.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
The target: Norfund, a Norwegian state-owned Private Equity company.
The take: $10 million USD, diverted from a microfinance institution in Cambodia to a Mexican bank account.
The attack vector: Attackers gained access to Norfund’s e-mail system, likely via a phishing attack, and studied communication between Norfund and their partners. This allowed them to identify those responsible for money transfers, and create a false Norfund e-mail address to impersonate the individual authorized to wire large sums of money via their bank. The attackers diverted the payment intended for the Cambodian institute to a Mexican bank account, fraudulently created in the same name. The attackers delayed discovery of the fraud by over a month by continuing communication in both directions with both Norfund employees and the Cambodian institute, thereby ensuring that the banks would be unable to reverse the fraudulent transfer.
This is, unfortunately, yet another example of a sophisticated business e-mail compromise attack, wherein a very capable group of attackers used access to an internal system to learn the patterns, habits, and procedures of an organization and then proceeded to exploit them. Addressing complex threats like this one require complex and multi-levelled controls – user phishing training and two-factor authentication for e-mail accounts, monitoring of access to e-mail systems, and robust and layered controls around cash transfers that require multiple channels of verifiable communication.
The target: Small Business Administration (SBA), a US government agency that supports entrepreneurs and small businesses.
The take: Up to 8,000 applications for Economic Injury Disaster Loans may have been improperly exposed to other applicants, including such sensitive data as social security numbers, addresses, phone numbers, dates of birth, income and financial/insurance information.
The attack vector: A flaw in the caching configuration of the online loan application portal, implemented to accommodate increased demand, meant that when one applicant pressed the ‘back’ button in their web browser during the application process, they may have been served a page containing the application data belonging to another business.
Scalability of critical infrastructure is an essential component of web applications and electronic tools – sudden increases in demand for certain services are a reality in the face of the evolving COVID-19 pandemic. It is equally critical, however, that while considering system capacity, security controls are not weakened.
The target: Council of the City of Sheffield in South Yorkshire, England
The take: 8.6 million records of vehicle movements, labelled with license plate numbers and millions of photographs from the county’s 100 surveillance cameras.
The attack vector: The city’s Automatic Number Plate Recognition (ANPR) system was left exposed and publicly available to anyone with an internet connection – furthermore, the internal dashboard on this exposed system employed absolutely no password protection or other method of authentication. Anyone with the public IP address of the system could immediately access and search the system by license plate number, potentially allowing bad actors to recreate the travel patterns and movements of individual citizens, minute by minute.
As we have previously emphasized, security controls must be commensurate with the level of sensitivity of data being stored, and must travel with that data throughout its lifecycle. When personally identifiable information is being collected and processed, best practise would prescribe multiple compensatory layers of protection, as consequences for breaches of such data can include falling afoul of the GDPR and privacy legislation in other jurisdictions.
The target: Three large UK and Israeli-based Private Equity firms, among others, were targeted by an organized criminal enterprise dubbed ‘The Florentine Banker’ by security researchers.
The take: 1.1M GBP, transferred to fraudulent bank accounts – only half of which was able to be recovered.
The attack vector: The unnamed victims were targeted with a prolonged business e-mail compromise attack, where targeted phishing e-mails were sent to various employees, until eventually, attackers had access to multiple e-mail accounts. Over time, the attackers reviewed correspondence in these accounts to compile an overview of the structure of the firms, relationships with outside parties, and gained an understanding of the channels and procedures used to move money. From there, they added mailbox rules to redirect messages pertaining to wire transfers, and interjected themselves into those conversations using look-alike domains in order to intercept and redirect funds.
This story highlights the vital importance of compensatory controls and secondary validation steps around critical actions like transfer of cash (voice/video confirmation of the details of an e-mail request, for example). Furthermore, incidents like these serve to highlight the necessity of enabling (and enforcing) two-factor authentication on e-mail accounts and rigorous social engineering training and testing of staff to help prevent compromise. Ultimately, firms must nurture a culture of critical thought and encourage employees to question requests or actions which seem out-of-the-ordinary.
The target: General Electric, a Fortune 500 technology firm
The take: Personally identifiable information and documentation of current and former employees, as well as their beneficiaries – including direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, child support orders, and many others.
The attack vector: While their own systems were not compromised, GE were notified by a service provider of a breach affecting their data. Canon Business Process Services reported that one of their employee’s email accounts was breached by an unauthorized party for a period of just under two weeks in February of this year. This employee had processed data on behalf of GE and the attackers gained access to a litany of confidential information.
Service provider relationships continue to pose increasing challenges for firms in today’s security landscape, as subcontracted entities may handle a firm’s sensitive data – be that business-critical data or the PII of their employees. A firm is ultimately responsible for their data regardless if they or a subcontractor are the ones handling it, and as such, a firm’s own security controls must follow that data and extend to third party processors.
The target: MCA Wizard, a now defunct mobile app for loaning money to small business owners developed jointly by Advantage Capital Funding and Argus Capital Funding in 2018.
The take: 425GB of data comprising over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders & receipts, tax returns, social security information and more.
The attack vector: Even though the app itself was pulled from both Google Play and the App Store, the data behind it remained online, stored in an unsecured AWS S3 bucket which was accessible without a password. Security researchers noted that while the app was no longer available, new documents were being added to the database right up until its removal, suggesting that another application or service could have been using the same bucket.
While this is yet another example of a misconfigured storage bucket, it also raises the issue of security controls and management of the lifecycle of data. If an app or service reaches its end of life, there is absolutely an onus on the responsible firm to manage any sensitive data collected or processed by that app through to secure deletion.
The target: Virgin Media, a British telephone, television and internet provider
The take: ‘Limited contact information’ of 900,000 customers, including names, home and e-mail addresses, and phone numbers along with some birth dates and technical and product information.
The attack vector: A misconfigured marketing database left the information exposed for nearly a year, and was confirmed to have been accessed ‘on at least one occasion’ by an outside party.
This incident highlights the need to ensure regimented security controls are established and verified anywhere that an organization stores personally protected information. Security controls must always be commensurate to the type of data being stored, and they must travel with that data to protect the firm and it’s clients from a data breach.
The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California
The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.
The attack vector: While details have not been published at this time, it is likely that the initial compromise of Rosen’s account was as a result of a targeted phishing attack. Once attackers had control of his e-mail account, they were able to send a malicious attachment to his contact list, and even responded to individuals who questioned the legitimacy of the e-mail – assuring them that attachment was safe, and that they should open it post-haste.
One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.
The target: C3UK, a provider of Free WiFi at railway stations across the UK
The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans
The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.
While security controls around production systems and databases are missions critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate to the level of sensitivity of data being handled, and must travel with that data throughout its lifecycle.
The target: Buchbinder, a German car rental company
The take: Personally Identifiable Information of 3.1 million customers including: names, emails, phone numbers, addresses, dates of birth, license numbers, bank details and payment info. In total, over 5 million files were exposed, with some of them being passwords belonging to employees which were stored in plain text.
The attack vector: An unsecured backup database which was completely unprotected by any credentials and was freely accessibly to anyone with an internet connection. The database was discovered as part of routine scanning for unprotected databases.
This type of data is a prime target for threat actors seeking to carry out targeted phishing campaigns and BEC (business email compromise) attacks. Failure to implement robust practices can leave firms open to violations of data protection standards, and highlights the fact that protecting user data is the same as protecting the firm.
