FBI: Email Scams Take $3.1 Billion Toll on Businesses

Business-related inbox scams are reaching epidemic levels, with the total cost to business reaching a whopping $3.1 billion. The dire warning comes from the FBI, which says the skyrocketing losses represent a 1,300 percent increase since January 2015.

Identified by the FBI as business e-mail compromise (BEC) crimes, the scams attempt to trick email recipients into making wire transfers, forwarding sensitive employee data such as W-2 forms, or paying fake invoices, or they hijack employee email accounts so that the stolen email identities can be used to win the confidence of scam targets.

The FBI has stepped up its BEC awareness campaign less than a month after it released its annual Internet Crime Complaint Center (IC3) report. In that report, the FBI said U.S. businesses were hit hardest by BEC scams in 2015, with 7,838 complaints and losses of more than $263 million.

On Tuesday, the FBI refreshed those BEC numbers, reporting 22,143 worldwide BEC victims representing $3.1 billion in losses since January 2015. Closer to home, the FBI reports 14,032 U.S. BEC victims representing $961 million in losses between October 2013 and May 2016.

The FBI data shows U.S. businesses are disproportionately affected by BEC crimes, with 88 percent of all worldwide victims being U.S.-based and 90 percent of losses coming from U.S. companies.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” wrote the FBI. “The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.”

Security experts say these types of cybercrimes are difficult to protect against. “With BEC attacks there is no malware involved. You are exploiting human trust and business processes that involve email,” said Ryan Kalember, SVP of cybersecurity strategy at the security firm Proofpoint, in an interview with Threatpost reacting to the May IC3 report.

Despite the low-tech email attack vector, the FBI warns that business e-mail compromise attacks can be extremely sophisticated. Attackers can lie in wait for extended periods of time, studying whom a business does business with and what the business's protocols are for wire transfers.

Security experts tell Threatpost they are seeing an uptick in elaborate and sophisticated ruses that involve CEOs, CFOs, COOs, HR departments and accounting. Attacks are becoming more sophisticated, with criminals going so far as to monitor a CEO’s social media feed to best time and color a fake request for a wire transfer.

The FBI says that BEC scams can also be springboards to other types of crimes, with victims reporting romance, lottery, employment, and rental scams as well. In some instances, the FBI warns, victims are unwittingly drawn into becoming “money mules.” In these cases, money is transferred into the target's account and then quickly moved on to a second offshore account or shell corporation.

Tips for steering clear of becoming a BEC victim, according to the FBI, include:

  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures, including the implementation of a two-step verification process that uses out-of-band communication.
  • Consider implementing two factor authentication for corporate e-mail accounts.
  • Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.

[source: FBI: Email Scams Take $3.1 Billion Toll on Businesses]

Netgear Router Update Removes Hardcoded Crypto Keys

Netgear on Friday released firmware updates for two of its router product lines, patching vulnerabilities that were reported six months ago.

Users should update to firmware version 1.0.0.59, which includes fixes for an authentication bypass vulnerability and also addresses a hard-coded cryptographic key embedded in older versions of the firmware.

A vulnerability note published by CERT, operating at the Software Engineering Institute at Carnegie Mellon University, said Netgear router models D6000 and D3600 running firmware versions 1.0.0.47 and 1.0.0.49 are affected. CERT cautions that other models and firmware versions could also be susceptible to the same issues.

The flaws pose a risk to the privacy and security of data moving through the networking gear.

“A remote unauthenticated attacker may be able to gain administrator access to the device, man-in-the-middle a victim on the network, or decrypt passively captured data,” CERT said in its note.

Netgear warned in a support note that an attacker on the local network, or a remote attacker if remote management is enabled, could exploit CVE-2015-8288 and gain access to a hard-coded RSA private key and a hard-coded X.509 certificate and key.

“An attacker with knowledge of these keys could gain administrator access to the device, implement man-in-the-middle attacks, or decrypt passively captured packets,” CERT said in its note.
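The defect described above, a private key and certificate baked into the firmware image, is something a defender can check for before deploying a build. The following is an added example, not Netgear's or CERT's code: it scans an arbitrary binary blob for PEM-encoded objects, flags the private-key labels, and reports their offsets. The firmware bytes it scans are a constructed placeholder, not a real image or real key material.

```python
"""Scan a firmware image for embedded PEM objects (private keys, certificates)."""
import base64
import re
from typing import NamedTuple

# BEGIN/END pair with matching label and a base64-looking body in between.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


class PemHit(NamedTuple):
    label: str
    offset: int       # byte offset of the BEGIN line inside the image
    is_private: bool  # True when the label denotes private key material
    der_len: int      # decoded length, a rough hint of the object's size


def find_pem_blocks(blob: bytes) -> list[PemHit]:
    hits = []
    for m in PEM_RE.finditer(blob):
        label = m.group("label").decode()
        body = b"".join(m.group("body").split())  # drop line wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # PEM-shaped text whose body is not valid base64; ignore
        hits.append(PemHit(label, m.start(), label in PRIVATE_LABELS, len(der)))
    return hits


def private_key_offsets(blob: bytes) -> list[int]:
    """Offsets of every private key found; a non-empty list fails the build check."""
    return [h.offset for h in find_pem_blocks(blob) if h.is_private]


def _pem(label: str, payload: bytes) -> bytes:
    # encodebytes wraps at 76 characters, matching how real PEM files are laid out.
    b64 = base64.encodebytes(payload)
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), b64, label.encode())


# Constructed firmware-like blob: binary padding around two PEM objects (placeholders, not real keys).
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 64
    + _pem("RSA PRIVATE KEY", b"constructed placeholder, not real key material")
    + b"\xff" * 32
    + _pem("CERTIFICATE", b"constructed placeholder certificate bytes")
    + b"\x00" * 16
)
```

A finding does not by itself prove a vulnerability (a certificate alone is public data), but any private-key hit in a shipped image warrants the same scrutiny CERT applied here.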

The authentication bypass flaw, CVE-2015-8289, can expose password security keys if the password recovery feature is disabled, Netgear said.

“A remote attacker able to access the /cgi-bin/passrec.asp password recovery page may be able to view the administrator password in clear text by opening the source code of above page,” CERT said in its note.

CERT suggests a workaround of restricting network access to the router’s web interface over HTTP.

Researcher Mandar Jadhav of Qualys privately reported the flaws in December. His disclosure came on the heels of a critical authentication bypass vulnerability in Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300-1.1.0.28_1.0.1.img that had been publicly disclosed and exploited before a patch was available.

Attackers had been able to exploit the flaws to redirect DNS queries to their servers. With full access to the admin page and settings, an attacker could man-in-the-middle network traffic, reconfigure DNS settings to redirect traffic to a third-party server, or downgrade SSL communication using a number of available tools such as SSLstrip developed by Moxie Marlinspike.

Less than a week later, Netgear published new firmware that addressed the vulnerability. Router models JNR1010v2, WNR2000v5, JWNR2010v5, WNR614, WNR618, WNR1000v4, WNR2020, and WNR2020v2 were affected, and researchers estimated that 10,000 routers had been taken over.

[source: Netgear Router Update Removes Hardcoded Crypto Keys]

BEC scams: What you need to know

Ransomware attacks hitting businesses and institutions might be the latest trend, but they are just one of the threats these organizations have to protect themselves against.

Another prominent one is the Business Email Compromise (BEC) scam.

BEC scammers can target anybody, but have shown a particular predilection for businesses working with foreign partners, as they regularly perform wire transfer payments, often of very large sums.

They overwhelmingly target businesses based in the USA, the UK, and Australia, although companies in other countries are also hit occasionally (e.g. Belgian bank Crelan and Austrian airplane systems manufacturer FACC).

Businesses that fit these criteria would do well to teach their employees about the danger and how to avoid it, especially those in the companies’ finance departments.

In over 40 percent of the cases, it’s the company CFO who receives the fake email urging a transfer of funds. Finance directors and controllers are also often targeted.

In a variation of the BEC scam, which surged earlier this year and saw attackers go after employee payroll information, the newly hired CFO of the security awareness training company KnowBe4 foiled the attack by recognizing the BEC email for what it was.

The request, which was made to look like it was coming from the company’s CEO, was initially sent to the firm’s financial controller, but he or she didn’t have access to the payroll info and forwarded the request to the CFO.

According to Trend Micro researchers, employees should be particularly wary of emails (seemingly or actually) sent by the company’s CEO, President, or Managing Director, asking for an urgent wire transfer.

The attackers are betting on the assumption that requests by those at the top of the company’s food chain will be complied with without question, even if they seem “off.”

The subjects of these emails are prevalently simple and vague, at times composed only of one word, such as “Transfer,” “Request,” “Urgent,” or “Request For {day} {month}, {year}.”

They can come from the CEO’s real email account, compromised with the help of keyloggers or backdoors, or from email accounts made to look like the CEO’s.

BEC scammers use widely available tools to prepare for and perform the attacks.

So far, BEC scammers have made off with over $2.3 billion from over 17,000 organizations around the world – and that’s as far as we know. There are likely victims who never notified the authorities of such a theft, thinking perhaps that the trust in their company might take a hit they could never recover from.

The huge returns this type of scam offers make it unlikely that they will cease any time soon.

Companies should invest in employee awareness training, but also implement controls such as requiring a secondary sign-off by company personnel for any change in vendor payment location, and verifying suspicious requests through means other than email (never using the contact information provided in the email itself).
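The indicators this article and the FBI tips above describe (an executive's name on an address that is not theirs, a domain made to look like the company's, a Reply-To that diverts the conversation, and terse "Urgent"/"Transfer" subjects) can be checked mechanically at the mail gateway or in a ticketing workflow before anyone acts on a request. The following is an added example, not code from either article: the corporate domain, the executive list and both sample messages are constructed for the demo.

```python
"""Flag inbound mail carrying the BEC indicators described in the articles."""
import email
from email.utils import parseaddr

# Constructed values for the demo; substitute the real corporate domain and executives.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENT_WORDS = {"transfer", "request", "urgent", "payment"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hits = []
    # Executive's display name, but the address is not the one on record.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        hits.append("display-name-impersonation")
    # Sender domain within two edits of the corporate domain, but not equal to it.
    if from_domain != CORP_DOMAIN and _edit_distance(from_domain, CORP_DOMAIN) <= 2:
        hits.append("lookalike-domain")
    # Reply-To steers replies to a domain other than the sender's (why the FBI says Forward, not Reply).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        hits.append("reply-to-mismatch")
    # One-word or urgency-led subjects typical of CEO-fraud mail.
    words = msg.get("Subject", "").lower().split()
    if words and words[0].strip(".,!:") in URGENT_WORDS:
        hits.append("urgent-subject")
    return hits


# Constructed sample messages, not real mail.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.invalid
To: cfo@example.com
Subject: Urgent

Please wire the attached invoice today and keep this between us."""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 board deck draft

Draft attached, comments welcome."""
```

Any non-empty result should route the message to the out-of-band verification step rather than block it outright, since a legitimate executive request can trip the subject heuristic alone.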

[source: BEC scams: What you need to know]