Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Away we go!
1. Clicking the F12 Button Considered ‘Hacking’ Per Missouri Governor
Reporter Josh Renaud of the St. Louis Post-Dispatch responsibly disclosed a vulnerability on a website maintained by the state’s Department of Elementary and Secondary Education that allowed anyone to view the Social Security numbers of Missouri school teachers, administrators and counselors just by viewing the HTML source of the website (aka hitting the F12 button).
Rather than thanking the journalist for exposing a flaw that has been exposing public employee data for who knows how long, Missouri Governor Mike Parson decided it would be better to shoot the messenger and threaten them with prosecution.
This case unfortunately is not unique; see HERE, HERE and HERE. However, it is clearly further evidence that there is a general lack of understanding of cybersecurity matters at the highest levels of government. The cybersecurity community has been saying for a long time that there ought to be standard responsible disclosure laws and rules nationwide that allow journalists and other ethical figures to look for and report issues like the one found here. If responsible actors aren’t out there doing this, the bad actors surely are.
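The Missouri flaw was data that the server rendered into the page source, where the browser never displays it but anyone pressing F12 can read it. The check below is an added example (not the state’s code, nor anything from the Post-Dispatch reporting): it walks the full HTML source, including comments and attribute values rather than just visible text, and flags anything shaped like a Social Security number, applying the SSA structural rules to cut false positives such as phone numbers. The sample page and the SSNs in it are constructed test values.

```python
"""Pre-deployment check: flag Social Security numbers that leak into HTML source.

Added example; the sample page below is constructed and its SSNs are fabricated.
"""
import re
from html.parser import HTMLParser

# Loose SSN shape: 3-2-4 digits with optional dash or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, nor group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


class _SourceWalker(HTMLParser):
    """Collect text, comments and attribute values: everything 'view source'
    exposes, not only what the browser paints on screen."""

    def __init__(self):
        super().__init__()
        self.chunks = []  # (location, text) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        self.chunks.append(("text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def find_ssn_leaks(html: str) -> list:
    """Return (location, masked_ssn) pairs for every plausible SSN in the source."""
    walker = _SourceWalker()
    walker.feed(html)
    findings = []
    for where, text in walker.chunks:
        for match in SSN_RE.finditer(text):
            area, group, serial = match.groups()
            if is_plausible_ssn(area, group, serial):
                # Report only the last four digits so the finding itself is not a leak.
                findings.append((where, f"***-**-{serial}"))
    return findings


# Constructed sample: one SSN hidden in a data attribute, one in a debug comment,
# plus a phone number and a 10-digit id that must NOT be flagged.
SAMPLE_HTML = """<!-- constructed sample page: educator lookup results -->
<html><body>
<h1>Educator lookup</h1>
<table>
  <tr data-ssn="219-09-9999"><td>Jane Doe</td><td>Certified</td></tr>
  <tr><td>John Roe</td><td>Phone: 555-867-5309</td></tr>
</table>
<!-- TODO remove debug: ssn=123-45-6789 -->
<script>var ids = [1234567890];</script>
</body></html>"""

if __name__ == "__main__":
    for where, masked in find_ssn_leaks(SAMPLE_HTML):
        print(f"SSN leaked in {where}: {masked}")
```

Run this against rendered responses in a staging environment or as a CI step that fetches each page template with test data; a single finding should fail the build, because the issue is not the browser feature used to read the page but the server putting the data there at all.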
2. Deep Fakes Gaining Steam in Elaborate Social Engineering Attacks
As if social engineering wasn’t already a tough enough problem to combat on a daily basis, there are new threats on the horizon that are quickly gaining steam. This Forbes article outlines a case from a bank in the United Arab Emirates where a bank manager received a call from what sounded like a customer of theirs; however, it was an artificial-intelligence-generated fake voice on the other end of the call.
Through an elaborate pretext of an exciting acquisition their company was about to make, which was corroborated by a supporting fake email from an attorney that they usually deal with, the thieves made off with approximately $35 million. Court documents dug up by the Forbes writer reveal that, “The Emirati investigation revealed that the defendants had used ‘deep voice’ technology to simulate the voice of the Director.”
Back in 2019, there was a similar case reported by the Wall Street Journal, although much less lucrative. In this case, a German executive was impersonated by deep fake voice technology to transfer a couple hundred thousand dollars to criminals.
Some may remember the Tom Cruise deepfake video from earlier this year. This Verge article outlines just how difficult it was to put that together; however, when $35 million is at stake, there doesn’t seem to be a limit to the lengths to which criminals will go to carry out their misdeeds.
3. Phishers Getting Tricky with Coinbase Fraud
A recent Brian Krebs article called out a massive phishing campaign targeted at Coinbase users in Italy. The article explains how the fraudsters were trying millions of email addresses to identify legitimate Coinbase accounts, as well as the lengths they were going to in order to also steal one-time passwords (OTPs) from users through an elaborate fraudulent email and phishing website. Once they had victims on the hook, they would siphon off funds from their accounts.
This example, as well as the deep fake examples above, shows that criminals will go to great lengths to execute their attacks. For examples like the Coinbase one, the power is in the end-users’ hands as the last line of defense against these attacks. One should never click on links that come in emails or text messages that try to make us respond quickly and not think logically about what may be happening. It is always advisable to visit the website in question directly through a browser or search engine rather than clicking the link in question.
The Coinbase story also calls into question the monitoring capabilities of organizations like these and how Coinbase can work to monitor the internet for these types of attacks and look-alike infrastructure that can be harbingers of these types of frauds. I would argue that companies like Coinbase have a responsibility to monitor the internet space as well as their own systems for these types of frauds on a persistent basis to protect consumers of their services.
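Monitoring for look-alike infrastructure mostly comes down to watching new-domain feeds (certificate transparency logs, passive DNS, zone files) and scoring each name against the brand. The script below is an added example of that scoring step, not Coinbase’s tooling or anything from the Krebs article: it folds common visual confusions (digits for letters, accented characters), checks for the brand keyword with extra tokens, and uses a Damerau-Levenshtein distance so a two-letter swap still registers as a typosquat. The brand label, the list of the brand’s own domains and the candidate feed are all constructed assumptions.

```python
"""Score newly observed domains for resemblance to a protected brand domain.

Added example; BRAND, OWN_DOMAINS and the candidate feed are assumptions.
"""
import unicodedata
from typing import Optional

BRAND = "coinbase"                 # assumed protected label
OWN_DOMAINS = {"coinbase.com"}     # assumed allowlist of the brand's registrable domains

# Visual or keyboard confusions commonly seen in look-alike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Lower-case, strip accents (IDN homoglyphs) and fold digit/letter look-alikes."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment Damerau-Levenshtein: a transposition costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(domain: str) -> Optional[str]:
    """Return a reason if the domain resembles BRAND, else None.

    Assumes the last label is the TLD (good enough for a demo; use the public
    suffix list in production) and that IDNs arrive already decoded to Unicode.
    """
    labels = domain.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])
    if registrable in OWN_DOMAINS:
        return None                      # the brand itself, any subdomain
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld == BRAND:
        return "tld-variant"             # coinbase.co, coinbase.net, ...
    norm = normalize_label(sld)
    if norm == BRAND:
        return "homoglyph"               # c0inbase, coinbäse
    if BRAND in norm.replace("-", ""):
        return "brand-keyword"           # coinbase-login, mycoinbase
    if edit_distance(norm, BRAND) <= 2:
        return "typosquat"               # coinbsae, coinbas
    if any(normalize_label(l) == BRAND for l in labels[:-2]):
        return "brand-subdomain"         # coinbase.example.com
    return None


def scan_feed(domains) -> list:
    """Return (domain, reason) pairs for every flagged name in a feed."""
    return [(d, r) for d in domains if (r := classify_domain(d)) is not None]


# Constructed feed standing in for a day's certificate-transparency output.
SAMPLE_FEED = [
    "coinbase.com", "login.coinbase.com", "c0inbase.com", "coinbäse.com",
    "coinbase-login.com", "coinbsae.com", "coinbase.co", "coinbase.example.com",
    "github.com",
]

if __name__ == "__main__":
    for name, reason in scan_feed(SAMPLE_FEED):
        print(f"{name:28} {reason}")
```

Certificate transparency feeds deliver internationalized names as punycode (`xn--...`); decode them with Python’s `idna` codec before scoring. Flagged names are alerts for a takedown or brand-protection workflow, and the thresholds here will need tuning per brand, since a short label like this one sits within edit distance 2 of ordinary words more often than a long one does.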