This week:

3 – What have Revolut and WhatsApp got to do with Mary and Her Little Lamb?

2 – Your online accounts are more valuable than you think.

1 – How a 36-hour visit from a cybercrime gang cost one service provider over €25 million.

3 – What have Revolut and WhatsApp got to do with Mary and Her Little Lamb?

“Irish Revolut customers who fell foul of WhatsApp scams last year lost an average of €1,200”

What’s the story?

In 2024, Irish Revolut users were significantly impacted by WhatsApp scams, with an average loss of €1,200 per victim. Ireland ranked second in Europe for such frauds, with scams on the messaging platform surging by 65%.

Scams on Instagram also increased by 64%.

This report suggests fraudsters are losing interest in Facebook and are instead targeting people where they may be more trusting of random messages from complete strangers.

The report also points out that Google platforms (e.g. Gmail) accounted for less than 1% of all frauds.

So what?

Looking at the numbers, it seems most of us know how scammers try to fool us with phishing emails, but we may be less aware that we can also be targeted via WhatsApp or social media.

So, remember:

Just like Mary and Her Little Lamb...

Wherever we go, the scammers are sure to follow.

Source:

Irish Independent

2 – Your online accounts are more valuable than you think

“When people thought they were buying items from Sarah (and supporting her father), they were really paying a scammer who simply walked away with their money.”

What’s the story?

A recent story from the SANS OUCH! newsletter describes how scammers could use your social media account to fool your friends and family into sending them money.

In their story, the scammers take control of the Facebook account of “Sarah”. They then post a sad story about Sarah’s father needing to sell all of his prized belongings to pay some medical bills.

Needless to say, many of Sarah’s friends get in touch with “Sarah” through Facebook Messenger to offer their support. “Sarah” quickly responds with a link where her friends can send money to help her poor father.

Eventually, everyone finds out that this was not “Sarah” and their money is gone.

So what?

If someone gains control of your online account – they become you.

Once they get control, they usually lock you out of the account, so all you can do is watch from the sidelines as they scam your friends and family (and steal all your data too).

So, if you think your only important accounts are your financial ones, think again.

To reduce the risks:

  1. Use a strong (i.e. long) and unique password on each of your accounts (e.g. email; Facebook; LinkedIn; Instagram).
  2. Don’t just protect your account with a password. Enable Multi-Factor Authentication (MFA) on ALL of them*.

(*Guidance on how to do this for all of your online accounts should be easy to find online. But if you need help, you know where I am.)

Source:

SANS OUCH! Newsletter (shared by John Haren on LinkedIn)

1 – How a 36-hour visit from a cybercrime gang cost one service provider over €25 million.

“We have fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.”

What’s the story?

The UK’s data protection regulator, the ICO, recently published a Penalty Notice announcing a fine of about £3 million on a software and SaaS provider with customers in the healthcare and legal sectors. The fine relates to a cyber attack that the organisation suffered in August 2022.

The ICO report is very detailed, so I’ll summarise some of the key points.

How did the attack happen?

  1. The attackers gained access to a Citrix remote access server using a username and password.
  2. Once in, the attackers were then able to ‘escalate’ (i.e. increase their access) so they could take full control of the environment.
  3. From there, they disabled security tools and started to take copies of the organisation’s data.
  4. And then they launched their ransomware attack.

How long did the attack take?

  • 36 hours (from the moment the attackers first logged in at 8pm on a Tuesday to the moment they logged out at 8am on a Thursday).

How much data was stolen?

  • 19 GB (including data relating to about 80,000 people).

How many computers were disabled by the ransomware?

  • 395.

How long did it take for the victim to recover all systems?

  • Some systems were back online after 2 weeks.
  • Others were offline for over 9 months.

According to the ICO report, where was the victim lacking ‘appropriate security measures’?

  1. The lock on the front door was weak: The Citrix server was the front door used by the attackers. To get through that door, they only needed a username and password. Multi-Factor Authentication was not in use on this front door.
  2. Patch Management was ad hoc: At least one Windows server was missing a ‘patch’ (i.e. a software update) that Microsoft had released almost 2 years earlier and had widely publicised at the time as the fix for “one of the most serious, active vulnerabilities in existence”.
  3. Vulnerability Scanning was missing: There are automated tools that can scan systems and identify obvious security gaps (e.g. patches that need to be installed). The organisation had noted this as one of its highest-priority security risks and was running these scanning tools on its internal corporate systems, but did not appear to be running them on all of the systems used by customers.

So what?

The cost of a cyber attack is usually far higher than you’d think.

In this case, while the attackers were only logged into the organisation’s systems for 36 hours, the subsequent costs included:

  • A penalty of over £3 million for failing to have appropriate security measures in place.
  • Over £21 million to recover from the attack (as quoted on page 43 of the Penalty Notice).
  • The unknown cost of the operational disruption to the organisation and its customers, causing numerous hidden knock-on costs (e.g. the cost of additional staffing for up to 9 months, plus the cost of senior executives being tied up in discussions with their legal advisors, customers, and regulator for almost 3 years).
  • And the minor issue that criminals now hold the medical information of 80,000 people.

(Let’s not mention the significant damage to the professional reputation of all involved.)

What’s my point?

The cost and hassle of putting appropriate security measures in place can be painful.

But it’s nothing like the pain and hassle if your lack of appropriate security measures leads to a security incident and a regulatory investigation.

I help regulated entities ensure that they, and their service providers, have appropriate security measures in place.

Learn more here

Source:

UK Information Commissioner’s Office Press Release