Cyber Security News Update – Week 43 of 2019

Didn’t even know Facebook had a lottery. Apparently it doesn’t, but that doesn’t stop fraudsters from using it to scam people.

According to ID Theft Center, “The Facebook Lottery Scam is certainly nothing new, but what makes this version different is the accompanying image of a certificate of authenticity made out to the recipient. In this version, which typically comes through private messages on Facebook due to lack of email security service, someone contacts you to let you know that you’ve won, and then informs you that you must show up in person to collect your winnings.

When you reply that you can’t do that due to geographic limitations, you’re then offered the option to have the winnings shipped to you for an outrageous amount of money. One of the methods for enticing people to play along is to use hacked friends’ accounts, meaning the award notice can look like it came from someone you know.”

Stripe Phishing Scam

Stripe is a popular payment processing service used by a lot of small and online businesses which enables them to accept credit card payments. Naturally, something as popular as Stripe is going to be a target for hackers.

News comes this week that “Cybercriminals have devised a phishing campaign that takes aim at customers of the online payment processing company Stripe, with the intention to steal their credentials, compromise their accounts and presumably view their payment card data.”

The article goes on to say “The attackers employ two clever tricks to hide their malicious activity. First, they use a technique to block email recipients from viewing the destination of a malicious embedded link when they hover over it with their cursor. Then, after stealing victims’ login credentials, they use a fake log-in error message as a sneaky way to transition them back to the legitimate Stripe website.”

Phishing Phrontier

What’s the newest type of phishing attack? How about evasive spear phishing.

According to Glass Wall Solutions, “Evasive Spear Phishing [is] a unique malicious file, being sent from one actor to one recipient.” In other words, evasive spear phishing describes a totally unique event. This is to differentiate it from normal spear phishing where the same message/attachment is reused for several targets.

The weapon of choice in evasive spear phishing is always an attachment and the two most popular are PDF (43%) and Word (35%). Generally speaking, the objective of evasive spear phishing is the “theft of highly valuable or influential information or data that can be monetized.” The industries most susceptible to evasive spear phishing are technology and legal.

Body Count

In this section, we normally detail the cost of successful phishing attacks and ransomware on victims. But today, we’re in for a treat. Today, we’re going to detail the cost to the perpetrator of conducting phishing scams.

According to Katy (Texas) News, “A Katy area resident has been found guilty of 27 federal criminal charges related to a major hacking of the Los Angeles Superior Court computer system and then using it to send approximately 2 million malicious phishing emails. Oriyomi Sadiq Aloba, 33, was found guilty after a three-day trial ended last week. Aloba was taken into federal custody immediately after the verdict was read. Aloba will be sentenced in October. He faces a potential of more than a 350 year sentence.”

It doesn’t make up for all the damage he’s done, but it sure does feel good. It feels like justice.

Oriyomi wasn’t the only bad guy to get outed this week. According to SC Magazine, the “Hacker behind Montgomery County school data breach [has been] identified. The as-yet-unnamed student faces disciplinary action from the school and possible criminal charges.”

And that’s the week that was.