Netizen Cybersecurity Bulletin (September 14th, 2021)

Overview

• Phish Tale of the Week
• Hackers target United Nations in latest data breach
• U.S SEC changes stance on Cybersecurity. What does this mean for your business?
• How can Netizen help?

Phish Tale of the Week

Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting employees that may be expecting an invoice to be paid or just someone who doesn’t check their email rigorously. This email appears to be a survey request for Costco where the viewer could receive $50 for their participation. This email contains Costco’s branding and a convincing message saying the survey should only take 30 seconds, so why not click on the link and get our $50? Unfortunately, there’s plenty or reasons not to click that email right away.

Take a look below:

1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure its from a trusted sender. In the future, check all suspicious emails from companies against previous correspondences you’ve received and make sure the sender address is the same.
2. The second warning sign in this email is the inconsistent messaging. The subject line reads that “$50 could be yours today”, however there is no further mention of this incentive. Look for consistency throughout emails with companies. Most companies will also attach a terms and conditions statement regarding the incentive from the survey.
3. The final warning sign for this email is the callouts at the bottom. Two addresses are referenced at the bottom of the email, neither of which belong to any Costco locations. An easy way to spot a scam email is to reference buildings or locations mentioned in the correspondence. When searched on maps, each of these locations turns up as empty addresses with no occupants.

General Recommendations:

A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

• Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
• Verify that the sender is actually from the company sending the message.
• Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
• Do not give out personal or company information over the internet.
• Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

For Costco specific recommendations and tips check out this link to their fraud detection center here.

Cybersecurity Brief

In this week’s Cybersecurity Brief:

Hackers target United Nations in latest data breach

Last week, Cybersecurity research firm Resecurity discovered that an outside hacker group had targeted the United Nation’s internal network. The breach first occurred on April 5^th, 2021, with hostile activity finally concluding in their environment on August 7^th. The primary purpose of this attack was intelligence gathering with threat actors making out with a trove of data that could be utilized to perform cyberattacks against other government organizations in the future.

Experts in the industry have theorized that stolen login credentials from a U.N. employee were the initial attack vector the hackers used to gain access to the U.N.’s systems. Many believe that the credentials were sourced from a website on the dark web known for selling and distributing stolen credentials.

When asked why the threat actors targeted the U.N, Resecurity CEO Gene Yoo had this to add “Organizations like the U.N are a high-value target for cyber espionage activity. The actor conducted the intrusion with the goal of compromising large numbers of users within the U.N. networking for further long-term intelligence gathering.”

Reports from this incident vary on the scale of the attack. On the one hand, the U.N. claims that the attackers were doing nothing more than just taking screenshots of the compromised network. On the other hand, Resecurity believes that the attackers stole data during this incident, which may become catalysts for more attacks.  

U.N. spokesman Farhan Haq reported that “This attack had been detected before we were notified by Resecurity, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” Haq also noted that the United Nations had been frequently targeted by cyber-attacks before, which is not a new phenomenon to the organization.

To read more about this article, click here.

U.S SEC changes stance on Cybersecurity. What does this mean for your business?

The United States Securities and Exchange Commission (SEC) has reevaluated what it deems a threat for companies. Starting this year, the SEC will now consider cyber vulnerabilities an enormous business risk. This news comes as the regulatory commission levied significant fines on two well-known companies for failure to disclose cybersecurity issues. British education company Pearson PLC agreed to pay $1,000,000 in settlement charges following reports it misled investors after a 2018 data breach saw millions of student records stolen from their database. On a more recent note, real estate company First American Financial settled $500,000 in damages after failing to disclose a vulnerability in their environment that compromised up to 800 million files, many of which including social security numbers and other PII.

This shift in how the SEC punishes companies for cybersecurity malpractice could significantly affect how companies view cybersecurity threats and issues moving forward. Currently, businesses are required to disclose “risk factors” so public investors can better understand the company’s stock. These “risk factors” include operations, competitive, economic, and cybersecurity incidents. However, few companies have ever faced any real regulatory repercussions from the SEC after suffering a cyberattack.

What baffles many is that current risk disclosure policies were based on The Securities and Exchange Act of 1934, written during a time when the internet was still over half a century away. While the agency amended the procedures to include significant cybersecurity-related risks and incidents in 2011, and further echoed that cybersecurity incidents pose a substantial threat to our capital markets in 2018, there is still more to be done.

This report comes as defense contractors have begun the painstakingly slow process of adopting the Cybersecurity The fines passed down to Pearson PLC and First American Financial are watershed moments for how companies view cybersecurity. Before, organizations took a more relaxed approach to disclosing vulnerabilities and their overall cyber posture. Hopefully, the enforcement of these penalties will shine a light on the operational woes that cybersecurity incidents can create. Organizations must act with clarity and conciseness to combat the ever-changing cyber landscape. The time for action is now.       

For more information check out the rest of the article here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.