Sounds like cyber-war! Is it the Russians? Hackers are crawling all over the US Department of Defense’s websites – and DoD officials are quite happy about the whole thing. It’s pen-testing, baby.
Black Hills Information Security and its owner, John Strand, exemplify the best of what cybersecurity and penetration testing are all about. Living in the Midwest, I have been privileged to see John at the podium at several cybersecurity seminars. Here is a story from Wired magazine, along with an accompanying YouTube video from the 2020 RSA Conference in San Francisco.
Would you send your mom in to do a penetration test? Well, John’s mother broke into a prison posing as a Health Inspector using what turned out to be awesome social engineering skills. This is her story.
Rachel Louise Ensign wrote a great story for the WSJ about CEO fraud, which the FBI also calls Business Email Compromise (BEC).
In 2018, Frank Krasovec took out a $1 million personal line of credit from PlainsCapital Bank. A few months later, he went on a business trip. When he returned, $450,000 was missing. Mr. Krasovec, the chairman of Dash Brands Ltd., which owns Domino’s Pizza Inc. franchises in China, said he soon learned that someone had hijacked his email and asked his assistant to wire the money to a Hong Kong account.
Fraudsters are stealing billions of dollars each year through this type of scam, which combines sophisticated hacking with wire transfers, an old-fashioned but efficient way to move money overseas. Banks and law-enforcement officials are struggling to curb the problem, while victims like Mr. Krasovec say they are finding it nearly impossible to get their money back.
A 22-year-old Instagram and YouTube influencer named Kayla Massa has been arrested after allegedly convincing her followers to assist her in a fraud scheme, Quartz reports. Prosecutors say Massa used social-engineering posts on Instagram, Snapchat, and Facebook to tell her followers to DM her if they lived in New Jersey and wanted to make money.
When someone responded, Massa would offer to pay them to let her friend use their bank account to temporarily store some money as a tax write-off. She allegedly assured them it was legal, and told them to empty the account so they didn’t suspect she was trying to steal their money.
Once Massa and her associates had access to a victim’s bank account, they would allegedly deposit counterfeit money orders and fraudulent checks into the account and then withdraw it as cash. They would then block the victim on social media and leave them with an empty bank account. When the victim’s bank realized the money orders and checks were fraudulent, it would recall the money and the victim’s account would be thousands of dollars in the red.
Did you hear about Shark Tank’s Barbara Corcoran falling victim to a BEC attack? Last week, her firm lost $400K when an employee wired the money to a rogue operator. In this case, the Corcoran organization got lucky and their bank was able to freeze the wire transfer – but most organizations are not that lucky. Since this is such a common tactic – the FBI estimates that BEC and EAC (Email Account Compromise) attacks have cost organizations more than $26 billion since 2016 – I wanted to take the opportunity to share some resources on how to stop these types of attacks.
Our latest Domain Fraud Report details BEC tactics, domain spoofing trends, and how to protect your organization against attacks that involve fraudulent domains. Please take a read and share it with your users.
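The fraudulent-domain tactic behind the Krasovec and Corcoran cases usually comes down to a sender domain that is one character, one homoglyph, or one TLD away from the real one. The following is an added example, not code from the report or from any of the organizations named above, of a triage check that a mail gateway or SOC script can run over the From: header: it folds common homoglyphs, compares the registrable domain to the organization's own domains by edit distance (transpositions counted as one edit), and flags the trusted name re-registered under another TLD or nested under someone else's domain. TRUSTED_DOMAINS, the sample headers, and the two-label "registrable domain" rule are assumptions for illustration.

```python
"""Lookalike sender-domain triage for BEC defence (added example, not from the page).

Assumptions: TRUSTED_DOMAINS holds the organisation's own domains, and the
registrable domain is the last two labels (a real deployment would use the
public-suffix list so that co.uk-style TLDs are handled).
"""
import re

TRUSTED_DOMAINS = {"example.com"}  # constructed placeholder for your own domains

# Visual substitutions commonly seen in lookalike registrations. Multi-character
# keys come first so "rn" collapses to "m" before single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counted as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'CEO <ceo@example.com>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def normalize(domain: str) -> str:
    """Fold homoglyphs so visually similar spellings compare equal."""
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (assumption, see module doc)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one From: header value."""
    domain = sender_domain(from_header)
    reg = registrable(domain)
    sld = reg.split(".")[0]  # second-level label, e.g. "example" in example.com
    trusted = [t.lower() for t in trusted]
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"  # the domain itself or a genuine subdomain
    for t in trusted:
        if domain.startswith(t + "."):
            return "lookalike"  # trusted domain nested under someone else's: example.com.evil.net
        if edit_distance(normalize(reg), normalize(t)) <= 1:
            return "lookalike"  # one typo, swap or homoglyph away
        if t.split(".")[0] in normalize(sld).split("-"):
            return "lookalike"  # trusted name under another TLD or with a hyphen
    return "external"


# Constructed sample From: headers as a gateway would see them.
SAMPLE_HEADERS = [
    "CEO <ceo@example.com>",
    "ceo@mail.example.com",
    "CEO <ceo@exarnple.com>",       # rn -> m homoglyph
    "CEO <ceo@examp1e.com>",        # 1 -> l homoglyph
    "CEO <ceo@exampel.com>",        # transposition
    "CEO <ceo@example.com.evil.net>",
    "CEO <ceo@example-com.net>",
    "CEO <ceo@example.net>",        # TLD swap
    "Alice <alice@partner.org>",
]


def triage(headers=SAMPLE_HEADERS, trusted=TRUSTED_DOMAINS) -> dict:
    """Map each header to its classification; lookalikes are the ones to hold for review."""
    return {h: classify_sender(h, trusted) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

The homoglyph folding is deliberately coarse (it would also fold "modern" to "modem"), which is fine for a triage signal that only matters when the result lands within one edit of a domain you actually own; the verdict is a reason to hold a message for review, not proof of fraud on its own.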
Original release date: March 5, 2020
The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting the Point-to-Point Protocol Daemon (pppd), versions 2.4.2 through 2.4.8. A remote attacker can exploit this vulnerability to take control of an affected system. The Point-to-Point Protocol Daemon is used to establish internet links such as those over dial-up modems, DSL connections, and Virtual Private Networks.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#782301 for more information and apply the necessary patches provided by software vendors.
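As an added example (not from CISA or CERT/CC), here is the inventory check a defender would run after reading the note above: parse the pppd version out of a banner and test whether it falls in the affected 2.4.2 through 2.4.8 range as a numeric tuple rather than a string, since a plain string comparison would wrongly place a hypothetical "2.4.10" below "2.4.8". The `pppd version 2.4.7` banner format and the `--version` invocation are assumptions, and the sample banners are constructed.

```python
"""Is the installed pppd in the affected range named in the advisory? (added example)

Assumes `pppd --version` prints a banner containing 'pppd version X.Y.Z'.
A version match is a prompt to check the vendor's advisory, not proof of
exposure: distributions often backport the fix without bumping the version.
"""
import re
import shutil
import subprocess

AFFECTED_MIN = (2, 4, 2)  # from the advisory: 2.4.2 through 2.4.8
AFFECTED_MAX = (2, 4, 8)


def parse_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a banner such as 'pppd version 2.4.7'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        raise ValueError(f"no X.Y.Z version found in: {banner!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(banner: str) -> bool:
    """True when the version lies in AFFECTED_MIN..AFFECTED_MAX inclusive.

    Comparing tuples of ints avoids the lexicographic trap: as strings,
    '2.4.10' < '2.4.8', but as tuples (2, 4, 10) > (2, 4, 8).
    """
    return AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX


def check_local_pppd():
    """Run the installed pppd with --version (assumed flag) and classify it.

    Returns True/False, or None when pppd is not installed.
    """
    path = shutil.which("pppd")
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True)
    return is_affected(proc.stdout + proc.stderr)  # pppd may print to either stream


# Constructed sample banners for the reader to see the classification at work.
SAMPLE_BANNERS = [
    "pppd version 2.4.1",
    "pppd version 2.4.2",
    "pppd version 2.4.7",
    "pppd version 2.4.8",
    "pppd version 2.4.9",
    "pppd version 2.4.10",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:22s} affected={is_affected(banner)}")
    print("local pppd affected:", check_local_pppd())
```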