STE WILLIAMS

Court squeezes $1 million back from convicted phisher

Wooo, fancy – a guy who phished more than 100 companies out of nearly £1m (around $1.1m) in cryptocurrency used some of that money to sit his butt down in a first-class carriage on the train. That’s how they caught him, actually – with “his fingers on the keyboard” as he was logging in to a dark web account on a train between Wales and London back in September 2017.

Flash forward two years, and Wooo-HOOOOO, it’s payback time!

As in, literal payback. London’s Metropolitan Police announced on Friday that Grant West, who was 25 when police arrested him on that train and is now 27, has not only been jailed for fraud after carrying out attacks on more than 100 major brands worldwide, including Apple, Uber, Sainsbury’s, Groupon, T-Mobile, Ladbrokes, Vitality, the British Cardiovascular Society and the Finnish Bitcoin exchange, but has also been ordered to pay back the money he ripped off.

Goodbye, cryptocurrency: when Southwark Crown Court gave West ten years and eight months in jail, the judge also ruled that his ill-gotten loot would be sold and the victims compensated:

I therefore order a confiscation of that amount, £915,305.77, to be paid as a way of compensation to the losers.

Some of it’s frozen and being held by the FBI, and all of it’s fluctuating madly, as cryptocurrencies do, which has made it tough to figure out exactly how much to give victims.

West has to agree to release the funds from his accounts, but there’s not much of a choice there: he’d be looking at four additional years in jail if he were to refuse, the judge said.

West did, in fact, agree to give up the money, which reportedly included ethereum, bitcoin and other cryptocurrencies. Unfortunately, victims won’t be able to claw back the money West blew on his fancy travel: besides his first-class train habits, he also blew the money on holidays, food, shopping and household goods.

West admitted to charges including conspiracy to defraud, possession of criminal property, unauthorized modification of computer material, and drug offenses.

Dirty deeds done in the dark

This is how he got all that money. As the Met tells it, West wasn’t an elite hacker: he ran a phishing scam. But it was a sophisticated one, convincing enough to trick even computer-savvy people, including at least one software engineer.

West first started trading on the dark web in March 2015 and completed more than 47,000 sales of people’s financial data in the form of “fullz”: slang for a complete set of records that can be used to commit fraud. He did his work using the handle “Courvoisier”.

Besides selling victims’ financial data, West also sold cannabis and “how to” guides instructing others how to carry out cyberattacks.

Then, between July and December 2015, West ran the phishing scam masquerading as online takeaway service Just Eat, in an attempt to get at the personal details of 165,000 customers. The Met says that he didn’t succeed in getting the financial data, but his actions still cost the company about £200,000 (USD $244,769).

Just Eat’s computer systems or network hadn’t been breached, but details of those compromised accounts flooded the dark web.

As the software developer victim described it to the BBC in November 2015, West’s scam email asked some Just Eat customers to fill out a survey in exchange for £10.

To do so, they were told to click on a link that brought them to a phony site that convincingly masqueraded as the real Just Eat website and which asked for a username and password.

At the end of the survey, customers were asked to enter their personal bank and credit card details in order to get that £10 credit. It wasn’t until he got to this point that the software developer realized it was a scam – the forgery was that convincing.

After police arrested West, they found financial data belonging to more than 100,000 people on his girlfriend’s laptop – the device he used to carry out his attacks. They also seized an SD card from West’s home in Kent. On that card, they found about 78 million individual usernames and passwords, as well as 63,000 credit and debit card details.

They also seized £25,000 cash and half a kilogram of cannabis in storage units that West rented in Kent.

Detective Chief Inspector Kirsty Goldsmith, head of the Met’s Cyber Crime Unit, said in a press release that West’s arrest and conviction is just one example of how the dark web isn’t dark enough to hide crooks from computer-savvy cops:

The MPS is committed to ensuring that individuals who are committing criminality on the Dark Web are identified, prosecuted and their criminal assets are seized.

What to do?

The Met reminded people to use strong passwords in order to reduce their chance of being victimized by somebody like West. Watch our straight-talking tips on how to choose decent passwords.

And, of course, one password isn’t enough. You need to have a different password for each online account you have.

Nobody expects you to remember a grocery list worth of complicated passwords, and that’s why we believe in using password managers to create them and/or to store them all and fill them in.

