August 23, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
VNC under attack
Dark web intelligence firm Cyble recently reported an increase in attacks on VNC across the globe. VNC is a useful tool, but it should never be exposed directly to the Internet and never run without authentication; reach it over a VPN or an SSH tunnel instead, and check what your servers actually offer rather than assuming a password is required.
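As an added example (not from Cyble's report or the original newsletter), the following Python script parses the first two messages a VNC server sends in the RFB handshake and reports whether it offers security type 1 ("None", i.e. no password at all) or only the legacy "VNC Authentication" type, a DES challenge-response that uses at most 8 password characters. The sample handshakes are constructed byte strings, not captures from any real host; the `probe()` helper, which applies the same parser to a live server, is an assumption about how you would use it and is not exercised offline.

```python
"""Assess the authentication a VNC (RFB) server offers from its handshake.

Added example for this newsletter. SAMPLES are constructed, not captured.
"""
import socket
import struct

# Security types registered for RFB (RFC 6143 plus community extensions).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL", 21: "MD5", 22: "xvp",
}


def _reason(buf: bytes) -> str:
    """Decode the U32 length-prefixed reason string sent on failure."""
    if len(buf) < 4:
        raise ValueError("truncated failure reason")
    (length,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + length].decode("latin-1", errors="replace")


def parse_server_handshake(data: bytes) -> dict:
    """Parse ProtocolVersion plus the security-type message that follows.

    RFB 3.7/3.8: U8 count, then that many U8 types (count 0 = failure,
    followed by a reason string). RFB 3.3: a single U32 type chosen by
    the server (0 = failure, followed by a reason string).
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[4:11].decode("ascii")  # e.g. "003.008"
    body = data[12:]
    result = {"version": version, "types": [], "failure_reason": None}

    if version == "003.003":
        if len(body) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        (sec_type,) = struct.unpack("!I", body[:4])
        if sec_type == 0:
            result["failure_reason"] = _reason(body[4:])
        else:
            result["types"] = [sec_type]
    else:
        if not body:
            raise ValueError("truncated security-type list")
        count = body[0]
        if count == 0:
            result["failure_reason"] = _reason(body[1:])
        elif len(body) < 1 + count:
            raise ValueError("truncated security-type list")
        else:
            result["types"] = list(body[1:1 + count])
    return result


def assess(data: bytes) -> dict:
    """Return the parsed handshake plus findings a reviewer would act on."""
    info = parse_server_handshake(data)
    findings = []
    if 1 in info["types"]:
        findings.append("CRITICAL: server offers 'None' (unauthenticated access)")
    if 2 in info["types"]:
        findings.append("WEAK: 'VNC Authentication' is a DES challenge-response "
                        "limited to 8 password characters, no transport encryption")
    if info["types"] and not findings:
        findings.append("OK: neither 'None' nor legacy 'VNC Authentication' offered")
    if info["failure_reason"] is not None:
        findings.append(f"server refused connection: {info['failure_reason']}")
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in info["types"]]
    return {**info, "type_names": names, "findings": findings}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check (needs network; assumption about usage, not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = sock.recv(12)
        sock.sendall(version)   # accept the server's version by echoing it
        rest = sock.recv(1024)  # security-type list or failure reason
    return assess(version + rest)


# Constructed handshakes (not real captures).
SAMPLES = {
    "open_3.8": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "password_only_3.8": b"RFB 003.008\n" + bytes([1, 2]),
    "vencrypt_3.8": b"RFB 003.008\n" + bytes([1, 19]),
    "open_3.3": b"RFB 003.003\n" + struct.pack("!I", 1),
    "refused_3.8": b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 8) + b"Too many",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = assess(raw)
        print(name, r["version"], r["type_names"], *r["findings"], sep=" | ")
```

Any server that lists type 1 is reachable by anyone who can route to TCP/5900, which is exactly what the reported attacks look for; a server that lists only type 2 still deserves a tunnel in front of it, because the challenge-response is trivially brute-forced offline from a capture.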
Two big stories on cyber insurance
Two big stories came out this week regarding cyber insurance:
Check the details of your policy
A recent court case was dismissed after the victim sued its insurer for not covering the full cost of a cyber incident. It turns out the policy distinguished between "computer fraud" (coverage of $1M) and "social engineering fraud" (coverage of only $100,000). Details are in the article referenced above; it's worth reading.
No more coverage for nation-state attacks
Lloyd’s of London recently announced that its cyber policies will no longer cover attacks attributable to nation-state actors:
The most eyebrow-raising component is that this definition also includes cyber operations that have a “major detrimental impact” on a state’s function, something that implies an attack on critical infrastructure (such as the Colonial Pipeline and JBS attacks) might no longer be covered by the market’s cyber insurance policies.
You may recall that the 2017 NotPetya ransomware attack was attributed to Russia, and WannaCry was attributed to North Korea. Both of those attacks caused untold damage worldwide. It seems that "insurance" isn't always "insurance" these days.
Craziest case of ID theft I've ever seen
This post on LinkedIn last week describes the most elaborate ID theft scheme I've ever read about. I've copied the story below. As you read, think: What was the first red flag? The second? What would you have done differently? When would you have stopped the process and sought help?
I got scammed over a job offer.
On August 5, I got an email invitation to interview for a Remote Product Design Manager position at Splunk from email@example.com to my university email. It stated that I was fast-tracked to an interview because my AngelList profile showed my skills and experience would be a great fit. I scheduled the interview with an alleged Splunk HR member (Matt Olsen). I even looked up his profile to make sure that I was talking to a real person from the company. After the Skype chat interview, I was told to be online on Monday at 10 am for updates. On Monday, I received the offer, along with a request to fill out and sign the employment contract, background check authorization, and direct deposit form, and to send a copy of my driver’s license.
Later that week, I had a chat with the alleged CIO of Splunk (Alexander Fridman), who briefed me on equipment that would be sent to set up my home office. I was told I would be given company funds to purchase an iPhone 13 Pro, an Apple Watch Series 7, and Microsoft Business Standard. The finance department would send me the company account information to purchase the items. I was instructed to link the company account to my card to pay off the current balance before I made any purchases. At this point, I received a temporary work email from the IT department, which I had to log in to via privateemail(dot)com, where I would receive updates.
On Monday, August 15, I received all the information regarding the bank account and successfully linked it to my card. I used the account to pay off the outstanding balance as told and went to the Apple Store to purchase the items. I was instructed to send the items I purchased to the vendor’s address so that proper company branding and the most up-to-date software could be installed for security purposes. I went to the UPS store on the same day and sent off the package via Next Day shipping.
While driving home, I felt uneasy, so I called my friends and family to share my suspicions. One friend suggested that I reach out to HR employees at Splunk on LinkedIn to be sure. An HR employee confirmed my suspicion. I immediately called UPS to cancel my shipment, froze my credit card, and reported the identity theft incident to the FTC. (Thank you, UPS!)
During this interaction with the people who were pretending to be employees at Splunk, I felt like I was being welcomed into the team. These scammers used phrases like “You’re welcome, Splunker!” “Have a great day, Splunker” to make me feel like these people were real employees.
The most horrifying thing is how I received this through my school email. They were targeting students like me. A part of me feels like I should have known better. The other part of me knows this is not one of those silly scams. This is an elaborate, calculated, and targeted crime.
If you have read this far, I want to say thank you for reading my story. Please share this with any applicants you know.
Wow, that is some food for thought. Have a good week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