What’s happening: After breaking into the computer systems of a payroll processing company, cybercriminals sent emails to the company’s customers. Users who clicked on a link in the email had their computers taken over by the attacker, resulting in the theft of their user IDs and passwords. According to the Post, the malware used to break into the payroll processing company is poorly detected by most anti-virus products.
What it means: First, the top echelon of cybercriminals has become very focused and targeted. While random attacks are still common, companies are increasingly coming under targeted attack. Second, we continue to see malware that’s able to slip through anti-virus products. Third, phishing attacks are also becoming very targeted; the emails used in this attack were addressed to recipients by name and included portions of their passwords.
What to do: This is another example of what we’ve already written. Senior management must proactively manage security of sensitive information through policies, awareness training, oversight of the IT security management function, etc. They should also strongly consider replacing their current anti-virus / anti-spyware product with an intrusion detection / prevention solution. Users must follow the mantra of an earlier blog: “Trust no one.”
From Brian Krebs; Washington Post: Hackers Breach Payroll Giant, Target Customers
Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm’s customers in a scheme to steal passwords and other information.
What’s happening: Several not-for-profit health care providers have been hit with the same kind of online bank fraud that’s affecting businesses and schools. Banks are resisting returning the stolen money claiming they follow “commercially reasonable practices.”
What it means: Every organization must assume that they will come under attack and prepare accordingly. As our post from August 27 says: Trust No One.
What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider replacing anti-virus / anti-spyware solutions with an intrusion detection / prevention solution. Check your cyber-insurance. Be prepared to sue your bank: Email your attorney our Guide: An Emerging Information Security Minimum Standard of Due Care.
From Brian Krebs; Washington Post: Cyber Gangs Hit Healthcare Providers
Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.
What’s happening: U.S.-CERT has issued an alert stating: “attacks arrive via an unsolicited email message and may contain a subject line of ‘Notice of Underreported Income.’ These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code” designed to steal bank account credentials.
What it means: Users who fall for this scam are (1) giving control of their computers to cybercriminals; (2) exposing their organizations to online bank fraud.
What to do: Continue training users not to fall for phishing attacks. Take all the other steps to protect yourself from online bank theft that we’ve already discussed. Strongly consider replacing your current anti-virus / anti-spyware product with an intrusion detection / prevention solution.
From Brian Krebs; Washington Post: New IRS Scam E-mail Could Be Costly
The Department of Homeland Security’s Computer Emergency Readiness Team is warning Internet users to be on guard against a convincing e-mail virus scam disguised as a message from auditors at the Internal Revenue Service. According to one victim interviewed by Security Fix, falling for the ruse could cost you or your employer tens of thousands of dollars.
What’s happening: Cybercriminals have learned how to steal money from business bank accounts even when bank security controls include second-factor authentication.
What it means: Most banks and businesses believe online banking is safe when protected with what’s known as second-factor [or multi-factor] authentication. While second-factor authentication is a step up over single-factor, it is still not fail-safe. Take a look at our blog posting about a $447,000 cybertheft from a company that uses second-factor authentication. The two stories below describe the ease with which cybercriminals are bypassing second-factor authentication. After bypassing inadequate protection of the IT infrastructure, the cybercriminals succeed by taking advantage of untrained, unaware staff.
What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider replacing anti-virus / anti-malware solutions with an intrusion detection / prevention solution. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.
From ZDNet: Modern banker malware undermines two-factor authentication
Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years. http://blogs.zdnet.com/security/?p=4402
From MIT Technology Review: Real-Time Hackers Foil Two-Factor Security. One-time passwords are vulnerable to new hacking techniques. http://www.technologyreview.com/computing/23488/
What’s happening: Another corporate victim of cybertheft goes public; sues bank over sophisticated online bank heist
What it means: This is our 9th posting on online bank theft in the last month. It illustrates how the world of cybercrime has changed. Cybercriminals are targeting small and medium-size organizations, hacking into their computer systems and stealing money. Banks are reluctant to return the money, claiming that they are following “commercially reasonable” practices. In the case of the bank in the article, they appear not to have been following commercially reasonable practices. Even when banks are following commercially reasonable practices, that may not be sufficient; see our discussion of T. J. Hooper v. Northern Barge in our Guide An Emerging Information Security Minimum Standard of Due Care, where Judge Learned Hand wrote: “in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure … there are precautions so imperative that even their universal disregard will not excuse their omission.”
What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for on-line banking. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.
From Brian Krebs; Washington Post: Maine Firm Sues Bank After $588,000 Cyber Heist
A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.