Scam Of The Week: New FBI and IRS Alerts Against W-2 Phishing
There is a wave of W-2 phishing attacks going on. We see these coming in through thousands of reported scam attempts via our Phish Alert Button. The FBI and the IRS have repeatedly posted warnings that these attacks have started early and that the volume has gone up significantly this year.
Remember those Nigerian prince emails? They are also called ‘Nigerian 419’ scams because the first wave of them came from Nigeria. The ‘419’ part of the name comes from the section of Nigeria’s Criminal Code which outlaws the practice. Well, those gangs have all “growed up” and they are now behind many of today’s W-2 scams. It is surprisingly easy to do a little bit of research and send a spoofed email that looks like it is from the CEO.
These W-2 scams are hitting everywhere, even a cybersecurity contractor was hit with one of these. On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company fell for a W-2 spear phishing attack.
Here are five steps to prevent an incredible amount of hassle and possible damage:
- If you receive any email requesting any kind of W-2 tax information, pick up the phone and verify that request before you email anything to anybody.
- File your taxes at the state and federal level as quickly as you can, or file for an October 16 extension early, before the bad guys can file a bogus claim.
- Consider filing form 14039 and requesting an IP PIN from the government. Form 14039 requires you to state that you believe you are likely to be a victim of identity fraud. Even if cyber criminals haven’t tried to file a bogus tax return in your name, virtually every American’s data has been stolen, which can lead to your identity being stolen.
- Each of the three major credit bureaus offers one free credit report a year, so cycle through them and request one every 4 months. Put them on your calendar and dispute any unauthorized activity.
- Place a “security freeze” or “credit freeze” on your files with all three credit bureaus to prevent ID thieves from assuming your identity and opening up a line of credit in your name.
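The first step above, verifying any W-2 request out of band, can be backed up by a mail-gateway check for the tell-tale signs of the spoofed-CEO email described in the article. This is an added example, not code from the original article; the organisation domain, the executive list and the sample message are constructed, and a real deployment would feed it messages from the mail pipeline.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed values (assumptions, not from the article): the organisation's own
# mail domain and the executives whose names attackers are likely to impersonate.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording typical of the W-2 requests the article describes.
W2_PATTERNS = re.compile(
    r"\b(w-?2s?|tax (forms?|data|information)|payroll (data|records))\b", re.I)

def w2_phish_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like a W-2 spear phish (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not W2_PATTERNS.search(subject + " " + text):
        return []  # not a tax-data request, nothing further to check
    reasons = ["requests W-2/tax data"]
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != ORG_DOMAIN:  # lookalike or external domain
        reasons.append(f"sender domain {sender_domain!r} is not {ORG_DOMAIN!r}")
    known = EXECUTIVES.get(name.strip().lower())
    if known and known != addr.lower():  # display-name spoofing of an executive
        reasons.append(f"display name matches an executive but address is {addr!r}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():  # replies diverted elsewhere
        reasons.append(f"Reply-To {reply_to!r} differs from the From address")
    return reasons

def is_suspicious(raw_message: str) -> bool:
    """Flag a W-2 request that also shows at least one sender anomaly."""
    return len(w2_phish_indicators(raw_message)) >= 2

# Constructed sample message modelled on the spoofed-CEO request in the article.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Hi, I need the W-2 forms for every employee sent to me as PDF today. Thanks, Jane
"""
```

A legitimate W-2 question from a verified internal address yields only the first indicator and is not flagged; the point is to route the anomalous ones to a phone call, not to block tax-season mail outright.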
Darkreading – Intro to Cyber Insurance: 7 Questions to Ask
Cyber insurance is a growing field putting business and security leaders to the test as they navigate the often tricky process of researching and purchasing policies. Technology is quickly changing, and so is risk.
Insurance for cybersecurity is different from other types of insurance because the nature of threats is constantly changing. A hurricane doesn’t change intensity because a building code changes, but cybercriminals will change their strategies as technology and risk evolve.
These changes make it harder for underwriters and companies to stay abreast of the landscape. During the tricky process of buying cyber insurance, you’ll ask and answer questions about your company, security posture, and other factors to determine which policy is best for you, and how much coverage you should buy.
A key step in buying cyber insurance is figuring out what to protect. This goes beyond the common concerns around customer and employee data to include things like brand reputation.
If a data breach hits, your business will need to worry about more than IT damage. The cost of public relations expertise, to recover a brand name following an attack, may not be covered under a cyber insurance policy.
- Cyber insurance is data breach insurance, right?
Oftentimes companies perceive cyber insurance as “data breach insurance”. It’s important to understand breaches make up one portion of cyber insurance coverage. Policies also cover the cost of forensics, legal fees, business interruption, and a whole variety of expenses incurred related to a cyber incident.
- Where do my exposures lie?
Many companies struggle to purchase insurance because they don’t know where their weaknesses are. Risk assessments help them identify their exposures, where their greatest vulnerabilities lie, and which assets are most vulnerable. Where does sensitive data reside? For multi-national firms, how large and varied is your attack surface? Are you protected in all the areas where sensitive data is stored?
- What is the potential damage?
Once you determine your most critical assets and where your vulnerabilities lie, it’s important to gauge the likelihood and potential cost of an attack. Which scenarios do you care about? How much will it cost if your most valuable information is exposed to cybercrime? This number is likely to change as businesses adopt new technologies like cloud, mobile, and IoT — all of which will increase the attack surface and potential cost of a breach.
- How does the size of my business affect my insurance policy?
Small companies undergo a simple insurance application process, the two experts note. They may answer four to five questions that don’t require investigation; for example, “Do you have a firewall?” “Do you encrypt at-risk data?” Inquiries won’t go much deeper than that and smaller businesses will be given a fixed price for their risk.
The process gets more complicated for mid-size organizations, which typically answer a questionnaire about the security controls they have in place. They will provide information about firewalls and other data protection policies, data access and recovery, outsourcing, and compliance.
Larger businesses have to do the most work in developing information for underwriters. Insurers typically require an audit of most big organizations. Underwriters have to speak with the CISO, CIO, and IT teams, making the process burdensome and complex.
- Where are there gaps in my policy?
Given the range of cyber insurance policies, businesses need to put in their due diligence to determine which one is right for them. One of the biggest problems with cyber insurance is organizations don’t have a firm grasp of what is and isn’t covered. Many make the mistake of not buying the correct amount of the insurance that best suits their needs.
Different types of businesses face different threats. Misunderstanding your policy can lead to some unfortunate outcomes. What happens if a hacker breaks into a medical device and causes physical harm? Is bodily injury covered under your insurance policy? It’s understandable to think so, but this isn’t included in many plans.
- I’m lost. How can I make sure I’m doing this right?
Consult a broker when things get difficult, but choose with caution. There are some excellent brokers in the field, but many are so new they don’t have enough experience to effectively advise clients.
“Work with a broker who has domain expertise in cyber insurance,” he says. “This is important because cyber insurance policies vary from carrier to carrier. Auto policies, for example, are generally similar. Cyber varies in language and policies.”
Most major brokerage operators have on-staff experts who know enough to work with large businesses purchasing cyber insurance policies. Small companies buying via local agents or brokers, in contrast, may find those don’t have the level of expertise they need.
SecurityMagazine – Three Senators Introduce Bill to Enhance Cybersecurity
U.S. Senators John Cornyn (R-TX), Patrick Leahy (D-VT), and Ted Cruz (R-TX) have introduced the National Cybersecurity Preparedness Consortium Act to authorize the U.S. Department of Homeland Security to work with the National Cybersecurity Preparedness Consortium (NCPC) to help prepare for and respond to cybersecurity risks at the national, state, and local levels.
“Cybersecurity is an imperative for us all. From large corporations to small businesses and individual Vermonters, to government agencies, our digital security is increasingly at risk,” said Sen. Leahy. “I have long supported the National Cybersecurity Preparedness Consortium to educate our communities to defend and recover from cyberattack. The bipartisan legislation we are introducing today will help to ensure continued collaboration between cybersecurity expertise developed at our nation’s finest educational institutions and state and local governments. I am proud to support this bipartisan effort.”
Security Bulletins from the FBI and DHS
FBI – Joint Intelligence Bulletin
A Joint Intelligence Bulletin (JIB) titled "FBI Arrests Missouri-Based Individual for Attempting to Provide Material Support and Resources to the Self-Proclaimed Islamic State of Iraq and ash-Sham" has been posted.
Scope: This Joint Intelligence Bulletin (JIB) is intended to provide information on the 17 February 2017 arrest of Missouri-based Robert Lorenzo Hester, Jr. by the FBI Kansas City Division, Kansas City Joint Terrorism Task Force (JTTF). Hester was arrested for attempting to provide material support and resources to the self-proclaimed Islamic State of Iraq and ash-Sham (ISIS), a designated foreign terrorist organization (FTO). This JIB is provided by the FBI and DHS to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks against the United States.
DHS – Early warning system for DDoS cyberattacks
Researchers from the Competence Center for IT Security, CISPA, at the Saarland University have developed a kind of early warning system for mass cyberattacks. Details and first results will be presented by the scientists at the computer fair Cebit in Hannover. These mass cyberattacks, known as Distributed Denial of Service (DDoS) attacks, are considered to be one of the scourges of the Internet.
Because they are relatively easy to conduct, they are used by teenagers for digital power games, by criminals as a service for the cyber mafia, or by governments as a digital weapon. According to the software enterprise Kaspersky, some eighty countries were affected in the last quarter of 2016 alone. Last October, for example, several major online platforms such as Twitter, Netflix, Reddit, and Spotify were unavailable to Internet users in North America, Germany, and Japan for several hours. A new type of DDoS attack, a so-called amplification attack, was found to be the source of these outages.
Google Chrome – Will distrust Symantec SSLs for Mis-issuing 30,000 EV Certificates
Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years.
The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again.
Sophos – USB pen-testing stick: what happens if it falls into malicious hands? (Thx to Ryan Lieving for the article)
Back in September, many tech publications highlighted a killer stick: a USB stick marketed to pen testers and law enforcement that could be used to test the surge protection circuitry of electronics.
Test, or, as the case may be for devices lacking surge protection, zap to death.
The so-called USB Killer – which comes from a Hong Kong company – looks like a standard USB drive, but it’s actually filled with capacitors.
Once you plug it in, the USB Killer rapidly charges all those capacitors from the USB power supply. Then, once it’s full, it turns around and electro-vomits all that power back into the drive. It works in a fraction of a second, frying circuits in laptops, PC monitors, photo booths, kiosks, or even cars.
The charge/discharge cycle is repeated many times per second, until the USB Killer is removed, leaving about 95% of all devices partially or permanently damaged. According to Bleeping Computer, the only products that could withstand USB Killer 2.0 were recent MacBook models, since they optically isolate the data lines on USB ports.
Cisco – A simple command allows the CIA to commandeer 318 models of Cisco switches (Thx to Stephen Bishop for the article)
Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.
Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.
"An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections," the advisory stated. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
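The advisory's precondition is a device "configured to accept telnet connections", so a quick defensive check is to audit the VTY lines in each switch's running configuration for telnet being allowed. This is an added example, not code from the article or from Cisco; the configuration excerpt is constructed, and the treatment of a missing `transport input` line is an assumption noted in the code.

```python
import re

# Constructed running-config excerpt (assumption, not taken from the Cisco advisory).
SAMPLE_CONFIG = """\
hostname sw1
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 31
 login local
!
end
"""

def parse_line_blocks(config: str) -> dict:
    """Map each 'line ...' header to the indented commands configured under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def vty_lines_accepting_telnet(config: str) -> list:
    """Return (vty range, evidence) for every VTY line that still accepts telnet."""
    findings = []
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            # Assumption: a missing 'transport input' is treated as telnet-capable,
            # because older IOS releases default to 'all'; confirm the platform default.
            findings.append((header, "no transport input (platform default)"))
            continue
        allowed = transports[-1].split()[2:]  # last statement wins in IOS
        if "telnet" in allowed or "all" in allowed:
            findings.append((header, transports[-1]))
    return findings
```

Lines reported here are the ones where restricting access to SSH (`transport input ssh`) removes the precondition the advisory describes.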