Cyber Actors and Criminals: Two Cybersecurity Updates from the FBI

The COVID-19 pandemic has led to a spike in businesses teleworking to communicate and share information over the internet. With this knowledge, malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities. While telework software provides individuals, businesses, and academic institutions with a mechanism to work remotely, users should consider the risks associated with them and apply cyber best practices to protect critical information, safeguard user privacy, and prevent eavesdropping.


Public Service Announcements from the Federal Bureau of Investigation

Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing US Businesses More Than $2 Billion

[April 6, 2020] Cybercriminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling more than $2.1 billion in actual losses from BEC scams using two popular cloud-based email services. While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Users can better protect themselves from BEC by taking advantage of the full spectrum of protections that are available.

Definitions

Cloud-based email services are hosted subscription services that enable users to conduct business via tools such as email, shared calendars, online file storage, and instant messaging.

Business Email Compromise is a sophisticated scam targeting businesses that perform electronic payments such as wire or automated clearing house transfers. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques resulting in an unauthorized transfer of funds.

Background

Over the last decade, organizations have increasingly moved from on-site email systems to cloud-based email services. Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013. BEC scams have been reported in all 50 states and in 177 countries. Small and medium-sized organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.

Threat

There are a number of BEC scam variants. One of the most effective types is initiated through phishing emails designed to steal email account credentials. Cybercriminals use phishing kits that impersonate popular cloud-based email services. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. Upon compromising victim email accounts, cybercriminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.

Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments be redirected to fraudulent bank accounts. Cybercriminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.

Depending upon the provider, cloud-based email services may provide security features such as advanced phishing protection and multi-factor authentication that are either not enabled by default or are only available at additional cost.

Recommendations for End Users

  • Enable multi-factor authentication for all email accounts.
  • Verify all payment changes and transactions in person or via a known telephone number.
  • Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.

Recommendations for IT Administrators

  • Prohibit automatic forwarding of email to external addresses.
  • Add an email banner to messages coming from outside your organization.
  • Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
  • Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
  • Disable legacy account authentication.
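The behaviours the Threat section describes (a compromised account quietly gaining a rule that deletes payment-related mail or forwards everything to an outside address, preceded by a sign-in from an unfamiliar country) map directly onto the logging and alerting recommendations above. The following triage check is an added example, not part of the FBI announcement: the event schema, the organization domain example.com, the expected-country set and the sample events are all constructed assumptions, so the field names need mapping to whatever your provider's audit export actually produces.

```python
"""Triage of mailbox audit events for the BEC account-takeover signs the PSA
describes: inbox rules that auto-forward to an outside address, rules that
delete payment-related messages, and sign-ins from unexpected countries.

The event schema is constructed for this example; it is not any provider's
audit-log format. Map the field names to your own export before use.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

ORG_DOMAIN = "example.com"           # assumption: the organization's own mail domain
EXPECTED_COUNTRIES = {"US"}          # assumption: where staff normally sign in from
PAYMENT_TERMS = ("invoice", "wire", "payment", "ach", "remittance", "bank")

# Constructed sample events (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"ts": "2020-04-01T08:02:11Z", "user": "ap@example.com", "event": "SignIn", "country": "US", "ip": "198.51.100.7"}
{"ts": "2020-04-01T22:14:03Z", "user": "ap@example.com", "event": "SignIn", "country": "NG", "ip": "203.0.113.45"}
{"ts": "2020-04-01T22:16:40Z", "user": "ap@example.com", "event": "InboxRuleCreated", "rule": {"name": "Sync", "forward_to": "ap.backup@mail-example.net", "delete": false, "subject_contains": []}}
{"ts": "2020-04-01T22:17:05Z", "user": "ap@example.com", "event": "InboxRuleCreated", "rule": {"name": "Clean", "forward_to": null, "delete": true, "subject_contains": ["invoice", "wire"]}}
{"ts": "2020-04-01T09:30:00Z", "user": "hr@example.com", "event": "InboxRuleCreated", "rule": {"name": "Sort", "forward_to": "payroll@example.com", "delete": false, "subject_contains": ["timesheet"]}}
"""


def is_external(address: str) -> bool:
    """True when the address is outside ORG_DOMAIN (subdomains count as internal)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)


def _finding(event: dict, kind: str, detail: str) -> dict:
    return {"ts": event["ts"], "user": event["user"], "kind": kind, "detail": detail}


def triage(lines: Iterable[str]) -> List[dict]:
    """Return one finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        kind = event.get("event")
        if kind == "SignIn" and event.get("country") not in EXPECTED_COUNTRIES:
            findings.append(_finding(event, "unexpected_country",
                                     f"sign-in from {event['country']} ({event['ip']})"))
        elif kind == "InboxRuleCreated":
            rule = event["rule"]
            target = rule.get("forward_to")
            # Recommendation: forwarding to outside addresses should not happen at all
            if target and is_external(target):
                findings.append(_finding(event, "external_forward",
                                         f"rule '{rule['name']}' forwards to {target}"))
            # Exact-term match keeps this demo free of substring false positives ("ach" in "teacher")
            terms = [t.lower() for t in rule.get("subject_contains", [])]
            if rule.get("delete") and any(t in PAYMENT_TERMS for t in terms):
                findings.append(_finding(event, "delete_payment_mail",
                                         f"rule '{rule['name']}' deletes mail matching {terms}"))
    return findings


def findings_by_user(findings: List[dict]) -> Dict[str, int]:
    """Count findings per mailbox; several kinds on one account is the strongest signal."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['ts']} {f['user']:<18} {f['kind']:<22} {f['detail']}")
    print(findings_by_user(results))
```

Run against the constructed log, the accounts-payable mailbox produces three findings in sequence (foreign sign-in, external forward, payment-mail deletion) while the HR rule that forwards internally produces none; it is that clustering on a single account, within minutes, that an alert should key on rather than any one event in isolation.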

What to Do If You Are a Victim

If you discover unauthorized payments, contact your financial institution immediately to request recall of the funds. Report attempted or actual fraudulent financial transfers to the Internet Crime Complaint Center at www.ic3.gov or to your local FBI field office, which can be found at www.fbi.gov/contact-us/field. The FBI may be able to assist financial institutions in the recovery of lost funds.

Read the original public service announcement at Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services


Cyber Actors Take Advantage of COVID-19 Pandemic To Exploit Increased Use of Virtual Environments

[April 1, 2020] The FBI anticipates cyber actors will exploit increased use of virtual environments by government agencies, the private sector, private organizations, and individuals as a result of the COVID-19 pandemic. Computer systems and virtual environments provide essential communication services for telework and education, in addition to conducting regular business. Cyber actors exploit vulnerabilities in these systems to steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion.

As of March 30, 2020, the FBI’s Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams. In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices. Based on recent trends, the FBI assesses these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes.

Telework Vulnerabilities

The FBI advises you to carefully consider the applications you or your organization uses for telework, including video conferencing software and voice over Internet Protocol (VOIP) conference call systems. Telework software comprises a variety of tools that enable users to remotely access organizational applications, resources, and shared files. The COVID-19 pandemic has led to a spike in businesses teleworking to communicate and share information over the internet. With this knowledge, malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities. While telework software provides individuals, businesses, and academic institutions with a mechanism to work remotely, users should consider the risks associated with it and apply cyber best practices to protect critical information, safeguard user privacy, and prevent eavesdropping. Cyber actors may use any of the below means to exploit telework applications.

Software from Untrusted Sources

  • Malicious cyber actors may use legitimate-looking telework software—which may be offered for free or at a reduced price—to gain access to sensitive data or eavesdrop on conversations.
  • Cyber actors may also use phishing links or malicious mobile applications that appear to come from legitimate telework software vendors.

Communication Tools

  • Malicious cyber actors may target communication tools (VOIP phones, video conferencing equipment, and cloud-based communications systems) to overload services and take them offline, or eavesdrop on conference calls.
  • Cyber actors have also used video-teleconferencing (VTC) hijacking to disrupt conferences by inserting pornographic images, hate images, or threatening language.

Remote Desktop Access

  • Some telework software allows for remote desktop sharing, which is beneficial for collaboration and presentations; however, malicious cyber actors historically have compromised remote desktop applications and can use compromised systems to move into other shared applications.

Supply Chain

  • As organizations seek to obtain equipment, such as laptops, to enable teleworking, some have turned to laptop rentals from foreign sources. Previously used, improperly sanitized equipment potentially carries preinstalled malware.

Education Technology Services and Platforms

Today’s rapid incorporation of education technology (edtech) and online learning could have privacy and safety implications if students’ online activity is not closely monitored. For example, in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student personally identifiable information on social media, and stated how the release of such information could help child predators identify new targets. Additionally, parents and caretakers should be aware of new technology issued to children who do not already have a foundation for online safety. Children may not recognize the dangers of visiting unknown websites or communicating with strangers online.

Business Email Compromise (BEC)

BEC is a scam that targets both individuals and businesses who have the ability to send wire transfers, checks, and automated clearing house (ACH) transfers. In a typical BEC scheme, the victim receives an email purported to be from a company the victim normally conducts business with; however, the email requests money be sent to a new account, or for standard payment practices be altered. For example, during this pandemic, BEC fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19. The FBI advises the public to be on the lookout for the following:

  • The use of urgency and last-minute changes in wire instructions or recipient account information;
  • Last-minute changes in established communication platforms or email account addresses;
  • Communications only in email and refusal to communicate via telephone;
  • Requests for advanced payment of services when not previously required; and
  • Requests from employees to change direct deposit information.

Tips to Protect You and Your Organization

Teleworking Tips:

Do:

  • Select trusted and reputable telework software vendors; conduct additional due diligence when selecting foreign-sourced vendors.
  • Restrict access to remote meetings, conference calls, or virtual classrooms, including the use of passwords if possible.
  • Beware of social engineering tactics aimed at revealing sensitive information. Make use of tools that block suspected phishing emails or allow users to report and quarantine them.
  • Beware of advertisements or emails purporting to be from telework software vendors.
  • Always verify the web address of legitimate websites or manually type it into the browser.

Don’t:

  • Share links to remote meetings, conference calls, or virtual classrooms on open websites or open social media profiles.
  • Open attachments or click links within emails from senders you do not recognize.
  • Enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) unless absolutely needed.

Education Technology Tips:

School districts across the United States are working to address a dynamically changing learning environment. The FBI acknowledges everyone is adjusting to these demands, but the FBI encourages parents and families to:

Do:

  • Closely monitor children’s use of edtech and online services.
  • Research edtech service user agreements about data breach notifications, marketing, and/or selling of user data, data retention practices, and whether users and/or parents can elect to have student data deleted by request.
  • Conduct regular internet searches of children’s information to monitor the exposure and spread of their information on the internet.
  • Consider credit or identity theft monitoring to check for any fraudulent use of their child’s identity.
  • Research parent coalition and information-sharing organizations available online for those looking for support and additional resources.
  • Research school-related, edtech, and other related vendor cyber breaches, which can further inform families of student data and security vulnerabilities.

Don’t:

  • Provide exact information on children when creating user profiles (e.g., use initials instead of full names, avoid using exact dates of birth, avoid including photos, etc.)

BEC Tips:

Do:

  • Check for last-minute changes in wiring instructions or recipient account information.
  • Verify vendor information via the recipient’s contact information on file—do not contact the vendor through the number provided in the email.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
  • If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds, and contact your employer to report irregularities with payroll deposits. As soon as possible, file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov or, for BEC and/or email account compromise (EAC) victims, BEC.IC3.gov.

Cyber Crime Vulnerability Tips: The following tips can help protect individuals and businesses from being victimized by cyber actors:

Do:

  • Verify the web address of legitimate websites and manually type them into your browser.
  • Change passwords for routers and smart devices from default setting to unique passwords.
  • Check for misspelled domain names within a link (for example, confirm that addresses for government websites end in .gov).
  • Report suspicious activity on work computers to your employer.
  • Use multi-factor authentication (MFA) when accessing organizational sites, resources, and files.
  • Practice good cybersecurity when accessing Wi-Fi networks, including use of strong passwords and Wi-Fi Protected Access (WPA) or WPA2 protocols.
  • Ensure desktops, laptops, and mobile devices have anti-virus software installed and routine security updates are applied; this includes regularly updating web browsers, browser plugins, and document readers.

Don’t:

  • Open attachments or click links within emails received from senders you do not recognize.
  • Provide usernames, passwords, birth dates, social security numbers, financial data, or other personal information in response to an email or phone call.
  • Use public or non-secure Wi-Fi access points to access sensitive information.
  • Use the same password for multiple accounts.
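Two of the tips above come down to the same question: does the domain in a sender's address actually match the vendor on file, or is it a misspelling, a look-alike, or a ".gov" imitation? The check below is an added example and not FBI guidance; the vendor list is constructed, and the two-label registrable() helper is a stated simplification (a real deployment would use a public-suffix list so that domains under suffixes like .co.uk compare correctly).

```python
"""Sender-domain check: is the sender's domain the vendor on file, a
look-alike of it, or a ".gov" imitation?

Added example. TRUSTED_DOMAINS is a constructed vendor list; registrable()
assumes two-label domains (no public-suffix list), so multi-label suffixes
such as example.co.uk would need that list in production.
"""
import re
from typing import Set

TRUSTED_DOMAINS: Set[str] = {"acme-supplies.com", "example.com"}  # assumption: vendors/partners on file

# Characters and digraphs that commonly impersonate others in domain names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Collapse common look-alike characters so 'acrne' compares equal to 'acme'."""
    label = label.lower().translate(_HOMOGLYPHS)
    for pair, single in _DIGRAPHS:
        label = label.replace(pair, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels: 'mail.example.com' -> 'example.com' (assumption: no multi-label suffixes)."""
    return ".".join(domain.split(".")[-2:])


def is_gov_impersonation(domain: str) -> bool:
    """Flag 'gov' used as a label or hyphenated token anywhere except as the real .gov TLD."""
    labels = domain.split(".")
    if labels[-1] == "gov":
        return False
    return any(re.search(r"(^|-)gov(-|$)", label) for label in labels[:-1])


def classify(sender: str) -> str:
    """Return 'trusted', 'lookalike:<what it imitates>', or 'unknown'."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        # Trusted name embedded in an unrelated domain: acme-supplies.com.portal.net, acme-supplies-com.net
        if trusted in domain or trusted.replace(".", "-") in domain:
            return f"lookalike:{trusted}"
        # Homoglyph or single-character typo in the second-level label
        if levenshtein(normalize(reg.split(".")[0]), normalize(trusted.split(".")[0])) <= 1:
            return f"lookalike:{trusted}"
    if is_gov_impersonation(domain):
        return "lookalike:.gov"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders for illustration only.
    for sender in ("ap@acme-supplies.com", "ap@acrne-supplies.com",
                   "news@acme-supplies.com.invoice-portal.net",
                   "refunds@irs-gov.com", "ops@totally-different.org"):
        print(f"{sender:<45} {classify(sender)}")
```

An "unknown" verdict is not a clean bill of health; it only means the domain resembles nothing on file, which is exactly the case the tips say to settle by calling the vendor on a number you already have rather than one supplied in the message.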

If private sector partners have additional questions, you can reach out to local FBI Field Office Private Sector Coordinators. If you have evidence your child’s data may have been compromised, if you are the victim of an internet scam or cybercrime, or if you want to report suspicious activity, please visit the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Read the original public service announcement at Cyber Actors Take Advantage of COVID-19 Pandemic To Exploit Increased Use of Virtual Environments


Source: ComplexDiscovery