6 Security Scams Set to Sweep This Summer

6 Security Scams Set to Sweep This Summer

Experts share the cybersecurity threats to watch for and advice to stay protected.

We look forward to summer’s warm weather, travel plans, and maybe some added relaxation. Cybercriminals look forward to summer’s new opportunities for scams and targeted attacks.

Seasonal threats aren’t new; for example, the holiday season typically brings phishing attacks in the form of fake package deliveries and fraudulent gift cards. Similarly, summertime, which drives an increase in flights and hotel stays, should put people on high alert for a wave of related scams.

Travelers taking time away from work and home are often too busy planning their vacations to protect their devices and data, but there’s no downtime for cyberattackers. Hackers are getting more advanced in their techniques to capture information, and they’re taking a closer look at the travel industry, targeting hotel chains and airlines with data breaches to capture loyalty program numbers, payment card data, and other personally identifiable information (PII).

But travel scams aren’t the only security threats to worry about this summer. Here, security experts weigh in on threats that should be top-of-mind for consumers and employees alike. Any threats you’re worried about that aren’t listed here? Feel free to share them in the Comments, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Travel Security: Confidence Is Higher Than Deserved

In research released late last month, IBM discovered a disconnect between survey respondents’ confidence in their security practices and their actual security habits while on the road. One-quarter say they are “very” or “extremely” confident in their abilities to protect themselves from cybercrime while traveling; 37% say they’re “somewhat” confident. Only 16% and 9% say they’re “a little” or “not at all” confident, respectively.

But when asked about their travel habits, 24% of these confident respondents admit to connecting to public Wi-Fi networks every time they travel on business; 22% do the same on all personal trips. More than 25% bring and use a device containing confidential or sensitive work-related data when they travel for work; 16% do the same when traveling for pleasure. Nearly 20% of seemingly security-savvy travelers charge devices via public USB ports or charging stations when traveling for business; 17% do the same when they’re on vacation.

More than 70% of Americans have engaged in a higher-risk travel behavior – connecting to public Wi-Fi, for example, or charging on a public USB station – regardless of whether they’re traveling for business or pleasure. Charles Henderson, global managing partner at IBM and head of X-Force Red, points to another trend: “Very often, consumers treat work information differently than they treat personal information,” he says.

In addition, people are more likely to protect their own data than corporate trade secrets, a common issue faced by CISOs, he says. It is worth noting respondents travel far more frequently for personal than business reasons. Only 26% report traveling for work, while 84% say they primarily travel for personal reasons.

Seasonal Scams Turn Political

It’s not new for cybercriminals to capitalize on major events with phishing campaigns; we’ve previously seen this in Olympic Destroyer and World Cup-themed attacks. It is helpful, however, to know which trends are top-of-mind. This summer, it’s the 2020 presidential campaign.

“Obviously, political alliances and political leanings are something that’s useful in trying to get people,” says Adam Kujawa, director of Malwarebytes Labs.

Leading into the 2020 campaign, we’ll likely see several attempts by cybercriminals locally based in the US or Western countries. Will disinformation manifest in social media campaigns, as it did during the 2016 elections? Not necessarily. After social media came under a harsh spotlight following the last presidential campaign, Kujawa thinks criminals spreading gossip and disinformation will turn to phishing.

“These are the kind of focused attacks we see more against consumers,” he adds. Still, it’s important for employees to be aware of threats that could potentially arrive in their inboxes.

Loyal to Fraud

Cybercriminals are ramping up with attacks against travel companies. In recent years we’ve seen massive breaches at Marriott/StarwoodCathay Pacific, and British Airways. “The travel industry as a whole has been targeted much, much more,” IBM’s Henderson says, because it “has the trifecta of data criminals care about.”

This includes PII (names, passports, driver’s license numbers, birthdates), payment card data, and loyalty numbers. It’s an emerging trend for cybercriminals, he explains. “Loyalty programs, and loyalty fraud, is huge,” Henderson says. Rewards numbers for airlines and hotels are located on boarding passes and baggage tags. Cybercriminals have their eyes peeled, as points can be cashed in for free flight tickets and hotel stays, Henderson explains.

