Welcome to Issue 42. I trust everyone had a relaxing and enjoyable Labor Day Weekend.
I like to exasperate telemarketers… I wrote about it here…with a little cybersecurity twist.
Sextortion
Digital sextortion is easy to do, profitable, and devastating to its victims. I have seen some young men absolutely crushed with regret and embarrassment. It is almost impossible to identify the person on the other end of the video stream, and it is on the increase: as of July 31, the FBI’s Internet Crime Complaint Center (IC3) had already received 16,000 sextortion complaints in 2021. Warn your young male family members, friends, and colleagues to be wary of this fraud when using dating and “hook-up” apps such as Tinder. And yes, the victims are almost always males between 16 and 30. In fact, I’ve never heard of a female victim. https://www.ic3.gov/Media/Y2021/PSA210902
Better late than never…
It’s good to see the SEC active and involved in serious enforcement actions, even if the charges come three years after the offense. As they say, justice isn’t always swift. The SEC charged BitConnect, an online crypto lending platform and its founder Satish Kumbhani, alleging that they defrauded retail investors out of $2 billion. The SEC alleges that instead of deploying investor funds for trading, the defendants siphoned the funds off for their own benefit by transferring those funds to digital wallet addresses controlled by them. https://www.sec.gov/news/press-release/2021-172
Perfecting their craft
Attackers who engage in Business Email Compromise (BEC) fraud are some of the most dedicated of all fraudsters and continuously work to get better; unfortunately, they sometimes outwork those who are supposed to defend against them. This article details how BEC threat actors refine their tactics for continued maximum effectiveness. https://www.bankinfosecurity.com/attackers-keep-refining-business-email-compromise-schemes-a-17432
One alert employee is all it takes…
One alert employee noticed a strange anomaly in student aid applications and uncovered a scam that could have cost the California Community College System hundreds of millions of dollars. The student aid official, with the help of some new computer software, uncovered 65,000 fake applications for student aid. https://www.latimes.com/california/story/2021-09-01/california-college-financial-aid-scam-fake-students
KAAI - Kill All Access Immediately
I never understand how organizations terminate employees and let them walk out the door while their access credentials are still valid. In this case, the employee was never physically shown the door because she worked remotely, but the result was the same: her credentials were not revoked, and she ended up deleting 3,500 directories containing over 20,000 files. The victim credit union blames a miscommunication between HR and IT. Hopefully, whoever dropped the ball had their own credentials revoked at the same moment they were shown the door. https://www.bleepingcomputer.com/news/security/fired-ny-credit-union-employee-nukes-21gb-of-data-in-revenge/
The Rest…
This writer claims that Roblox is “rife with scams and abuse”. It is, but maybe not for all the reasons he lists. https://thefederalist.com/2021/09/03/the-massive-online-gaming-platform-roblox-is-rife-with-scams-and-abuse/
A former HR employee of a weather forecasting company, who created flexible spending accounts for herself and others resulting in $88K in fraud, is sentenced to one year and one day in prison. https://www.pennlive.com/news/2021/08/ex-accuweather-employee-sentenced-to-prison-ordered-to-pay-restitution-of-more-than-80k.html
Supporting the call for a move to a zero-trust security posture, the Salesforce email service has been compromised and attackers are using it to send phishing emails. If you’re a Salesforce user, your email system is going to let those messages right through. https://www.esecurityplanet.com/threats/salesforce-email-service-used-for-phishing-campaign/
A new report from the federal watchdog overseeing the trillions in approved coronavirus relief funds says several relief programs potentially disbursed nearly $100 billion in fraudulent relief money. https://abcnews.go.com/Politics/government-watchdog-finds-pandemic-relief-fraud-potentially-worth/story?id=79751204
Proofpoint lays out the blueprint for a current advanced fee fraud. And guess what? It involves gift cards! https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-advance-fee-fraud
Cool Tools
Where have I seen that guy before? Find the matching profile pic: https://pimeyes.com/en
In last week’s issue (41), I made the mistake of mentioning that the previous week’s issue (40) had the largest number of views in the history of the publication. The humblebrag was all for naught, since issue 41 had one of the lowest open/view rates of all issues. Karma, I guess.
“DON’T BE ASHAMED OF YOUR MISTAKES. YOU WOULDN’T BE WHERE YOU ARE NOW WITHOUT LEARNING FROM THEM.” - someone smarter than me.
Thanks for taking the time to read this week’s issue. See you next Tuesday!
Matt