A quick Saturday digest of cybersecurity news articles from other sources.
Ethical hackers swarm Pentagon websites
Sounds like cyber-war! Is it the Russians? Hackers are crawling all over the US Department of Defense’s websites – and DoD officials are quite happy about the whole thing. It’s pen-testing, baby.
Adventures in Penetration Testing – Breaking into Prison
Black Hills Information Security and its owner John Strand exemplify the best of what cybersecurity and penetration testing are all about. Living in the Midwest, I have been privileged to see John at the podium at several cybersecurity seminars. Here is a story from Wired magazine, and an accompanying YouTube video from the 2020 RSA Conference in San Francisco.
Would you send your mom in to do a penetration test? Well, John’s mother broke into a prison posing as a Health Inspector using what turned out to be awesome social engineering skills. This is her story.
WSJ: “Losing 450K in Three Days: Hackers Trick Victims Into Big Wire Transfers”
Rachel Louise Ensign wrote a great story for the WSJ about CEO fraud, also known by the FBI as Business Email Compromise.
In 2018, Frank Krasovec took on a 1 million dollar personal line of credit from PlainsCapital Bank. A few months later, he went on a business trip. When he returned, 450K was missing. Mr. Krasovec, the chairman of Dash Brands Ltd., which owns Domino’s Pizza Inc. franchises in China, said he soon learned that someone had hijacked his email and asked his assistant to wire the money to a Hong Kong account.
Fraudsters are stealing billions of dollars each year through this type of scam, which combines sophisticated hacking with wire transfers, an old-fashioned but efficient way to move money overseas. Banks and law-enforcement officials are struggling to curb the problem, while victims like Mr. Krasovec say they are finding it nearly impossible to get their money back.
An Influencer or Wire Fraud?
A 22-year-old Instagram and YouTube influencer named Kayla Massa has been arrested after allegedly convincing her followers to assist her in a fraud scheme, Quartz reports. Prosecutors say Massa posted on Instagram, Snapchat, and Facebook using social engineering to tell her followers to DM her if they lived in New Jersey and wanted to make money.
When someone responded, Massa would offer to pay them to let her friend use their bank account to temporarily store some money as a tax write-off. She allegedly assured them it was legal, and told them to empty the account so they didn’t suspect she was trying to steal their money.
Once Massa and her associates had access to a victim’s bank account, they would allegedly deposit counterfeit money orders and fraudulent checks into the account and then withdraw it as cash. They would then block the victim on social media and leave them with an empty bank account. When the victim’s bank realized the money orders and checks were fraudulent, it would recall the money and the victim’s account would be thousands of dollars in the red.
Proofpoint Releases Domain Fraud Report
Did you hear about Shark Tank’s Barbara Corcoran falling victim to a BEC attack? Last week, her firm lost $400K when an employee wired the money to a rogue operator. In this case, the Corcoran organization got lucky and their bank was able to freeze the wire transfer – but most organizations are not that lucky. Since this is such a common tactic – the FBI estimates that BEC and EAC attacks have cost organizations more than $26 billion since 2016 – I wanted to take the opportunity to share some resources on how to stop these types of attacks.
Our latest Domain Fraud Report details BEC tactics, domain spoofing trends, and how to protect your organization against attacks that involve fraudulent domains. Please take a read and share it with your users.
Point-to-Point Protocol Daemon Vulnerability
Original release date: March 5, 2020
The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting Point-to-Point Protocol Daemon versions 2.4.2 through 2.4.8. A remote attacker can exploit this vulnerability to take control of an affected system. Point-to-Point Protocol Daemon is used to establish internet links such as those over dial-up modems, DSL connections, and Virtual Private Networks.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#782301 for more information and apply the necessary patches provided by software vendors.
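As a defender's first triage step for the advisory above, here is an added example (not from CERT/CC, CISA or the pppd project) that checks whether a host's pppd falls in the 2.4.2 through 2.4.8 range named in VU#782301. It assumes `pppd --version` prints a line of the form `pppd version X.Y.Z`; distribution suffixes such as `2.4.7-2+4.1ubuntu5` are tolerated.

```python
import re
import subprocess

# Affected range as stated in the CERT/CC note summarised above (inclusive).
AFFECTED_MIN = (2, 4, 2)
AFFECTED_MAX = (2, 4, 8)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z triple found in text as an int tuple, or None.
    Distro suffixes (e.g. '2.4.7-2+4.1ubuntu5') after the triple are ignored."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the (major, minor, patch) tuple lies within 2.4.2 .. 2.4.8."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_version_string(text):
    """Convenience wrapper: parse a version banner and report affected/not."""
    version = parse_version(text)
    return version is not None and is_affected(version)


def installed_pppd_version(binary="pppd"):
    """Run 'pppd --version' (assumption: prints 'pppd version X.Y.Z') and
    return the parsed tuple, or None if pppd is absent or unparseable."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_version(proc.stdout + proc.stderr)


if __name__ == "__main__":
    found = installed_pppd_version()
    if found is None:
        print("pppd not found or version not recognised on this host")
    else:
        label = "within VU#782301 affected range" if is_affected(found) else "outside affected range"
        print("pppd %s: %s" % (".".join(map(str, found)), label))
```

A version-only check can give false positives where a distribution backported the fix without changing the version string, so confirm against your vendor's advisory before closing the finding.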
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com