The old eventually becomes new again.
Old-fashioned paper-check fraud is rampant. I suspect the resurgence is due to the adoption of mobile banking and many financial institutions’ inability to secure it. Of course, it’s not the security practitioners’ fault. Leaders of the organization demand responsiveness to the customers’ needs and absolute dedication to making the customer experience as pleasant, and simple, as possible. I believe they call it “frictionless”. There is also some “keep-up-with-neighbors” at play. You can’t let your competition utilize the new thing without jumping in also. Even if it is going to cost you thousands and thousands of dollars in fraud.
And I don’t have time or space to hate on the lawyers who hamstring security and compliance departments.
I currently have a case where the check was stolen from a local business and then deposited through mobile deposit. The computer-printed business-to-business check had the victim business name and address in the payee field. The bad guy just took an ink pen and wrote “Or John Doe” underneath. Of course, the name wasn’t John Doe but that of the depositing account holder.
This check would have never been accepted by a teller. But the mobile deposit app doesn’t care. Wait, no hold on withdrawing the funds? See above - the customer shall never be inconvenienced.
What was the name of the depositor - Mon E. Mule. Also known as Homeless Drug Addict. Maybe someone in legal can cover this loss for the institution.
What exactly happens?
The Securities and Exchange Commission (SEC) has charged 11 individuals for running a fraudulent cryptocurrency exchange that was effectively a Ponzi scheme. It is estimated the scam brought in over 300 million US dollars during its time. What does being “charged” by the SEC actually entail? And what are the ramifications? Can you be sentenced to prison or is it purely a civil enforcement? I have so many questions. Regardless, it’s great to see an agency of the federal government that actually does what it’s supposed to do and seems to do it with fervor. https://www.sec.gov/news/press-release/2022-134
External threats become internal threats
A group of cybercriminals is wholesale copying resumes from LinkedIn and Indeed in an effort to get hired at cryptocurrency companies. The group hopes to gather intelligence about upcoming trends, including those related to Ethereum, non-fungible tokens (NFTs) and potential security vulnerabilities. I can see that copying someone else’s resume may get you an interview but wouldn’t it fall apart after that? At some point you’d have to do the work. I guess this is a case of fake-it-until-you-make-it, or at least until you can install a backdoor into the network. https://decrypt.co/106491/cybercriminals-plagiarize-linkedin-indeed-profiles-to-apply-crypto-jobs-report
Google wants to be better?
Google claims to be making changes to provide better search results. I have no doubt that they are, but it’s different to see the company admit they have a weakness, and need to change. I suspect this is coming from their realization that other search engines - DuckDuckGo - are providing equally effective results and not trampling all over our privacy while doing it. Competition drives the market and it’s good to see Google feeling the heat. https://blog.google/products/search/how-were-improving-search-results-when-you-use-quotes/
Where does all that money go
I guess not securing their own network. Cellebrite, the mobile device forensic software, and law enforcement agency extortionists, suffered a data breach and lost 4TB of proprietary company data. This is the second time the company has sustained a loss of data. https://www.hackread.com/anonymous-leaks-4tb-cellebrite-data-cyberattack/?
If you own a business
The Institute For Security and Technology (IST) has issued the report “Blueprint for Ransomware Defense” which is a step-by-step plan to help small and medium businesses protect themselves from a ransomware attack. This is a solid plan built on a solid foundation of best practices, but most of the concepts are too complex for many small business owners. Telling someone who runs a restaurant or auto repair shop to “enact 2FA and then establish an access revoking process” is meaningless. Small business owners would be better suited to use the report to assist them in contracting with a security consultant. Ask the firm the steps they will take to secure your business and make sure it flows with the IST suggestions. https://securityandtechnology.org/wp-content/uploads/2022/08/IST-Blueprint-for-Ransomware-Defense.pdf
The Rest…
Intel471 explains why cyber-criminals are making Telegram their home. https://intel471.com/blog/telegram-cybercrime-underground-forums
President Biden signed the “Covid-19 EIDL Fraud Statute of Limitations Act of 2022” into law extending the time period for prosecution to 10 years. https://www.whitehouse.gov/briefing-room/legislation/2022/08/05/bills-signed-h-r-7334-and-h-r-7352/
Proofpoint found that 97% of the top universities in the United States, Australia, and the UK are not taking appropriate measures to proactively block attackers from spoofing their email domains. https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-97-top-universities-us-uk-and-australia-putting-students-staff
The Emergency Alert System issues an alert - “we got problems”. https://content.govdelivery.com/accounts/USDHSFEMA/bulletins/3263326
Cool Job
Security Coordinator MLB Facilities and Intelligence - Major League Baseball https://www.mlb.com/careers/opportunities?gh_jid=4244201
Cool Tool
Thatsthem - Free people search engine https://thatsthem.com/
Watch Youtube videos frame-by-frame http://www.watchframebyframe.com/
Irrelevant
The news media, academics, and politicians can’t figure out where all the cops have gone! The activists know - it’s all going as planned. And the cops know - but aren’t allowed to talk about it and are entirely discredited if they do. https://apnews.com/article/gun-violence-covid-health-police-2b1f9d8dce1fe3acbb1c5e3910d39e09
Thanks for opening this week’s email and reading. Please consider sharing the newsletter to help us grow.
Matt
DeMyer’s Second Law – “Anyone who posts an argument on the internet which is largely quotations can be very safely ignored, and is deemed to have lost the argument before it has begun.”