Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Financial Loss. Show all posts
Wireless
Cyber Scammers cyber threat Cyberattacks CyberCrime FBI FCC Financial Loss Reddit SIM SIM swap Swap Scam T-Mobile Technology Verizon Wireless

Inside Job Exposed: T-Mobile US, Verizon Staff Solicited for SIM Swap Scam

 


T-Mobile and Verizon employees are being texted by criminals who are attempting to entice them into swapping SIM cards with cash. In their screenshots, the targeted employees are offering $300 as an incentive for those willing to assist the senders in their criminal endeavours, and they have shared them with us. 

The report indicates that this was part of a campaign that targets current and former mobile carrier workers who could be able to access the systems that would be necessary for the swapping of SIM cards. The message was also received by Reddit users claiming to be Verizon employees, which indicates that the scam isn't limited to T-Mobile US alone. 

It is known that SIM swapping is essentially a social engineering scam in which the perpetrator convinces the carrier that their number will be transferred to a SIM card that they own, which is then used to transfer the number to a new SIM card owned by the perpetrator. 

The scammer can use this information to gain access to a victim's cell phone number, allowing them to receive multi-factor authentication text messages to break into other accounts. If the scammer has complete access to the private information of the victim, then it is extremely lucrative. 

SIM swapping is a method cybercriminals utilize to breach multi-factor authentication (MFA) protected accounts. It is also known as simjacking. Wireless carriers will be able to send messages intended for a victim if they port the victim’s SIM card information from their legitimate SIM card to one controlled by a threat actor, which allows the threat actor to take control of their account if a message is sent to the victim. 

Cyber gangs are often able to trick carrier support staff into performing swaps by presenting fake information to them, but it can be far more efficient if they hire an insider to take care of it. In the past, both T-Mobile and Verizon have been impacted by breaches of employee information, including T-Mobile in 2020 and Verizon last year, despite it being unclear how the hackers obtained the mobile numbers of the workers who received the texts. 

The company stated at the time that there was no evidence that some of the information had been misused or shared outside the organization as a result of unauthorized access to the file, as well as in 2010 a Verizon employee had accessed a file containing details for about half of Verizon s 117,00-strong workforce without the employee's authorization.

It appears that the hackers behind the SIM swap campaign were working with outdated information, as opposed to recent data stolen from T-Mobile, according to the number of former T-Mobile employees who commented on Reddit that they received the SIM swap message. As the company confirmed the fact that there had not been any system breaches at T-Mobile in a statement, this was reinforced by the company. 

Using SIM swap attacks, criminals attempt to reroute a victim's wireless service to a device controlled by the fraudster by tricking their wireless carrier into rerouting their service to it. A successful attack can result in unauthorized access to personal information, identity theft, financial losses, emotional distress for the victim, and financial loss. Criminals started hijacking victims' phone numbers in February 2022 to steal millions of dollars by performing SIM swap attacks. 

The FBI warned about this in February 2022. Additionally, the IC3 reported that Americans reported 1,075 SIM-swapping complaints during the year 2023, with an adjusted loss of $48,798,103 for each SIM-swapping complaint. In addition to 2,026 complaints about SIM-swapping attacks in the past year, the FBI also received $72,652,571 worth of complaints about SIM-swapping attacks from January 2018 to December 2020. 

Between January 2018 and December 2020, however, only 320 complaints were filed regarding SIM-swapping incidents resulting in losses of around $12 million. Following this huge wave of consumer complaints, the Federal Communications Commission (FCC) announced new regulations that will protect Americans from SIM-swapping attacks to protect Americans from this sort of attack in the future.

It is required by the new regulations that carriers have a secure authentication procedure in place before they transfer the customer's phone numbers to a different device or service provider. Additionally, they need to warn them if their accounts are changed or they receive a SIM port out request.
Read more »
unauthorised access
Cyber Fraud Financial crime Financial Loss Information Technology Online fraud Online Scam OTP unauthorised access

E-Challan Fraud, Man Loses Rs 50,000 Despite Not Sharing Bank OTP

 

In a cautionary tale from Thane, a 41-year-old man, M.R. Bhosale, found himself embroiled in a sophisticated online scam after his father fell victim to a deceptive text message. The incident sheds light on the dangers of trusting unknown sources and underscores the importance of vigilance in the digital age. 