Of course, this isn’t just about strong passwords. You also have to spot, sidestep and report phishing email. Be wary of any link that arrives in an email. You can defend yourself further by turning on two-factor authentication (2FA) everywhere it’s offered: a phished password on its own is then not enough to log in.

It’s also a good idea to use a desktop password manager that checks the validity of domains before offering to autofill credentials. If it doesn’t offer to fill in your credentials, that could be a clue that something isn’t right about a site.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sHYkSkwLCAs/

Hostinger upgrades password security after 14m accounts breached

Over the weekend, millions of customers of web hosting company Hostinger started receiving emails bearing the bad news that their passwords were being reset after a data breach.

According to Hostinger, 14 million of its users are affected by the reset, which became necessary after attackers gained access to an API server on 23 August 2019.

This server contained an authorization token [for a database], which was used to obtain further access and escalate privileges to our system RESTful API Server.

This database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords.

What this means in practical terms is that anyone whose accounts were among those 14 million will need to reset their Hostinger Client password before they can log in.

Hostinger has said it has sent password reset instructions to all its Client users.

These are hosting accounts for numerous business and personal websites (including their domain and email management), so it’s critical that this is done without delay. So far at least:

Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.

Making a hash

Hostinger states that the account passwords were hashed without specifying how this was done. As we’ve discussed in previous articles, some hashing functions are more secure than others.

One news site quotes a customer as having asked Hostinger support which function was used to hash the passwords, receiving the answer:

We used SHA-1, but all passwords have been reset to SHA-256.

Collision attacks, the weakness that has had big internet companies readying SHA-1 for the scrapheap for years, aren’t actually what matters for stored passwords: a collision lets an attacker find two inputs with the same hash, which is a problem for certificates and signatures but doesn’t help recover a password from its hash. The real problem is that SHA-1 and SHA-256 are both fast, general-purpose hashes, so an attacker holding a leaked database can test billions of candidate passwords per second on commodity GPUs, and if no per-user salt was used, one pass over a wordlist tests every account at once. Password storage should use a deliberately slow, salted function built for the purpose, such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count; moving from SHA-1 to SHA-256 does little to change that picture.

Belatedly, Hostinger announced plans to investigate the origins of the latest incident with a view to improving security. For updates on the incident, refer to the company’s status page.

Ongoing risks

It’s good that Hostinger spotted the breach quickly and has mandated a password reset. Unfortunately, the risk to customers doesn’t stop there.

The attackers have enough information on customers from the other fields on the database to launch convincing phishing attacks, including ones designed to look like security alerts from Hostinger itself.

Our advice is to be extremely cautious about any emails that claim to be from a hosting company or domain registrar. Always access portals from the company’s domain and not via an email link.

000Webhost

Nearly four years ago a subsidiary of Hostinger, 000Webhost, suffered a similar data breach that affected 13 million of its customers.

The breach wasn’t noticed for five months but, worse, it emerged that account passwords had been stored in plain text with no security mechanism applied. As with Hostinger, the company said it would be upgrading its security going forward.

It never hurts to ask about this aspect of account security before choosing a hosting provider.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rmG_gn8oMZQ/

GitHub joins WebAuthn club

Source code management site GitHub is the latest company to support WebAuthn – a new standard that makes logging into online services using a browser more secure.

WebAuthn is short for Web Authentication. It’s a protocol that lets you log into an online service with a cryptographic key pair rather than a shared secret: the private key stays on your authenticator (a security key, phone or laptop), the service stores only the matching public key, and each login is a signature over a fresh challenge from the service plus the web origin the browser was on, which is what makes it resistant to phishing. It’s a core part of FIDO2, a secure login standard from the FIDO Alliance, which encourages industry support for these secure login standards.

GitHub, which Microsoft bought for $7.5bn last year, has been doing its best to secure peoples’ accounts with more secure logins for a while now. Back in 2013, it announced support for two-factor authentication (2FA) via SMS text messages and 2FA apps on a mobile phone. Then, in October 2015, it launched support for universal second factor (U2F) authentication. This was a FIDO specification that allowed the use of a hardware key as a 2FA mechanism.

