FBI: Business Email Compromise: The $43 Billion Scam

This Public Service Announcement is an update and companion piece to Business Email Compromise PSA I-091019-PSA posted on www.ic3.gov. This PSA includes new Internet Crime Complaint Center complaint information and updated statistics from October 2013 to December 2021.

DEFINITION

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

STATISTICAL DATA

The BEC/EAC scam continues to grow and evolve, targeting everything from small local businesses to large corporations, as well as personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars. This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.

The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers. Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.

The following BEC/EAC statistics were reported to the FBI IC3 and to law enforcement, or were derived from filings with financial institutions, between June 2016 and December 2021:

  • Domestic and international incidents: 241,206
  • Domestic and international exposed dollar loss: $43,312,749,946

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:

  • Total U.S. victims: 116,401
  • Total U.S. exposed dollar loss: $14,762,978,290
  • Total non-U.S. victims: 5,260
  • Total non-U.S. exposed dollar loss: $1,277,131,099

The following statistics were reported in victim complaints to the IC3 between June 2016 and December 2021:

  • Total U.S. financial recipients: 59,324
  • Total U.S. financial recipient exposed dollar loss: $9,153,274,323
  • Total non-U.S. financial recipients: 19,731
  • Total non-U.S. financial recipient exposed dollar loss: $7,859,268,158

BEC AND CRYPTOCURRENCY

The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency. Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.

The IC3 tracked two iterations of the BEC scam in which criminals utilized cryptocurrency: a direct transfer to a cryptocurrency exchange (CE), or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.

DIRECT TRANSFER – Mirrors the traditional pattern of BEC incidents in the past.

[Graphic depicting the direct transfer iteration of the BEC/cryptocurrency scam: the bad actor has already arranged control of a named cryptocurrency wallet for the funds to be converted to.]

SECOND HOP TRANSFER – Uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver’s licenses, passports, etc., that are used to open cryptocurrency wallets in their names.

[Graphic depicting the Second Hop Transfer iteration of the BEC/cryptocurrency scam: funds are moved to a cryptocurrency account controlled by the bad actor.]

In the past, the use of cryptocurrency was regularly reported in other crime types seen at the IC3 (e.g., tech support, ransomware, employment); however, it was not identified in BEC-specific crimes until 2018. By 2019, reports had increased, culminating in the highest numbers to date in 2021, with just over $40M in exposed losses. Based on the increasing data received, the IC3 expects this trend to continue growing in the coming years.

[Chart depicting reported loss associated with BEC/cryptocurrency complaints for the years 2018, 2019, 2020, and 2021.]

SUGGESTIONS FOR PROTECTION

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
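The second, third and fifth suggestions above (checking that a sender's domain really belongs to the business it claims, and catching misspelled lookalikes) can be partly automated with an allow-list comparison. This is an added example, not IC3 code: the trusted-domain list, the homoglyph table and the sample senders are constructed for illustration.

```python
# Constructed allow-list: domains of your own organisation and of known partners.
TRUSTED_DOMAINS = {"examplebank.com", "example-supplier.com"}

# Character sequences commonly swapped in to imitate a legitimate domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

# Edit distance at or below which a domain is treated as a typo-squat of a trusted one.
MAX_EDIT_DISTANCE = 2


def extract_domain(sender: str) -> str:
    """Return the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    addr = sender.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def fold_homoglyphs(domain: str) -> str:
    """Replace confusable sequences so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(sender: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Classify a sender as ('trusted' | 'lookalike' | 'unknown', reason)."""
    domain = extract_domain(sender)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted", domain
    # Internationalised (punycode) or non-ASCII labels can hide Unicode lookalikes.
    if "xn--" in domain or not domain.isascii():
        return "lookalike", "internationalised domain name: " + domain
    folded = fold_homoglyphs(domain)
    for t in trusted:
        if folded == t:
            return "lookalike", f"homoglyph variant of {t}"
        if t in domain:  # trusted name embedded, e.g. examplebank.com.evil-host.net
            return "lookalike", f"embeds {t} but is registered elsewhere"
        if edit_distance(folded, t) <= MAX_EDIT_DISTANCE:
            return "lookalike", f"within {MAX_EDIT_DISTANCE} edits of {t}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample senders, one per pattern the PSA warns about.
    for s in ["accounts@examplebank.com", "AP Team <ap@examp1ebank.com>",
              "ap@examplebank.co", "billing@examplebank.com.evil-host.net",
              "ceo@unrelated-party.org"]:
        print(f"{s!r:45} -> {assess_sender(s)}")
```

A "lookalike" verdict is a reason to verify the request over a secondary channel, as the first suggestion recommends, not proof of fraud on its own.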

If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds. Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible. 

FBI warns of deceptive and deepfaked job applicants for remote work

The FBI Internet Crime Complaint Center (IC3) warns of an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. Deepfakes include a video, image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.

The remote work or work-from-home positions identified in these reports include information technology and computer programming, database, and software related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information.

Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.

IC3 complaints also depict the use of stolen PII to apply for these remote positions. Victims have reported the use of their identities, and pre-employment background checks have discovered that PII given by some of the applicants belonged to another individual.

Report It

Companies or victims who identify this type of activity should report it to the IC3, www.ic3.gov.

If available, include any subject information such as IP or email addresses, phone numbers, or names provided.

Local Field Office Locations: www.fbi.gov/contact-us/field-offices

CISA Alert (AA22-181A) StopRansomware: MedusaLocker

MedusaLocker actors use vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.

Summary

Actions to take today to mitigate cyber threats from ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.

Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.

Technical Details

MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].

MedusaLocker ransomware uses a batch file to execute the PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.

MedusaLocker then: 

  • Restarts the LanmanWorkstation service, which allows registry edits to take effect. 
  • Kills the processes of well-known security, accounting, and forensic software. 
  • Restarts the machine in safe mode to avoid detection by security software [T1562.009].
  • Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486]. 
  • Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension. 
  • Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
  • Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].

MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
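The behaviours listed above (the EnableLinkedConnections registry change, the LanmanWorkstation restart, recovery tampering, the svhost.exe/svhostt.exe copy under %APPDATA%\Roaming and the 15-minute scheduled task) are each noisy on their own but distinctive in combination, so a detection should correlate them per host. The following is an added example, not part of the advisory: it scores constructed, simplified key=value events (field names are assumptions standing in for Sysmon or EDR telemetry) against rules drawn from the bullets above and alerts when several fire on one host.

```python
import re
from collections import defaultdict

# Constructed telemetry (not from the advisory): one key=value event per line,
# standing in for Sysmon/EDR records. Field names are assumptions.
SAMPLE_EVENTS = r"""
host=WS01 type=process_create image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
host=WS01 type=registry_set key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections value=1
host=WS01 type=service_restart name=LanmanWorkstation
host=WS01 type=process_create image=C:\Windows\System32\cmd.exe cmd="vssadmin delete shadows /all /quiet"
host=WS01 type=process_create image=C:\Windows\System32\cmd.exe cmd="bcdedit /set {default} recoveryenabled no"
host=WS01 type=process_create image=C:\Users\bob\AppData\Roaming\svhostt.exe cmd="svhostt.exe"
host=WS01 type=task_create name=Updater action=C:\Users\bob\AppData\Roaming\svhostt.exe interval_min=15
host=WS02 type=process_create image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k LocalService"
host=WS02 type=service_restart name=LanmanWorkstation
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_roaming(path: str) -> bool:
    """True when a path sits under a user's AppData\\Roaming directory."""
    return "\\appdata\\roaming\\" in path.lower()


def cmd(e: dict) -> str:
    """Lower-cased command line of a process-creation event, else empty."""
    return e.get("cmd", "").lower() if e.get("type") == "process_create" else ""


# (rule name, weight, predicate over one parsed event); weights are judgement calls.
RULES = [
    ("EnableLinkedConnections set to 1", 3,
     lambda e: e.get("type") == "registry_set"
     and e.get("key", "").lower().endswith("\\enablelinkedconnections")
     and e.get("value") == "1"),
    ("LanmanWorkstation service restarted", 1,
     lambda e: e.get("type") == "service_restart"
     and e.get("name", "").lower() == "lanmanworkstation"),
    ("Backup/recovery tampering (T1490)", 3,
     lambda e: any(s in cmd(e) for s in
                   ("vssadmin delete shadows", "recoveryenabled no", "wbadmin delete catalog"))),
    ("Safe-mode boot configured (T1562.009)", 3,
     lambda e: "bcdedit" in cmd(e) and "safeboot" in cmd(e)),
    ("svhost.exe/svhostt.exe run from AppData\\Roaming", 4,
     lambda e: e.get("type") == "process_create" and in_roaming(e.get("image", ""))
     and e.get("image", "").lower().endswith(("\\svhost.exe", "\\svhostt.exe"))),
    ("15-minute scheduled task launching an AppData\\Roaming binary", 4,
     lambda e: e.get("type") == "task_create" and e.get("interval_min") == "15"
     and in_roaming(e.get("action", ""))),
]


def score_hosts(log_text: str) -> dict:
    """Per host, sum the weight of each distinct rule that fired."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            for name, weight, pred in RULES:
                if pred(ev):
                    hits[ev.get("host", "?")].add((name, weight))
    return {h: {"score": sum(w for _, w in r), "rules": sorted(n for n, _ in r)}
            for h, r in hits.items()}


def alerts(log_text: str, threshold: int = 6) -> list:
    """Hosts where enough of the chain fired together to warrant an incident."""
    return sorted(h for h, r in score_hosts(log_text).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result["score"], result["rules"])
    print("alert on:", alerts(SAMPLE_EVENTS))
```

Note that the legitimate svchost.exe in System32 never matches the persistence rule; only the misspelled binary under a user's roaming profile does.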


NIST Announces the Release of Draft NIST IR 8323 Revision 1: Foundational PNT Profile

NIST announces the release of Draft NIST IR 8323 Revision 1, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services.

About Revision 1 of the Profile

The PNT cybersecurity profile is part of NIST’s response to the February 12, 2020, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. The EO notes that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order also calls for updates to the profile every two years or on an as-needed basis.

Based on NIST’s interaction with public and private sector stakeholders and their efforts to create “sector specific” profiles, NIST decided to create Revision 1. No substantive changes were made to the original Foundational Profile; NIST is only seeking comments on the changes made in this Revision. Among the most noteworthy are the addition of five new Cybersecurity Framework (CSF) Subcategories and the addition of two appendices: Appendix D, Applying the PNT Profile to Cybersecurity Risk Management, and Appendix E, Organization Specific PNT Profiles.

All changes are captured in Table 26, “Change Log”, for easy reference by reviewers.

The PNT Profile was created by applying the NIST CSF to help organizations:

  • Identify systems dependent on PNT
  • Identify appropriate PNT sources
  • Detect disturbances and manipulation of PNT services
  • Manage the risk to these systems

Organizations may continue to use this profile as a starting point to apply their own unique mission, business environment, and technologies to create or refine a security program that will include the responsible use of PNT services.

The public comment period for this publication is now open through August 12, 2022.

Email comments directly to: [email protected].

A Tale of Two Cities – Exploring the future of work – A Data AI Hackathon

This is an in-person event.

The pandemic is (mostly) behind us now, but have perceptions and mindsets of city dwellers changed forever?
Do young people see the world in the same way?
Is there any evidence that people in cities now value work-life balance?
At the Artificial Intelligence: Cloud and Edge Implementations course at the University of Oxford last year, we worked with open data from Transport for London and explored the behaviour of people in the pandemic.

But is this a global trend?

Created in partnership with Microsoft and the University of Oxford, the A Tale of Two Cities – Exploring the Future of Work – A Data AI Hackathon addresses the above questions.

We present the findings from London open data, and the hackathon will ask the same questions based on open data in New York.

What will we find in this saga of two cities? Do we see a pattern with wider implications? What does it mean for the future of work?

We invite you to join us in reviewing datasets from these two cities using Data and AI tools to develop new insights and solutions that emerge from data captured before, during, and after the pandemic.

✨ Rules: Form a team of maximum (3) individuals to take the data and process results. Choose your team prior to the event or on-site amongst attendees.
✨ Suggested Tools: PowerBI, Python, AI builder, Synapse, CosmosDB, and Percept.
✨ Prerequisites: We recommend that attendees are data professionals and possess skills related to the above tools. If you are not fully knowledgeable with the above tools, you are free to apply what you learn in our offered workshop content or you can use the hackathon as a learning opportunity / opportunity to work with others.

✨ If participants do not currently have an Azure subscription, we have a limited supply (25) of Azure passes with some credit available.

✨ Prize: The winning team (of 3) will currently get (3) $100 Amazon gift cards and (1) free placement on the Oxford University Digital Twins course (online); the team will have to decide who receives the course. Additional prizes are TBD ✨

Agenda:
• Day 1: July 21st, 5:30 PM – 8 PM: Introduction to the problem, London data comparison, details for the hack shared with the group.
• Day 2: July 22nd, 9 AM – 5 PM: Hackathon / Informative Presentations

  • 9:00 AM: Kickoff presentation with introduction to additional Data & AI tools – Paul DeCarlo & Ruth Yakubu
  • 10:00 AM: NoSQL 101 and Intro to Cosmos DB – Jay Gordon
  • 10:30 AM: Introduction to Azure Percept – Amira Youssef
  • Office hours: work on the hackathon / ask questions of available experts

• Day 3: July 23rd, 9 AM – 1 PM: Present hackathon findings and solutions; choose the winner

We hope to share insights from this work widely, building on our experience at the University of Oxford.
Rikesh Shah, Head of Open Innovation @ Transport for London, said: “I am pleased to see that the open data and innovation journey we started at University of Oxford is now expanding to the city of New York. I look forward to hearing about the learnings from New York.”

Register HERE

Become a Microsoft Sentinel Ninja: The complete level 400 training – Microsoft Tech Community!

 Microsoft Training

The number of security incidents, and the volume of information related to them, is rising daily. Traditional tools and methods aren’t enough to process all the data and to respond to all the incidents. That is where SOAR (Security Orchestration, Automation, and Response) can help.

Where to start?

In addition to being a Security Information and Event Management (SIEM) system, Microsoft Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. As a SOAR platform, its primary purpose is to automate the recurring and predictable enrichment, response, and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules, which centrally manage the automation of incident handling and response, to playbooks, which run predetermined sequences of actions to provide robust and flexible advanced automation for your threat response tasks.

If you are wondering where to start in learning about Microsoft Sentinel’s SOAR capabilities, take a look at the resources outlined below:

When working with Microsoft Sentinel Automation, it is essential to understand the Microsoft Sentinel API and the use of APIs in general. Microsoft Sentinel API 101 is a great place to start.

Utilizing Microsoft Sentinel Automation may require additional permissions. Please review the needed permissions.

The Microsoft Sentinel Content hub provides access to Microsoft Sentinel out-of-the-box (built-in) content and solutions. This is the starting point when searching for a playbook template and all other content for Microsoft Sentinel.

The SOAR Content Catalog is an excellent source of information about the most used playbook connectors.

This blog is a fantastic starting point for utilizing SOAR in Microsoft Sentinel: I’m Being Attacked, Now What? – Microsoft Tech Community

Microsoft Sentinel Automation: Tips and Tricks is another excellent starting point for those who prefer webinars.

How to build an automation rule

Automation rules are a way to centrally manage the automation of incident handling, allowing you to perform simple automation tasks without using playbooks.

Do you want to learn what a trigger, condition, or action is in automation rules? Start by learning more about automation rules.

To learn how to utilize automation rules in incident management, start here: Create and use Microsoft Sentinel automation rules to manage incidents | Microsoft Docs

For tips and tricks in automation rule utilization, visit our automation rules tips and tricks blog.

How to build a playbook

A playbook is a collection of actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule, respectively.

To learn how we utilize Logic Apps for playbooks, and what a trigger, action, dynamic field, etc. are, start with an introduction to playbooks. After that, learning how to use triggers and actions is essential.

As mentioned in the intro, it’s crucial to understand APIs, as playbooks use the REST API. It is also essential to learn how to authenticate playbooks and what API connections and permissions are in Microsoft Sentinel playbooks.

As mentioned, automation rules are a way to manage automation centrally. One of the actions in automation rules is to run a playbook, and in this article you can find out how to utilize this integration.

Microsoft Sentinel has many playbook templates that can be found in the Content Hub, the Playbooks Template Gallery, or our official GitHub repo, but sometimes we will need to customize them for our own needs. This article will guide you through the customization steps.

Microsoft Sentinel’s blog on Tech Community has many examples of how you can create playbooks step-by-step. For those who like hands-on, here is a list of articles containing step-by-step instructions to create playbooks:

Microsoft Sentinel REST API docs and sample use cases:

What’s new with Microsoft Sentinel Automation

In this segment, we will be publishing all new announcements related to Microsoft Sentinel Automation. Announcements are sorted by announcement date.

Tips & Tricks

To help users understand Microsoft Sentinel Automation “under the hood”, we started the Tips & Tricks blog series:

Creating a playbook template can be a time-consuming task, and to help with that, we have created a script to create those templates with ease – learn how now!

Migrate from 3rd party automation tools

If you are already using 3rd party automation tools, learn how you can migrate to Microsoft Sentinel Automation:

NIST Selects Four Post-Quantum Cryptographic Algorithms for Standardization After the Third Round of the PQC Process

NIST has completed the third round of the Post-Quantum Cryptography (PQC) standardization process, which selects public-key cryptographic algorithms to protect information through the advent of quantum computers. A total of four candidate algorithms have been selected for standardization: CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, and SPHINCS+. Four additional algorithms will continue into the fourth round for further evaluation: BIKE, Classic McEliece, HQC, and SIKE.

NISTIR 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, details the selection rationale and is also available on the NIST PQC webpage.

See the full announcement for more details, including discussion of a Fourth PQC Conference and an upcoming call for additional quantum-resistant digital signature algorithms. Questions may be directed to [email protected].

Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats

The National Institute of Standards and Technology (NIST) has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks. Note: the term “post-quantum cryptography” is often referred to as “quantum-resistant cryptography” and includes “cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by either a CRQC [cryptanalytically relevant quantum computer] or classical computer.” (See the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems for more information.)

Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend that organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:

  • Inventorying your organization’s systems for applications that use public-key cryptography.
  • Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
  • Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
    • Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
    • Decommissioning old technology that will become unsupported upon publication of the new standard; and
    • Ensuring validation and testing of products that incorporate the new standard.
  • Creating acquisition policies regarding post-quantum cryptography. This process should include:
    • Setting new service levels for the transition.
    • Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
  • Alerting your organization’s IT departments and vendors about the upcoming transition.
  • Educating your organization’s workforce about the upcoming transition and providing any applicable training.

For additional guidance and background, CISA and NIST strongly encourage users and administrators to review: