Transcript
David Shipley (0:00)
Microsoft reports increasingly sophisticated tax-themed phishing. A Minnesota cybersecurity and computer forensics expert faces questions about his credentials and an inquiry from the FBI. Australian retirement funds raided in cyber attacks that leave some customers panicked. This is Cybersecurity Today and I'm your host, David Shipley.

With tax day rapidly approaching in the United States on April 15 and April 30 in Canada, criminals are once again ramping up their tax-themed phishing campaign volumes and sophistication. Microsoft's Threat Intelligence team is reporting that they've seen campaigns using QR codes and URL or web-link shortener services, and they posted examples and thorough analysis, including images of the kinds of tax themes that they're seeing. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service platform, remote access Trojans, and other forms of malware. Example email subjects include "Notice: IRS has flagged issues with your tax filing," "Unusual activity detected in your IRS filing," and "Important action required: IRS audit." It's crucial to note that the IRS does not initiate contact with taxpayers by email, text or messages on social media to request personal or financial information.

Now, typically this kind of campaign would be great to replicate with a phishing simulation to help people learn from experience in a safer way. However, the IRS has taken a particularly stern stance on phishing simulations that use its name or logos and has warned major phishing simulation providers and their customers not to use them or they may face significant legal consequences. Government agencies in many countries have additional legal protections for their name, likeness and logos. If you are determined to do a tax-themed phishing simulation, avoid using government agencies' real names or logos. That may make the simulation less compelling in some cases, but it can save you a world of grief. Think "Internal Tax Agency" or "Canada Tax Service" instead of using names like IRS or CRA. In past conversations with an IRS agent about this very issue, the agent explained that tracking down phishing simulations reported to them by recipients was taking away too much of their valuable resources from investigating real phishing attacks. Now, you may not agree with that take, but I can guarantee you that it's not worth getting into a fight with a US federal government agency. You can still educate your employees about tax themes, which can help them protect themselves both at home and at work. Think about deploying educational modules, not just relying on phishing simulations, or having a lunch and learn, virtually or in person, and sharing the examples that Microsoft has provided.

Cybersecurity journalist Brian Krebs has a jaw-dropping story this week about a Minnesota cybersecurity and computer forensics expert whose testimony has been featured in thousands of courtroom trials over the past 30 years, facing questions about his credentials and an inquiry from the Federal Bureau of Investigation. According to Krebs, Mark Lanterman, a former investigator for the U.S. Secret Service's Electronic Crimes Task Force, founded the Minneapolis consulting firm Computer Forensic Services, or CFS. Krebs has reported that the CFS website had claimed that Lanterman's 30-year career included seeing him testify as an expert in more than 2,000 cases, with experience in cases involving sexual harassment, workplace claims, theft of intellectual property and trade secrets, white-collar crime and class action lawsuits. That information was removed from the CFS website last month, with the removal coming after the Hennepin County Attorney's office said it was notifying parties to 10 pending cases that they were unable to verify Lanterman's educational and employment background. The county also said the FBI is now investigating.

Allegations around Lanterman's credentials were first raised by Sean Harrington, an attorney and forensics examiner based in Prescott, Wisconsin. Harrington alleged that Lanterman had lied under oath in court on multiple occasions when he testified he has a bachelor of science and a master's degree in computer science from the now-defunct Uppsala College and that he had completed his postgraduate work in cybersecurity at Harvard University. Legal experts say this issue could be grounds to reopen a number of adjudicated cases in which the expert's testimony may have been pivotal. Krebs has also reported alleged shocking statements by Lanterman and behavior by CFS regarding putting claims or liens on client data and offering up client data for auction if invoices that clients had objected to weren't paid. This story could have massive repercussions and raises questions about the need for potentially professional standards bodies and reliable accreditation for cybersecurity expertise, especially when it's relied on by the courts. There's a reason why lawyers, doctors and engineers and many more have mandatory professional associations and regulations around their professional conduct. At a minimum, certain highly specialized roles like cyber forensics should absolutely be held to the same high professional standards as other fields.

Several of Australia's largest superannuation providers have been swept up in what appears to be a highly orchestrated cyber scam taking hundreds of thousands of dollars from members' retirement funds. Rest, Hostplus, Insignia, Australian Retirement and AustralianSuper have all been flagged as targets, but so far the biggest impact seems to be at AustralianSuper. Reportedly, attackers had timed the account takeovers to occur in the early morning hours when people would be asleep, less likely to be able to see or act in a timely fashion to prevent the theft. As the nation's largest super fund, AustralianSuper manages over A$365 billion, or about US$223 billion, on behalf of 3.5 million members. In this breach, a handful of those members saw a collective A$500,000, or US$305,000, siphoned off. The fund says it's working with authorities to track down the missing money, but has yet to confirm it will fully compensate affected members.

One significant question remains: did the compromised accounts have mandatory multi-factor authentication on logins or fund transfer authorization? In many cases, financial institutions, including retirement funds, are often very reluctant to add features like MFA for fear it could drive customers to competitors who are seen as more convenient. Additionally, absent any regulations to make financial services more secure and require MFA, many won't, and will reduce their risk simply by holding customers accountable or liable for losses. This story is one of many that highlight the need for a shared risk and shared responsibility model between financial institutions and customers. Financial services providers must be required to offer MFA, and ideally they should only allow customers to choose from MFA methods, not to be able to opt out completely from MFA. But even the best multi-factor authentication can still be socially engineered. That's where the customer comes in. Customers must be required to take basic security awareness training about their financial services account, and that training must indicate clearly that they have certain responsibilities. And they need to also indicate clearly that they understand those responsibilities, including the need to protect usernames and passwords and to avoid authorizing MFA requests that they didn't start.

We're always interested in your opinion and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