Bhosale's father, a diligent auto-rickshaw driver in Ghatkopar, received a seemingly official text message from the Panvel Traffic Police, notifying him of a traffic violation challan against his vehicle. The message directed him to settle the fine through a designated app called Vahan Parivahan, with a provided download link. Unbeknownst to him, the message was a clever ruse orchestrated by scammers to dupe unsuspecting victims. 

When Bhosale's father encountered difficulties downloading the app, he sought his son's help. Little did they know, their attempt to rectify the situation would lead to financial loss and distress. Upon downloading the app on his device, Bhosale encountered a barrage of One-Time Passwords (OTPs), signalling a red flag. Sensing trouble, he promptly uninstalled the app. 

However, the damage had been done. A subsequent check of his bank statement revealed unauthorized transactions totalling Rs 50,000. With resolve, Bhosale wasted no time in reporting the incident to the authorities. A formal complaint was filed, detailing the deceptive mobile number, fraudulent link, and unauthorized transactions. 

In response, the police initiated an investigation, invoking sections 66C and 66D of the Information Technology Act to pursue the perpetrators and recover the stolen funds. This unfortunate ordeal serves as a stark reminder of the prevalence of online scams and the importance of exercising caution in the digital realm. To avoid falling victim to similar schemes, users must remain vigilant and skeptical of unsolicited messages or unfamiliar apps. 

Blind trust in unknown sources can lead to devastating consequences, as Bhosale's family discovered firsthand. Furthermore, it is essential to verify the authenticity of communications from purported official sources and refrain from sharing personal or financial information without thorough verification. 

In an era where online scams abound, skepticism and diligence are paramount. As the investigation unfolds, Bhosale's story serves as a cautionary tale for all internet users. By staying informed, exercising caution, and seeking assistance when in doubt, individuals can protect themselves from falling prey to online scams.
Read more »
Vulnerabilities and Exploits
Authentication Data security software Financial Loss MFA Microsoft OAuth Third Party Apps Vulnerabilities and Exploits

OAuth App Abuse: A Growing Cybersecurity Threat

User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field.

OAuth (Open Authorization) is a widely used authentication protocol that allows users to grant third-party applications limited access to their resources without exposing their credentials. While this technology streamlines user experiences and enhances efficiency, cybercriminals are finding innovative ways to exploit its vulnerabilities.

Recent reports from security experts shed light on the alarming surge in OAuth application abuse attacks. Money-grubbing cybercriminals increasingly leverage these attacks to compromise user accounts, with potentially devastating consequences. The attackers often weaponize OAuth apps to gain unauthorized access to sensitive information, leading to financial losses and privacy breaches.

One significant event that underscores the severity of this threat is the widespread targeting of Microsoft accounts. Cyber attackers have honed in on the popularity and ubiquity of Microsoft services, using OAuth app abuse as a vector for their malicious activities. This trend poses a serious challenge to both individual users and organizations relying on Microsoft's suite of applications.

According to a report, the attackers exploit vulnerabilities in OAuth applications to manipulate the authorization process. This allows them to masquerade as legitimate users, granting them access to sensitive data and resources. The consequences of such attacks extend beyond financial losses, potentially compromising personal and corporate data integrity.

The financial motivation behind these cybercrimes, emphasizes the lucrative nature of exploiting OAuth vulnerabilities. Criminals are driven by the potential gains from unauthorized access to user accounts, emphasizing the need for heightened vigilance and proactive security measures.

Dark Reading further delves into the evolving tactics of these attackers, emphasizing the need for a comprehensive cybersecurity strategy. Organizations and users must prioritize measures such as multi-factor authentication, continuous monitoring, and regular security updates to mitigate the risks associated with OAuth application abuse.