And because rewards customers are considered VIPs, hotels and airlines try to avoid inconveniencing them and often don’t pressure them for details if they call in with a loyalty program number. This makes it easy for criminals, armed with a loyalty program number, to pretend to be someone else and walk away with free flights or hotel stays.

“They don’t want to be the inconvenient travel airline or hotel,” says Henderson, who points to a need for industry standards around traveler protection with respect to loyalty programs. He also advises companies in the travel industry to test what a breach looks like, so they can more effectively detect and respond to incidents when they occur.

Summertime Employment Scams

Job hunters should be aware of multiple variations of employment scams during the summer months, says Adrien Gendre, chief solution architect at Vade Secure. These impersonate companies of all sizes and industries, and while they happen year-round, they’re most prevalent during the summer months and at year’s end when people are job hunting.

Some scams arrive in the form of fake job offers appearing to come from recruiters at large companies. They invite recipients to join a job search database by downloading a free application, which is laced with malware. Others are deceptive spam emails, which claim to offer available jobs but redirect recipients to a fraudulent site. There are also LinkedIn phishing attempts, which try to manipulate people into sharing data or downloading malware.

“The topics of LinkedIn phishing emails range from bogus connection requests to fake job offers, with the goal of harvesting credentials and other personal information or installing malware,” Gendre says.

He advises employees to be logical: If something seems too good to be true, it likely is. “For instance, large, well-known companies typically have candidates flocking to them, so why would they need to blindly email people who may or may not have the necessary experience?” he says.

Further, think twice if an alleged recruiter demands an immediate response. Yes, you have to move quickly to land a dream job – but that’s exactly what the attacker wants.

Watch Your Wi-Fi

Travelers have a nasty habit of hunting down free Wi-Fi before and after their flights. Attackers are taking advantage, IBM’s Henderson says, and using this behavior to inform their strategies. Many have started to bring their own Wi-Fi hotspots and/or sting rays (fake cell towers designed to intercept data between devices and the Internet) into airports, hoping travelers will connect. While cybercriminals target travel companies year-round, they’re more likely to target travelers during peak times of the year.

“If you notice a behavior in travelers, you’re going to target it in the form of crime,” he explains. The airport is an interesting place because people who are getting off a flight and didn’t want to pay for in-flight Wi-Fi want to catch up with the world as soon as they land. Similarly, people whose devices are running low on battery are quick to plug into any USB charging port without stopping to think the connection could be malicious.

Malwarebytes Labs’ Kujawa also points to the risks associated with not only rogue hotspots, but public Internet. “Public Wi-Fi, combined with auto-connecting on devices, is a huge security vulnerability, in my opinion,” he says.

Travelers should be aware of when their devices connect to public Wi-Fi networks at Starbucks or McDonald’s, which can happen without their agreement. “That’s an easy way to not even be aware the information’s traveling over the network,” he adds.

Targeted in Transit

More than half of the respondents in IBM’s research are “very” or “extremely” concerned their credit cards or other sensitive information will be stolen while traveling, while about 31% say they are similarly concerned about this type of data theft at home. Nearly 40% say they put “a great deal” or “extreme amount” of effort into protecting digital data while traveling, 32% say they put “some” effort into their protection, and 19% say they put in “not much” or no effort at all.

But data is in demand, and Henderson encourages travelers to recognize this. “Understand that your data is valuable,” he says. “That’s something that a lot of consumers miss.” If people accept their data has value, he continues, they’re more likely to protect it.

“Luckily, it’s very easy to try and avoid that stuff happening anymore,” says Kujawa, who recommends prepaid credit cards for those worried about having numbers stolen on the road. But that’s not all travelers can do to protect their data: Malwarebytes advises travelers to buy shields for contactless payment cards so they can transport them without leaking information. It’s also smart to back up data on all devices coming on the journey; this way, if anything is stolen, the information isn’t lost.

