Cybersecurity News of the Week, December 18, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate; helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Our lead story this week is a new quarterly report from the nonprofit Anti Phishing Working Group (APWG). The report shows reported phishing attacks continuing to climb with the 3rd-quarter being the highest monthly total APWG has seen. One of the easiest things we can all do to help the APWG help us is simply forward phishing attacks to reportphishing@apwg.org. APWG is our Cybersecurity Nonprofit of the Week.

  • APWG Q3 2022 REPORT: Phishing Reaches New Quarterly High in Late 2022: The APWG’s new Phishing Activity Trends Report reveals that in the third quarter of 2022, APWG observed 1,270,883 total phishing attacks — the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG. … Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. … The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers. Anti Phishing Working Group, December 14, 2022

How Hackable Are You? Take our test. Number 1: Have you frozen your credit? Find out how hackable you are and download our free 8-step guide. Tighten your defenses. Then reach out and help others.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.

Cybersecurity Nonprofit of the Week … The Anti Phishing Working Group (APWG)

Kudos this week to the Anti Phishing Working Group (APWG) on the release of their 3rd-quarter phishing trends report (see our Top-of-the-News). APWG unifies the global response to common cybercrimes and related infrastructure abuse through technical diplomacy; curation of a real-time clearinghouse of internet event data; development of applied research; and deployment and maintenance of global cybersecurity awareness campaigns. Like SecureTheVillage, APWG is a fellow-member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: It’s the holiday season. Here come the scammers. Join Julie and me as we discuss the challenges of cybercrime against the backdrop of 40 years of Internet activity. While some security defenses are deeply sophisticated, there’s much ordinary users can do to stay safe; the cyber-equivalent of wearing your seat belt and stopping at red lights. These are our individual data care responsibilities. Take our How Hackable Are You? Quiz and find out how well you’re doing on the basic five.

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

Cybercrime stories about Zelle fraud, romance scams, and how the lack of privacy supports Venmo fraud. Let’s be careful out there.

  • Greenacres small business owner warns others after falling for Zelle scheme: The owner of a medical and psychiatric services clinic called Contact 5 after losing $40,000 when her Zelle account was hacked by someone claiming to be with Chase Bank. … “It was on a Wednesday. I receive a text message that appeared to be from Chase because it had all the Chase messages in it, asking me if I was trying to make a transaction – $60,000 to someone, I believe, in Ohio,” Acelise Alexis, owner of KA Comprehensive Medical and Psychiatric Services, told Contact 5. … Worried someone had stolen her information, Alexis said she trusted the person on the other line. WPTV, West Palm Beach, December 12, 2022
  • Another class-action lawsuit involving Zelle filed in Charlotte:  Another person is suing Bank of America in federal court in Charlotte, claiming it did not do enough to protect customers against Zelle scams. … The plaintiff says someone pretending to be with the bank called her and claimed someone was trying to steal money out of her account, and that they could help. … The plaintiff says the caller walked her through a series of steps and tricked her into transferring the scammer money. … The plaintiff says she notified the bank quickly, but that the bank did not replace the money. WSOC-TV, December 12, 2022
  • Small Banks Warn They Might Have to Drop Zelle Over Scam Payment Costs: Credit unions, community banks say they might not be able to afford to repay targeted customers. … The company that runs Zelle said fraud and scam payments represent less than 0.1% of payments across the network. … Community banks and credit unions might drop out of partnerships with instant-payment apps like Zelle if required to reimburse customers who fall victim to scams, two industry trade groups said. … Facing pressure from lawmakers and regulators to do more to protect customers from fraud, the seven large banks that own Zelle are working on a plan to standardize refunds for customers duped into sending money. Scams using instant-payment apps like Zelle, Venmo and CashApp are expected to cost Americans $3 billion by 2026, up from $1.6 billion in 2021, according to a recent report by ACI Worldwide, a payments-software company. The Wall Street Journal, December 12, 2022
  • A fake Romeo charmed more than 100 women with promises of romance, then scammed them. Now he’s going to prison: Patrick Giblin was like the American version of the “Tinder Swindler” – but without the private jets. … He wooed women with stories about his respectable family – his father was a judge, he said – and beachfront property in Atlantic City, New Jersey, where he said he worked in the casino industry, according to a federal criminal complaint. He told them he was ready to settle down and was more interested in a woman’s inner beauty than her outward appearance. … He vowed that distance was not an issue because he had access to discount flights and was even ready to move to a woman’s city to further their romance. … But federal officials say those were all lies, concocted to swindle women looking for love through dating sites. A review of plea agreements and federal complaints show that Giblin conned at least 100 women over two decades, coaxing them out of more than $250,000 with false promises followed by requests for short-term loans that were never repaid. CNN, December 10, 2022
  • I Know What You Did On Venmo: A team led by USC Viterbi researchers has discovered millions of “privacy leaks” on the mobile social payments app. … The bizarre request came from her husband at 2 a.m. … In May 2021, Keighley Woodard’s out-of-town spouse asked her to send him $195 on the Venmo payment app. He included an electronic note simply saying that he would explain later. … The hour of the request, coupled with her husband’s strange message, raised her suspicions. … What Woodard didn’t know is that several of her husband’s friends received the same request at nearly the same time. According to WSMV News4 in Nashville, Tenn., his friends assumed he had some sort of emergency and transferred money from their Venmo accounts to his. … The problem? They had unwittingly given money to a hacker who had cloned their friend’s Venmo account, complete with his real picture and name. USC Trojan Family, Winter 2022