The increasing misuse of OAuth applications is a turning point in the continuous fight against cyberattacks. The strategies used by cybercriminals also change as technology does. People and institutions must remain knowledgeable, implement strong security procedures, and work together to protect the digital environment from these new dangers. According to the proverb, "An ounce of prevention is worth a pound of cure."
Read more »
Spear Phishing
Axios Data Breach Financial Loss Ransomware Attacks. Securities and Exchange Commission Sensitive Information Spear Phishing

Security Executives: Navigating Cyber Liability Risks

Businesses and organizations across all industries now prioritize cybersecurity as a top priority in an increasingly digital world. Following cyber threats and breaches, security executives are facing increasing liability issues, as reported in recent studies. In addition to highlighting the necessity of effective cybersecurity measures, the Securities and Exchange Commission (SEC) has been actively monitoring the activities of security leaders.

The SEC's recent complaint against a major corporation underscores the gravity of the situation. The complaint, filed in November 2023, alleges that the security executives failed to implement adequate measures to safeguard sensitive information, resulting in a significant data breach. The breach not only exposed sensitive customer data but also caused financial losses and reputational damage to the company. This case serves as a stark reminder that security executives can be held personally liable for lapses in cybersecurity.

As highlighted in the 2022 Axios report, boardroom cyber threats are becoming increasingly sophisticated, targeting high-level executives and their decision-making processes. Cybercriminals employ tactics such as social engineering, spear-phishing, and ransomware attacks to exploit vulnerabilities in organizational structures. This necessitates a comprehensive approach to cybersecurity that involves not only technological solutions but also robust policies, employee training, and incident response plans.

One invaluable resource for organizations striving to enhance their cybersecurity posture is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework provides a structured approach to managing and reducing cybersecurity risks. It outlines five key functions: Identify, Protect, Detect, Respond, and Recover. By following this framework, security executives can establish a clear roadmap for assessing and improving their organization's cybersecurity capabilities.

Security executives are dealing with an ever-growing amount of accountability in the field of cybersecurity. Reports and recent instances highlight the necessity of taking preventative action to reduce liability risks. An essential instrument for strengthening an organization's defenses against cyber threats is the implementation of the NIST Cybersecurity Framework. Organizations may better safeguard themselves, their stakeholders, and their reputations in an increasingly digital environment by implementing a comprehensive cybersecurity strategy.

Read more »
Software
Cyber Security Financial Loss Hackers Identity Theft Passwords Smishing Scam SMS Phishing Software

Beware: Government's Alert on Smishing Scam Threat

The Indian government has now urgently warned its citizens about the threat posed by smishing scams. Smishing, a combination of the words 'SMS' and 'phishing,' is the practice of hackers sending false text messages to people in an effort to get their sensitive personal information. This official warning serves as a reminder that residents need to be more vigilant and knowledgeable.

The warning highlights that cybercriminals are exploiting SMS communication to carry out their malicious intentions. These messages often impersonate legitimate entities, such as banks, government agencies, or popular online services, luring recipients into clicking on malicious links or sharing confidential information. The consequences of falling victim to smishing can be dire, ranging from financial loss to identity theft.

To shield themselves against this growing menace, citizens are urged to follow certain precautions:

1. Verify the Source: Always double-check the sender's details and the message's authenticity. Contact the organization directly using official contact information to confirm the legitimacy of the message.

2. Don't Click Hastily: Refrain from clicking on links embedded in SMS messages, especially if they ask for personal information or prompt immediate action. These links often lead to fraudulent websites designed to steal data.

3. Guard Personal Information: Never share sensitive information like passwords, PINs, Aadhar numbers, or banking details via SMS, especially in response to unsolicited messages.

4. Implement Security Measures: Install reliable security software on your mobile devices that can detect and block malicious texts. Regularly update the software for enhanced protection.

5. Educate Yourself: Stay informed about the latest smishing techniques and scams. Awareness is a strong defense against falling victim to such tricks.

6. Report Suspicious Activity: If you receive a suspicious SMS, report it to your mobile service provider and the local authorities. Reporting aids in tracking and preventing such scams.

The government's warning serves as a reminder that while technology enriches our lives, it's vital to remain cautious. Cybercriminals are continuously devising new ways to exploit unsuspecting individuals, making it imperative for everyone to stay well-informed and adopt preventive measures.

