Cybersecurity Today: Email Frauds, Google Warnings, and U.S. Telecom Hacks
Jim Love
A personal encounter with email and other fraud. Google warns of email takeovers. And the US telco industry continues to reel from the impact of a massive infiltration by Chinese hackers. This is Cybersecurity Today. I'm your host, Jim Love.

This week we've been hit by three very convincing hack attempts. Two relating to emails related to invoice payments, and another much more clever. One of these freaked me out totally. It was a company looking for payment on an old invoice. It came with a long email chain showing their interactions with a previous and very senior employee, including his authorization of these charges. They made two mistakes, actually. Three, if you know how frugal our corporate culture is, so nobody would spend a significant amount of money without us discussing it. But they asked for too much and they spent too little time on the description of the services in their fake. But otherwise everything else was unbelievably believable.

A second invoice came in for another smaller amount the same week, and it actually had our accountant following up with the company to ask questions about the amount due. Again, it wouldn't have slipped through our approval process because we're cheap and everything gets questioned. But for those who aren't in the publishing business and who actually make money with their companies, or have bigger organizations, some of these are getting through, especially when there's some disruption. For instance, the city of Hamilton, struck by ransomware that took out a lot of their files and backups, is estimating that they've been scammed out of $800,000 or more through phony invoices or similar schemes.

I mentioned there were three of these hack attempts. Last week we got an email from one of our employees asking us to have their pay sent to a new banking number. It was very well done. Now, we have a small company. So one of our people questioned it, and of course we verified it with the employee and found out it was a fraud.
Net net: with how well these email scams are done, we've set up a separate and encrypted means of communication, just between the small group of us, to be used for approvals. The impact: we've had to set up a cumbersome and less efficient means of issuing approvals for payment. We can't do that by email anymore. Now, for a company of our size, even a relatively small amount is a big deal. And by the way, we have endpoint protection and we use a cloud email that has great blocking for spam and phishing emails. But as my friend David Shipley, Fisher King, as I like to call him, will always say, more gets through than you think. So if you haven't done so, you might want to take a step back and review your own email approval processes. Maybe, like you should have with your kids, in an era of deep fakes, you might need the equivalent of a safe word. Love to hear your solutions and ideas about this; please send them to me. Yeah, I know, by email, at editorial@technewsday.ca.

And still on the subject of email, Google is urging Gmail users to act swiftly to secure their accounts, as attackers are increasingly exploiting session cookie theft and other methods to lock out legitimate users. And once hackers take control, they can change passwords, recovery options, even add their own security measures, leaving account owners with just seven days, in the case of Google, to reclaim their access, if they can do it at all. Now, the hackers often rely on phishing emails, malware or session cookie theft to access these Gmail accounts. Session cookies, which keep users logged in without re-entering passwords, are particularly vulnerable when devices are compromised. Once inside, attackers move quickly, changing the account credentials and recovery methods, effectively locking out the rightful owner.
Once an account is taken over, Google, as we mentioned, provides only a seven-day window to reclaim it before attackers can entrench their control, and this makes swift action crucial to preventing permanent loss of access. And as all too many users will find out, when and if your email is compromised, you're not going to be able to talk to a person at Google unless you have a huge company and some great influence. What you have is some help text and a prayer.

So here's what Google recommends. Google emphasizes the importance of immediate action. If you suspect your account is compromised, they say to visit their recovery page and use their account recovery tool. You should provide backup info, ensuring recovery email addresses and phone numbers are updated and accessible, so that you can recover your account. They say to monitor for changes, review recent account activity, update your settings and enable added security measures: two-factor authentication, or physical security keys or passkeys for stronger protection.

But this warning isn't limited to Gmail users. Session cookie theft, which allows attackers to bypass passwords and two-factor authentication, is on the rise on all email platforms. This method lets hackers hijack existing sessions, giving them full access without triggering alerts in many cases, and it's increasingly important for users to take additional care. Many of the steps are the same as we recommended for Google: adopting phishing-resistant security, checking your recovery options, but also, and this is something that might be applicable to all, avoiding public WiFi, since open networks can expose your session cookies to attackers. And of course, advising our users to stay vigilant, being cautious with email links and attachments, even from familiar sources. I've also been advising people to fully log out of their email sessions when they're done. Leaving their email open, or checking those "Remember me" boxes that extend the life of session cookies, is probably not a good idea, regardless of how convenient it is.

And I know a large part of our audience work in corporate security, and many of the things I've said are obvious, but they're things that we should be getting across to our user community. And something you probably also know is that when these email hacks come in through a user's private email account, there are still potential implications for our corporate accounts, as email remains the cornerstone of personal and professional communication. This has got to be a wake-up call for users and corporate security people to help strengthen defenses. Whether you're a Gmail user or on another platform, the proactive measures can save you from some devastating breaches.

And the fallout continues as the scope of what can only be called the total infiltration of the US telecom providers becomes clear. As telcos and regulators come to terms with the difficulty of how to evict Chinese-backed hackers from their networks, the group known as Salt Typhoon has exploited vulnerabilities in legacy systems to spy on high-value targets, including government officials and journalists, and the breach underscores the difficulty of securing these vast and aging networks. Salt Typhoon has infiltrated eight major US telecom providers and remains embedded in some systems, according to federal officials. The attackers exploited legacy equipment, some of it nearly 50 years old, and wiretap systems required for law enforcement access. Fixing these vulnerabilities requires patching probably every device, from outdated routers to employee computers, a massive logistical challenge. T-Mobile, as we mentioned last week, fared better than other providers thanks to its fully wireless 5G-based network. With no legacy landline system, the company was able to quickly detect and block an attempted intrusion through a wireline partner. However, other providers are facing greater risks due to their reliance on older, more complex infrastructure.
Experts say many breaches come down to basic security lapses like unpatched devices or weak authentication, and federal agencies have urged telecoms to implement stricter security measures, including multifactor authentication and comprehensive activity logging. But even with these defenses, nation-state actors like Salt Typhoon are highly skilled at covering their tracks and finding new ways in, so the fight to secure US telecoms is far from over. But it makes you think. Not too long ago, a number of countries decided not to have Huawei equipment as part of their networks because they were afraid that China could use it to spy on their network. Probably a good decision, but apparently not the only step they needed to take.

And that's our show for today. You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Email and Other Fraud - It Gets Personal
Episode Release Date: December 9, 2024
Host: Jim Love
In this episode of Cybersecurity Today, host Jim Love delves into the escalating threats posed by sophisticated email fraud and the broader implications for both individuals and businesses. The discussion highlights recent incidents, provides expert recommendations, and underscores the persistent challenges in safeguarding digital communications.
Jim begins by recounting personal experiences with convincing hacking attempts targeting his organization. He shares three notable incidents from the past week:
Fake Invoice Payments:
Jim describes two separate fraudulent invoice requests. The first involved an email chain that appeared authentic, complete with interactions involving a senior employee’s authorization. However, the scammers made critical mistakes: they asked for too much money, and they spent too little effort describing the services supposedly rendered.
These errors ultimately raised red flags within his company’s frugal corporate culture, where no significant spend goes undiscussed, preventing the scams from succeeding.
Accountant Follow-Up Scam:
A second invoice was for a smaller amount but included a follow-up from the company’s accountant, which initially seemed credible. Jim emphasizes, "It wouldn't have slipped through our approval process because we're cheap and everything gets questioned" ([00:02]).
Employee Bank Account Fraud:
The third attempt involved an email requesting a change in an employee’s banking details for payroll. Fortunately, vigilant staff members questioned the legitimacy, allowing the company to verify and thwart the fraud.
Jim highlights the broader impact of such sophisticated scams on larger organizations: the city of Hamilton, already struck by ransomware that took out many of its files and backups, estimates it has been scammed out of $800,000 or more through phony invoices and similar schemes.
Jim stresses the importance of robust approval processes, especially for businesses that may not have the same level of scrutiny as his own, where "some of these are getting through, especially when there's some disruption" ([00:02]).
In response to these threats, Jim outlines several measures his company has implemented:
Encrypted Communication Channels:
To prevent email-based fraud, the company has adopted a secure, encrypted communication method exclusively for payment approvals among their small team.
Cumbersome but Necessary Procedures:
While these new processes are less efficient, Jim asserts, "We can't do that by email anymore" ([00:02], referring to email approvals).
Endpoint Protection and Spam Filtering:
Despite using cloud email services with strong spam and phishing filters, Jim acknowledges, "More gets through than you think" ([00:02], quoting his friend David Shipley), emphasizing the need for continuous vigilance.
Jim advises other organizations to review and potentially overhaul their email approval processes, suggesting the adoption of safeguards akin to a "safe word" in the age of deepfakes.
Jim shifts focus to recent warnings from Google regarding Gmail account security:
Session Cookie Theft:
Google is urging users to secure their accounts against increased threats of session cookie theft and other methods that allow hackers to lock legitimate users out of their accounts.
Account Recovery Challenges:
Once an account is compromised, hackers can rapidly change passwords and recovery options, leaving users with only a seven-day window to reclaim their accounts—if at all possible ([00:02]).
Jim explains the tactics used by attackers, including phishing, malware, and exploiting session cookies that keep users logged in without re-entering passwords.
Google provides several strategies to mitigate these threats:
Immediate Action on Suspicion:
If users suspect their account is compromised, they should use Google's account recovery tool immediately, ensuring all backup information is up-to-date.
Enhanced Security Measures:
Users should monitor for changes, review recent account activity, and enable added protections such as two-factor authentication, physical security keys, or passkeys.
Avoiding Public WiFi:
Public networks can expose session cookies, making it easier for attackers to hijack sessions. Jim advises, "Avoid public WiFi, open networks can expose your session cookies to attackers" ([00:02]).
Vigilance with Emails:
Users should remain cautious with email links and attachments, even from familiar sources, and ensure they fully log out of email sessions to prevent unauthorized access.
Jim reiterates the importance of these measures not just for Gmail users but across all email platforms, emphasizing that "proactive measures can save you from some devastating breaches" ([00:02]).
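The mechanics behind the session-cookie advice above, as an added illustration that is not from the episode or from Google: a hypothetical server-side session store in which a "Remember me" login stretches the cookie's lifetime, logging out revokes it immediately, and a cookie replayed from a different client than the one it was issued to is refused and revoked. All names, lifetimes and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed lifetimes: a plain session dies after 15 minutes of wall-clock time,
# while a "Remember me" session survives for 30 days, which is the window a stolen
# cookie stays useful to whoever copied it.
SESSION_TTL = 15 * 60
REMEMBER_ME_TTL = 30 * 24 * 3600


class SessionStore:
    """Hypothetical in-memory session table keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _client_fp(ip, user_agent):
        # Bind the cookie to the client it was issued to. Caveat for real
        # deployments: IP binding breaks for users who roam between networks,
        # and a User-Agent string is trivially copied, so treat a mismatch as a
        # signal to revoke and re-authenticate rather than as proof of theft.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user, ip, user_agent, remember_me=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
        self._sessions[token] = {"user": user, "fp": self._client_fp(ip, user_agent),
                                 "expires": now + ttl}
        return token

    def validate(self, token, ip, user_agent, now=None):
        """Return (user, None) for a good cookie, or (None, reason) otherwise."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown-or-logged-out"
        if now > s["expires"]:
            del self._sessions[token]
            return None, "expired"
        if not hmac.compare_digest(s["fp"], self._client_fp(ip, user_agent)):
            del self._sessions[token]  # replayed from elsewhere: kill the session
            return None, "client-mismatch"
        return s["user"], None

    def logout(self, token):
        # A full logout is what actually invalidates the cookie server-side;
        # closing the browser tab does not.
        self._sessions.pop(token, None)
```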
The episode also covers a significant breach within the US telecommunications sector:
Salt Typhoon Group:
Chinese-backed hackers have infiltrated eight major US telecom providers, exploiting vulnerabilities in legacy systems. Their activities include spying on high-value targets such as government officials and journalists.
Challenges with Legacy Systems:
Many telecom infrastructures use outdated equipment, some nearly half a century old, complicating efforts to secure networks. Jim highlights, "Fixing these vulnerabilities requires patching probably every device from outdated routers to employee computers" ([00:02]).
Case Study: T-Mobile’s Resilience:
T-Mobile, with its fully wireless 5G-based network, was better positioned to detect and block intrusions quickly, unlike other providers reliant on older, more complex infrastructure.
Experts cited in the episode attribute many breaches to basic security lapses, such as:
Unpatched Devices: Neglecting to update hardware and software can leave systems vulnerable.
Weak Authentication Practices: Implementing only basic authentication measures increases risk.
Federal agencies have urged telecom companies to adopt stricter security protocols, including:
Multifactor Authentication: Adding layers beyond just passwords.
Comprehensive Activity Logging: Monitoring all activities to detect and respond to breaches swiftly.
However, even with these defenses, nation-state actors like Salt Typhoon continue to develop advanced methods to bypass security, making the fight to secure US telecoms an ongoing battle.
Jim concludes by reflecting on the broader implications of such breaches, questioning the sufficiency of measures like excluding certain foreign equipment vendors and emphasizing the need for comprehensive security strategies.
Jim Love wraps up the episode by reiterating the critical need for both individuals and organizations to stay informed and proactive in their cybersecurity efforts. He encourages listeners to share their solutions and ideas, fostering a community-driven approach to combating cyber threats.
For more detailed reports and information discussed in this episode, listeners are directed to the show notes at technewsday.com and invited to provide feedback via email at editorial@technewsday.ca.
This summary captures the key discussions and insights from the December 9, 2024 episode of Cybersecurity Today, offering actionable advice and highlighting the ongoing challenges in the cybersecurity landscape.