Cybersecurity News of the Week, March 12, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

FBI Internet Crime Complaint Center (IC3) Releases Annual Internet Crime Report: The IC3 received a total of 800,944 complaints in 2022, with losses exceeding $10.3 billion. Phishing schemes were the number one crime type with 300,497 complaints, and for the first time, investment schemes reported the highest losses to victims, totaling over $3.3 billion. In 2022, the IC3 received 88,262 complaints from victims over the age of 60, with losses in excess of $3.1 billion.

  • BEC complaints ranked second in dollar losses reported to the IC3, at over $2.7 billion. The Report highlights the continued success of the Recovery Asset Team, which assisted in freezing over $433 million in funds for victims who made transfers to US accounts under fraudulent pretenses.
  • Crypto-investment scams saw unprecedented increases in both the number of victims and the dollar losses to these investors. In 2022, investment scam losses were the most (common or dollar amount) scheme reported to the IC3. Investment fraud losses increased from $1.45 billion in 2021 to $3.31 billion in 2022, a 127% increase. Within those complaints, cryptocurrency investment fraud rose from $907 million in 2021 to $2.57 billion in 2022, an increase of 183%.
  • Ransomware incidents had smaller reporting numbers, with 2,385 complaints identified as ransomware, but the adjusted losses were more than $34.3 million. The IC3 received 870 complaints indicating that organizations belonging to a critical infrastructure sector were victims of a ransomware attack.
  • Illegal call centers defraud thousands of victims each year. Two categories of fraud reported to the IC3, Tech/Customer Support and Government Impersonation, are responsible for over $1 billion in losses to victims. Almost half of the victims (46%) report being over 60, and they experience 69% of the losses (over $724 million).

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us in improving community safety.

Cyber Humor

Cybersecurity Nonprofit of the Week … The CyberPeace Institute

Our kudos this week to the CyberPeace Institute on the launch of the Humanitarian Cybersecurity Center (HCC). The HCC provides expert support and practical free cyber assistance to non-governmental organizations (NGOs), tailored to their needs and located anywhere in the world. Some of these activities, like the CyberPeace Builders program, have already been running for over a year and are being scaled through the Center. At maturity, the Center will provide a vast array of free cybersecurity services to protect any humanitarian NGO in cyberspace, along with its ecosystem of beneficiaries, partners and donors. Like SecureTheVillage, the CyberPeace Institute is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Live on Cyber with Dr. Stan Stahl: (Video) (Podcast): The White House released its National Cybersecurity Strategy last week. The most controversial part of the strategy revolves around the need to shift liability for software products and services. … Join Stan and Julie as they riff on the need to shift responsibility – and liability – for security mishaps to those best positioned to do something about it, and on how doing so will require building security and privacy into how we manage technology. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

South Carolina scam victim fights Congress for more protection: (WSPA) — A year ago, the story of a Seneca grandmother who lost $20,000 to a sophisticated scam was released. … The Oconee County woman’s story turned out to be just the beginning of a journey that would take her all the way to the nation’s capital. WBTW, News 13, January 22, 2023

California unveils new crypto tracker website to combat scams: The California Department of Financial Protection and Innovation launched the Crypto Scam Tracker, a new website designed to help Californians spot and avoid crypto scams. … Launched on Feb. 16, the tracker is a database searchable by company name, scam type or keywords so Californians can learn more about the complaints the department has received about specific cryptocurrency websites. KTLA 5, February 24, 2022

Police are prosecuting abortion seekers using their digital data — and Facebook and Google help them do it: Police make requests for social-media user data to aid prosecution after a crime has been committed. … Sometimes, the crime is abortion and social apps are turning over user chat logs and search history. … Platforms may cooperate with police even when they’re not legally required to. Business Insider, March 4, 2023

Section 3 – Cybersecurity News for the Cyber-Concerned.

The US has announced its National Cybersecurity Strategy: Here’s what you need to know: Earlier this month, President Joe Biden released a new National Cybersecurity Strategy, which outlines steps the government is taking to secure cyberspace and build a resilient digital ecosystem that is easier to defend than attack — and that is open and safe for all. … “When we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure,” Biden wrote in the framework’s preface. … The strategy is part of a larger effort by the Biden administration to strengthen cyber and technology governance. This included efforts to increase accountability for tech companies, boost privacy protections and ensure fair competition online. World Economic Forum, March 9, 2023

Biden admin’s cloud security problem: ‘It could take down the internet like a stack of dominos’: The Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers. … The cloud has “become essential to our daily lives,” Kemba Walden, the acting national cyber director, said in an interview. “If it’s disrupted, it could create large potentially catastrophic disruptions to our economy and to our government.” … In essence, she said, the cloud is now “too big to fail.” … The fear: For all their security expertise, the cloud giants offer concentrated targets that hackers could use to compromise or disable a wide range of victims all at once. The collapse of a major cloud provider could cut hospitals off from accessing medical records; paralyze ports and railroads; corrupt the software that helps financial markets hum; and wipe out databases across small businesses, public utilities and government agencies. Politico, March 10, 2023

