Cybersecurity News of the Week, June 23, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

As America gets closer to the 2024 elections, opportunities for disinformation and fraud are rising. Simply put, don’t believe everything you read. Search the web for related stories. Take your time. Pay particular attention to stories that seem to confirm your biases.

And make it a rule to make no donations, political or otherwise, from texts, voicemails, or emails. If you want to donate, do so from the organization’s web site.

  • Deluge of ‘pink slime’ websites threaten to drown out truth with fake news in US election: US sites pushing misinformation are proliferating, aiming to look like reliable sources as local newspapers close down. … Political groups on the right and left are using fake news websites designed to look like reliable sources of information to fill the void left by the demise of local newspapers, raising fears of the impact that they might have during the United States’ bitterly fought 2024 election. … Some media experts are concerned that the so-called pink slime websites, often funded domestically, could prove at least as harmful to political discourse and voters’ faith in media and democracy as foreign disinformation efforts in the 2016 and 2020 presidential elections. … According to a recent report from NewsGuard, a company that aims to counter misinformation by studying and rating news websites, the websites are so prolific that “the odds are now better than 50-50 that if you see a news website purporting to cover local news, it’s fake.” … NewsGuard estimates that there are a staggering 1,265 such fake local news websites in the US – 4% more than the websites of 1,213 daily newspapers left operating in the country.
  • Trump 2024 Campaign Fund Sparks Wave Of Crypto Scammer Frauds: Cybersecurity researchers say two developments involving the Trump 2024 presidential fundraising campaign have left the door open for fraudsters to strike fast and smart. According to a new report from Netcraft, the important dates were May 21, when the Trump campaign said it would accept donations using cryptocurrency, and May 31, when Trump was convicted of 34 felony charges in the Stormy Daniels hush money case. A huge surge in donations has resulted in a new wave of convincing scams from criminals looking to profit from the publicity. … The Netcraft report, “Trumped Up Crypto Scams – Criminals Deploy Trump Donation Scams,” published June 18, warns that cybercriminals had already registered multiple online domains the day before the Trump 2024 crypto donations announcement.

From SecureTheVillage

  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Take your client’s security to the next level. Apply Now!  If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need.
  • The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 
  • How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians TM. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village. TM

Cybersecurity Nonprofit of the Week  …  The Center for Internet Security

Our kudos this week to the Center for Internet Security (CIS®). CIS® is a community-driven nonprofit responsible for the CIS Controls®, CIS Benchmarks™, and CIS Hardened Images®. … The Center released its newest publication, “A Guide to Defining Reasonable Cybersecurity” at this year’s RSA Conference. … Strong proponents of collaboration and innovation, CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). … SecureTheVillage is a recipient of a grant from the Center’s Allen Paller Laureate Program to support our launch of a Pilot Program to measurably improve the cybersecurity of small and midsize organizations.  … The Center for Internet Security is one of the founders of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits including SecureTheVillage.

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

This week’s scam stories. Another sad suicide following a pig butchering scam. And a Good Samaritan story that saved a victim $40,000.

  • Killed by a scam: A father took his life after losing his savings to international criminal gangs. He’s not the only one: Sitting at the kitchen table, Matt struggles to recount the events of the past few months. “As soon as I found out that it was a suicide, I was 100% sure that it was the scam,” he says. … “Our father was, from the day I was born until six months ago, always a positive, happy person. This was literally the only thing in his life that had happened, to where it changed him, and it just crushed him.” … On a horse farm in northern Virginia, surrounded by sprawling fields and stables, the family gathers at their younger sister Adrianne’s house – something they’ve done a lot in the three months since their father took his own life after falling victim to a so-called “pig butchering” scam.
  • Texas cop and Good Samaritan save woman, 84, from sending $40,000 to scammer claiming to be bank employee: When Myndi Jordan spotted an elderly woman desperately trying to feed $100 bills into a Bitcoin ATM at a Texas gas station, she knew something suspicious was going on. … She approached the woman in a Chevron gas station off the I-30 in White Settlement and found her with wads of cash in her purse. … The confused senior was on a video call with a man claiming to be a Chase Bank security team member who was urging her to deposit thousands of dollars into a Bitcoin machine.

After being shamed by fake nudes, kudos to teenager Elliston Berry who reached out to Congress for a bill to criminalize ’deepfake’ nonconsensual image.

