Threats Without Borders - Issue 125
Matt's Cyber-Financial Crime Newsletter, Week ending April 9, 2023
The user is the weakest link. Right? Empirical study and anecdotal experience back this up. Right? The bad guys know it too and exploit the user for maximum benefit. Right? The 2022 Verizon Data Breach Investigations Report details that 82% of breaches involved the human element. The user must be the weakest link.
It's so easy to blame the user. Oh, it is so easy. Who clicked the link? Who answered the phone? Who fell for the ridiculous story and sent the wire transfer? Certainly not a machine.
And they have received training. Well, if you consider that 10-minute lecture or 3-minute video they watched a training session. And don't forget about the video game thing. They loved that! Didn't they?
What if the security failures are the fault of the information security “professional”? The user is busy doing THEIR job. Important jobs like an administrative assistant, accounting, selling products your company makes, or even being a payroll administrator…making sure you get paid!
Maybe it is the infosec professional that is not doing THEIR job?
Oh damn, another email from IT security! I “have to” watch another training video. Luckily, I have my cell phone and I can play Candy Crush while this video plays. Oh, there are some stupid questions at the end? No problem, I can retake the test until I get them correct.
Maybe, as infosec professionals, we should end this. Maybe we should be creating personal training experiences that actually command the attention of the user and truly deliver the security message. Why are we taking the easy way out with videos and interactive games that no one pays attention to? Because mid-level managers love, absolutely LOVE, games.
I’m not saying that cute videos and "gamified" media don’t have a place. Some are excellent and provide a valuable reminder to the user. But, you can’t replace a thoughtful and well-designed message…delivered in person... by an engaged HUMAN. Throw in some food and drink too - coffee and pastries for a morning session or subs and soda for a lunch session. Imagine if we made security training something the user wanted to attend!
But, but, but, that costs money says the back-office budget watcher. Well, how much is a data breach going to cost? How much does an incident response firm charge to come in and clean up your network? How much is a wire transfer to a Chinese bank going to put you out? Ever tried to put a price on reputation harm?
On second thought, the user isn't the weakest link after all.
Whose fault is this actually?
The Securities and Exchange Commission (SEC) has charged the founder of Frank, a company that connects students to loan providers, with fraud for tricking J.P. Morgan Chase Bank into paying her $175 million. The bank believed Frank had a customer roll of 4.25 million when it actually had fewer than 300,000 “real” clients. I’m sensitive to victim blaming but, ah, um, it seems like some basic due diligence by J.P. Morgan Chase would have prevented this. Maybe? https://www.sec.gov/news/press-release/2023-74
Of course.
A few issues back, I questioned the federal government’s ability to actually address cybersecurity concerns because, well, government. Exhibit Number 1: The Financial Post published this exposé titled “How Biden’s Anti-Hacking Dream Team was Roiled by Internal Strife”. At least try to act surprised as you read this article. https://financialpost.com/pmn/business-pmn/how-bidens-anti-hacking-dream-team-was-roiled-by-internal-strife If you hit a paywall try: https://12ft.io/proxy?q=https%3A%2F%2Ffinancialpost.com%2Fpmn%2Fbusiness-pmn%2Fhow-bidens-anti-hacking-dream-team-was-roiled-by-internal-strife
Phishing creators
YouTube creators are being targeted with a new phishing attack that actually comes from YouTube. The bad guys have figured out how to abuse the platform’s sharing system to send social engineering emails from a legitimate YouTube address. The email includes a link to a Google Drive file and the password to open it. The creators are told they have only 7 days to review and respond or their channel access will be restricted. https://www.hackread.com/youtube-phishing-scam-authentic-email-address/
Lab leak…
Cobalt Strike is a security tool intended for use by penetration testing professionals to examine the security posture of an organization - professionally, some might say ethically. Like most good things, some have found it to be equally adept at doing bad things, and Cobalt Strike has become a favorite tool of malicious threat actors. Fortra, the company that owns the legitimate code base for the tool and licenses its usage, has teamed up with Microsoft to combat its illegal use. Great. Now what about Metasploit, PowerShell Empire, and Brute Ratel? https://www.cobaltstrike.com/blog/stopping-cybercriminals-from-abusing-security-tools/
The Rest…
Avanan continues to examine BEC 3.0 https://www.avanan.com/blog/phishing-from-quickbooks
Recorded Future updated the Ransomware Tracker database. https://therecord.media/ransomware-tracker-the-latest-figures
Check fraud is back and Telegram is playing a vital role. https://www.cnbc.com/2023/02/06/criminals-use-telegram-to-recruit-walkers-as-americas-big-banks-see-an-84percent-increase-in-check-fraud.html
Mail Call
“You’re probably going to end up eating crow on that promise to never monetize the newsletter”. I have an entire cookbook on crow. I’m a crow Iron Chef. But I think I’m safe on this one.
Cool Tools
Whose face is that? https://facecheck.id/
Find a corporate email by name. https://cultivatedculture.com/mailscoop/
Cool Job
Investigations Manager - Habitat for Humanity. https://www.habitat.org/about/careers/manager-investigations-8596br
Irrelevant
“Sir…put the duck, no beaver, no otter…whatever it is…down!” Police charge a man for stealing a platypus. https://thehill.com/blogs/blog-briefing-room/3937442-man-arrested-in-australia-charged-with-kidnapping-platypus/
Thank you for taking the time to read this week’s issue. Please consider using the Substack app on your smartphone or tablet. The app is the most reliable way to access the newsletter each week.
Matt
“STOP BEING OKAY WITH THINGS YOU ARE REALLY NOT OKAY WITH.”
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.