TSA issues aviation regulations for airlines, airports facing ‘persistent cybersecurity threat’: The agency’s new cybersecurity rules issued on Tuesday followed the Biden administration’s national cybersecurity strategy. … In the latest move from the Biden administration to strengthen cybersecurity protections for critical infrastructure operators, the Transportation Security Administration on Tuesday announced regulations to compel airports along with aircraft owners and operators to improve their digital defenses in the face of growing threats. CyberScoop, March 8, 2023

The Daring Ruse That Exposed China’s Campaign to Steal American Secrets: How the downfall of one intelligence agent revealed the astonishing depth of Chinese industrial espionage. … In March 2017, an engineer at G.E. Aviation in Cincinnati, whom I will refer to using part of his Chinese given name, Hua, received a request on LinkedIn. Hua is in his 40s, tall and athletic, with a boyish face that makes him look a decade younger. He moved to the United States from China in 2003 for graduate studies in structural engineering. After earning his Ph.D. in 2007, he went to work for G.E., first at the company’s research facility in Niskayuna, N.Y., for a few years, then at G.E. Aviation. The New York Times, March 8, 2023

There is a Chinese Spy Balloon in Our Pockets — TikTok: Europeans and Americans share concerns about Chinese surveillance. Both are moving to crack down on the social media network TikTok. How far will they go? … With millions of monthly users, TikTok’s network could send a massive treasure trove of information flows back to Beijing. No guarantee exists against the misuse of this vast amount of personal data. This flow seems at least comparable in value and quantity with the information that could have been collected by the famous spy balloon. … Both the US and Europeans are moving fast to limit TikTok’s reach. EU institutions and the US government recently banished the app on work phones. Many US states and EU countries are following suit. TikTok may be forced to sell out to a Western buyer. On March 7, a bipartisan group of US Senators introduced the RESTRICT Act, which would “create a process” for screening companies operated by foreign adversaries. … Yet don’t expect a total ban — politicians don’t want to upset young voters and seem ready to accept some sort of guarantee to store TikTok data inside Europe and the US. … TikTok’s collection of information outlines interests and behaviors – that is, what is most intimate of a community. In the hands of a state actor such as the Chinese Communist Party, such data represent a precious treasure. It could be used to fuel information operation campaigns, influence political debates, and promote extremism. Center for European Policy Analysis, March 10, 2023

Thousands of pro-Trump bots are attacking DeSantis, Haley: Over the past 11 months, someone created thousands of fake, automated Twitter accounts — perhaps hundreds of thousands of them — to offer a stream of praise for Donald Trump. … Besides posting adoring words about the former president, the fake accounts ridiculed Trump’s critics from both parties and attacked Nikki Haley, the former South Carolina governor and U.N. ambassador who is challenging her onetime boss for the 2024 Republican presidential nomination. … When it came to Ron DeSantis, the bots aggressively suggested that the Florida governor couldn’t beat Trump, but would be a great running mate. AP News, March 6, 2023

FBI, Pentagon helped research facial recognition for street cameras, drones: Internal documents released in response to a lawsuit show the government was deeply involved in pushing for face-scanning technology that could be used for mass surveillance. … The FBI and the Defense Department were actively involved in research and development of facial recognition software that they hoped could be used to identify people from video footage captured by street cameras and flying drones, according to thousands of pages of internal documents that provide new details about the government’s ambitions to build out a powerful tool for advanced surveillance. … The documents, revealed in response to an ongoing Freedom of Information Act lawsuit the American Civil Liberties Union filed against the FBI, show how closely FBI and Defense officials worked with academic researchers to refine artificial-intelligence techniques that could help in the identification or tracking of Americans without their awareness or consent. The Washington Post, March 7, 2023

Federal Authorities Seize Internet Domain Selling Malware Used to Illegally Control and Steal Data from Victims’ Computers: LOS ANGELES – As part of an international law enforcement effort, federal authorities in Los Angeles this week seized an internet domain that was used to sell computer malware used by cybercriminals to take control of infected computers and steal a wide array of information. Department of Justice, March 9, 2023

An international sting brings another win against ransomware gangs: An international police sting against a prolific ransomware gang is the latest blow to a form of cybercrime that’s showing signs of slowing down. … Police in Germany, teaming with the FBI and Europol as well as law enforcement in Ukraine and the Netherlands, announced that they had targeted the gang known as DoppelPaymer. Europol said the criminals had taken more than $40 million from U.S. victims alone. The Washington Post, March 7, 2023

Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers: A persona dubbed Sara Shokouhi recycled photos of a Russian psychologist and tarot card reader to pose as a Middle East-focused researcher. CyberScoop, March 9, 2023

Software firm Blackbaud to pay $3 mln for misleading disclosures on ransomware attack -SEC: WASHINGTON, March 9 (Reuters) – Software company Blackbaud Inc (BLKB.O) has agreed to pay $3 million to settle charges it made misleading disclosures about a 2020 ransomware attack that impacted over 13,000 nonprofit customers, the U.S. Securities and Exchange Commission said on Thursday. Reuters, March 9, 2023

This week in Cybercrime:

Section 4 – Managing Information Security and Privacy in Your Organization.

CISA: Do these three things to toughen up your network against hackers: Cybersecurity agency shares the lessons learned from a red team assessment of a critical infrastructure organization. ZDNet, March 10, 2023

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge