ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Details slowly emerge regarding Twitter hack
More information is coming to light about the Twitter hack of July 15, 2020. The social media giant suffered what is widely described as the most significant security breach in its history, with some 130 accounts targeted. For 45 of those, the attackers were able to reset the account password, log in, and send unauthorized tweets. Among the users affected were Barack Obama, Joe Biden, Bill Gates, Elon Musk, and Kanye West.
The hackers used the breached accounts to post messages offering to double followers’ money with a Bitcoin transaction. For example, a tweet from Bill Gates’ account enthused: “Everyone is asking me to give back. You send $1,000, I send you back $2,000.”
In total, the hackers are estimated to have collected up to $120,000 (US) in Bitcoin over the course of the attack, which was only contained when Twitter took the unusual step of temporarily blocking all verified accounts from tweeting or resetting their passwords.
Early analysis suggests that the attackers compromised up to eight internal Twitter staff accounts, then used the elevated privileges of Twitter’s internal account-management tools to reset passwords and post tweets. The two-factor authentication that many of the affected users had enabled did not help: it protects the login flow, while the internal tools act on the account directly. Some theories posit that an internal team-chat application may have been compromised to reach those tools, while other reports suggest that an insider may have been knowingly complicit in the breach. Twitter tweeted on the day of the incident, “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Twitter apologized and has promised to keep publishing updates as its analysis continues; meanwhile the FBI has joined the investigation, and U.S. lawmakers are demanding answers. A New York Times article indicates that its reporters have been in touch with at least some of the hackers, and presents those interviews as supporting the contention that a compromised insider was the means of attack.
As high profile as the attack was, security analysts observe that the hackers could have done far more damage with the access they held, yet chose only to run a routine “two-for-one” scam while holding admin-level access to the entire user base. The implications for Twitter – which suffered paper losses in excess of $1 billion (US) as its shares slumped 3.2% in the hours following the breach – and for corporate security at large will be worth watching over the coming weeks.
Law firm website spoofing on the rise
Multiple reports of spoofed websites have put law firm clientele and lawyers themselves at risk of cyber fraud.
Ontario’s legal malpractice insurer LAWPRO has seen a recent spike in spoofed law firm websites. Through its AvoidAClaim blog, LAWPRO reports that several law firms have found their business websites duplicated by fraudsters.
In the reported cases, LAWPRO has seen fraudsters blend law firm names, web content, and contact information from a variety of firms across jurisdictions to create real-looking websites crafted to trick the general public. Another common approach is to register a domain name similar to that of a target law firm, then copy the structure, content, and artwork of the original site when building the spoofed one. The contact information, however, is altered so that enquiries intended for the firm go straight to the scammers. From there, unsuspecting prospective clients may be tricked into revealing sensitive personal information, paying fraudulent retainer fees, or sending money meant for the firm’s trust account to the fraudsters. A periodic search for your firm’s name, lawyer photos, and distinctive page text, together with monitoring of newly registered domains that resemble your own, is the practical way to catch such copies early.
While the report did not specify any particular law firms affected, an eastern Ontario practice replied to the posting confirming that it had been targeted. In a separate case, a southern Ontario law firm recently posted a warning on its website advising clients that “[p]arties unknown are using our website design and the photos of our lawyers and pretending to be another firm in the Niagara Region.”
Fraudsters aren’t only luring unsuspecting clients with fake sites; they are targeting job seekers too. As reported early this year by the FBI, a growing number of impersonation sites post job opportunities in order to solicit resumes. The scammers may then introduce bogus “hiring fees” or collect additional personal information from interested applicants. In more elaborate cases, the fraudsters conduct bogus screening processes and online interviews before agreeing to “hire” their victims. By that point the target feels comfortable enough to hand over digital signatures, driver’s license details, financial information, and void cheques, supposedly to be set up on payroll and benefits systems, all of which goes straight to the fraudsters. The results can be devastating: beyond the stolen personal information, some victims have quit real jobs to pursue positions that don’t exist, creating additional financial and professional hardship.
Baker McKenzie, a global law firm with an office in Toronto, has posted a notice on its website’s disclaimer page warning prospective applicants about individuals masquerading as firm recruiters. The notice goes on to give applicants tips on identifying, avoiding, and reporting such frauds. LAWPRO’s posting likewise provides tips for law firms on researching and reporting suspected frauds. While these resources are aimed at lawyers and law firms, much of the advice applies to any organization.
E-transfer phishing scam alert
New Brunswick’s Financial and Consumer Services Commission (FCNB) has reported three successful frauds carried out with bogus e-transfer notices, and has expressed concern that similar frauds may be under way. Focused on targets on the Acadian Peninsula, the scams lured victims into clicking links in e-transfer notification emails; the links led to a spoofed financial institution website where login credentials were harvested. Once the login and account details had been captured, the fraudsters used them to gain access to all of the accounts and credit cards associated with the victim. In total, the victims were defrauded of over $20,000 (Canadian).
Particularly in the COVID-19 era, when e-banking has become even more prevalent, fraudsters have stepped up their game by using phishing notices to lure unsuspecting victims into revealing their credentials. Never click a link in an e-transfer or e-deposit notice unless you are expecting funds to arrive and have carefully verified the sender; even then, it is safer to open your bank’s site or app directly rather than through the email. Some financial institutions offer automatic deposit for e-transfers, so that expected funds arrive without any link to click or security question to answer. This removes the need to interact with notification emails at all, and lets you treat any unexpected “click to deposit” notice with the suspicion it deserves.
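The two checks a practitioner would want from the law firm spoofing item and the e-transfer item above, screening newly observed domain names for lookalikes of your own brand and auditing the links in a notification email before anyone clicks them, share the same domain-comparison logic, so both are sketched in one script below. This is an added example, not tooling from ISA, LAWPRO, FCNB or any financial institution; every domain, URL and the sample notice are constructed, the homoglyph table and the two-label suffix set are simplified assumptions, and a production tool would use the Public Suffix List and a fuller confusable-character table.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Digraph and digit swaps commonly used in lookalike registrations (assumed list, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
# Suffixes that take two labels; a real tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "on.ca", "qc.ca", "gc.ca"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def normalize_label(label):
    """Fold accents (é -> e) and homoglyphs so 'examp1e' compares equal to 'example'."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return text


def registrable_domain(host):
    """'secure.example-bank.ca' -> 'example-bank.ca' (the part someone had to register)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def edit_distance(a, b):
    """Damerau-Levenshtein distance; an adjacent transposition ('exmaple') costs one edit."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(host, trusted):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched trusted domain or None)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for good in trusted:
        if reg == good.lower():
            return "trusted", good.lower()
    reg_name = normalize_label(reg.split(".")[0])
    for good in trusted:
        good = good.lower()
        good_name = normalize_label(good.split(".")[0])
        # Brand used as a subdomain of someone else's domain: example-bank.ca.verify-now.net
        if "." + good + "." in "." + host + ".":
            return "lookalike", good
        # Brand name with extra tokens, a swapped TLD, or homoglyphs: examp1e-bank.ca
        if good_name in reg_name:
            return "lookalike", good
        # One typo or transposition away: exmaple-bank.ca
        if edit_distance(reg_name, good_name) <= 1:
            return "lookalike", good
    return "unrelated", None


def audit_notice(text, trusted):
    """Classify every link in a notification email; returns [(url, verdict, match), ...]."""
    results = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        verdict, match = classify_host(parsed.hostname or "", trusted)
        # brand@real-host: the browser ignores everything before '@', so the visible brand is a decoy.
        if parsed.username and verdict != "trusted":
            verdict = "lookalike"
        results.append((url, verdict, match))
    return results


def screen_registrations(brand_domain, observed):
    """Screen a feed of observed domain names for lookalikes of one firm's domain."""
    return [(d, classify_host(d, [brand_domain])[0]) for d in observed]


# Constructed sample notice: three lookalike links, one genuine link, one unrelated domain.
SAMPLE_NOTICE = """\
Subject: e-Transfer: you have received $1,250.00
Deposit now: https://secure.examp1e-bank.ca/deposit?ref=8831
Or sign in at https://example-bank.ca.etransfer-verify.net/login
Trouble? https://www.example-bank.ca@deposit-verify.net/login
Help centre: https://www.example-bank.ca/help
Unsubscribe: https://mail-updates.net/opt-out
"""
TRUSTED = ["example-bank.ca", "example-etransfer.ca"]  # assumed legitimate domains

# Constructed feed of newly observed registrations near a fictional firm's domain.
OBSERVED = ["smithjoneslaw.ca", "smithjones-law.ca", "srnithjoneslaw.ca",
            "smithjoneslaw.com", "smithjoneslawfirm-niagara.net", "jonesandsmith.ca"]

if __name__ == "__main__":
    for url, verdict, match in audit_notice(SAMPLE_NOTICE, TRUSTED):
        print(f"{verdict:9} {url}  (resembles {match})")
    for domain, verdict in screen_registrations("smithjoneslaw.ca", OBSERVED):
        print(f"{verdict:9} {domain}")
```

The substring and edit-distance tests are deliberately loose, which is the right trade-off for a human-reviewed alert feed but will produce false positives for very short brand names; tighten the distance threshold or require a minimum brand length before using the output for automatic blocking.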
Contact ISA for assistance in analyzing and assessing your exposure, and developing a remediation plan.