Two stories describe steps you can take to better protect your online privacy.

  • Your iPhone And iPad Have An Awesome New Security Feature. Here’s Why You Need To Turn It On Now.: On Tuesday, Apple launched iOS 16.2, a new version of the software that runs your iPhone and iPad. One of the most important features in the update is a tiny switch that makes data that you back up in iCloud a lot more secure. … The new feature, which Apple calls Advanced Data Protection, adds end-to-end encryption for backups of your Apple devices stored on iCloud. This means that only you can access the data those backups contain. If a hacker breaches Apple’s servers, for instance, they can’t get your stuff. If a law enforcement agency demands that Apple hand over your backup data, Apple can’t give it because not even Apple is able to look at anything in your backups. Advanced Data Protection is currently available in the US, and Apple users around the world will get it sometime in 2023. … The privacy community is cheering. The FBI, which has previously demanded personal data from Apple, is pissed. … Even if you’re not a privacy wonk or completely paranoid, you should turn on Advanced Data Protection, just because encrypting your personal data is good security hygiene. Buzzfeed News, December 14, 2022
  • If You Value Your Online Privacy, Change These Browser Settings ASAP: You can give your online privacy a major boost by taking five minutes to adjust a few settings in Chrome, Safari, Firefox, Edge or Brave. CNET, December 9, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

Two stories on the political and legal front, both involving the protection of children online.

  • Pelosi backs adding TikTok government device ban to funding bill:  U.S. House Speaker Nancy Pelosi supports adding legislation passed by the Senate this week, which would bar federal government employees from using Chinese-owned TikTok on government-owned devices, to a government funding bill. … A spokesman for Pelosi said she supports including the TikTok provision in legislation to fund the government that the House of Representatives is set to take up next week. … Pelosi’s support, along with that of Representative Kevin McCarthy, the top House Republican, significantly boosts the chances the provision will be adopted next week. Reuters, December 16, 2022
  • Tech industry group sues to block California law designed to protect kids online over free speech concerns: Tech industry group NetChoice is suing the state of California to block its new Age-Appropriate Design Code Act, which it claims violates the First Amendment. … The group’s members include Amazon, Google, Meta, TikTok and Twitter. … NetChoice previously sued Texas and Florida over their social media laws that seek to poke holes in the tech industry’s broad liability shield for content moderation. … Modeled off standards in the U.K., the California law aims to establish rules that make the internet safer for kids. It requires the highest privacy settings to be turned on by default for minors and says that online services targeting kids under 18 must assess the risk of harm to those users that could come from potentially harmful messages or exploitation. CNBC, December 14, 2022

Several cybercrime stories are in the news this week. These include a breach of the FBI’s InfraGard Network, a data theft at the CA Department of Finance, and an attack on Rackspace that has already resulted in class action lawsuits being filed.

  • FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked: InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself. … On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members. Krebs on Security, December 13, 2022
  • LockBit ransomware crew claims attack on California Department of Finance: A notorious and prolific ransomware operation claimed on Monday to have stolen 76 gigabytes of data from the California Department of Finance. … In a statement on its website posted early Monday, LockBit — a group the U.S. Department of Justice describes as one of the “most active and destructive ransomware variants in the world” — announced that it targeted systems belonging to the California Department of Finance and gave the agency a Dec. 24 deadline, when the group is threatening that it will publish the stolen files. … The California Governor’s Office of Emergency Services said in a statement that the California Cybersecurity Integration Center (Cal-CSIC) is “actively responding to a cybersecurity incident involving the California Department of Finance.” The statement noted that “no state funds have been compromised,” but did not address whether records were accessed and, if so, which ones. Cyberscoop, December 12, 2022
  • Rackspace Hit With Lawsuits Over Ransomware Attack: At least two lawsuits have been filed against Texas-based cloud company Rackspace over the recently disclosed ransomware attack. … Rackspace’s Hosted Exchange environment started experiencing problems on December 2. The firm revealed one day later that it was dealing with a security incident that forced it to shut down its hosted Microsoft Exchange service. … Shortly after, it confirmed that the incident was a ransomware attack, but it did not provide any details. It’s unclear which ransomware group is behind the attack, whether any customer or other data has been compromised, or if Rackspace plans on paying a ransom. … On Thursday, Rackspace warned customers that scammers and other cybercriminals — other than the ones behind the attack — might be trying to take advantage of the incident. Customers have been warned that they might receive malicious emails, or phone calls designed to trick them into handing over their information. Security Week, December 12, 2022
  • Cybercriminals’ latest grift: powdered milk and sugar by the truckload: Cybercriminals are increasingly targeting companies in the food and agriculture sector with business email compromise (BEC) schemes, resulting in truckloads of products ending up in scammers’ hands. … In a joint Cybersecurity Advisory from the FBI, Food and Drug Administration and U.S. Department of Agriculture released on Thursday, officials warned of the prevalence of BEC scams, in which threat actors send emails impersonating employees of a legitimate company to place fraudulent orders. In the cases cited in the advisory, the criminals used email addresses with slight differences from those they were imitating. The Record, December 16, 2022
  • FuboTV says World Cup streaming outage caused by a cyberattack: FuboTV has confirmed that a streaming outage preventing subscribers from watching the World Cup Qatar 2022 semifinal match between France and Morocco was caused by a cyberattack. Bleeping Computer, December 15, 2022

The Department of Justice has been active this week with the takedown of 48 web domains that were used to launch powerful Distributed Denial of Service (DDoS) attacks and the arrest of six men who ran them.

  • Six Charged in Mass Takedown of DDoS-for-Hire Sites: The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed to knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services. … The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline. Krebs on Security, December 14, 2022

On the privacy front, Meta is warning Facebook users of continued spyware threats.

  • Meta warns spyware still being used to target people on social media: Meta has warned that the use of spyware to indiscriminately target people – including journalists and activists – is a persistent threat because surveillance-for-hire companies continue to adapt and change tactics in the face of efforts to shut down their capabilities. … A report by Facebook’s parent company described efforts by the social media group to remove a number of firms, including two linked to Russia, one based in Israel, and an entity in China, all of which were alleged by Meta to have been used to “scrape” Facebook and Instagram for users’ private information in an attempt to compromise users’ accounts. … In one case, Meta said it removed more than 100 accounts on Facebook and Instagram linked to a company called Avalanche in Russia, which it said sold access to a platform that allows spying across the internet. Meta said a host of individuals and groups were targeted using the Russian network, from environmental activists, members of the media, NGOs in the US and politicians. Other companies that were removed from Meta platforms include a New York-based company called Social Links, which was originally based in Russia, and Cyberglobes, based in Israel. The Guardian, December 15, 2022

This next story is one we’ve never seen before as prosecutors in Albania are urging the arrest of the IT personnel who are accused of enabling a breach by failing to keep the antivirus software on government computers up-to-date.