  • ‘I Felt Shameful and Fearful’: Teen Who Saw AI Fake Nudes of Herself Speaks Out: The Texas teenager joined Sens. Ted Cruz, Amy Klobuchar and other lawmakers in pushing for a bill to criminalize ’deepfake’ nonconsensual images. … Elliston Berry woke up on a Monday morning last October to some alarming text messages. Friends were asking if she had seen nude photos of herself that were circulating among students at her Texas high school. … One sent a screenshot. She was shocked. The image showed her face…but it wasn’t her body. … A male classmate, she would later learn, had taken at least two photos from her private Instagram account and rendered her naked using artificial-intelligence-powered clothes-removal software. Two of her friends were also victims of the photo manipulation.

The Wall Street Journal has an in depth story of how scammers are using AI to steal your money. Pay heed.

  • AI Is Helping Scammers Outsmart You—and Your Bank: Artificial intelligence is making scammers tougher to spot.  … Gone are the poorly worded messages that easily tipped off authorities as well as the grammar police. The bad guys are now better writers and more convincing conversationalists, who can hold a conversation without revealing they are a bot, say the bank and tech investigators who spend their days tracking the latest schemes. … ChatGPT and other AI tools can even enable scammers to create an imitation of your voice and identity. In recent years, criminals have used AI-based software to impersonate senior executives and demand wire transfers.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

National cybersecurity news, including continued fallout from ProPublica’s Microsoft story.

  • Government and military officials fair targets of Pegasus spyware in all cases, NSO Group argues: The manufacturers of the powerful commercial spyware Pegasus argued in a Friday court filing that it is appropriate for its global clients to target any high-ranking government or military official with the technology because their jobs categorically make them “legitimate intelligence targets.”
  • Nine Takeaways From Our Investigation Into Microsoft’s Cybersecurity Failures: What you need to know about how a whistleblower repeatedly tried to get the software giant to fix a security flaw that left millions of Microsoft users exposed.
  • The Software Licensing Disease Infecting Our Nation’s Cybersecurity: Forcing Microsoft to compete fairly is the most important next step in building a better defense against foreign actors. … COMMENTARY This month, Microsoft president Brad Smith was confronted by the US House Committee on Homeland Security, in a hearing over the cybersecurity woes that have plagued the government as a direct result of the company’s security shortcomings. These issues, however, don’t just come down to insecure products. They’re symptoms of a larger disease — a lapse in market and competition policy that has allowed Microsoft to dominate virtually all of the public sector technology market. And the US government’s failure to properly diagnose the deeper cause puts us all at risk. 
  • CISA leads first tabletop exercise for AI cybersecurity: The Biden administration-led exercise featured 15 companies and several international cyber agencies.  … Looking to build its incident response muscles before artificial intelligence becomes an even greater threat, the federal government on Thursday held its first tabletop for the burgeoning technology, bringing in partners from across the country and abroad for the exercise. … The Cybersecurity and Infrastructure Security Agency led the tabletop under the Joint Cyber Defense Collaborative, the operational arm of the cyber defense agency that is focused on working with industry, alongside 50 AI experts from 15 companies and several international cyber defense agencies.

More bad cybersecurity news about Microsoft.

  • Security bug allows anyone to spoof Microsoft employee emails: A researcher has found a bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.  … As of this writing, the bug has not been patched. To demonstrate the bug, the researcher sent an email to TechCrunch that looked like it was sent from Microsoft’s account security team.

Two more companies hit with cybersecurity violations of the “False Claims Act.”

  • Federal contractors pay multimillion-dollar settlements over cybersecurity lapses: Two federal contractors have paid a total of $11.3 million in civil penalties to the U.S. government after admitting they failed to properly test the cybersecurity of a system for providing financial assistance to low-income people in New York during the COVID-19 pandemic.  … The Department of Justice said Monday that the agreement with Guidehouse Inc. and Nan McKay and Associates resolves allegations that they violated the False Claims Act, a law more than a century old that is intended to protect the government from contractors who misrepresent the quality of their services.

This week in cybercrime. Breaches destroy privacy. 15,000 auto dealers working with paper and pencil. Snowflake attack ensnares LAUSD. Accenture hit?

  • Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans: Change Healthcare has confirmed a February ransomware attack on its systems, which brought widespread disruption to the U.S. healthcare system for weeks and resulted in the theft of medical records affecting a “substantial proportion of people in America.” … In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack. … The health tech giant, owned by U.S. insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company has access to massive amounts of health information on about a third of all Americans
  • Pharma giant’s data breach exposes patients’ sensitive information: U.S. pharmaceutical giant Cencora has been affected by a data breach. 
  • The company is notifying affected individuals that their personal and highly sensitive medical information was stolen during a cyberattack and data breach earlier this year. … This includes patient names, postal addresses, dates of birth as well as information about their health diagnoses and medications.
  • Advance Auto Parts Says Hacker Selling Personal Data of Employees: Retailer says it believes that some files contain information such as Social Security numbers and other government identification numbers. … Advance Auto Parts said a hacker had accessed and was selling certain data that may contain Social Security numbers of job applicants and employees. … The retailer said in a regulatory filing Friday that the unauthorized activity in a third-party cloud database containing company data was identified May 23. Advance Auto Parts said it believes that some files contain information such as Social Security numbers and other government identification numbers, specifically those of current and former job applicants and employees of the company.
  • Cyberattack on CDK Global stymies work at car dealerships across US: A cyberattack on a major software provider for the automotive industry has made it almost impossible for thousands of car dealerships to conduct their work.  … The billion-dollar firm CDK Global began experiencing outages on Tuesday and investigated the incident on Wednesday. They were forced to shut down most of their systems, according to spokeswoman Lisa Finney. … More than 15,000 car dealers across North America use CDK Global’s systems for nearly every aspect of their operations — including facilitating car sales, repairs, registration and more.
  • Los Angeles Unified School District confirms vendor data stolen in Snowflake cyberattack: The Los Angeles Unified School District confirmed that one of its vendors had its data compromised in the recent cyberattack against the cloud storage provider Snowflake.  … The Los Angeles Unified School District, the second-largest public school system in the U.S., this week confirmed that at least one of its vendor using data storage services from Snowflake had its data stolen. The announcement follows a May 27 cyberattack against the Boston cloud data services provider, in which hackers accessed customer accounts using single-factor authentication.
  • Ransom demands issued to Snowflake users amid alleged third-party contractor breach: The number of companies facing ransom payments for data stolen in a campaign targeting Snowflake Inc. users is believed to be as many as 10 as a hacker claims to have gained access by compromising a third-party contractor. … A report from Google LLC’s Mandiant on June 10 found that at least 165 organizations were targeted in the hacking campaign. … Today Austin Larsen, a senior threat analyst at Mandiant, told Bloomberg that as many as 10 companies breached in the campaign had received demands for payments of between $300,000 and $5 million to those behind the hacks not to publish stolen data. … As Mandiant was sharing data on the extent of the extortion attempts against victims, the hacker or hacking group known as ShinyHunters, which has claimed responsibility for the attacks, told Wired that it obtained access by first breaching a Belarusian-founded contractor that works with the breached customers.
  • Security firm Accenture breached, claim cybercriminals: Private data allegedly belonging to more than 30,000 employees of multinational IT company Accenture is being sold by cybercriminals. The company denies the breach. … On June 19th, a threat actor listed a dataset for sale on a notorious hacker forum. The dataset allegedly belongs to Accenture, a US multinational IT services and consulting company. … The leaked database allegedly contains data on 32,826 current and former employees. Reportedly, the company has approximately 742,000 employees worldwide. … The private data leaked included emails, names, and broadcast dates. The dataset may also be related to an internal tool called Media Exchange, which allows for advanced video calling.

Section 4: Helping Executives Understand Why and Know How.

  • Business owners increasingly worry about payment fraud, survey finds: Small businesses are increasingly concerned about payment fraud. That’s according to a small business survey from regional bank KeyBank. Nearly 2,000 small-to-medium size business with annual revenue of less than $10 million were surveyed. … The top concern among survey participants was payment fraud of various types. Forty-four percent were worried about unauthorized transactions or unauthorized electric fund transfers; 37% were concerned about identity theft; 28% said malware and ransomware attacks were their biggest concern; and 27% were worried about phishing and email scams.

Section 5:  Securing the Technology.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge