ZDNet columnist Danny Palmer hit the nail directly on the head in his most recent article “Your biggest cyber crime threat has nothing to do with technology”. He accurately points out that the most prominent, and costly, cyber attack is the one that rarely gets any attention from the main-stream media - Business Email Compromise. The FBI’s Internet Crime Complaint Center tallies the loss from BEC from 2016 through 2021 to sit at 43 billion dollars. The loss was 2.4 billion dollars for just 2021!
“What makes BEC such a rich opportunity for scammers is there's rarely a need to be a highly skilled hacker. All someone really needs is a laptop, an internet connection, a bit of patience – and some nefarious intent.”
BEC attacks may be facilitated through technology but at the end of the day it’s a human problem. Security technology can only block emails from reaching their intended destination and its track record at that is 50/50. Technology is useless once the target opens that email. Only they, the human, can decide how to react to the message.
And a lot of time - they react poorly.
Oh Snap!
The FBI directly called out the Treasury Department and the Securities and Exchanges Commission (SEC) over their lax rules (and enforcement) of ransomeware payment and breach notifications. Bryan Vondran, assistant director of the bureau’s Cyber Division called the agencies rules vague, explaining “The guidance from Treasury on sanction payments is opaque. It is not clear. We have gone to Treasury and asked them to clear that up. They are comfortable with the language as is”. The Treasury Dept. declined comment when contacted but I’m sure this rebuke isn’t sitting well. https://therecord.media/fbi-pushing-for-changes-to-rules-around-treasury-sanctions-sec-cyber-incident-reporting/
And a side-order of card fraud
Attackers were able to successfully integrate Magecart web skimmers into three online ordering platforms used by thousands of American restaurants. It is estimated that 300 restaurants have been affected resulting in the compromise of 50,000 credit card numbers (so far). https://www.bleepingcomputer.com/news/security/hackers-steal-50-000-credit-cards-from-300-us-restaurants/
More Security than CyFi
Network security and endpoint protection company Trellix published the “Summer of 2022 Threat Report”. The work is more hard-edged cyber than financial crime but it’s a really good report and well worth the few minutes to review it. And it’s web-based format is pleasant to use. I wish more companies would publish like this rather than making you give away your email address to download a poorly designed PDF. https://www.trellix.com/en-us/threat-center/threat-reports/jul-2022.html
Paypal invoice - you just got phished - so simple
Avanan explains how attackers are using actual Paypal accounts to deliver phishing emails to hardened in-boxes. Most email security systems recognize Paypal as a legitimate service and allow emails from the company to pass through. The attackers simply create a Paypal account (free to do) and then start sending out fake invoices. It’s so simple. Ohh, how much are you paying for that email security software? https://www.avanan.com/blog/sending-phishing-emails-from-paypal
The Rest…
The Port of Los Angeles sustains 40 millions cyber attacks per month. 40 MILLION! https://gcaptain.com/port-of-la-calls-fbi-after-cyber-attacks-double/
Charges filed for “Cryptocurrency Insider Trading Tipping Scheme”, yeah, figure that one out. https://www.justice.gov/usao-sdny/pr/three-charged-first-ever-cryptocurrency-insider-trading-tipping-scheme
“Why aren’t the good guys winning the war on financial crime?” Because the bad guys don’t have to play by the rules. https://thepaypers.com/expert-opinion/why-arent-we-the-good-guys-currently-winning-the-war-against-financial-crime--1257655
Cool Jobs
Manager of Risk Operations - Greenlight. https://jobs.lever.co/greenlight/df750c32-7f21-4291-88f1-03a7213d8afe
Cool Tools
Phil Harvey’s Exif Tool (just updated 7/21/22) - https://exiftool.org/
Youtube Data Tools - https://tools.digitalmethods.net/netvizz/youtube/
Look-up a Mexican phone number - https://sns.ift.org.mx:8081/sns-frontend/consulta-numeracion/numeracion-geografica.xhtml (Google translate helps!)
Mail
“Forget fraud, the missing corn should be the priority. No corn here in Maryland either”.
“We have corn but its pricey. Pre-covid summer corn was $2 for half-dozen. I just paid one dollar per ear!”
Irrelevant
Someone stole jewelry from a Brinks truck parked at a struck stop. Could be 10 Million dollars worth, could be 100 Millions dollars worth. Depends on who you ask but all agree its gone. https://www.latimes.com/california/story/2022-07-22/who-stole-millions-in-jewels-in-brinks-heist-5-freeway-truck-stop
Thank You for reading. And a special note of thanks to those that share the newsletter each week!
Matt
“Ignore what others may be thinking of you, because they aren’t”