  • The Government Workers Facing Seven Years in Prison for Not Updating Software: It’s not unheard of for government officials to lose their jobs following high-profile breaches. For instance, when the U.S. Office of Personnel Management was breached in 2015, the OPM director Katherine Archuleta and chief information officer Donna Seymour later resigned their positions. … But it’s something else entirely for employees who did not deliberately help intruders breach their employers’ computer systems to be charged with any kind of crime purely because of security negligence. … That’s exactly what happened in late November, when Albanian prosecutors requested that five government IT officials in the public administration department be placed under house arrest for failing to update the antivirus software on government computers that led to an Iranian cyberattack that took down many of the government’s websites and online services. The Albanian IT officials are reportedly accused of “abuse of post,” which can carry penalties of up to seven years in prison, according to the Associated Press.  Slate, December 12, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations, and protecting privacy.

We’re covering four stories this week. Two stories on a surge of cyber attacks, the first an interview with FBI Supervisory Special Agent and SecureTheVillage friend, Michael Sohn. These are followed by two stories on the significant shortfall of cyber defenders. It all adds up to increased cyber risk for our businesses, nonprofits, schools, and others.

  • The FBI is worried about a wave of cyber crime against America’s small businesses: As more large businesses and corporations invest in cybersecurity tools, hackers are increasingly targeting small and medium-sized businesses, FBI Supervisory Special Agent Michael Sohn said at CNBC’s Small Business Playbook event on Wednesday. … In 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints regarding cyberattacks and malicious cyber activity with nearly $7 billion in losses, the majority of which targeted small businesses. … The losses from hacking incidents were up 64% year over year. CNBC, December 16, 2022
  • FINRA sees surge in ransomware attacks: The securities industry is facing a surge in ransomware attacks, and firms are increasingly willing to pay off their attackers and move on, reports the U.S. Financial Industry Regulatory Authority Inc. (FINRA). … In a notice to the industry, the U.S. self-regulatory organization said that ransomware incidents are becoming increasingly frequent and sophisticated, including attacks that involve the theft of client data and enable ongoing network access for the perpetrators. … “Ransomware attacks have proliferated due to, in part, increased use of technology and continued adoption of cryptocurrencies, which bad actors use to hide their identities when collecting ransom payments,” FINRA said in its notice — adding that the availability of attack services on the dark web have enabled attacks on a “much larger scale”. … Additionally, the targeting of smaller firms is growing more common. … “Bad actors using ransomware — including sophisticated cyber criminals, organized crime syndicates and state actors — have increasingly targeted small and mid-size firms,” it reported. Investment Executive, December 14, 2022
  • How The Talent Shortage Changes the Approach to Cybersecurity: There’s good news, and there’s bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Study, 4.7 million people currently work in a security-related job. … The bad news: the study also found a worldwide gap of 3.4 million cybersecurity workers. 70% of those surveyed also said they think their organization’s security team is understaffed, decreasing its effectiveness. … As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations need to get creative in their cybersecurity approach. It’s not enough to reset the parameters on building skill sets. We need to start reimagining what internal cybersecurity programs should look like from the ground up. IBM Security Intelligence, December 12, 2022
  • Business Roundtable Launches New Cybersecurity Workforce Corporate Initiative: Business Roundtable today announced a new initiative to help companies strengthen cybersecurity talent pipelines, with a particular focus on entry-level roles. The Cybersecurity Workforce Initiative will support companies in building a cybersecurity workforce both inside and outside their companies, addressing a skills gap in a critical discipline while expanding opportunity for workers. … The Cybersecurity Workforce Initiative will focus on establishing industry-recognized, skills-based career pathways from entry level through advancement, opening job opportunities in cybersecurity to those without four-year degrees. This initiative will also include expanding upskilling programs for the incumbent workforce, and outreach to the U.S. military veteran and military spouse population for cybersecurity roles. Business Roundtable, December 8, 2022
