Wire transfer requests top the list of business email compromise (BEC) objectives, according to a study by Barracuda Networks. Additional objectives laid out by the report include duping users into clicking on malicious links, establishing rapport and stealing information, with the end goal of extorting millions of dollars from unsuspecting companies:
- Criminals use BEC attacks to obtain access to a business email account and imitate the owner's identity in order to defraud the company and its employees, customers or partners. In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information.
- In many cases, attackers pretending to be the CEO, CFO or another c-level executive send an email requesting an immediate wire transfer.
- In 2016, Trend Micro reported that the average BEC attack netted $140,000 in illicit profits.
- Last month, the FBI's Internet Crime Complaint Center (IC3) reported that 41,058 U.S. victims of BEC schemes collectively lost at least $2.9 billion between October 2013 and May 2018, while global losses were more than four times that amount.
- Unfortunately, the BEC cycle doesn't always end with a fraudulent wire transfer. Once an account has been compromised, criminals can leverage access to send phishing and other BEC messaging to the address book of the compromised account.
Source: Bank Info Security
Self-described as "The World's Favorite Airline," British Airways has confirmed a data breach that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks. The airline has been calling it data theft, rather than a breach, which could indicate someone with inside access may have stolen the information.
Threat management group RiskIQ determined the attack was perpetrated by MageCart, a group known for compromising other websites including Ticketmaster and Feedify. Similar to a physical credit card skimmer at an ATM, MageCart injects a malicious script onto a website’s payment page to skim credit card details from consumers:
- In a statement released by British Airways, customers booking flights on its website ba.com and the British Airways mobile app between August 21 and September 5, 2018 were compromised.
- The airline advised customers who made bookings during that 15-day period and believe they may have been affected by this incident to "contact their banks or credit card providers and follow their recommended advice."
- British Airways stated on its Twitter account that personal details stolen in the breach included their customers' names and addresses, along with their financial information, but the company assured its customers that the hackers did not get away with their passport numbers or travel details.
- The company also said that saved cards on its website and mobile app were not compromised in the breach. Only cards that had been used to make booking payments during the affected period were stolen.
Sources: The Hacker News and Bleeping Computer
A Fortune 500 company recently found itself infected with a cryptocurrency miner that spread using EternalBlue.
WannaCry, which infected upwards of 300,000 computers worldwide in May 2017, was potent because it used an exploit called EternalBlue that had been stolen or leaked from the U.S. National Security Agency.
The exploit took advantage of a Windows vulnerability, designated CVE-2017-0144, in Microsoft's Server Message Block protocol, which remained widely unpatched when WannaCry hit:
- Called WannaMine, it successfully stung a large company via EternalBlue. WannaMine mines for monero, a privacy-focused virtual currency that can still be mined using off-the-shelf hardware.
- The victim was one of the 500 largest U.S. corporations based on total revenue, and it was noted that WannaMine infected dozens of the company's domain controllers as well as about 2,000 of its endpoints.
- The unnamed company's problems began when attackers found a server that was still vulnerable to the EternalBlue exploit.
- Despite being discovered more than a year ago, WannaMine's infrastructure is still intact, and some of the IP addresses associated with the mining activity remain active.
Source: Bank Info Security
Government Payment Service Inc. has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
- Indianapolis-based GovPayNet, doing business online as GovPayNow.com, is used by approximately 2,300 government agencies in 35 states to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines.
- GovPayNow.com displays an online receipt when citizens use it to settle fees and fines via the site. Until this past September, it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.
- The company addressed the issue after being notified by a security journalist of the leak.
Source: Krebs on Security
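The GovPayNow.com flaw described above is an insecure direct object reference: the receipt URL carried a sequential number and nothing tied that number to the person viewing it. The following added example (not GovPayNet's code; all names, data and the in-memory store are constructed) shows a receipt lookup with that defect beside a hardened version that requires an unguessable token, checks that the requester is the payer on record, and logs denials so repeated misses from one requester can be alerted on.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Receipt:
    receipt_id: int   # sequential number, trivially guessable
    token: str        # random handle that must accompany any lookup
    payer: str        # account that made the payment
    last4: str        # last four card digits (constructed sample value)


# Constructed sample data standing in for a payment processor's database.
_DB = {}


def _add(receipt_id: int, payer: str, last4: str) -> Receipt:
    r = Receipt(receipt_id, secrets.token_urlsafe(16), payer, last4)
    _DB[receipt_id] = r
    return r


R1 = _add(100001, "alice", "4242")
R2 = _add(100002, "bob", "9876")

# Denied lookups, recorded as (receipt_id, requester) for detection:
# one requester missing on many distinct IDs is the enumeration signature.
DENIED_LOG: List[Tuple[int, str]] = []


def get_receipt_vulnerable(receipt_id: int) -> Optional[Receipt]:
    """Defective: trusts the ID from the URL, so any ID returns any payer's record."""
    return _DB.get(receipt_id)


def authorized(receipt_id: int, token: str, requester: str) -> bool:
    """Hardened check: correct random token (constant-time compare) AND requester is the payer."""
    r = _DB.get(receipt_id)
    ok = r is not None and secrets.compare_digest(r.token, token) and r.payer == requester
    if not ok:
        DENIED_LOG.append((receipt_id, requester))
    return ok


def get_receipt_secure(receipt_id: int, token: str, requester: str) -> Optional[Receipt]:
    """Returns None for both 'missing' and 'forbidden' so the endpoint never confirms which IDs exist."""
    return _DB[receipt_id] if authorized(receipt_id, token, requester) else None
```

In a real service the requester comes from the authenticated session and the token is the only identifier placed in the receipt URL; the sequential ID stays server-side.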
Scan4You, a notorious cornerstone of the cybercrime-as-a-service economy that allowed malware developers to easily create code to bypass anti-virus defenses, has been dismantled and its Latvian technical administrator has been sent to prison.
While this is welcome news, in reality, it’s no more than a temporary reprieve; demand remains high and cyber criminals will look to set up an alternative to take its place:
- Ruslans Bondars, 38, a Latvian "non-citizen," meaning a citizen of the former USSR, was sentenced to serve 14 years in U.S. federal prison. He'd been residing in Riga, Latvia, until his arrest in April 2017 and extradition to the U.S. to face a four-count indictment.
- Bondars was charged with running Scan4You, an online service designed to counter anti-virus software that the U.S. Justice Department says had at least 30,000 users who collectively committed at least $20.5 billion in fraud.
- Bondars' partner in crime, Moscow-based Jurijs Martisevs, a Latvian citizen - and according to some reports, also a citizen of Russia - was also arrested in April 2017, when he was visiting Latvia, and extradited to the U.S.
- Scan4You operated from 2009 until at least October 12, 2016 and functioned like an illicit version of VirusTotal, allowing users to see if their malicious code might get flagged as such by AV engines.
- Unlike VirusTotal, Scan4You anonymized uploads and never shared samples.
- Court documents suggest that one Scan4You user hacked Target. The Department of Justice said that in the case of a "major retail store located in the United States," the service had been used to test malware.
Source: Bank Info Security
For more information about cyber risks or related issues, please contact us.