WebAuthn supersedes U2F and offers everything the older standard did along with some additional benefits:

  • It upgrades GitHub’s 2FA support to the latest industry standard. The World Wide Web Consortium (W3C), which oversees many of the standards that make up the web, approved WebAuthn as an official standard in March 2019.
  • While you can use a third-party hardware security key to use WebAuthn, in many cases you don’t need to. You can also use a digital key stored on your phone instead, turning the phone itself into your hardware key.
  • WebAuthn can be a primary access factor. U2F still needed a password to gain access, meaning that it could only ever be a second factor in your login process. The U2F-based physical key effectively said “yes, the person entering that password is legit, because I am in their possession”.

In theory, WebAuthn can replace the username and password altogether, making your phone, hardware security key or biometric reader the only access mechanism. It can tell the online service you’re accessing: “You don’t need a password. I say this person is legit, and that’s enough”.

That’s convenient, but many people might not be comfortable with it, because no matter what people say about passwords, they provide an extra layer of protection when used with a second factor. In any case, it’s a moot point for GitHub users right now. Online service providers must configure their sites to allow WebAuthn as a primary factor, and GitHub hasn’t done this yet. It only supports security keys as a supplemental second factor right now.

Patrick Toomey, senior manager of product security at GitHub, told us:

We’re focused on leveraging the most accessible resources for user security – which ensures that the security keys are available on every major platform. We understand that security needs will continue to evolve and we’re evaluating security keys as a primary second factor as more platforms support them.

WebAuthn support is undoubtedly a step forward, even for those developers using the command line to access GitHub. A lot of software engineers live on the command line, and they often use keys based on the Secure Shell (SSH) protocol to access GitHub, or an alternative GitHub mechanism called a personal access token that replaces a password.

Developers might log into their online accounts via a browser only rarely, meaning that they might not use WebAuthn often. Nevertheless, setting it as an access mechanism is still helpful because it makes it much more difficult for an attacker to pose as them and access their account.

GitHub supports WebAuthn today on Firefox and Chrome across Windows, macOS, Linux, and Android. Windows users can also access the service using WebAuthn in the Edge browser, while Mac users can use Safari (currently in Technology Preview mode). iOS users can use the Brave browser, but at this point, they’ll still need to use the YubiKey 5Ci hardware key alongside it.

GitHub’s announcement furthers Microsoft’s existing commitment to WebAuthn. FIDO certified the software giant to use FIDO2 in its Windows Hello identification product in May 2019.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pL1_CDzIPLA/

Yes, TfL asked people to write down their Oyster passwords – but don’t worry, they didn’t inhale

Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read.

London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard.

He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password.

“I was in utter disbelief,” Fresta told El Reg, having just read about Oyster online accounts being breached by credential-stuffing crooks. “Having worked on a number of web apps, I know storing passwords in clear text is, for lack of a better word, a ginormous no-no.”

The Arriva Rail London form handed to Fresta, with a box for the customer’s plain-text Oyster password. ARL is the outsourced operator for TfL’s London Overground services.

Just to check that this wasn’t a local misunderstanding by station staff, Fresta checked it out at other stations – and was again asked to write down his password in plain text for staff to read.

TfL did not deny that this is its standard procedure for staff adding discounts to Oyster cards, but insisted in a statement to The Register that it doesn’t store those passwords and lets customers take the completed form away afterwards.

A spokeswoman told us: “Customers can add discounts to their Oyster cards at all station ticket machines and our staff are on hand to support them with this process. If a customer prefers to do this via a ticket office rather than a machine, then a password is temporarily provided to the ticket office staff via a form.

“The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options.”

Fresta was not impressed with TfL’s customer service, telling us he wasn’t given “any explanation as to how the information [would] be handled or why”.

National Rail tickets are paper-based with a magnetic stripe as local storage, whereas TfL’s Oyster card is NFC-based with a proper database behind it. The two systems don’t talk to each other, requiring humans to manually enter things like discounts that can be used on both. Public transport-using Britons in the southeast will be aware that discounts like a Two Together Railcard can be applied to Oyster fares. If you know how to navigate the arcane National Rail ticket system and precisely what to ask ticket clerks to sell you, train journeys entering or leaving the capital’s Oyster fare zones can be discounted quite significantly too; in some cases halving the price of an Anytime fare to some non-London destinations.