Read more »
User Security
Cyber Attacks Financial Loss IoT UK UK Businesses User Security

Nearly Half of UK Businesses Suffered Cyber-Assaults in the Past Year

 

The latest findings from the manufacturers' association Make UK and the security software and services company BlackBerry revealed that 42% of UK firms have experienced cyber-attacks in the last year. The survey found that 26% of respondents had significant financial losses as a result of an attack, with losses ranging from £50,000 to £250,000. 

According to the study, production halts were the most frequent impact of cyberattacks (reported by 65% of those impacted), followed by reputational damage (43%). The majority of those who were attacked, 74%, claim that strong cyber-security measures shielded their companies from any harm. 

The Cybersecurity: UK Manufacturing report, which was based on a survey of 112 businesses representing a wide range of sizes and industries, manufacturers face a variety of cyber-security risks, from straightforward employee mistakes to intricate targeted attacks. Maintaining legacy IT (45%), a lack of cyber-skills (38%), and granting access to outside parties for monitoring and maintenance (33%) are listed as the top three cyber-security concerns. 

The industrial Internet of Things (IoT) and Industry 4.0 are seen as the primary drivers of cyberattacks by nearly one in three organizations (30%). A little more than a third (37%) claim that their organizations’ reluctance to adopt new connected technologies has limited their ability to increase efficiency and stifled their ability to expand. 

Smaller businesses are frequently more susceptible to targeted cyberattacks, yet many do not provide staff training on cyber security. A formal cyber-security procedure is now in place for over two-thirds (62%) of manufacturers, which is an increase of 11% from a year ago. Over half (58%) have elevated this obligation to the board level, while a comparable percentage has given a senior manager responsibility for cyber-security. 

Businesses are exposed to increased cyber-security concerns as they use more digital technologies. Ninety-five percent of respondents said they thought their businesses needed cyber-security measures, and two-thirds said that importance had increased over the previous year. 

However, while implementing new technology to increase output, the majority (54%) have chosen not to take any further cyber-security precautions. Along with the cost of maintaining security systems, the initial outlay on cyber-security measures is considered the biggest obstacle (mentioned by 40% of businesses). 

Russia, followed by China, according to three-quarters (75%) of those polled as the biggest cyber threat to their companies. 38% of people worry about threats coming from the UK. 

“Digitisation is revolutionizing modern manufacturing and becoming increasingly important to drive competitiveness and innovation. While cost remains the main barrier to companies installing cyber-protection, the need to increase the use of the latest technology makes mounting a defense against cyber threats essential,” stated Make UK CEO, Stephen Phipson. No business can afford to ignore this issue and while the increased awareness across the sector is encouraging, there is still much to be done.
Read more »
Scam
Cyber Fraud cybercriminals Facebook Ads Financial Loss Phishing Scams Scam

 Facebook: Bogus Event Scammers are Targeting Vendors

 

Victims have experienced nothing but worry as a result of a real-world scam that takes the pleasure out of craft fairs. It may sound strange, but it's a common criticism aimed at small/self-employed business owners who sell their own creations. They sell a range of craft-style things similar to those seen on Etsy and Redbubble in large quantities. Putting these products in front of live audiences at an event will almost certainly increase sales. 

Vendor fraud denotes misdeeds executed on a company's accounts payable (AP) for financial gain by vendors, or an employee. It's a type of scam that includes misrepresenting a vendor's or recipient's account details in AP to reroute payments.

How does this bogus vendor fair operate?

Regardless of location, the mainstream follows a consistent pattern. 
  • The imposters create completely new Facebook accounts and frequently use the same name on many accounts. 
  • They collect information from potential fair exhibitors via multiple web forms wherein name, address, description of sold things, business name, and phone number are all requested. 
  • Payment inquiries are made at this point. The recovery of funds might range from "fairly easy" to "total disaster" depending on the payment type.

How are the victims selected? 

Before claiming why an event is taking place nearby, the fraudsters use the seller's own public information against them, indicating the seller's location or even the types of products sold. The most intriguing aspect of it all is that fake fair frauds aren't an unusual occurrence. It's a legitimate sub-industry populated by devoted con artists. 

For example, false payments — in a payment scheme, the fraudster and employee can create a fictitious vendor (shell company) or manipulate an actual vendor's account to reflect their information. 

