Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for April 2016

55+ Companies and Counting Fall to W-2 Phishing Scams

55+ Companies and Counting Fall to W-2 Phishing Scams

It’s officially an epidemic: More than 50 organizations have been successfully targeted by W-2 spear phishing attacks since January—and the list continues to grow, with Pivotal Software and Kentucky State University as the latest victims.

Companies in a wide range of industries from healthcare to storage manufacturing have been fooled by attackers into leaking their employees’ tax forms, including Snapchat, Nation’s Lending Corporation, Care.com and Sprouts grocery stores. Some attacks have exposed the confidential information of tens of thousands of people. Overall, the IRS said that it has seen a 400% surge in phishing and malware incidents so far this year, bent on stealing tax information.

In the Pivotal case, an unknown third party last week sent a fraudulent email message impersonating CEO Rob Mee to an employee requesting tax information about Pivotal employees. The company said in a notice [PDF] that the employee bought the ruse and responded to the request. No word on how many were affected, but Pivotal, a joint venture of EMC and VMWare, has less than 2,000 employees.

Kentucky State University meanwhile put 1071 employees in the hot seat after an employee last week inadvertently sent off KSU W-2s for 2015 and University identification information to criminals.

The scheme is fairly straightforward—using the whaling form of phishing, the attackers send an email to a finance department employee posing as a top executive. That email asks for employee W-2s—tax forms that contain everything an identity thief would need to file a fraudulent tax refund request, among other things. Given that this is tax season in the U.S., such a request from the supposed CEO/CFO is not outlandish, and usually the perpetrators spoof the email addresses to look legit.

“Since January, at least 55 companies have announced that they had fallen victim to a highly tailored spear phishing scheme,” said Tom Landesman, a researcher at Cloudmark Security, in a blog. “This scheme is responsible for stealing and compromising the W-2 U.S. tax records of every employee working for these companies during 2015.”

The first step, he said, begins with a bit of research about a company. Scraping popular forms of public data, such as LinkedIn and Twitter, often yields the names and titles of many employees in a company.

“Then, a quick search for the company’s website will often provide the name of the domain used in their email,” he explained. “With these items in hand, attackers now have their target’s email address as well as the email of a higher ranking member of the company — often a CEO or CFO.”

The fallout from the epidemic is likely to be serious. W-2 documents have a wide range of sensitive information that can be used for various forms of identity fraud, including stealing victims’ tax returns. This has become a shockingly vibrant cottage industry.

“Rapper J-Creek has a song on YouTube about the need for a money mule (or ‘drop hoe’) to collect fraudulent tax refunds,” Landesman said. “There are even reports of classes on how to file fraudulent tax returns being held in church basements.”

But, there are other things that can happen too. “Criminals harvesting W-2 information by spearphishing will probably not exploit them directly,” he added. “These compromised data sets will probably be sold off on underground, Silk Road-like forums to a number of different small operators who will file fraudulent tax returns in the name of the victims.”

Obviously the gaping issue here is employee awareness. At the very least, when confronted with an email requesting that amount of sensitive personal information, payroll employees should verify the request with a phone call.

Photo © M. Luevanos

Source: Information Security Magazine

Verizon Customer Info Database Found Wide Open on the Internet

Verizon Customer Info Database Found Wide Open on the Internet

Hard on the heels of Verizon Enterprise Solutions’ data breach of 1.5 million customer contact details, the news comes that an open database of 50 GB of Verizon customer data has been discovered, completely unprotected by any password or authentication.

MacKeeper security researcher Chris Vickery discovered the DB back in December and disclosed it to Verizon. All that was needed in order to access it was a MongoDB client and the IP address.

Yet, even after a back-and-forth with Verizon’s director of cybersecurity, Jim Matteo, Verizon did little to fix the issue—prompting Vickery to go public. After notifying Verizon of his intention, he received a response this week.

“I had not heard back from Jim until March 28th, 2016 when the Verizon PR staff heard that I was planning to post this article,” he said, in a blog.

The Verizon PR team claimed that the MongoDB was only a test environment with fictitious customer data, non-sensitive reference material, unique encryption keys and solely used passwords specific to that test environment. That was a claim that Vickery disputed, being in possession of 50 gigs of data (now purged), with at least some of the database tables actually marked as being production (i.e. not test data).

“Companies, when caught with their pants down, almost always claim that the exposed data is fictitious, or just a test environment,” Vickery said. “It’s an easy excuse that, if believed, gets them out of a lot of potential embarrassment and liability. I’d say that 90% of the breaches I find are initially denied as just ‘test data.’ But I’d also say that the vast majority of those do indeed turn out to be real breaches in the end.”

Verizon’s Matteo later told Vickery that he was right, and that the situation amounts to a “hybrid breach” scenario.

“It turns out that there was indeed production data here in somewhat of a test environment,” said Vickery. “There had been some kind of service disruption in one of Verizon’s network services around November 6th, 2015. That’s when this test environment was put together and populated with, at least some level of, production data. It was used to troubleshoot and resolve the errors, but then wasn’t properly taken down after the problems were fixed.”

Last week, another MongoDB of VES customer info, including for some of the top Fortune 500 companies, was found up for sale on an underground cybercrime forum, with a price tag of $100,000. Independent security researcher Brian Krebs ran across the information on the Dark Web. He said that while interested parties could buy the whole package, the seller also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Also for sale: information about security vulnerabilities in Verizon’s website.

Though the latest disclosed issue shows no signs that criminals accessed it, “it took them a month to plug the hole,” Vickery said. “It never made the news, but now I wish that I had made a bigger deal out of it. Maybe that would have spurred some changes which could have prevented the breach that Krebs wrote about.”

Source: Information Security Magazine

USA and UK set to Contest Nuclear War Games

USA and UK set to Contest Nuclear War Games

The USA and UK are to resume critical infrastructure testing later this year, with simulated cyber-attacks taking place on a nuclear power plant.

Designed to test the readiness of the government and utility firms, US Government sources said the two countries plan to cooperate on exploring the resilience of nuclear infrastructure to a terrorist attack, according to The Guardian.

While the exercise was not triggered by any credible intelligence about the threat of such an attack, the source said that it was about “prudent planning”. In March 2011 and November 2013, the UK financial sector faced stress tests in the Waking Shark exercises.

David Kennerley, senior manager for threat research at Webroot, said: “While financial organizations are prime targets because of the monetary value of the data they hold, it’s great that governments are now realizing that the energy sector is also a high-risk area. These ‘cyber-war games’ will provide nuclear plants the opportunity to evaluate their ability to anticipate an attack and develop the comprehensive cyber-warfare protection they need."

“This simulation is set to be the most sophisticated ever undertaken and will give the industry the checks it needs to test the protection and the processes it has in place. Applying gaming principals to security problems is a great way to improve security knowledge across companies through real engagement. The bottom line is that the more you practice and prepare for an attack, the better you will respond when encountering the real thing.”

In November 2015, Chatham House spoke of how the UK’s nuclear facilities are at risk of a major cyber-attack, due to a lack of awareness among senior executives and an increasing trend towards digitization, according to its report Cyber Security at Civil Nuclear Facilities: Understanding the Risks.

This report pointed to serious deficiencies in the supply chain, meaning equipment at nuclear plants could be compromised at any stage. Also highlighted were an overly reactive approach to cybersecurity, a lack of staff training, and communication breakdowns between engineers and security personnel.

Bryan Campbell, senior security researcher, enterprise and cybersecurity for UK & Ireland at Fujitsu, said: “Recent high-profile ‘incidents’ on critical national infrastructure such as the one against the US Dam, and the Ukraine power facility have highlighted the need to perform operational activities at a heightened level."

“Historic attacks such as Stuxnet and Duqu have demonstrated the potential damage that can be caused to ICS, or Control & Data acquisition systems. A grasp of would-be hacker targets is more a concern in relation to ‘why’ the UK would be a target to nation-state hackers."

“Regular exercises in this area will strengthen the national posture on resilience in the face of an emerging and persistent threat.”

Source: Information Security Magazine