None of this, of course, helps one’s security – particularly when TfL asks you to write down your password. As ever, the standard advice is never to reuse password credentials across different sites or providers. We might add to that: as soon as you’ve written it down for ticket office clerks to read, change your password. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/27/tfl_oyster_cards_plain_text_password_form/

Breaking news: Apple un-breaks break on jailbreak break

Apple has issued an update to address a potentially serious security flaw it re-opened in the latest version of iOS.

Monday’s iOS 12.4.1 update contains a single fix: a patch to address CVE-2019-8605. The use-after-free vulnerability would let an application gain the ability to execute arbitrary code with system privileges. Credit for discovering the flaw was given to Ned Williamson from Google’s Project Zero team, who reported the flaw to Cupertino back in March.

This is not the first time Apple has had to patch CVE-2019-8605. The vulnerability was first addressed with the iOS 12.3 update in May of this year. Users running iOS 12.2 had been using the vulnerability as the catalyst for jailbreak procedures that allow users to install and run non-approved software on their iPhones and iPads.

The flaw was thought to have been closed for good, up until last week when word broke that the unc0ver jailbreak tool was able to unlock 12.4 handsets by once again exploiting the flaw.

It seems Apple had unintentionally rolled back the 12.3 patch that addressed CVE-2019-8605 and the jailbreak exploit for the bug that had last worked in iOS 12.2 was once again succeeding on new handsets.


Jailbreaks aside, the re-exposure of the bug was embarrassing for Apple and potentially dangerous for end-users. The vulnerability could also have been targeted by criminals to install malware on iOS devices by disguising their apps as legitimate, or by injecting attack code into legitimate apps.

In releasing the fix, Apple made a point of thanking pwn20wnd, the developer of the unc0ver tool.

Those who don’t want to jailbreak their iPhones or iPads would be wise to make sure they are running iOS 12.4.1 or later.

Apple also put out updates to address the same vulnerability in macOS and tvOS. On those platforms the bug is considered a much smaller risk: Apple TV is largely a walled garden, and exploiting it on macOS would require code already running locally, at which point, The Register reckons, it’s game over anyway, though a local bug that hands system privileges to unprivileged code is still worth patching promptly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/26/apple_fixes_ios124_jailbreak/

Can’t bear to part with that well-worn copy of Windows 7? Microsoft might let you keep it updated an extra year

With Windows 7’s official retirement less than five months away, Redmond is offering some business customers a way to squeeze a bit more life out of the beloved OS.

A recently unearthed provision in the Windows 7 and Office 2010 end of support FAQ notes that companies running Windows 10 Enterprise E5, Microsoft 365 E5, Microsoft 365 E5 Security, and Government E5 plans will be able to receive their first year of patch support for Windows 7 free of charge.

The idea, says Microsoft, is to allow businesses a bit more time to iron out their plans for migrating to Windows 10 from Windows 7 when official support for the latter ends on January 14th, 2020.

“Starting June 1st, EA and EAS customers with active subscription licenses to Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security (as of December 31, 2019) will get Windows 7 Extended Security Updates for Year 1 as a benefit,” Redmond explained.

“With this limited-time promotion, you have more options to continue receiving Windows 7 security updates after end of support.”

The EA and EAS packages are designed for medium and large enterprises with 500 or more licenses to manage, so those with smaller packages can’t claim the discount. Companies that aren’t on one of the qualifying plans will still be able to get extended support, provided they are willing to pay up to $200 per year.

As it turns out, there is no shortage of businesses still clinging to Windows 7 despite the looming retirement. A customer survey released on Monday by Kaspersky finds that 47 per cent of SMB and enterprise customers are still running Windows 7, putting it on equal footing with Windows 10.


Consumers and very small businesses (under 25 people) are slightly more up to date, with 38 per cent of both categories still on Windows 7. Amazingly, of those surveyed, 2 per cent of consumers and 1 per cent of very small businesses were still on the now-ancient and highly unsafe Windows XP.

The continued reliance on Windows 7 across all markets has Kaspersky security bods worried that millions will be exposed when support ends.

“The reasons behind the lag in updating OS vary depending on the software in place, which may be unable to run on the newest OS versions, to economic reasons and even down to comfortability of routinely using the same OS,” said Kaspersky enterprise solutions manager Alexey Pankratov.

“Nonetheless, an old unpatched OS is a cybersecurity risk and the cost of an incident may be substantially higher than the cost of upgrading.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/27/windows7_free_updates/

Fraught ‘naut who sought consort’s report says: I was up to naught, I will thwart fault tort

A NASA astronaut has been accused of breaking into her wife’s bank account while working aboard the International Space Station.