(Image: James Thew – stock.adobe.com)

Lone Wolf Scammer Built a Multifaceted BEC Cybercrime Operation

Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation

A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

This wasn’t the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As with the first incident in August 2018, three months later Agari’s software tool flagged a suspicious email meant for its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.

Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO’s administrative assistant and stringing them along for about a month, gathering intel on the people and operation behind the November emails. The researchers were able to identify the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals they believe may be a subgroup of an even larger criminal organization.

They discovered that this group wasn’t just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.

“What we recognized when we looked at this group … was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously],” says Crane Hassold, senior director of threat research at Agari.

The researchers kept in touch with Scattered Canary for a couple more months and were able to obtain from them eight mule accounts, which they then passed on to law enforcement as well as to financial organizations to help shut down the money-laundering.

Agari traced back the group’s founding, which began in 2008 when a lone individual, who they dubbed “Alpha,” ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier’s checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster (“Beta”). The pair laundered their pilfered funds via money mules and then ultimately set their sights on bigger targets, mainly businesses and government agencies via BEC scams, the centerpiece of the group’s operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.

Scattered Canary’s scams are rooted in pure social engineering: no malware required.

“We’ve not seen Scattered Canary using malware,” says Ronnie Tokazowski, senior threat researcher at Agari. “They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits,” but they don’t have a full-blown hacking infrastructure per se, he explains. Scattered Canary mostly employs specific scam scripts and templates they copy and paste in emails they send to their targeted victims.

BEC and email compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims actually recovered 99% of their money, according to Verizon’s “Data Breach Investigations Report.” Barely 10% of them didn’t recover any of their money in the scams. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks are successful, the BEC scammer can still net thousands of dollars.

London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Kahtod. The team was able to extract enough information from their email interactions with the attackers to pinpoint the physical location of two of the main operators of the gang, who live and work in London.

London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.

But Scattered Canary is a much larger operation than London Blue, according to Agari. “Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily,” Hassold notes.

Scattered Canary over time had adjusted and reset its tactics. For example, after years of spoofing a targeted company’s domain, the group began employing webmail or other email accounts in the fall of 2016. They also take advantage of how Google doesn’t spot periods in email addresses — badscammer007@gmail.com and bad.scammer.007@gmail.com, for example, are seen by Gmail as the same address, according to Agari’s report. “This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website,” the company states in its recently published report on Scattered Canary.

A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains.

Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. They duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. “Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful,” Agari wrote in its report on the gang. Scattered Canary was able to get 132 gift cards from victims valued at two bitcoin apiece on Paxful, or some $12,000 to $14,000.

The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.

Hassold says it’s possible well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could perform even more convincing attacks.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that’s going to be the next step. We’ll see other groups move into this space,” Hassold says, which will mean more professional and difficult-to-spot BEC emails.

Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. “They’re going back to basics. I don’t need to develop an 0-day if I can put a macro in a Word file and a victim will click on it,” Agari’s Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.

“These nontechnical type attacks are now the predominant mode of cyberattacks today,” he says. “This is the type of attack employees will see, so they should include them in education and awareness training.”

Related Content


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … 

Baltimore Ransomware Attack Takes Strange Twist

Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

A mysterious and newly created Twitter account on May 12 posted what purports to be a screenshot of sensitive documents and user credentials from the city of Baltimore, which was hit late last week by a major ransomware attack.

Researchers at Armor who have been investigating the so-called Robbinhood ransomware malware used in the attack on the city discovered the post. They say it could either be from the attacker, a city employee, someone with access to the documents — or even be just a hoax. The city is still recovering from the May 7 attack, which has disrupted everything from real estate transactions awaiting deeds, bill payments for residents, and services such as email and telecommunications.

Ransomware attacks typically are all about making money: Attackers demand a fee to decrypt victims’ files they have accessed and encrypted. Whether the tweet came from the attackers trying to put the squeeze on the city to pay up or threatening to abuse the kidnapped information is unclear.

