News

The World Economic Forum has shared recommendations on how to build on the success of existing partnerships to accelerate the disruption of cybercriminal activities

The new Remcos RAT variant identified in a new phishing campaign exploits CVE-2017-0199 via malicious Excel files

Researchers have uncovered a surge in phishing attacks using Visio .vsdx files to evade security scans

This year’s Blue OLEx cyber-attack drill was hosted in Italy and benefited from the new EU-CyCLONe for the first time

The UK Regional Organised Crime Unit (ROCU) Network has urged the elderly to be on the lookout for scam texts offering a winter fuel subsidy

Swedish-Russian national Roman Sterlingov has been jailed for 12 years and six months for operating notorious cryptocurrency mixer Bitcoin Fog

As we honor Veterans Day, it’s crucial to recognize not only the sacrifices made by those who served but also the unique cybersecurity challenges they face in today’s digital age. Veterans, with their deep ties to sensitive military information and benefits, are increasingly being targeted by cybercriminals seeking to exploit their personal data. Seven in 10 military vets and active-duty service members have been a victim of at least one digital crime.

From phishing scams impersonating official VA communications to the risk of military identity theft, veterans encounter specific threats that require tailored cybersecurity awareness and precautions. By taking proactive steps, veterans can implement strong security practices to better protect their identities and enjoy a safer online experience.

Understanding the Risks

Veterans possess a wealth of sensitive information tied to their military service. This includes not only Social Security numbers, medical records, and details about deployments and benefits, but also personal histories that can include addresses, family information, and even details about combat experiences. Such comprehensive information is highly valuable to cybercriminals for various malicious activities, including identity theft and financial fraud.

Cybercriminals can exploit this data to impersonate veterans, gain unauthorized access to financial accounts, file false claims for VA benefits, or sell the information on the dark web. The repercussions of such breaches extend beyond financial loss, impacting veterans’ reputations, access to essential services, and overall peace of mind. Safeguarding this sensitive data is critical to ensuring veterans’ security and well-being in the digital age.

Common Threats Faced by Veterans

One of the primary threats that veterans encounter is phishing scams. These scams often impersonate official communications from the Department of Veterans Affairs (VA) or other military organizations. Cybercriminals use deceptive emails, text messages, or phone calls to trick veterans into revealing personal information or clicking malicious links that can compromise their devices.

Another prevalent danger is military identity theft, where criminals use stolen or fabricated military credentials to access benefits, obtain loans, or commit fraud in the veteran’s name. This type of identity theft can be particularly devastating, affecting not only financial stability but also the veteran’s reputation and access to crucial services.

Cybersecurity Awareness and Security Tips

In 2023, military consumers filed more than 93,000 fraud complaints, with imposter scams alone accounting for 42,766 cases, resulting in reported losses exceeding $178 million. To combat these threats, veterans must be equipped with robust cybersecurity awareness and practices:

1. Social Media Caution: Avoid sharing specific details about military service, deployments, or personal schedules on social media. Cybercriminals can use this information to impersonate you or guess security questions for account access. Adjust privacy settings on social media platforms to restrict who can view your posts and personal information. Social Privacy Manager can help you adjust more than 100 privacy settings across your social media accounts in just a few clicks.
2. Recognizing Phishing Attempts: Always verify the authenticity of emails or messages claiming to be from the VA or other military organizations before clicking on links or providing information. Official organizations typically do not request sensitive information via email or text.
3. Use Multi-Factor Authentication: Secure online accounts by enabling multi-factor authentication (MFA) whenever possible. MFA adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone or email, in addition to your password.
4. Embrace Password Complexity: Create passwords that are at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Avoid using easily guessable information like birthdates or common words. Use a reputable password manager to generate and store complex passwords securely.
5. Regularly Monitoring Financial Accounts: Keep a close eye on bank statements, credit reports, and VA benefits statements for any unauthorized activity. Early detection can minimize the damage caused by identity theft. Setting up credit monitoring can also help you keep an eye out for unusual activity on your accounts.
6. Automatic Updates: Enable automatic updates for operating systems, software applications, and antivirus programs to ensure you have the latest security patches and protections against vulnerabilities.
7. Educating Family Members: Inform family members about the importance of cybersecurity practices, including recognizing phishing attempts and safeguarding personal information. Encourage family members to review and adjust privacy settings on their own social media accounts to limit exposure of personal information that could indirectly impact your security.
8. Consider Identity Theft Protection: For increased peace of mind, consider investing in a McAfee+ Family plan which protects up to 6 members with identity and privacy protection, including 24/7 monitoring of your personal info with alerts if something requires your attention and award-winning antivirus security for all your devices​​.

What to do if you may have been exposed

If you think you have been the victim of identity theft, immediately take steps to protect yourself and your family:

1. Place a Fraud Alert and Get Your Credit Reports: Contact a major credit bureau (Equifax, Experian, or TransUnion) to place a fraud alert on your credit report. This alert notifies creditors to take extra steps to verify your identity before opening new accounts in your name. Request and review your credit reports from all three bureaus to check for any unauthorized accounts or transactions.
2. Notify Your Commanding Officer: If you are an active-duty service member, inform your commanding officer immediately. This step is crucial to prevent unexpected calls or actions related to fraudulent debts or activities that could impact your military status or security clearance. Your commanding officer can provide guidance and support in handling the situation within military protocols.
3. File a Police Report: Contact your local law enforcement agency to file a report about the identity theft. Provide them with a copy of your Identity Theft Report from IdentityTheft.gov. A police report can support your claims of identity theft and may be required by creditors or financial institutions as part of the recovery process.
4. Monitor Your Accounts: Regularly monitor all financial accounts, including bank accounts, credit cards, and investment accounts, for any suspicious activity. Report any unauthorized transactions immediately to the respective financial institution.
5. Consider Placing a Credit Freeze: A credit freeze restricts access to your credit report, making it more difficult for identity thieves to open new accounts in your name. Contact each of the credit bureaus to request a credit freeze. You can temporarily lift or permanently remove the freeze when needed.
6. Report identity theft to the FTC: Visit identitytheft.gov, the Federal Trade Commission’s dedicated website for identity theft victims. Follow the step-by-step instructions to report the theft and provide as many details as possible about the fraudulent activity. IdentityTheft.gov will help you create an Identity Theft Report, which is essential for disputing fraudulent charges and repairing your credit.
7. Seek Support and Counseling: Identity theft can be a stressful and emotionally draining experience. Consider seeking support from military support services, such as Military OneSource, which offers resources and counseling to service members and their families facing financial challenges and identity theft.

As veterans continue to navigate the complexities of modern life, safeguarding their personal information online is paramount. By staying informed about cybersecurity best practices and leveraging available resources, veterans can significantly reduce their risk of falling victim to cyber threats.

The post Safeguarding Those Who Served: Cybersecurity Challenges for Veterans appeared first on McAfee Blog.

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.

In an alert (PDF) published this week, the FBI said it has seen un uptick in postings on criminal forums regarding the process of emergency data requests (EDRs) and the sale of email credentials stolen from police departments and government agencies.

“Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI warned.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about an account at a technology provider — such as the account’s email address, or what Internet addresses a specific cell phone account has used in the past — they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted (eventually, and at least in part) as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

In some cases, a cybercriminal will offer to forge a court-approved subpoena and send that through a hacked police or government email account. But increasingly, thieves are relying on fake EDRs, which allow investigators to attest that people will be bodily harmed or killed unless a request for account data is granted expeditiously.

The trouble is, these EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. Also, it is difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Perhaps unsurprisingly, compliance with such requests tends to be extremely high. For example, in its most recent transparency report (PDF) Verizon said it received more than 127,000 law enforcement demands for customer data in the second half of 2023 — including more than 36,000 EDRs — and that the company provided records in response to approximately 90 percent of requests.

One English-speaking cybercriminal who goes by the nicknames “Pwnstar” and “Pwnipotent” has been selling fake EDR services on both Russian-language and English cybercrime forums. Their prices range from $1,000 to $3,000 per successful request, and they claim to control “gov emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.

“I cannot 100% guarantee every order will go through,” Pwnstar explained. “This is social engineering at the highest level and there will be failed attempts at times. Don’t be discouraged. You can use escrow and I give full refund back if EDR doesn’t go through and you don’t receive your information.”

A review of EDR vendors across many cybercrime forums shows that some fake EDR vendors sell the ability to send phony police requests to specific social media platforms, including forged court-approved documents. Others simply sell access to hacked government or police email accounts, and leave it up to the buyer to forge any needed documents.

“When you get account, it’s yours, your account, your liability,” reads an ad in October on BreachForums. “Unlimited Emergency Data Requests. Once Paid, the Logins are completely Yours. Reset as you please. You would need to Forge Documents to Successfully Emergency Data Request.”

Still other fake EDR service vendors claim to sell hacked or fraudulently created accounts on Kodex, a startup that aims to help tech companies do a better job screening out phony law enforcement data requests. Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, with an eye toward making it easier for everyone to spot an unauthorized EDR.

If police or government officials wish to request records regarding Coinbase customers, for example, they must first register an account on Kodexglobal.com. Kodex’s systems then assign that requestor a score or credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

It is not uncommon to see fake EDR vendors claim the ability to send data requests through Kodex, with some even sharing redacted screenshots of police accounts at Kodex.

Matt Donahue is the former FBI agent who founded Kodex in 2021. Donahue said just because someone can use a legitimate police department or government email to create a Kodex account doesn’t mean that user will be able to send anything. Donahue said even if one customer gets a fake request, Kodex is able to prevent the same thing from happening to another.

Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:

-1,521 from the Asia-Pacific region;
-1,290 requests from Europe, the Middle East and Asia;
-460 from police departments and agencies in the United States;
-385 from entities in Latin America, and;
-285 from Brazil.

Donahue said 60 technology companies are now routing all law enforcement data requests through Kodex, including an increasing number of financial institutions and cryptocurrency platforms. He said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.

“What’s being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”

In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.

A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.

“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because [the first time] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the [recipient] feel valued.”

Echoing the FBI’s warning, Donahue said far too many police departments in the United States and other countries have poor account security hygiene, and often do not enforce basic account security precautions — such as requiring phishing-resistant multifactor authentication.

How are cybercriminals typically gaining access to police and government email accounts? Donahue said it’s still mostly email-based phishing, and credentials that are stolen by opportunistic malware infections and sold on the dark web. But as bad as things are internationally, he said, many law enforcement entities in the United States still have much room for improvement in account security.

“Unfortunately, a lot of this is phishing or malware campaigns,” Donahue said. “A lot of global police agencies don’t have stringent cybersecurity hygiene, but even U.S. dot-gov emails get hacked. Over the last nine months, I’ve reached out to CISA (the Cybersecurity and Infrastructure Security Agency) over a dozen times about .gov email addresses that were compromised and that CISA was unaware of.”

South Korea warned that pro-Russian groups have attacked government and private sector websites following the deployment of North Korean soldiers in Ukraine

International energy solution provider Newpark Resources has confirmed it was hit by a ransomware attack that disrupted critical systems