical architect and co-founder at blockchain p2p InsurTech Dynamis, to explain. He said:

“You need well-qualified oracle(s) to establish what ‘conditions’ exist in the real world and when they have been ‘undeniably reached.’  An oracle is a bridge between the blockchain and the current state of places, people and things in the real world.  Without qualified oracles, there can be no insurance that has any relation to the world that we live in.

“As far as oracles go, you can use either a single trusted oracle, who puts up a large escrow that is lost if they feed you misinformation, or many different oracles who don’t rely on the same POV [point of view] or data sources to verify that events occurred.

“In the future, social networks will be the cheapest and most used decentralized data feeds for various different insurance applications.  Our social networks will validate and verify our statements as lies or facts.  We need to be able to reliably contact a large enough segment of a claimant’s social network to obtain the truth.  If the insurance policy can monitor the publishing or notification of our current status to these participants and their responses accurately confirm it, then social networks will make for the cheapest, most reliable oracles for all types of future claims validation efforts.”
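The flight-delay contract and Davis's point about oracles come down to one design question: who is allowed to tell the contract what happened, and how many of them must agree before money moves. As an added example that is not code from the original article, InsurETH or Dynamis, the following Python model implements that logic for the flight-delay case: attestations are signed by named oracles, forged or irrelevant attestations are ignored, an oracle that contradicts itself is discarded, a quorum of independent oracles must report a qualifying delay, and a policy pays exactly once. HMAC keys stand in for the oracles' signing keys; an on-chain contract would verify real signatures. Flights, oracle names and keys are constructed.

```python
"""
Added example, not code from the original article or from InsurETH/Dynamis:
a Python model of the parametric flight-delay contract described above, paying
only when a quorum of independent oracles attest to a qualifying delay. HMAC
keys stand in for the oracles' signing keys; an on-chain contract would check
real signatures. Flights, oracles and keys are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

DELAY_THRESHOLD_MIN = 120   # policy condition: pay when arrival delay >= 2 hours
PAYOUT = 100                # payout units per policy (hypothetical)
QUORUM = 2                  # independent oracles that must agree


@dataclass(frozen=True)
class Attestation:
    oracle: str
    flight: str
    date: str
    delay_min: int
    sig: str


def _canonical(flight: str, date: str, delay_min: int) -> bytes:
    # Canonical encoding so every oracle signs byte-identical input for the same fact.
    return json.dumps({"flight": flight, "date": date, "delay": delay_min}, sort_keys=True).encode()


def attest(oracle: str, key: bytes, flight: str, date: str, delay_min: int) -> Attestation:
    """What an oracle publishes: the observed delay plus a signature over it."""
    sig = hmac.new(key, _canonical(flight, date, delay_min), hashlib.sha256).hexdigest()
    return Attestation(oracle, flight, date, delay_min, sig)


class FlightDelayContract:
    def __init__(self, oracle_keys: Dict[str, bytes], policies: Dict[str, Tuple[str, str]], pool: int):
        self.oracle_keys = oracle_keys      # oracle id -> verification key
        self.policies = policies            # policy id -> (flight, date)
        self.pool = pool                    # premiums held in escrow
        self.paid: Dict[str, int] = {}      # settled policies, so a claim pays once

    def _valid(self, a: Attestation, flight: str, date: str) -> bool:
        key = self.oracle_keys.get(a.oracle)
        if key is None or a.flight != flight or a.date != date:
            return False                    # unknown oracle, or attestation about another flight
        expected = hmac.new(key, _canonical(a.flight, a.date, a.delay_min), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, a.sig)

    def settle(self, policy_id: str, attestations: Iterable[Attestation]) -> str:
        """Return 'paid', 'already_settled', 'no_quorum', 'disputed' or 'below_threshold'."""
        if policy_id in self.paid:
            return "already_settled"
        flight, date = self.policies[policy_id]
        votes: Dict[str, int] = {}
        contradicted = set()
        for a in attestations:
            if not self._valid(a, flight, date):
                continue                    # forged or irrelevant: ignored, not counted
            if a.oracle in votes and votes[a.oracle] != a.delay_min:
                contradicted.add(a.oracle)  # same oracle, two different stories
            votes[a.oracle] = a.delay_min
        for o in contradicted:
            votes.pop(o, None)
        if len(votes) < QUORUM:
            return "no_quorum"
        qualifying = [o for o, d in votes.items() if d >= DELAY_THRESHOLD_MIN]
        if len(qualifying) >= QUORUM:
            self.pool -= PAYOUT
            self.paid[policy_id] = PAYOUT
            return "paid"
        return "disputed" if qualifying else "below_threshold"


# Constructed oracles, keys and policies for the scenarios below.
ORACLE_KEYS = {"flightstats": b"key-A-constructed", "airport-feed": b"key-B-constructed"}
POLICIES = {"pol-1": ("XY123", "2015-09-12"), "pol-2": ("XY456", "2015-09-12"),
            "pol-3": ("XY789", "2015-09-13"), "pol-4": ("XY111", "2015-09-14")}


def run_scenarios() -> Dict[str, str]:
    c = FlightDelayContract(ORACLE_KEYS, POLICIES, pool=1000)
    a, b = ORACLE_KEYS["flightstats"], ORACLE_KEYS["airport-feed"]
    out = {}
    # Two independent oracles agree on a 3-hour delay: automatic payout, exactly once.
    honest = [attest("flightstats", a, "XY123", "2015-09-12", 180),
              attest("airport-feed", b, "XY123", "2015-09-12", 180)]
    out["agree"] = c.settle("pol-1", honest)
    out["replay"] = c.settle("pol-1", honest)
    # A forged attestation signed with the wrong key does not count toward quorum.
    forged = attest("airport-feed", b"guessed-key", "XY456", "2015-09-12", 240)
    out["forged"] = c.settle("pol-2", [attest("flightstats", a, "XY456", "2015-09-12", 240), forged])
    # Oracles disagree on whether the threshold was met: no payout until resolved.
    out["split"] = c.settle("pol-3", [attest("flightstats", a, "XY789", "2015-09-13", 200),
                                      attest("airport-feed", b, "XY789", "2015-09-13", 30)])
    # Both report a short delay: the condition was simply not met.
    out["short"] = c.settle("pol-4", [attest("flightstats", a, "XY111", "2015-09-14", 45),
                                      attest("airport-feed", b, "XY111", "2015-09-14", 45)])
    out["pool"] = str(c.pool)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The model makes the trust boundary explicit: the contract is only as honest as the oracles whose keys it accepts, and the quorum only helps if those oracles really draw on independent data sources, as Davis says. The "disputed" outcome is deliberate. A contract that pays on any single qualifying report gives an attacker who controls or spoofs one feed a direct path to the pool, which is the same escrow the policyholders are relying on.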

Is this simply too good to be true?

Personally, I don’t think it is. Of course, a smart contract doesn’t have to be on the blockchain to deliver this use case.

However, what the blockchain offers is trust. And it offers provenance. The blockchain provides an immutable record and audit trail of an agreement. The policyholder does not have to rely on the insurer’s discretion in deciding whether to pay out once the insured event has occurred. As the WEF report states, this is an “unbreakable escrow.” The insurer will pay before it even knows what happened.

There’s another reason for going with the blockchain: cybersecurity!

With the blockchain sitting outside the corporate firewall and being managed by many different and unconnected parties, the cyber criminal no longer has a single target to attack. As far as I’m aware, blockchain is immune to all of the conventional cyber threats that corporations are scared of.

What happens when you put blockchain and P2P insurance together?

In December, I published a two-part article on Peer 2 Peer Insurance (here are Part 1 and Part 2). When you put the P2P model together with the blockchain, this creates the potential for a near-autonomous, self-regulated insurance business model for managing policy and claims.

Last year, Joshua Davis wrote an interesting white paper called “Peer to Peer Insurance on the Ethereum Blockchain.” He presents the theory behind blockchain and the creation of decentralized autonomous organizations (DAO). These are corporate entities with no human employees.

The DAOs would be created for groups of policyholders, similar to the P2P group model with the likes of Guevara and Friendsurance. No single body or organization would control the DAO; it would be equally “controlled” by policyholders within each group. All premiums paid would create a pool of capital to pay claims.

And because this is a self-governing group with little or no overhead, any float at the end of the year would be distributed back among the policyholders. Arguably, this makes the DAO a non-profit organization and materially increases the capital reserve for claims costs.

The big question mark for this model is regulation. There still is no answer to who will maintain the blockchain code within each DAO when regulations change. But, what does seem a dead certainty is that someone, somewhere is figuring out how to solve this.

Blockchain offers the potential for new products and services in a P2P insurance model. It should also open insurance to new markets, especially those on or near the poverty line.

For now, we must watch to see what comes from the likes of Dynamis, which is using smart contracts to provide supplementary employment insurance cover on Ethereum.

Innovation will come from new players

It has been my belief for some time that, in the main, incumbent insurance firms will not be able to materially innovate from within. As with Fintech, the innovation that will radically change this industry will come from new entrants and start-up players, such as:

Dynamis

SmartContract

Rootstock

Everledger (see previous article on Daily Fintech)

Tradle

Ethereum Frontier

Codius (Ripple Labs) (update: Codius discontinued)

This is particularly true with blockchain in insurance. These new age pioneers are unencumbered by corporate process, finance committees, bureaucracy and organizational resistance to change.

Besides, the incumbent insurance CIOs have heard this all before. For decades, software vendors have promised nirvana with new policy administration, claims and product engines. So, why should they listen to the claims that blockchain is the panacea for their legacy IT issues? But that is a subject for another post … watch this space!

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks manipulating Google’s productivity platform, and similar attacks exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading malicious PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each of the most popular cloud-based email, productivity, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails to victims they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: click a link to a malicious PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to the new opportunities presenting themselves in the cloud.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”