Netizen Cybersecurity Bulletin: 22 August 2018 Edition

In this issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Caller ID Spoofing
  • USBHarpooning and Bad USBs
  • FBI Warns Real Estate Industry is a Target for Cybercrime
  • How can Netizen Help?

Caller ID Spoofing

Have you ever received a call where the caller said that you called them when you have not, then your number was most likely spoofed by another person. There are many phone scams that use Caller ID spoofing to hide their identity because Caller ID spoofing makes it impossible to block the number.  Sometimes the numbers are easy to spot, with invalid area codes ‘132’, or numbers with all zeroes.   More and more, however, the fraudsters are getting more devious.

There are online tools that enable anyone to spoof their outbound Caller ID.  While these services are meant to protect the caller’s number from being displayed and claim they aren’t intended for malicious activities, there’s little to prevent someone from abusing these fee-based services.

Businesses are often wasting time answering calls from spoofed customers; in June 2018, a business received an estimated 300 phone calls in one hour, overloading the call center and preventing calls from legitimate customers from getting through.

On the other end of the spectrum, Spoofed Caller IDs have been used to falsely report to police crimes that are occurring in innocent people’s homes, resulting in a waste of law enforcement resources and at least one accidental shooting death.

Recommendations:

Fraudulent calls may be reported to the FCC, which will impose a fine of up to $10,000 to anyone illegally spoofing a number. https://www.fcc.gov/consumers/guides/spoofing-and-caller-id

USBHarpooning and Bad USBs

It is no secret that USB drives can be turned malicious when in the wrong hands. Attacks could range from planting malware to allowing remote code execution from the attacker themselves. In a strange twist of ingenuity, security experts have discovered and thus created a malicious version of a USB charging cable dubbed USBHarpoon. The controller chip of the drive can be reprogrammed to appear to the victim’s computer as a human interface device (HID); more colloquially known as a peripheral. Peripherals include anything from a keyboard to a network card. Attack vectors could include the issuing of commands to modifying the system’s DNS settings to redirect traffic.

Now, the attack is only successful when the computer has been unlocked where it can then launch commands that can download and execute a payload; Windows, Mac, and Linux could all be affected. As of right now, the attack is not a hidden process. Upon insertion of the USB, the malicious activity is visible on the screen, however attempts have been made to activate when the user is not around. What makes the USBHarpoon attack so dangerous is that while many people are aware of harmful USB drives, most are trusting of the ubiquitous charging cable.

Recommendations:

While USBs can be necessary for business purposes, like anything, steps should be taken to prevent or at least mitigate a breach:

  • If feasible, disallow the use of removeable media. If you have no need for USBs, do not even introduce that attack vector.
  • Be cognizant of your cable manufacturer and seller. Off-brand and foreign sellers have a higher possibility of having malicious cables and drives.
  • If you need to use USBs, ensure that all devices are checked for malware before they are connected to the network—especially if it is new and not trusted.
  • Set limits on allowed USB devices and file types based on the user’s role in the organization.
  • Avoid direct plug-ins. Utilize a USB security system like that of a malware scanning kiosk to securely transfer allowed files.
  • Regularly train employees on the importance of adhering to strict USB security practices and policies.

FBI Warns Real Estate Industry  is a Target for Cybercrime

The FBI Internet Crime Complaint Center (IC3) reported that the real estate industry has become especially susceptible to business email compromises (BECs) and email account compromises (EACs).

The attraction to Real Estate goes beyond the large sums of money involved in such transactions, it also goes to the desire of those involved in the sales of homes to get the transactions done.   Home sales can involve numerous people, all dealing with largely electronic documents containing sensitive information.

These scams are frequently carried out when a hacker compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques, such as a malicious message containing a link to a rogue website.

The scam may not always be associated with a request for transfer of funds, as a compromised account can be used to access stored documents (or request new documents) containing Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

The FBI reported hackers have used information that is publicly available on real estate listing sites to target victims. This may include homes that are for sale and the progress of the sale such as “under contract” as well as the contact information of the real estate agent.

FBI  Recommendations:

Title Companies report establishing new procedures when processing legal documents requiring all changes in payment type and/or location to be verified prior to distributing funds.

If you discover a fraudulent transfer, time is of the essence. First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds. Second, contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds. Finally, regardless of dollar loss, file a complaint with http://www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov. The IC3 will be able to assist both the financial institutions and law enforcement in the recovery efforts.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company.

ISO

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s