A North Korea-linked hacking group responsible for multiple financial and destructive attacks is believed to be the most serious threat against banks, security firm Kaspersky Lab says.
The need to maintain security over the supply chain has been confirmed by alerts issued at the end of last week by both IBM and Lenovo. IBM has been shipping malware-infected initialization USBs for its Storwize storage systems which are used by Lenovo.
A group of hackers has threatened to leak unreleased TV shows and movies belonging to Netflix and various television networks after breaching the systems of a production company. The incident once again underscores the security risks posed by third-party vendors.
The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.
It was late November 2016, and Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on Dec. 2 their realtor sent an email to the Little’s and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.
An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm’s logo and some bank account information that was represented as the seller’s account number. The Little’s realtor sent the wire on Thursday morning, the day before settlement.
“We went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn’t be able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.”
After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).
The owner of the Bank of America account appears to have been a willing or unwitting accomplice — also know as a “money mule” — recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.
Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles’ credit union refused to give Bank of America a so-called “hold harmless” agreement that the bigger bank wanted as a legal guarantee before agreeing to help.
Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The “hold harmless” agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.
“When it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,” Castagnoli said. “The receiver or transferee usually insists on a hold harmless agreement because they’re moving the money on behalf of their own account holder, kind of going against their own client which is a big ‘no-no’ when you’re a fiduciary.”
But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowing initiated the wire, when in fact they had.
“I talked to the wire dept multiple times,” Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based Delta Community Credit Union (DCCU). “They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.”
The Littles had to cancel the contract on the house they were prepared to occupy in December. Most of their cash was tied up in this account that the banks were haggling over, and so they opted to get a heavily mortgaged small townhome instead, with the intention of paying off the mortgage when their stolen funds are returned.
“We canceled the contract on the house because the sellers really needed to sell it,” Jon Little said.
The DCCU has yet to respond to my requests for comment. But less than a day after KrebsOnSecurity reached out to the credit union for comment about the Littles’ story, the bank informed the Littles that the other bank would soon have its hold harmless letter — freeing up their $180,000 after more than four months in legal limbo.
The Littles’ story has a fairly happy ending, however most of the other few dozens stories previously featured on this blog about wayward mortgage, escrow and payroll payments wound up with the victim losing six figures at least.
One of the more recent advertisers on this blog — Ninjio — specializes in developing custom, “gamified” security awareness training videos for clients. “The Homeless Homebuyer,” one of the videos Ninjio produced for a government client seems appropriate here: It features an animated FBI agent breaking the bad news to some would-be homeowners that their money is gone and so are their dreams of a new home — all because everyone blindly trusted unsecured email for what is essentially a high-risk cash transaction.
I like the video because its message is fairly stark and real: You could get screwed if you don’t take this seriously and proceed carefully, because once the money’s gone it usually stays gone. Check it out here:
So here’s what you need to know if you or anyone you know, love or even like are about to buy or sell a home: Never wire money based on the say-so of one party to the transaction made via email. You simply don’t know if their account is hacked, so from a self-preservation standpoint it’s best to assume it is.
Agree in advance who will contact whom — preferably by phone — on settlement day to receive the wiring details, and who will manage the wiring process. Never trust bank account details and payment instructions sent via email. Always double or even triple check any instructions for wiring money at settlement. Confirm all wiring instructions in person if possible, or else over the phone.
By the way, these same precautions can help make organizations less susceptible to CEO fraud schemes, email scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster.
The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.
Castagnoli said many credit unions and small banks don’t have the legal staff with the clearance to make calls on whether to issue a hold harmless agreement, and so they usually try to punt on that when requested. Were she in The Littles’ position, Castagnoli said she would have called the head of the credit union and demanded assistance.
“If the head of the bank wouldn’t do it, I’d call my congressperson or a state banking regulator,” she said.
If you’re selling or buying the home yourself and somehow also in charge of wiring money, consider using a Live CD approach (all of these “live” Linux distributions will just as happily run on USB-based flash drives). I have long recommend Live Linux usage as a smart option for small businesses to avoid paying dearly when a Windows banking trojan snarfs their business banking credentials.Source: KREBS ON SECURITY
A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.
Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.
According to U.K. prosecutors, Mudd’s Titanium Stresser service was used by others in more than 1.7 million denial-of-service attacks against victims worldwide, with most countries in the world affected at some point. He originally built the booter service at the age of 15, earning more than $300,000 in ill-gotten gains from it. Also during his interviews, he admitted security breaches against his own college while he was there studying computer science.
Mudd pleaded guilty to three offences under the U.K. Computer Misuse Act and a further offense of money laundering under the Proceeds of Crime Act in October 2016.
“Today, he was sentenced to 24 months imprisonment for his own DDoS attacks, nine months for running a titanium stressor service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently,” reads a press release issued by the Eastern Region Special Operations Unit (ERSOU), an anti-cybercrime unit that worked with the U.K.’s National Crime Agency to investigate Mudd.
Detective Chief Inspector Martin Peters of the ERSOU’s Regional Crime Unit recalled that at sentencing the judge said the defendant likely would have received six years if he’d been tried as an adult and if he had no medical issues. Mudd had been slated to be sentenced last week, but that hearing was delayed until today after the court heard medical testimony on Mudd’s apparent struggles with autism.
The Mudd case is the latest in a string of law enforcement actions in the U.K., U.S. and elsewhere targeting booter service operators and their customers. In December 2016, federal investigators in the United States and Europe arrested nearly three-dozen people suspected of patronizing booter services. That crackdown was part of an effort by authorities to weaken demand for booter and stresser services and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.
In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have run booter services tied to the “Lizard Squad” hacking group. That same month the sprawling discussion forum Hackforums — once the most bustling marketplace on the Internet where people could compare and purchase booter and stresser service subscriptions — announced that it was permanently banning the sale and advertising of booters.
Last month, authorities in Israel said they were preparing a case against two 18-year-old Israeli men who investigators there say operated the wildly popular “vDOS” booter service. The proprietors of vDOS were in business for four years prior to being exposed by KrebsOnSecurity. During just two of those four years in operation vDOS made more than $600,000 helping paying customer coordinate hundreds of thousands (if not millions) of DDoS attacks.
The detail about Mudd having attacked the very same school he was attending as a computer science student seemed both interesting and familiar. Then I remembered: This same dynamic was at work with a young man approximately Mudd’s age who lives in New Jersey and recently was implicated by many of his close associates and a great deal of circumstantial evidence as a co-author of the Mirai botnet computer code.
Mirai is a network worm that enslaves poorly secured “Internet of Things” devices like security cameras and digital video recorders for use in extremely powerful DDoS attacks capable of knocking almost any target offline.
After Mirai took my site offline for several days last year, I spent many hours trying to figure out who was responsible for writing and unleashing the malware. All signs pointed to a computer science student at Rutgers University who used a large Mirai botnet to attack the university repeatedly — all the while using his hacker alter ego to taunt the university in online interviews.
The authorities in the U.K. say they are hoping to make an example of Mudd as part of a broader education effort to divert talented, smart kids away from malicious hacking and toward more productive endeavors.
“Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others,” the ERSOU press release observes. “We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime. It is important that this case sends out a clear message to others who may be tempted by committing cybercrime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online.”Source: KREBS ON SECURITY