Anne McClain, a veteran NASA flyer and one of the presumed frontrunners for the next manned lunar missions, is the subject of a complaint by her former spouse who claims that, while in orbit on the ISS earlier this year, McClain accessed her bank account without permission from a NASA computer.

McClain denies any wrongdoing.

According to multiple reports, the alleged unlawful access took place while McClain and ex-wife Summer Worden were in the midst of a divorce and custody battle. It is claimed that, while in low-earth orbit, McClain used Worden’s credentials to log into the account and snoop on her finances.

Worden, who has complained to NASA, as well as the FTC, says McClain had been told Worden’s account was off-limits, and that she did not have permission to use the password to check on activity. The American space agency’s inspector general will probe the claims.

McClain acknowledged looking up the account information from the internet connection NASA maintains aboard the ISS, though the astronaut is said to be contending that she did not know she was not supposed to look at the account and was merely checking on the balance to make sure the family had enough money for day-to-day expenses.

The astronaut has also posted a tweet to address the reports…

“Lt Col. Anne McClain has an accomplished military career, flew combat missions in Iraq and is one of NASA’s top astronauts. She did a great job on her most recent NASA mission aboard the International Space Station,” NASA said in a statement to The Register.

“Like with all NASA employees, NASA does not comment on personal or personnel matters.”


The activity in question occurred during the six months McClain spent aboard the space station earlier this year. The mission drew worldwide attention earlier this year when its planned highlight, the first ever all-female spacewalk, had to be cancelled because the space agency didn’t think to pack enough gear to kit two women at the same time.

According to the New York Times, Worden and McClain are in the middle of a contentious legal battle over the custody of the son she and Worden have been raising together for the past five years.

The case, it is said, has been complicated by questions over whether McClain has any parental rights over Worden’s child (who was one year old when the pair were married) and allegations by McClain that Worden has a history of making poor financial decisions and having a bad temper.

The allegations come amid speculation that McClain, a six-year NASA vet and senior US Army pilot with more than 800 hours of combat flight over Iraq, is being considered among the favorites to lead NASA’s new lunar missions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/26/iss_astronaut_hacking_allegation/

Case Study

‘Culture Eats Policy for Breakfast’: Rethinking Security Awareness Training

What’s definitely not working with end-user cybersecurity awareness training – and what you can do about it.

Stu Sjouwerman has been focused on IT security for more than 30 years. The CEO and founder of KnowBe4, an awareness training provider, launched the company about a decade ago in response to what he saw as a serious gap in understanding about risk among end users.

Initially, as KnowBe4 created a customer base, many companies took on awareness training for compliance reasons. The legal landscape demanded security managers in some sectors to demonstrate they were at least offering awareness as part of overall strategy. But now their motivations have changed.

“The big movement, the sea change, has been from compliance to security,” Sjouwerman says. “Imagine a Venn diagram. One circle is compliance. The other is actual security measures you need to take to make sure the bad guys don’t come in. Awareness training has squarely moved from one circle to another.”

Sjouwerman believes awareness training has finally arrived. More organizations see the value in it beyond checking a box, he says, and are investing accordingly.

“Over [the] last few years, awareness training has come into its own,” he says. “CISOs understand there is no silver bullet in just software filters and that you really need to create a human firewall.”

So there is awareness of security awareness. That’s good news. But is it working?

“I think more companies are running programs,” says Lisa Plaggemier, chief evangelist at the InfoSec Institute, “but I question the efficacy.”  

What’s Not Working?
“The problem for some organizations trying to run really engaging, creative awareness campaigns is that they can get watered down in committees,” Plaggemier says. “When we get [human resources], corporate comms, marketing all weighing in equally on an awareness campaign, the result can be bland and maybe too ‘safe.'”

And certain strategies that originally launched in the early days of security awareness programs are now proving ineffective. According to Jason Hoenich, founder of awareness training provider Habitu8, programs based on FUD (fear, uncertainty, and doubt) and phishing simulation programs that use punitive measures are less powerful.

“Cutting off email access, Internet access, scolding, getting in trouble — these are all terrible consequences and methods against users that respond to email phishing simulation campaigns,” Hoenich says. “It’s a training — you can’t fail a training. If [a business] is finding [it needs] to resort to this, it means the program is doing something wrong.”

Rethinking: Power to the People   
So what does work in awareness training?

One approach Hoenich has recommended lately is the use of “security ambassadors” — a grassroots community of eager employees and leaders who are responsible for engaging with their co-workers about the larger security awareness program and its purpose and goals.

“It allows a single resource managing a program for a large enterprise and the ability to create local, trusted resources for each department, building, floor, and region as necessary,” he says. “These resources also become feedback channels, so you can hear the needs of teams and departments you typically wouldn’t get the chance to interface with.”

Plaggemier believes in unique content that will interest end users at all stages of security understanding.

“The old sales funnel tells us that there are four stages people go through as they change their behavior: attention, interest, desire, and action,” she says. “You need content for people at every stage of the funnel.”

But that content has to take into consideration what its readers truly need to know.

“I still see too much homegrown content that assumes everyone is as passionate about security as we are: newsletters in 12-point type that are very content-rich,” Plaggemier says. “That’s fine for someone who is already interested or already desires to learn more about how to take action, but do you also have content for people that are at the top of the funnel?”

Rethinking: Power to the Data
In addition to technology such as phishing testing modules, there are technologies to measure and monitor users’ security behavior (or lack thereof).       

For example, in a session titled “Testing Your Organization’s Social Media Awareness” at the recent Black Hat Briefings conference, Jacob Wilkin, network penetration tester and application security consultant with Trustwave SpiderLabs, demonstrated Social Attacker and Social Mapper. These newer, open source tools can be used to gain insights on users’ security savviness when using social media. 

Social Mapper searches for profile information from social media sites including Facebook, Instagram, and LinkedIn to see how employees have linked back to an organization in their profiles. Social Attacker can be used for active testing to discover which employees actually accept connection requests from a fake account — a key sign of a user who needs awareness education.

“You see who is connecting with strangers. You see who is clicking on links that you send them,” Wilkin explained.

These tools offer visibility into end users’ security practices, which the security manager can then use to tailor education efforts. (He cautioned that use of Social Attacker may not be legal in some regions due to privacy laws and should be thoroughly investigated before use.)

People and Data: Using Both to Create Culture
How do CISOs reconcile the two approaches offered by both training and analytical tools? Is it possible to harness the latest and greatest security intelligence while also training users to be part of the solution? 

Sjouwerman thinks the answer lies in both. As an example, this year KnowBe4 acquired Norwegian-based CLTRe, a toolkit that describes itself as “the yardstick of culture.” It scientifically measures security attitudes, behaviors, compliance, cognition, communication, norms, and responsibilities, and then assesses individuals within the organization so it can serve up micro-training modules specific to each person’s weak areas.

The objective, Sjouwerman says, is to use analytics to first understand where the work needs to be done, and then get users involved in improving their own risk knowledge.

Starting with a high-level overview of security culture is the essential first step to improving awareness among the ranks, he said.

“Culture eats policy for breakfast. You can have as many policies as you want. But if your culture doesn’t support it, it ain’t going to happen.”

Hoenich also indicates that organizations must design a program that is unique to their organization.

“Each company has its own unique culture. How employees communicate with leadership and one another all mean each program needs to be unique in its approach,” he said.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/culture-eats-policy-for-breakfast-rethinking-security-awareness-training-/b/d-id/1335643?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

3 Arrested in Transnational Fraud Indictments

According to the indictments, the accused impersonated government officials when they demanded money from their victims.

A scheme that allegedly netted three individuals more than $2 million has also netted them arrests and federal indictments in a case unsealed today in New York. According to the indictments, the individuals falsely claimed to be employees of the IRS, the Social Security Administration, or the Drug Enforcement Administration when they called victims and told them they owed the government large sums of money.

According to the indictment, Kamal Zafar, Jamal Zafar, and Armughanul Asar, along with others working in call centers in India, called thousands of victims between January 2018 and September 2018 and told them that they owed money which was to be paid immediately. Once the funds were wire-transferred to accounts established in the names of fake companies, the men allegedly laundered it through a series of additional fraudulent accounts.

If convicted, each of the accused could be sentenced to up to 20 years in prison.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/3-arrested-in-transnational-fraud-indictments/d/d-id/1335646?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple