Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

Scam Service Attempts to Bypass Multi-factor Authentication

A scam operation called “Estate” has attempted to trick nearly a hundred thousand people into handing over multi-factor authentication codes over the past year, according to Zack Whittaker at TechCrunch.

The scammers target users of Amazon, Bank of America, Capital One, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo and more.

“Since mid-2023, an interception operation called Estate has enabled hundreds of members to carry out thousands of automated phone calls to trick victims into entering one-time passcodes,” Whittaker writes.

“Estate helps attackers defeat security features like multi-factor authentication, which rely on a one-time passcode either sent to a person’s phone or email or generated from their device using an authenticator app. Stolen one-time passcodes can grant attackers access to a victim’s bank accounts, credit cards, crypto and digital wallets, and online services.”

Allison Nixon, Chief Research Officer at Unit 221B, told TechCrunch, “These kinds of services form the backbone of the criminal economy. They make slow tasks efficient. This means more people receive scams and threats in general. More old people lose their retirement due to crime — compared to the days before these types of services existed.”

Multi-factor authentication offers a crucial layer of defense against hackers, but users need to be aware that social engineering attacks can still bypass these measures.

“While services that offer using one-time passcodes still provide better security to users than services that don’t, the ability for cybercriminals to circumvent these defenses shows that tech companies, banks, crypto wallets and exchanges, and telecom companies have more work to do,” Whittaker says.

[Beware] Ransomware Targets Execs’ Kids to Coerce Payouts

Just when you think bad actors cannot sink any lower, they find a way to.

In a recent chilling evolution of ransomware tactics, attackers are now also targeting the families of corporate executives to force compliance and payment.

Mandiant’s Chief Technology Officer, Charles Carmakal, highlighted this disturbing trend at RSA 2024 this month: criminals engaging in SIM swapping attacks against executives’ children.

The attackers then use the children’s phone numbers to make threatening calls directly to the executives, creating a highly stressful negotiating environment.

This tactic is a troublesome shift in ransomware “operations” from merely disrupting company operations to directly targeting executives’ families. By exploiting personal connections, attackers amplify the psychological impact, forcing executives to make decisions under extreme stress.

Ransomware attacks have mutated over time, in parallel with the strains of the code itself. The landscape keeps changing, with some of the recent tactics including:

  • Direct threats to executives and their family members, often at their own homes
  • Disruptive actions against critical services, such as diverting ambulances and accessing sensitive health information

For organizations in mission-critical industries and sensitive sectors like healthcare, the stakes are higher than ever. These organizations, which handle vast amounts of personal and health-related information, find themselves facing not just operational disruptions but also ethical dilemmas about whether to comply with extortion demands, especially when these involve sanctioned entities.

“And it can be an impossible choice,” Mandiant’s head of global intelligence Sandra Joyce added. “If it’s an OFAC or sanctioned country that you’re paying a ransom to, that’s a violation. But if you don’t pay, and there’s a business disruption or personal, private information [is leaked]. It’s the worst day of their career having to deal with something like that.”

On May 1, 2024, UnitedHealth CEO Andrew Witty told US lawmakers: “As chief executive officer, the decision to pay a [$22 million] ransom was mine,” in written testimony [PDF] he delivered to the House Energy and Commerce Committee. “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Making sure this does not happen to your own org boils down mostly to these three things:

  1. Patch all known software vulnerabilities ASAP
  2. Step all staff from the mailroom to the boardroom through new-school security awareness training
  3. Use phishing-resistant MFA

CISA also recommends the very same things; see its #StopRansomware advisory of May 10 regarding Black Basta.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
