Weekly Cyber Risk Roundup: W-2 Theft, BEC Scams, and SEC Guidance

The FBI is once again warning organizations that there has been an increase in phishing campaigns targeting employee W-2 information. In addition, this week saw new breach notifications related to W-2 theft, as well as reports of a threat actor targeting Fortune 500 companies with business email compromise (BEC) scams in order to steal millions of dollars.

The recent breach notification from Los Angeles Philharmonic highlights how W-2 information is often targeted during the tax season: attackers impersonated the organization’s chief financial officer via what appeared to be a legitimate email address and requested that the W-2 information for every employee be forwarded.

“The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization,” the FBI noted in its alert on W-2 phishing scams.

In addition, researchers said that a threat actor, which is likely of Nigerian origin, has been successfully targeting accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers and steal millions of dollars. The examples observed by the researchers highlight “how attackers used stolen email credentials and sophisticated social engineering tactics without compromising the corporate network to defraud a company.”

The recent discoveries highlight the importance of protecting against BEC and other types of phishing scams. The FBI advises that the key to reducing the risk is understanding the criminals’ techniques and deploying effective mitigation processes, such as:

  • limiting the number of employees who have authority to approve wire transfers or share employee and customer data;
  • requiring another layer of approval, such as a phone call, PIN, one-time code, or dual approval, to verify identities before sensitive requests such as changing a vendor’s payment information are confirmed;
  • and delaying transactions until additional verification processes can be performed.
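As an added illustration of the last three controls (this is example code written for this page, not anything from the FBI alert or SurfWatch Labs), the Python model below represents a vendor payment-detail change that cannot be executed until the vendor has confirmed it by a callback to the number already on file, two different authorised people who are not the requester have approved it, and a hold period has elapsed. The role names, the 24-hour hold, the two-approval rule and the phone numbers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values (not from the FBI alert): a 24-hour hold and two approvals.
HOLD_PERIOD = timedelta(hours=24)
REQUIRED_APPROVALS = 2
# Constructed role list: the only identities allowed to approve payment-detail changes.
APPROVERS = frozenset({"ap-lead", "controller", "cfo"})


@dataclass
class VendorBankChange:
    """A request to change where a vendor's payments go, plus the controls applied to it."""
    vendor: str
    new_account: str
    requested_by: str
    requested_at: datetime
    phone_on_file: str                       # from the vendor master record, never from the request
    callback_number: Optional[str] = None    # the number that was actually dialled
    callback_confirmed: bool = False
    approvals: List[str] = field(default_factory=list)

    def record_callback(self, number_dialled: str, vendor_confirmed: bool) -> None:
        """Record the out-of-band verification call and its outcome."""
        self.callback_number = number_dialled
        self.callback_confirmed = vendor_confirmed

    def approve(self, approver: str) -> None:
        """Add an approval, enforcing separation of duties."""
        if approver not in APPROVERS:
            raise PermissionError(f"{approver} is not authorised to approve payment changes")
        if approver == self.requested_by:
            raise PermissionError("the requester may not approve their own change")
        if approver in self.approvals:
            raise PermissionError(f"{approver} has already approved this change")
        self.approvals.append(approver)

    def blockers(self, now: datetime) -> List[str]:
        """Return every reason the change must not be executed yet (empty list means go)."""
        problems = []
        if not self.callback_confirmed:
            problems.append("vendor has not confirmed the change by callback")
        elif self.callback_number != self.phone_on_file:
            # A number supplied in the request email may belong to the attacker.
            problems.append("callback went to a number that is not on file")
        if len(self.approvals) < REQUIRED_APPROVALS:
            problems.append(f"only {len(self.approvals)} of {REQUIRED_APPROVALS} approvals recorded")
        if now - self.requested_at < HOLD_PERIOD:
            problems.append("hold period has not elapsed")
        return problems

    def can_execute(self, now: datetime) -> bool:
        return not self.blockers(now)


def approval_rejected(change: VendorBankChange, approver: str) -> bool:
    """True if the approval is refused by the separation-of-duties rules."""
    try:
        change.approve(approver)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: an email "from the CFO" asks AP to redirect a vendor's payments
    # and helpfully includes a phone number on which to "confirm" the change.
    requested = datetime(2018, 2, 20, 9, 0)
    change = VendorBankChange("Acme Supplies", "acct-9999", "ap-clerk", requested,
                              phone_on_file="+1-555-0100")
    change.record_callback("+1-555-0199", vendor_confirmed=True)   # number from the email
    change.approve("ap-lead")
    change.approve("controller")
    print(change.blockers(requested + timedelta(days=2)))   # callback went to a number not on file
    change.record_callback("+1-555-0100", vendor_confirmed=True)  # number from the vendor record
    print(change.can_execute(requested + timedelta(days=2)))  # True
```

The point of keeping `phone_on_file` on the object rather than on the request is that a confirmation call placed to a number taken from the attacker’s own email proves nothing; the check only passes when the call went to the number the organisation already had.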


Other trending cybercrime events from the week include:

  • Spyware companies hacked: A hacker has breached two different spyware companies, Mobistealth and Spy Master Pro, and provided gigabytes of stolen data to Motherboard. Motherboard reported that the data contained customer records, apparent business information, and alleged intercepted messages of some people targeted by the malware.
  • Data accidentally exposed: The University of Wisconsin – Superior Alumni Association is notifying alumni that their Social Security numbers may have been exposed due to the ID numbers for some individuals being the same as their Social Security numbers and those ID numbers being shared with a travel vendor. More than 70 residents of the city of Ballarat had their personal information posted online when an attachment containing a list of individuals who had made submissions to the review of City of Ballarat’s CBD Car Parking Action Plan was posted online unredacted. Chase said that a “glitch” led to some customers’ personal information being displayed on other customers’ accounts.
  • Notable data breaches: The compromise of a senior moderator’s account at the HardwareZone Forum led to a breach affecting 685,000 user profiles, the site’s owner said. White and Bright Family Dental is notifying patients that it discovered unauthorized access to a server that contained patient personal information. The University of Virginia Health System is notifying 1,882 patients that their medical records may have been accessed due to discovering malware on a physician’s device. HomeTown Bank in Texas is notifying customers that it discovered a skimming device installed on an ATM at its Galveston branch.
  • Other notable events: The Colorado Department of Transportation said that its Windows computers were infected with SamSam ransomware and that more than 2,000 computers were shut down to stop the ransomware from spreading and investigate the attack. The city of Allentown, Pennsylvania, said it is investigating the discovery of malware on its systems, but there is no reason to believe personal data has been compromised. Harper’s Magazine is warning its subscribers that their credentials may have been compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

[Chart: top trending cybercrime targets, 2018-02-24]

Cyber Risk Trends From the Past Week

[Chart: cyber risk scores, 2018-02-24]

The U.S. Securities and Exchange Commission (SEC) issued updated guidance last week on how public companies should disclose data breaches and other cybersecurity risks and incidents.

The document, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” states that “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The SEC also advised that directors, officers, and other corporate insiders should not trade a public company’s securities if they are in possession of material nonpublic information — an issue that arose when it was reported that several Equifax executives sold shares in the days following the company’s massive data breach. The SEC said that public companies should have policies and procedures in place to prevent insiders from taking advantage of insider knowledge of cybersecurity incidents, as well as to ensure a timely disclosure of any related material nonpublic information.

“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

The SEC unanimously approved the updated guidance; however, Reuters reported that support from the Democrats on the commission was reluctant, as they had called for much more rigorous rulemaking.

Weekly Cyber Risk Roundup: Bitcoin Attacks Dominate Headlines, New Phishing Warnings

Several cryptocurrency exchanges were among the week’s top trending cybercrime targets due to a variety of different currency thefts, data breaches, and warnings from researchers.

[Chart: top trending cybercrime targets, 2017-12-08]

The most impactful incident occurred at the bitcoin mining platform and exchange NiceHash, which said on Wednesday that its payment system was compromised and the bitcoin in its wallet was stolen. NiceHash said it is “working to verify the precise number of BTC taken”; however, news outlets reported that a wallet linked to the attack obtained around 4,736 bitcoin, which is valued at more than $72 million based on Saturday’s price. The company has not released many details about the attack other than that it began after an employee’s computer was compromised.

In addition, researchers warned this week that the increased valuation of bitcoin has made the cryptocurrency sector one of the top 10 most targeted industries for DDoS attacks. On Monday, Bitfinex said that its services were disrupted by a DDoS attack. On Thursday, Coinbase warned that the explosion of interest in digital currencies was creating “extreme volatility and stress” on its systems and urged its users to invest responsibly, as any future downtime could impact their ability to trade.

News outlets also reported that some Bittrex customers who go through the company’s manual verification process but are rejected have received customer support emails containing the passport details and photographs of other users, although Bittrex has not confirmed the reports.

Finally, the SEC announced that it obtained an emergency asset freeze to halt the initial coin offering (ICO) of PlexCorps after it raised up to $15 million from thousands of investors by falsely promising a 13-fold profit in less than a month’s time.


Other trending cybercrime events from the week include:

  • TIO Networks announces breach: PayPal announced a breach at TIO Networks, a payment processor it acquired in July, that affects approximately 1.6 million customers. City Utilities (CU) and Duke Energy have since notified customers that their personal information was compromised due to the breach, as TIO was the provider of the operating system for CU’s payment kiosks and mobile payment app, in addition to being used to process Duke Energy’s in-person payments.
  • Payment card breaches: The Image Group is notifying customers of a temporary vulnerability on its eCommerce platform, Payflow Pro, that made some payment card numbers susceptible to interception while in transit to PayPal. JAM Paper & Envelope is notifying customers of a payment card breach affecting its website due to unauthorized access by a third party. A payment card breach involving the Royal National Institute for the Blind’s web store affects as many as 817 customers, and around 55 individuals have already reported fraudulent activity as a result of the incident.
  • Extortion attacks: The Alameda County Library is notifying its users that their personal information may have been compromised after it received an extortion email that claimed hackers had gained access to the library’s entire database of users and may sell that information if they weren’t paid a five bitcoin ransom. The Mecklenburg County government in North Carolina said that its computer systems were infected with ransomware that is demanding $23,000 for the encryption key. Mad River Township Fire and EMS Department in Ohio said that years of data related to residents who used EMS or fire services was lost due to a ransomware infection. The fertility clinic CCRM Minneapolis said that nearly 3,300 patients may have had their information compromised due to a ransomware attack.
  • Other notable incidents: The Center for Health Care Services in San Antonio is notifying 28,434 patients that their personal information was stolen by a former employee. The County of Humboldt is notifying current and former employees that the Humboldt County Sheriff’s Office recovered payroll documents from the county. Pulmonary Specialists of Louisville is notifying patients their information may have been compromised due to possible unauthorized access. Virtual keyboard developer Ai.Type, bike sharing company oBike, Real Time Health Quotes, and Stanford University all had data breaches due to accidental data exposure. Baptist Health Louisville, Sinai Health System, and The Henry Ford Health System notified patients of employee email account breaches.
  • Law enforcement actions: Authorities reportedly shut down Leakbase, a service that sold access to more than two billion credentials collected from old data breaches. The Justice Department announced a software developer at the National Security Agency’s Tailored Access Operations has pleaded guilty to removing classified NSA data and later having that data stolen from his personal computer by Russian state-sponsored actors. A Michigan man pleaded guilty to gaining access to the Washtenaw County computer network and altering the electronic records of at least one inmate in an attempt to get the inmate released early. A Missouri man has been sentenced to six years in prison for hacking his former employer, American Crane & Tractor Parts, in order to steal trade secrets.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets, 2017-12-08]

Cyber Risk Trends From the Past Week

[Chart: cyber risk scores, 2017-12-08]

Phishing concerns were highlighted once again this past week due to a newly announced vulnerability that allows malicious actors to spoof emails, as well as warnings that phishers are making efforts to appear more legitimate.

A researcher has discovered a collection of bugs in email clients, dubbed “Mailsploit,” that circumvents spoofing protection mechanisms and, in some cases, allows code injection attacks. The vulnerabilities were found in dozens of applications, including Apple Mail, Mozilla Thunderbird, Microsoft Outlook 2016, Yahoo! Mail, ProtonMail, and others.

The bug has been fixed in 10 products and triaged for 8 additional products, the researcher said. In addition, Mozilla and Opera said they won’t fix the bug as they consider it to be a server-side problem; however, Thunderbird developer Jörg Knobloch told Wired that a patch would be made available. DMARC spoofing protection is not attacked directly using Mailsploit, the researcher said, but rather bypassed by taking advantage of how the clients display the email sender name.
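The gap the researcher describes is between what a client renders (the display name) and what DMARC alignment is evaluated against (the domain of the addr-spec in the From header). The Python check below is an added example written for this page, not code from the Mailsploit researcher or from any of the affected mail clients; it decodes an RFC 2047 encoded-word display name, extracts the real addr-spec, and flags display names that contain control characters or an address-looking string whose domain differs from the DMARC domain. The sample header is constructed here: a base64 encoded word whose decoded text is an address followed by a null byte, which is the general shape of trick the page attributes to Mailsploit. The mailbox names and domains are made up for the example.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Nothing in \x00-\x1f or DEL belongs in a display name; clients differ in how they render it.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Loose match for something that looks like an email address inside the display name.
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_display_name(raw_name: str) -> str:
    """Decode RFC 2047 encoded words in a display name, tolerating unknown charsets."""
    pieces = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(chunk)
    return "".join(pieces)


def analyze_from_header(from_value: str) -> dict:
    """Compare what a client would show with the addr-spec that DMARC alignment is checked against."""
    raw_name, addr_spec = parseaddr(from_value)
    shown_name = decode_display_name(raw_name)
    dmarc_domain = addr_spec.rpartition("@")[2].lower()
    findings = []
    if not addr_spec:
        findings.append("no parseable addr-spec")
    if CONTROL_CHARS.search(shown_name):
        findings.append("control characters in display name")
    for embedded in dict.fromkeys(ADDR_LIKE.findall(shown_name)):   # dedupe, keep order
        if embedded.rpartition("@")[2].lower() != dmarc_domain:
            findings.append(f"display name shows {embedded} but DMARC domain is {dmarc_domain!r}")
    return {"display_name": shown_name, "addr_spec": addr_spec,
            "dmarc_domain": dmarc_domain, "findings": findings}


def build_spoofed_from(shown: str, real_addr: str) -> str:
    """Constructed sample builder: base64 encoded-word display name in front of the real addr-spec."""
    encoded = base64.b64encode(shown.encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{encoded}?= <{real_addr}>"


# Constructed sample header (made-up addresses): the decoded display name is "cfo@example.org"
# followed by a null byte and a parenthesised copy; the mailbox DMARC evaluates is
# attacker@evil.example.
SAMPLE_SPOOFED_FROM = build_spoofed_from("cfo@example.org\x00(cfo@example.org)",
                                         "attacker@evil.example")

if __name__ == "__main__":
    for header in (SAMPLE_SPOOFED_FROM, "Alice Example <alice@example.com>"):
        result = analyze_from_header(header)
        print(result["addr_spec"], result["findings"])
```

Running the check at the gateway rather than in the client is the useful deployment: a filter that quarantines messages whose decoded display name carries control characters or a foreign address does not depend on each client fixing its rendering.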

In addition, researchers said that nearly a quarter of all phishing websites are now hosted on HTTPS domains, up from three percent a year ago. The increase is due to both an increased number of HTTPS websites that can be compromised and used to host malicious content, as well as phishers registering HTTPS domains themselves due to their belief that the “HTTPS” designation makes a phishing site seem more legitimate to potential victims. An informal poll conducted by PhishLabs found that more than 80% of the respondents incorrectly believed the green padlock associated with HTTPS websites indicated that a website was either legitimate or safe — when in reality it only means that the connection is encrypted.

Individuals and organizations should be aware that malicious actors continue to leverage exploits like Mailsploit along with more secure-looking websites in order to dupe potential victims via phishing attacks with the goal of installing malware, gaining access to networks, or stealing sensitive data.

Weekly Cyber Risk Roundup: Bad Rabbit’s Parallel Attack, Paradise Papers Fallout

October’s Bad Rabbit ransomware attacks were back in the news this week due to a report that a series of phishing attacks occurred at the same time as the Bad Rabbit outbreak, and the parallel attacks may have been carried out by the same group.

[Chart: top trending cybercrime targets, 2017-11-10]

The discovery also suggests that Ukraine may have been a key target of the attacks, despite Russian victims being more heavily targeted by Bad Rabbit.

The phishing attacks targeted users of Russian-designed 1C software with emails that appeared to be from the developer, the head of the Ukrainian state cyber police told Reuters. 1C products, including accounting software, are widely used in Ukraine.

The official said that 15 companies reported they were compromised by the attack, and it is possible that more people or organizations may have been affected due to 1C software’s wide use. The official also said the main theory is that both the Bad Rabbit and 1C phishing attacks were carried out by the same perpetrators with the goal of getting remote and undetected access in order to steal financial and confidential information. 1C’s developers did not respond to Reuters’ requests for comment about the phishing attacks, but a Ukrainian distributor confirmed that its users were targeted and that it warned them to take extra precautions.

Some researchers have suggested that the Bad Rabbit attacks were carried out by the same group behind June’s NotPetya outbreak. The NotPetya attack leveraged a back door that had been inserted into the M.E.Doc accounting software, which Reuters reported is used by 80 percent of Ukrainian companies. The use of popular Ukrainian accounting software during both NotPetya and attacks potentially linked to Bad Rabbit is yet another shared connection between the two events.


Other trending cybercrime events from the week include:

  • Data breach announcements: Verticalscope, which manages popular Web discussion forums, confirmed that it discovered an intrusion that provided access to the individual website files of six websites. Tween Brands is notifying customers that their personal information may have been compromised due to the discovery of unauthorized access to a server. HumanGood is notifying customers that their personal information may have been compromised due to unauthorized access at a third-party benefits coordination vendor. North American Title Company is notifying customers that their personal information may have been compromised due to an employee’s email account being accessed by an unauthorized third party. Wilbraham, Lawler & Buba and the East Central Kansas Area Agency on Aging announced ransomware attacks that could have also compromised personal information.
  • Data exposed: WikiLeaks released the source code for an alleged CIA hacking tool called “Hive,” and the release is just the first in a new series, dubbed “Vault 8,” that is intended to publish the source code from the variety of hacking tools described in the series of “Vault 7” publications earlier this year. A flaw in the website of the Australian Securities and Investments Commission (ASIC) exposes the search records and purchased documents of users such as investigative journalists and finance industry professionals. The website of the Scottish Appropriate Adult Network, which works with mentally impaired individuals that need help with the justice system, was shut down after it was found to be exposing the personal information of about 50 people. Klinger Moving Company is notifying employees that their personal information was briefly exposed due to a file that was stored on a company server being browsable via search engines.
  • Other notable incidents: NIC Asia Bank said that malicious actors initiated $4.4 million worth of fraudulent money transfers via the SWIFT messaging system last month; however, the bank was able to recover all but $580,000 of the funds. The anime streaming service Crunchyroll said that intruders planted a fake homepage that pushed a malicious “CrunchyViewer” program to its viewers for several hours. Approximately 800 school websites hosted by SchoolDesk displayed a pro-ISIS video after the company was hacked and a file was injected that redirected those websites to the video. Valley Family Medicine said that two now-former employees printed a mailing list of 8,450 patient names and addresses and used the list to make postcards informing them of a new practice.
  • Legal actions: A Pennsylvania man has been indicted for illegal trading via more than 50 hacked online brokerage accounts, which caused the firms servicing the accounts to lose more than $2 million. A former Minnesota resident has been charged with purchasing a year’s worth of DDoS attacks against his former employer Washburn Computer Group, as well as the networks of the Minnesota Judicial Branch, Hennepin County, and several banks. The UK’s Information Commissioner’s Office is warning employees to obey strict privacy laws on the heels of a charity worker at Rochdale Connections Trust being prosecuted for sending spreadsheets containing the personal information of 183 people to his personal email address.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets, 2017-11-10]

Cyber Risk Trends From the Past Week

[Chart: cyber risk scores, 2017-11-10]

The hack of a large cache of sensitive documents from the offshore law firm Appleby, which was first reported several weeks ago, has already begun to have potentially wide-reaching ramifications.

The International Consortium of Investigative Journalists (ICIJ), which also drove the reporting around the 2016 “Panama Papers” leak, has dubbed the new leak the “Paradise Papers.”

The Guardian reported that the now-exposed Appleby documents contain information related to numerous prominent individuals and organizations, such as Donald Trump’s commerce secretary Wilbur Ross, Queen Elizabeth II and Prince Charles, associates of Canadian Prime Minister Justin Trudeau, social media platforms Twitter and Facebook, corporations Apple and Nike, a variety of wealthy private individuals, and hundreds more.

Appleby reiterated this week that the theft of its data was not a leak by an insider, but “a serious criminal act” carried out “by an intruder who deployed the tactics of a professional hacker.” The company has previously stated that it had “thoroughly and vigorously investigated the allegations” from the ICIJ and was “satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.”

The BBC reported that although the 2016 Panama Papers were larger in size, the way the Paradise Papers “lifts the lid on sophisticated, upper-end offshore dealings” is unprecedented. For example, Gabriel Zucman, a professor of economics at the University of California, Berkeley, wrote in The New York Times that $70 billion, or close to 20 percent of all U.S. corporate tax revenue, is lost every year due to shifting corporate profits to tax havens.

The ICIJ and nearly 100 media groups are continuing to dig through the 13.4 million documents spanning seven decades that make up the Paradise Papers. The BBC said the papers include 6.8 million documents related to the Appleby breach, 6 million documents from corporate registries in mostly Caribbean jurisdictions, and a smaller amount from the Singapore-based international trust and corporate services provider Asiaciti Trust.

Dozens more stories related to the Paradise Papers will likely be published in the near future, although it remains to be seen what political, economic, or reputational fallout will accompany the organizations and individuals impacted by the leak.

Scammers Already Taking Advantage of Hurricane Harvey, Registering Domains

The physical damage from Tropical Storm Harvey is expected to spread further in the coming week as the storm continues to move along the Gulf Coast. At least 10 people in Texas have been killed related to the storm, local officials said, and the continuing rainfall could total as much as 50 inches in some areas by the end of the week. On Monday, a day after Louisiana Gov. John Bel Edwards called on the federal government for assistance, President Donald Trump declared a state of emergency in Louisiana. Texas Gov. Greg Abbott described the storm as “one of the largest disasters America has ever faced,” and FEMA administrator Brock Long said the agency is gearing up for the years-long recovery process that will follow.

Naturally, people want to help the victims with that recovery process, and scammers are already capitalizing on that goodwill to defraud individuals and carry out other malicious activity, several agencies have warned.

The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of “storm chasers” — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.”

SurfWatch Labs also noted in a recent customer alert that we have observed hundreds of new domains being registered containing “harvey,” many of which will likely be used for scams related to the storm.
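A watchlist over new domain registrations is one way to turn an observation like the one above into a recurring check. The Python below is an added example written for this page, not SurfWatch Labs’ alerting logic: it takes a feed of newly registered domains, decodes punycode labels, folds common digit-for-letter substitutions, and scores each domain on whether it names the event and whether it also carries a donation or claim lure. The term lists, the scoring weights, the threshold and the domain feed are all constructed for the example; none of the domains are real.

```python
import re
from typing import List, Tuple

# Constructed watchlists. Event terms are what a scam registrant is riding on; lure terms are
# what a scam page needs to say to get a donation made or a claim form filled in.
EVENT_TERMS = ("harvey", "hurricane")
LURE_TERMS = ("relief", "donate", "donation", "fund", "victim", "help", "claim", "fema", "rebuild")
# Digit substitutions that keep a word readable to a human but defeat a naive substring match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_label(domain: str) -> str:
    """Lower-case, decode punycode, and return the second-level label (no public-suffix handling)."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")   # xn--... back to unicode so lookalikes are visible
    except UnicodeError:
        pass                                   # leave an undecodable label as it was
    labels = d.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); score 0 means the domain does not mention the event at all."""
    raw = re.sub(r"[^a-z0-9]", "", registrable_label(domain))   # drop hyphens and other separators
    folded = raw.translate(LEET)
    events = [t for t in EVENT_TERMS if t in folded]
    if not events:
        return 0, []
    reasons = [f"event:{t}" for t in events]
    reasons += [f"lure:{t}" for t in LURE_TERMS if t in folded]
    # An event term that only appears after digit folding was deliberately obscured.
    if any(t in folded and t not in raw for t in EVENT_TERMS):
        reasons.append("digit-substitution")
    score = sum(1 if r.startswith("event:") else 2 for r in reasons)
    return score, reasons


def triage(feed: List[str], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return domains at or above the threshold, highest score first (stable for ties)."""
    ranked = []
    for domain in feed:
        score, reasons = score_domain(domain)
        if score >= threshold:
            ranked.append((domain, score, reasons))
    ranked.sort(key=lambda item: -item[1])
    return ranked


# Constructed feed of "newly registered" names; none of these are real registrations.
NEW_REGISTRATIONS = [
    "harvey-relief-fund.example",
    "hurricaneharveyvictims.example",
    "h4rvey-donate.example",
    "harveys-bakery.example",
    "weather-updates.example",
    "harvey.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(NEW_REGISTRATIONS):
        print(f"{score:2d}  {domain:35s} {', '.join(reasons)}")
```

A name that only contains the event term (harveys-bakery, harvey) scores too low to surface, which is the intended behaviour: the feed will contain plenty of legitimate registrations, and the analyst’s time goes to the names that combine the event with a reason to hand over money or data.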

[Image: SurfWatch Labs alert on Hurricane Harvey scams.]

Scams following national disasters like Harvey have come to be the norm, as malicious actors will attempt to exploit any event or news story that grabs the collective consciousness of a large group of people. For example, researchers recently discovered that the Chinese group APT 17 was leveraging the popularity of Game of Thrones in spear phishing emails designed to infect their targets with malware by teasing potential victims with the headline, “Wanna see the Game of Thrones in advance?”

Similar attack vectors leveraging users’ natural curiosity tend to follow nearly every major news story; however, with natural disasters people are more willing to hand over their payment information and make a donation, so there is more profit — and more incentive — for fraudsters to capitalize on such events. These attack vectors include:

  • email phishing designed to steal personal and financial information;
  • fake websites and crowdfunding pages impersonating legitimate charities;
  • in-person and phone scammers, such as fake contractors or government officials that offer services or aid with no intention of following through;
  • and social media posts designed to entice users to either visit a malicious site, download malware, provide personal information, or perform acts that will earn the fraudster money.

[Image: fake video post. Fake videos like this one observed by Malwarebytes following the disappearance of a Malaysian Airlines flight are often spread via social media and lead to surveys that harvest personal information or earn affiliate cash for the scammers.]

With the National Weather Service describing Harvey as “unprecedented” and “beyond anything experienced,” it is likely that relief efforts will continue for years into the future. As SurfWatch Labs noted after Hurricane Matthew, those who wish to help or are seeking aid should be cautious about who they provide information to in order to avoid falling victim to these social engineering scams. Some tips include:

  • Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
  • Never reply to emails, text messages, or pop-ups that ask for personal information.
  • Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
  • If donating to a charity, make sure it is one you know and trust. The FTC recommends checking out charities via the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch, or GuideStar.

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.

[Chart: top trending cybercrime targets, 2017-05-26]

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to be able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.


Other trending cybercrime events from the week include:

  • Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
  • New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
  • Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
  • Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

It is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offers goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

  • Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
  • Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
  • Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

Weekly Cyber Risk Roundup: Ashley Madison Blackmail Returns, Facebook and Google Victims of Fraud

An old data breach came back to life this week as Ashley Madison users who had their data compromised back in July 2015 are once again being blackmailed — this time by an extortion group threatening to launch a public website and contact people in victims’ social media networks. The website will allegedly be launched on Monday, at which point it will be clear if the threat is just a ploy to extort victims who are low-hanging fruit or if the group will actually carry out their attempt at public shaming.


“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families,” a group using a Ukrainian top level domain recently wrote in an email to some Ashley Madison users. “We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out.”

Robin Harris wrote on ZDNet that the email he received quoted his personal Ashley Madison profile and that the blackmail price for “opting out” of the Cheaters Gallery website was around $500. Of course, paying that blackmail won’t accomplish much unless the victims are willing to keep paying ransoms in an endless game of extortion whack-a-mole. The breached Ashley Madison data has been circulating for 20 months now — ever since the account details of around 32 million users were published on the dark web — and numerous other actors have attempted to extort the victims in the past via extortion emails and letters sent to victims and their spouses. The repeated blackmail campaigns indicate that either victims are paying up and the campaigns are profitable or that the actors behind them at least believed they would be worth the investment.

Seeing another round of Ashley Madison blackmail threats nearly two years after the breach is a reminder that once data is exposed, it remains exposed forever. As SurfWatch Labs noted in a report last year, the pool of compromised data never empties; it only grows. That means that malicious actors can use, reuse, build upon, and find new ways to monetize that expanding pool of data now and in the future.


Other trending cybercrime events from the week include:

  • More payment card breaches: Chain restaurant Chipotle said that it is investigating a possible point-of-sale breach after detecting “unauthorized activity on the network that supports payment processing for purchases made in our restaurants.” The investigation is focusing on transactions that occurred at locations from March 24, 2017 through April 18, 2017. Trading card dealer Blowout Cards announced a data breach due to “an exploit in the form of a modified payment .php file” that allowed the intruders to skim payment card information as customers checked out via its website. As a result, those who used credit and debit cards to check out via the site’s shopping cart between January 2017 and April 20, 2017, had their information compromised.
  • Espionage groups behind South Korea, Israel attacks: Iran’s OilRig hacking group is behind a series of targeted attacks against 250 individuals in government agencies, high-tech companies, medical organizations, and educational institutions such as the renowned Ben-Gurion University. The attacks took place between April 19 and 24 and employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. Two cyber-espionage groups linked to China have been observed launching a variety of attacks against South Korea’s government, military, defense companies, and a big conglomerate involved in deploying Terminal High-Altitude Area Defense, or Thaad, a U.S. missile-defense system designed to protect South Korea from a North Korean missile threat.
  • FIN7 campaign uses social engineering: The FIN7 group (also known as Carbanak) is targeting large restaurant chains, hospitality, and financial service organizations with spear phishing messages centered around complaints, catering orders, or resumes. The group has also been observed calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process, as it has done in previous campaigns.  
  • Phishing leads to fraud, data breaches: Fraudsters were able to convince more than 500 University of California students to hand over their health information, and that information was used to steal almost $12 million from the university by writing fake medical prescriptions in the students’ names. The Iowa Veterans Home is notifying 2,969 people that their medical and financial information may have been compromised after three IVH employees fell for phishing emails that compromised their email account credentials.
  • Other notable cybercrime events: A vulnerability in a popular third-party library used by HipChat.com led to a data breach. The email addresses and unique IMEI numbers from Ciphr phone users have been dumped online, and Ciphr claims that the leak was carried out by a rival secure phone company. A hacker claims to have compromised the forums of R2 games. Concordia University said that approximately 9,000 students may have been affected by unauthorized access to its online course systems. The information of 8,000 Home Depot customers who had lodged complaints with its MyInstall program was found exposed online. Ransomware infected some City of Newark computers. WikiLeaks has published the user guide for the “Weeping Angel” tool allegedly developed by the CIA.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Facebook and Google confirmed this week that they were the victims of the $100 million phishing scheme announced by the Department of Justice last month.

The scheme was carried out by Evaldas Rimasauskas, a Lithuanian man who allegedly impersonated the large Taiwan-based manufacturer Quanta Computer in order to dupe the companies into making a series of fraudulent payments. According to the indictment, Rimasauskas registered and incorporated a company in Latvia with the same name as Quanta Computer and then forged email addresses, invoices, and corporate stamps in order to convince the accounting departments at the two tech companies to make transfers worth tens of millions of dollars over a two-year span, stealing $100 million in total.

Facebook and Google both told Fortune that they have since recovered the bulk of the funds. 

Acting U.S. Attorney Joon H. Kim said in a DOJ press release that “this case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

That same concern was echoed in a report from the Association for Financial Professionals published in early April. According to the report, 74 percent of finance professionals reported that their organizations were victims of business email compromise (BEC) scams in 2016, a 10-percentage point increase from the previous year.

Likewise, in December 2016 the FBI warned of a dramatic increase in BEC scams, which attempt to assume the identity of a person of authority within the company or — in the case of the Facebook and Google thefts — a trusted vendor before asking to initiate a fraudulent wire transfer.

Weekly Cyber Risk Roundup: JobLink, $100 Million BEC Scam and Other Breaches

Third-party cybersecurity issues were once again front and center this past week as America’s JobLink, a web-based system that links job seekers with employers, was compromised by a malicious actor, leading to a series of data breach announcements from states that use the system.

“On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system,” the company wrote. “The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.”

Millions of individuals may have been affected by the vulnerability, which was introduced in an AJL system update in October 2016. When exploited, it allowed the malicious actor to view the names, Social Security numbers, and dates of birth of job seekers in the AJL systems of up to ten states: Alabama (600,000), Arizona, Arkansas (19,000), Delaware (200,000), Idaho (170,000), Illinois (1.4 million), Kansas, Maine (conflicting media reports on total number affected), Oklahoma (430,000), and Vermont (186,000).

Vermont Gov. Phil Scott said at a Thursday press conference that the state was looking into the contract with AJL, which has been in effect for about 16 years, and may potentially pursue legal recourse. At the same press conference Vermont Department of Labor Secretary Lindsay Kurrle noted potential AJL issues that may have compounded the breach, such as older JobLink accounts not being deleted.

Third-party cybersecurity issues continue to be one of the most pressing challenges facing organizations, as the numerous breaches in this roundup each week demonstrate. Despite the challenges, the digital footprints of organizations continue to grow: an issue that Adam Meyer, chief security strategist with SurfWatch Labs, and Kristi Horton, senior risk analyst with Gate 15 & Real Estate ISAC, will discuss in a webinar tomorrow.


Other trending cybercrime events from the week include:

  • WikiLeaks’ dump brings legal issues, more CIA documents:  Julian Assange criticized companies for not responding to WikiLeaks’ request that they comply with certain conditions in order to receive technical information on the leaked CIA exploits; however, multiple tech companies said the issue is caught up in their legal departments. WikiLeaks also continued to leak more CIA data by publishing documents that “explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” The documents are mostly from the last decade, except for a couple that are dated 2012 and 2013.
  • Variety of issues lead to oversharing, data breaches: The UK’s Information Commissioner’s Office is investigating reports that data sharing options in SystmOne may have exposed the medical records of up to 26 million patients. The system’s “enhanced data sharing” option, which doctors turned on so that medical records could be seen by local hospitals, also allowed those records to be accessed by thousands of other workers. Mobile phone company Three is investigating a technical issue that led to some customers who logged into their accounts seeing the personal data of other customers. Med Center Health in Kentucky announced a data breach due to a former employee accessing encrypted patient billing information by falsely implying it was needed for job-related reasons.
  • Bots lead to gift card fraud, stock manipulation: Nearly 1,000 customer websites were targeted by a bot named “GiftGhostBot” that automatically checks millions of gift card numbers to determine which card numbers exist and contain balances. Recent pump-and-dump spam messages from the Necurs botnet falsely claimed that InCapta was about to be bought out for $1.37 per share and that people could buy shares for less than 20 cents before the buyout would be announced.
  • Malware spread via Ask.com toolbar: For the second time in a one month period, malicious actors were able to compromise the Ask Partner Network (APN), creators of the Ask.com toolbar, in order to spread malware that was signed and distributed as though it were a legitimate Ask software update. The first attack was discovered in November 2016, and in December 2016 researchers discovered that the “sophisticated adversary” was continuing its earlier activity “to deliver targeted attacks using signed updates containing malicious content.”
  • Other notable cybercrime events: Hackers going by the name ‘Turkish Crime Family’ claim to have access to a large cache of iCloud and other Apple email accounts and say they will reset accounts and remotely wipe devices on April 7 unless Apple pays a ransom. The McDonald’s India app leaked the personal information of more than 2.2 million users, and data is still allegedly being leaked despite the company’s claims that it fixed the issue. Lane Community College health clinic is notifying approximately 2,500 patients that their personal information may have been compromised due to one of its computers being infected with malware. A gang of hackers-for-hire tried to steal Baidu’s driverless car technology. The FBI believes that North Korea is responsible for the February 2016 theft of $81 million from Bangladesh Bank, and U.S. prosecutors are building potential cases that may both formally accuse North Korea of directing the theft and charge alleged Chinese middlemen

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

One of the most profitable cybercriminal tactics is the business email compromise scam, which has accounted for several billion dollars’ worth of actual and attempted losses over the past few years.

A reminder of that ongoing threat surfaced this past week when the Department of Justice announced the arrest of a Lithuanian man on charges that he had successfully duped two U.S.-based companies into wiring a total of over $100 million to bank accounts that he controlled.

The DOJ noted in its press release that the case “should serve as a wake-up call” to even the most sophisticated companies that they may be the target of advanced phishing attempts from malicious actors.

Evaldas Rimasauskas, the arrested Lithuanian man, allegedly registered and incorporated a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and then opened and maintained various bank accounts using that copycat company name. He then is alleged to have sent fraudulent phishing emails to employees of companies that regularly conducted multimillion-dollar transactions with the hardware manufacturer, asking that those companies direct payments for legitimate goods and services to the bank accounts using the copycat name. The indictment also alleges that Rimasauskas submitted forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

As the FBI and others have repeatedly warned, the lure of a multi-million-dollar payout leads cybercriminals to go to great lengths to successfully social engineer companies. This includes more time spent researching things such as the roles of employees and their language in written communications, as well as company authority figures, policies and procedures, and supply chains. This allows the social engineers to craft a message, or series of messages, that fits within the expected culture and communication patterns of an organization — increasing their chances of a large, fraudulent payday.

Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcements from Hyatt hotels and fast-food chain Wendy’s. The IHG breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PSCU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PSCU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.


Other trending cybercrime events from the week include:

  • Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.
  • Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained access to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”
  • More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as Tailored Access Operations.
  • Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.
  • Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singh and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. Wordfence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages had been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had risen to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

  1. A simple backstory – The malicious actors utilize the built-in story of tax season.
  2. Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
  3. Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.

W-2 Breach Count Hits 24, Rising Fast as More Organizations Get Phished

Tax season has begun, and with it comes renewed opportunity for cybercriminals to steal W-2 information in order to file fraudulent tax returns or sell employee data on the dark web. The past two weeks have seen at least 24 organizations publicly tied to W-2 data breaches — and more breach announcements will likely be made in the coming months.

The simple but effective phishing emails used by malicious actors mirror last year’s wave of successful W-2 thefts. The scammers impersonate an executive and use that authority, along with the timeliness of tax season, to dupe payroll and human resource employees into handing over entire rosters of W-2 information at once.

W-2 breaches and other tax-related cybercrime have peaked in the early part of the past few years, according to SurfWatch Labs’ cyber threat intelligence data, and they will likely peak again in early 2017. The spike in CyberFacts in May 2015 is largely attributed to the announcement of the theft of taxpayer information from the IRS’ “Get Transcript” service.

Numerous organizations have fallen for the ruse so far in 2017, including:

In addition to those organizations, Brian Krebs reported that an actor on the dark web is selling stolen W-2 information tied to more than 3,600 individuals. Information purchased by a source revealed data from Kirai Restaurant Group in Fort Lauderdale and an unnamed doctor’s office in Boca Raton. However, both of those organizations told Krebs that they used a third-party payroll management firm called The Payroll Professionals. That company said it is “aware of the potential hacking” but has yet to make a public announcement.

Altogether that means 24 distinct organizations have been tied to W-2 breaches so far this year, plus any additional clients that may be tied to the incident at The Payroll Professionals.

At least seven of the victims so far have been in the education group, and there have been reports of an even larger number of school districts being unsuccessfully targeted with similar phishing emails. This falls in line with trends from last year’s threat intelligence data.

Education topped the list of industry groups publicly tied to W-2 breaches and other tax-related cybercrime in 2016, and schools are being heavily targeted once again in 2017.

The IRS issued an alert last week warning organizations to be on the lookout for these types of phishing scams, which may include requests in the email body such as:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The scam relies on tricking employees into emailing sensitive information. The best way to combat these types of threats is to ensure that employees are aware of ongoing phishing campaigns and that those employees are properly trained on the best ways to defend against social engineering.

Organizations should use a combination of user-awareness/education and anti-phishing tools to keep employees continually informed of evolving phishing campaigns and to have some mitigation and policy enforcement in place. By creating a culture where employees are encouraged to question unusual requests and confirm those requests via a secondary communications channel, organizations can greatly reduce the risk of employees falling for these types of scams.

Recent Campaigns Highlight Evolving Social Engineering Tactics

Over the past month, researchers have observed several new phishing campaigns that demonstrate a more sophisticated and targeted approach to social engineering by threat actors.

For example, on Monday Trustwave wrote about the Carbanak gang targeting the hospitality and restaurant sectors. The actors began the attack by using public tools such as LinkedIn to find the names of company department heads or other key employees. Then they called the organization’s customer service line, claimed that they were having difficulties with the online registration system, and asked to send the information via email. They would spend a significant amount of time on the phone with the employee — often dropping those researched names in order to build trust — until the employee eventually opened the malicious Word document attached to the email.

Finally, the organization would be infected with malware capable of stealing system information, taking desktop screenshots, and downloading additional tools such as point-of-sale malware.

Targeted Social Engineering Becomes Less Direct

Other threat actors are shifting towards similarly indirect paths of compromise — beginning their attacks with a message, or several messages, designed to build trust before attempting to cause harm. This is the case with recent business email compromise (BEC) scams, which the FBI has repeatedly warned is a growing problem for organizations.

“In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions,” SurfWatch Labs noted in a blog post about the FBI’s July alert. “The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.”

However, Symantec recently warned that BEC scams have shifted to a less urgent approach. Most BEC scams now begin with a simple introductory message before requesting a fraudulent wire transfer, as this email exchange demonstrates:

[Figure: 2016-11-16_becEmail.png] An actor using an informal introduction before going on to a more traditional wire transfer request, as shown by Symantec.

In June, shortly before the FBI’s last BEC warning, just 20 percent of BEC emails began by inquiring about the recipient’s availability — with the rest directly requesting a wire transfer, according to Symantec. By October, 60 percent of the emails began with the more indirect approach of inquiring about the recipient’s availability.

A Look at SurfWatch Labs’ Threat Intelligence Data

Warnings of targeted attacks like the ones described above have led to spear phishing being the most common practice tag related to social engineering over the past 90 days, according to SurfWatch Labs’ data.

[Chart: 2016-11-16_socialengineering.png]

A wide variety of industry groups have been tied to spear phishing threats over the period. However, the most talked-about cybercrime stories of the past month may have been the hacking and publication of emails from the Democratic National Committee and Hillary Clinton's campaign chairman John Podesta, as well as the role those breaches played in shaping the recent US presidential election.

[Chart: 2016-11-16_socialengineering2.png]

In those cases, the leaks have been tied to spear phishing emails from Russian hacking group Fancy Bear, one of the most prominent hacking groups related to spear phishing over the past 90 days, behind only Peter Romar, a 37-year-old Syrian national who recently pled guilty to his role in the Syrian Electronic Army.

[Chart: 2016-11-16_socialengineering3]

Those Fancy Bear attacks relied on a particular tactic: shortened URLs. As Thomas Rid explained in Esquire, those shortened URLs both tricked users into clicking malicious links at an alarming rate and, ultimately, helped researchers uncover the actors behind the targeted attacks:

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to “private.” … Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. … Among the group’s recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta—Hillary Clinton’s campaign chairman—and, of course, the DNC.

These breaches highlight some of the ways in which social engineering has continued to affect organizations across all sectors and how new techniques are incorporated in order to make it harder for individuals to detect suspicious activity.
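As an added example (not SurfWatch Labs' code and not part of the original post), the following Python turns the observations above into triage rules that can be run over inbound mail: an executive's display name on a non-corporate or lookalike address (the W-2 requests quoted earlier), a Reply-To that diverts replies elsewhere, W-2/PII or wire-transfer wording with urgency cues, the short "are you available?" opener Symantec describes, and links through URL shorteners as in the Fancy Bear campaign. The organization domain, the executive list and the four sample messages are constructed assumptions; only the standard library is used.

```python
"""Inbound-mail triage for BEC / W-2 phishing tactics: executive display-name
spoofing, lookalike domains, Reply-To diversion, data/wire requests, availability
probes and shortened URLs. Added example; standard library only; samples constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organization's mail domain and its executives' real addresses.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat smith": "pat.smith@example.com"}  # hypothetical CFO

SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
W2_PATTERNS = [r"\bw-?2s?\b", r"social security number", r"wage and tax statement",
               r"date of birth", r"\bsalary\b"]
WIRE_PATTERNS = [r"\bwire\b.*\btransfer\b", r"payment (details|information)",
                 r"bank (account|details)", r"\binvoice\b"]
URGENCY_PATTERNS = [r"\basap\b", r"\burgent(ly)?\b", r"right away", r"immediately", r"\bkindly\b"]
AVAILABILITY_PATTERNS = [r"are you (available|at your desk|in the office)",
                         r"(quick )?(task|favou?r) for you"]
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _looks_like(domain: str, ours: str) -> bool:
    """Lookalike: within two edits of our domain (examp1e.com) or our label on another TLD."""
    return domain != ours and (
        _levenshtein(domain, ours) <= 2 or domain.split(".")[0] == ours.split(".")[0])

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _any(patterns, text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def triage(raw_message: str) -> list:
    """Return the sorted finding tags for one RFC 5322 message (empty list = nothing seen)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = "\n".join(str(p.get_payload(decode=True) or b"", "utf-8", "replace") for p in parts)
    text = msg.get("Subject", "") + "\n" + body
    findings = set()

    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr.lower() != exec_addr:          # our CFO's name, somebody else's mailbox
        findings.add("exec_display_name_spoof")
    if from_dom and _looks_like(from_dom, ORG_DOMAIN):
        findings.add("lookalike_domain")
    if reply_addr and _domain(reply_addr) != from_dom:   # replies diverted to another domain
        findings.add("reply_to_mismatch")
    if _any(W2_PATTERNS, text):
        findings.add("w2_pii_request")
    if _any(WIRE_PATTERNS, text):
        findings.add("wire_request")
    if _any(URGENCY_PATTERNS, text):
        findings.add("urgency")
    if len(text.split()) < 40 and _any(AVAILABILITY_PATTERNS, text):  # the indirect opener
        findings.add("availability_probe")
    if any(h.lower().split(":")[0] in SHORTENER_DOMAINS for h in URL_RE.findall(body)):
        findings.add("shortened_url")
    return sorted(findings)

# Constructed samples, modelled on the messages and tactics described in the post.
SAMPLE_W2 = """\
From: Pat Smith <pat.smith@examp1e.com>
Subject: Employee W-2s

I want you to send me the list of W-2 copy of employees wage and tax statement for 2016.
Kindly prepare the lists and email them to me asap.
"""
SAMPLE_PROBE = """\
From: Pat Smith <pat.smith@gmail.com>
Reply-To: pat.smith@webmail.example.net
Subject: Hi

Are you at your desk? I have a quick task for you.
"""
SAMPLE_SHORTENER = """\
From: Account Security <alerts@mail-secure-notice.net>
Subject: Someone has your password

Someone just used your password to try to sign in. Change it immediately: https://bit.ly/EXAMPLE
"""
SAMPLE_BENIGN = """\
From: Pat Smith <pat.smith@example.com>
Subject: Team lunch

Team lunch is Thursday at noon. Details: https://intranet.example.com/events
"""
```

Calling `triage()` on each sample returns the matching tags (an empty list for the benign message). In practice the rules are a first pass at the mail gateway: an `exec_display_name_spoof` or `lookalike_domain` finding combined with a request tag is exactly the case that should be routed to the out-of-band verification the FBI recommends rather than answered by reply.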

That’s why training and awareness are often touted as the most important and cost-effective step in combating social engineering, as we noted in a prior social engineering blog. Having the proper tools and training, along with up-to-date threat intelligence to inform them of the latest threats, can help organizations and their employees provide a better front line of defense against the evolving techniques used by threat actors.