City officials previously have said they have no plans to pay the ransom. “I think the mayor was very clear: We’re not paying a ransom,” said City Council president Brandon Scott in an interview yesterday on a local CBS affiliate.

Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU), discovered the Twitter post appearing to taunt or threaten Baltimore officials. He says he’s not sure whether the tweet came from the actual attackers. “They are trying to make a statement … and to show that they not only were able to encrypt major portions of network of the city …. but they have a lot of internal access,” as well, if the documents in the screenshot are legitimate, Sifford says.

Armor today will post a blog with an obfuscated shot of the tweet and account to ensure the City of Baltimore gets the chance to change the posted usernames and passwords if, indeed, they are legit.

Dark Reading has viewed the full Twitter account and post but is only publishing the obfuscated information.

Source: Armor

Source: Armor

Meanwhile, the Robbinhood attackers in their ransom note demanded $17,600 in bitcoin per system — a total of about $76,280, according to analysis by Armor. The bitcoin wallet for the ransom for the city had not been used at this time, the researchers say, indicating the city has kept its vow not to pay.

Most of Baltimore’s servers were shut down as officials investigated the attack last week, but its 911 and 311 systems were not hit, according to reporting by The Baltimore Sun. When the attack was spotted, employees at City Hall were told to unplug Ethernet cables and shut down their computers and other devices to stem the spread of the malware, Baltimore city councilman Ryan Dorsey told the Sun

Sponsored Content

Tracking your Ever-Changing Internet EdgeYour organization’s Internet Edge is made up of all of the devices, infrastructure, and services that are Internet-exposed.

Brought to you by Expanse, Inc.

Efforts today to reach some Baltimore city officials, including the office of the city’s newly named mayor, Bernard C. Jack Young, were unsuccessful in several cases, in part because email is down for many employees, and several departments are instead using Google Voice voicemail to get messages.

A spokesperson for Baltimore City Council Member Zeke Cohen, with whom Dark Reading was able to contact, said Cohen’s office did not have any information on the tweet, nor could they verify whether the information and documents in the screenshot are from the information encrypted by the ransomware attackers.

Security expert John Bambenek, director of cybersecurity research at ThreatStop, says the tweet looks relatively legitimate. “Either someone spent real effort trying to find documents from public sources or it’s our guy. Either way, he just put himself on the menu for the FBI if he’s not,” Bambenek says.

‘Hurry Up!’
Armor said the Robbinhood ransom note also warns the city not to call the FBI, or risk the attackers going away and leaving the files encrypted. “We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the ransom note said, specifying payment within four days or the fee would increase. After 10 days, the data would no longer be recoverable, the note said, according to Armor.

“We won’t talk more. All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” the note read, according to Armor.

The same ransomware recently hit the city of Greenville, N.C., as well as several power companies in India last month, according to the security firm.

Meanwhile, Baltimore’s ransomware attack is one of 22 against state and local government entities so far in 2019, Armor notes. Other victims including Washington, Pennsylvania; Amarillo, Texas; Cleveland Airport, Cleveland, Ohio; Augusta City Center, Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; Schools System of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusett

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Think Your Business Is Too Small to Get Hacked? Wake Up!

Think Your Business Is Too Small to Get Hacked? Wake Up!

digital security small business owners FISixty percent of small- to mid-sized businesses (SMBs) go bankrupt six months after suffering a cyberattack. The risk is simply too great. SMBs need to strengthen their digital security.

UberEquifaxYahoo…if you look only at the headlines, you’d probably think that digital attackers target just large corporations. Many small business owners are of this viewpoint. According to a 2017 survey by Paychex, more than two-thirds (68 percent) of small business owners are not worried about their business being hacked. Not only that, but the same study revealed that 90 percent of small business owners feel at least somewhat confident that their organization could recover from a security incident in the event one happened.

This perspective boils down to the fact that many SMBs don’t feel they’re important enough to suffer a digital attack. As the Huffington Post found in a survey, small businesses reasoned that they’re safe because they don’t store sensitive information. But more than half of organizations admitted to storing email addresses (68 percent), phone numbers (64 percent), and billing addresses (54 percent). Such a disconnect suggests that SMBs don’t understand the value of the personally identifiable information (PII) they currently store.

It also explains why SMBs just aren’t investing in their digital security. This reality became apparent in a 2015 small business technology survey conducted by Time Warner Cable Business Class (TWCBC). In the study, a third of small business owners said that they manage their own network security solutions, while 27 percent disclosed that they don’t use any security solution.

These findings are consistent with those of other studies, including the following:

  • The vast majority of businesses divulged to the Huffington Post that they’re doing little to prepare themselves against online threats. This lack of preparation extends to their dismissal of basic digital security hygiene. For example, just 38 percent of SMBs stated that they upgrade their security solutions and 22 percent encrypt databases.
  • Sixty-five percent of respondents to a 2017 Ponemon Institute report laid bare that they don’t strictly enforce their own password security policies.
  • PwC survey found that companies with less than $100 million in revenue actually reduced their digital security spending. They cut their budgets despite the fact that digital attacks themselves became more numerous than ever over the course of the year.

Clearly, many small- and mid-sized businesses have simply dismissed the notion that they need to worry about digital security. CloudEntr uncovered as much when 60 percent of SMBs said that recent data breaches had no impact on their security policies. It’s, therefore, no surprise that three-quarters of SMBs told IDT911 that they don’t have any cyber insurance. They don’t think they’ll suffer an attack themselves, so why waste resources in protecting themselves in the event that they suffer one?

The Consequences of Treating Digital Security as an Afterthought

Such an inadequate response to digital security threats has had a, well, predictable response. As the U.S. Securities and Exchange Commission found back in 2015, small businesses have increasingly become easier targets for digital attackers than enterprises, as SMBs possess fewer resources with which they can defend themselves against the same types of digital threats targeting large enterprises. This disparity makes SMBs softer targets for online criminals. Indeed, it’s no wonder why data compiled by SCORE showed that almost half of all digital attacks (43 percent) now target small businesses.

Not surprisingly, it’s also bad when one of these digital attacks is successful. Without proper digital security safeguards, bad actors can essentially run through a victim SMB’s network and do whatever they want. And without cyber insurance, SMBs have little chance of recovering from the costs associated with a data breach. That’s why 60 percent of small businesses go bankrupt just six months after suffering a digital attack, as reported by BankInfoSecurity.

The Future of Digital Security for SMBs

Small business owners – you really need to step up your game if you hope to adequately protect your business against digital threats. And we get it, that you wear many hats and security may not be one of them. But you don’t have to figure it all out yourselves and go it alone.

Most SMBs obviously aren’t large enough to have their own security teams, but you can look to the expertise and capabilities of a security services provider that can fulfill your digital security needs. Just don’t go with the first managed security services provider (MSSP) you find. It’s essential to do your research carefully and look for a company that uses an AI-based security solution to monitor the network for suspicious activity while helping its own analysts navigate the growing flood of alerts across their entire client base. Otherwise, as I said before, the volume of alerts will outstrip their capacity to investigate them, increasing the risk that an attack will get past their defenses and reach your business.

That’s where Lastline comes in. Unlike other AI solutions, Lastline blends network traffic analysis with sandboxing to monitor for anomalous behavior and to evaluate these findings for malicious indicators. This technique enables Lastline to provide high-fidelity insights into what’s truly going on without generating false positives that waste the MSSP analysts’ time.

We have selected and trained very high-quality MSSPs to use our software on behalf of their SMB customers. It’s a relationship that could save your business without requiring you to become a security expert so that you can continue to focus on all of the other parts of keeping your business running smoothly.

The post Think Your Business Is Too Small to Get Hacked? Wake Up! appeared first on Lastline.

*** This is a Security Bloggers Network syndicated blog from Blog – Lastline authored by Andy Norton. Read the original post at: https://www.lastline.com/blog/digital-security-is-your-business-is-too-small-to-get-hacked/