Just an observation about the so called “cybersecurity/DFIR talent shortage”: When I look at the job listings for just about any related position on Indeed or LinkedIn, it seems the vast majority of jobs are located in Northern Virginia, New York city, or Northern California. A suggestion for all of the companies that lament their inability to fill security positions - maybe offer positions in locations where people are willing to move - or go remote. Experienced professionals don’t want to relocate their families to D.C., New York, or San Francisco.
Dog Fraud. Who would have ever thought fraudulent dog sales would be so lucrative to the cyber-criminal? I’m not sure of why it is so, but people getting scammed trying to buy a dog online has become a regular call for my agency. It’s safe to say that if you are attempting to purchase a french bulldog or yorkiepoo there is a really good chance the offer is a scam. And if they want you to prepay through the Cash App - it’s definitely a scam!
Local Justice
I’d like to give a shout out to the agents of the Pennsylvania Attorney General’s Office who arrested three Harrisburg men for the theft of over 140K in pandemic relief funds. These cases are complex, time consuming, and require complete dedication to bring to prosecution. Well done! https://www.pennlive.com/news/2021/07/three-dauphin-county-men-charged-with-stealing-over-140k-in-pandemic-unemployment-funds-ag.html
Gift Cards…p’sh
Recorded Future released the report “The Business of Fraud: Online Retail Fraud in the Criminal Underground”. Guess what is prominent? Gift cards. The gift, err fraud, that keeps giving. The report is well written and insightful. Definitely worth your time to read. https://go.recordedfuture.com/hubfs/reports/cta-2021-0726.pdf
Check before you invest
The Securities Exchange Commission (SEC) issued an investor alert warning about fraudsters posing as legitimate brokers or investment advisors. Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams. To quickly and easily check if someone offering you an investment is currently licensed or registered, use the search tool on Investor.gov. https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/fraudsters
Familiar
A Guyanan, by way of New York City, is pending deportation back to Guyana after pleading guilty to a scheme that stole 1.3 Million dollars in Apple iPhones from Sprint. The scheme was described as: “Personal identification information was obtained and used to create false Sprint accounts, open service contracts and obtain counterfeit driver’s licenses and college student IDs. Pre-paid gift cards were used for down payments or sales taxes required to activate the accounts. Phones were shipped to residences, many of which were for sale. Tracking numbers were used to determine when the phones would be delivered so they could be picked up.” We’ve had this scheme occur in dozens of cases over the past few years and not just with Sprint. The article doesn’t credit which law enforcement agency conducted the investigation - but kudos to you, whoever you are! https://www.pennlive.com/news/2021/07/deportation-likely-for-man-involved-in-scheme-to-defraud-sprint-out-of-iphones-worth-13m.html
The Rest…
CISA published a list of the “Top Routinely Exploited Vulnerabilities”. Print the PDF out and hand it to your security people to make sure your systems aren’t on the list. https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf
A new bank fraud malware has infected thousands of Android devices, so says security firm ThreatFabric. https://arstechnica.com/gadgets/2021/07/new-bank-fraud-malware-called-vultur-infects-thousands-of-devices/
Red Canary provides practicable recommendations to immediately improve your organizations security posture. Start by reading the article. https://redcanary.com/blog/recommendations-to-improve-security/
Push Security explains the “consent phishing” attack that can bypass two-factor authentication protections. https://pushsecurity.com/blog/consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa/?
IBM claims the cost of a data breach to a company has reached an all-time high of 4.2 millions dollars per incident on average. https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic
Cool Tool
While not a new tool, the Gizmodo article demonstrates “12 things you didn’t know you could do with Dropbox”. https://gizmodo.com/12-things-you-didnt-know-you-could-do-with-dropbox-1847358746
Find the difference between two blocks of text: https://www.diffchecker.com/
“NO ONE WAS QUALIFIED WHEN THEY STARTED. STOP OVERTHINKING AND JUST JUMP”. - someone smarter than me.
Thank you reading another issue.
Matt