Changes to existing checks or the creation of unauthorized checks are examples of check changes. An employee takes checks from a vendor, alters the beneficiary, or forges the vendor's signature, and deposits the monies into an account of their choosing. 

Overbilling — When dealing with large numbers, a vendor expands invoices by adding extra goods or services to invoices raised to your organization. 

Vendor Fraud Classification 
  • Billing Fraud: Employees might manipulate payments in two ways. It can entail creating a fake vendor or generating duplicate payments using a genuine vendor's account. 
  • Fictitious Vendor - An employee with sufficient authority and access creates a fictitious vendor account or a shell corporation, registers it as a vendor, and makes regular payments to it. 
  • Duplicate Payments - An employee impersonates a legitimate vendor, manipulates payment data, and makes duplicate payments on a vendor's invoice. 
  • Check Manipulation: An employee falsifying or altering information on a vendor's check to redirect funds to a personal bank account. 
  • Bribery Acceptance: This sort of fraud is the outcome of an agreement between a vendor and an employee, in which the employee receives personal remittances from the seller in exchange for more advantages or sales.
  • Excess Billing: When a vendor invoices the company for excess quantities/prices than what was previously agreed upon, it is referred to as overbilling. 
  • Price fixing: Two sellers work together to fix prices at greater than normal levels.
  • Bid rigging: A form of fraud that involves collaboration between two or more vendors and workers to secure a procurement contract in favor of the highest bidder.
  • Cyber fraud: Vendor fraud cases are conducted by unknown, unauthorized personnel with no link to either the company or the vendor, making them the most difficult to identify. 

Indicators of threat 

For customers: the seller claims to be unavailable (for example, because they are traveling or have relocated to another country) and demands money before arranging for delivery of the items. They must pay the seller using foreign money transfers, checks, or direct bank transfers. They may receive a forged email receipt from the website's secure payment provider.

For vendors: Even if one is selling an expensive item like a car, the potential buyer is willing to buy your item without seeing it in person. The goods are widely available in the customer's native country, and a possible overseas buyer might be interested in purchasing them (e.g. a car or a couch). The cost of shipping frequently outweighs the cost of the item. 

Measures

Facebook posts without a location tag are an attempt to remain anonymous. Methods of Invoice Matching, Using Data Mining, Methodologies Establishing a fraud helpline might allow staff to report problems without fear of repercussions.

Vendor fraud can have a significant financial impact on a company, it can be avoided by properly developing, evaluating, and updating corporate rules regularly. 
Read more »
Phishing scam
Business Email Compromise Financial Loss Phishing scam

European Cinema Chain Loses an Astonishing US$21.5 Million to a Business Email Compromise




An European-based cinema chain Pathé lost an enormous fortune of around 19 million euros (US$21.5 million) to a business email compromise (BEC) scam in March 2018 by an attack, which kept running for about a month and ultimately costed the organization 10 percent of its aggregate profit.

The scammers here deserted setting the 'fake President' against the 'real CFO' for faking French head office missives to the Dutch management.

Beginning with the following mail:
“We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.”

Even however the CFO and Chief considered it odd, they pushed on in any case and still sent more than 800,000 in Euros. At the point when more demands pursued, including a few while the CFO was on furlough—the two executives were fired not long after the head office took note of the situation.

In spite of the fact that they weren't associated with the fraud, Pathé said they could and should have seen the warnings. The business email compromise endeavor was devastatingly effective as they failed to take note of the warnings and there was no security net set up.

Typically a business email compromise is a sort of phishing attack, topped with a dash of 'targeted' social engineering however this specific BEC scam was very intriguing since it featured a somewhat extraordinary way to deal with the attack.

As the business email compromise keeps on developing in ubiquity among the scammers, and it's up to us to battle it. It is progressively essential for any and each organization to consider the BEC important. 

 BECs being a standout amongst the most slippery dangers around it is advised for the all the clients to keep their funds operating at a profit as a need, regardless of the fact that whether they disseminate motion pictures, IT administrations, or anything else for the matter.

Read more »
Subscribe to: Posts (Atom)