This month in security: September 2019
US law enforcement authorities continue their war on cybercrime, but is it just a flea bite in the overall scheme of things? Garrett O’Hara argues that prevention is better than cure.
Meanwhile, a UK CEO suffered the first recorded deep-fake AI-generated voice scam, and human error exposed an estimated 2.5 million Australian health records.
Deep-fake AI-generated voice scams CEO
The scamming of a UK-based energy firm is being claimed as the first instance of an AI-generated ‘voice deep-fake’ used in a financial heist. Its CEO, believing he was on the phone to his boss at the German parent company, followed orders to immediately transfer 220,000 euros to the bank account of a Hungarian supplier.
The scam was only detected when the fraudster tried to initiate a second payment – whereupon it was discovered that the first amount had disappeared into a Mexican account then disbursed elsewhere…
While scams are nothing new, this one has a futurist vibe to it. Because neither the CEO nor the firm has been identified, much of the detail is unverifiable, which only adds to the story's appeal. Apparently, the German executive's voice was spoofed convincingly enough, in both accent and ‘melody’, to deceive the UK-based executive.
From my angle, the deep-fake is the headline, but what the case really exposes is process. Organisations need to be continually thinking about People, Process and Technology, because at the top end of business impact none of the three can be ignored. If a payment process is weak enough that a single phone call can action a transfer of 220,000 euros, then the process is neither appropriate nor strong enough, whoever is (or seems to be) on the line.
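To make the process point concrete, here is an added example of the kind of release control that would have held the payment described above (and the BEC wire transfers discussed later on this page). It is illustrative code written for this column, not anything from the firm involved; the vendor master, the account numbers, the 10,000 dual-control threshold and the channel names are all assumptions. The controls it encodes are the usual three: pay only beneficiaries already verified in the vendor master, call back on the number on file (never one quoted in the request) when the instruction arrived by phone or email, and require two approvers other than the requester above a threshold.

```python
from dataclasses import dataclass, field

# Constructed vendor master: beneficiaries finance has already verified at onboarding,
# with the contact number recorded then (never a number quoted in the payment request).
VENDOR_MASTER = {
    "HU00000000000000000000": {"name": "Example Kft", "phone_on_file": "+36 1 000 0000"},
}
DUAL_CONTROL_THRESHOLD = 10_000   # assumed policy: this amount or more needs two approvers


@dataclass
class PaymentRequest:
    requester: str                   # who asked for the payment
    amount: float
    currency: str
    beneficiary_account: str
    beneficiary_name: str
    instruction_channel: str         # "phone", "email" or "erp" (raised inside the finance system)
    approvers: list = field(default_factory=list)
    callback_verified: bool = False  # finance rang the number on file and the vendor confirmed


def release_decision(req, vendor_master=VENDOR_MASTER, threshold=DUAL_CONTROL_THRESHOLD):
    """Return ("RELEASE", []) or ("HOLD", reasons); each reason is a control the request failed."""
    holds = []
    vendor = vendor_master.get(req.beneficiary_account)
    if vendor is None:
        holds.append("beneficiary account is not in the vendor master; onboard and verify it first")
    elif vendor["name"].casefold() != req.beneficiary_name.casefold():
        holds.append("beneficiary name does not match the vendor master record")
    # A phone call or an email is an unauthenticated channel: confirm out of band before paying.
    if req.instruction_channel in ("phone", "email") and not req.callback_verified:
        holds.append("instruction came over an unauthenticated channel; call back on the number on file")
    # Segregation of duties: the requester cannot be one of the approvers.
    independent = {a for a in req.approvers if a != req.requester}
    if req.amount >= threshold and len(independent) < 2:
        holds.append(f"amount is at or above {threshold}; needs two approvers other than the requester")
    return ("HOLD", holds) if holds else ("RELEASE", [])


if __name__ == "__main__":
    # The case above as a constructed request: one phone call, an unknown account, no second approver.
    spoofed = PaymentRequest("uk-ceo", 220_000, "EUR", "HU11111111111111111111",
                             "Unknown Supplier", "phone", approvers=["uk-ceo"])
    verdict, reasons = release_decision(spoofed)
    print(verdict)
    for reason in reasons:
        print("-", reason)
```

The request modelled on the scam fails all three controls, so the voice on the phone never matters: the transfer is held until someone rings the supplier's number on file and a second, independent approver signs off.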
No code or tools needed to view Australian medical images
Security investigators in Germany have discovered unprotected medical imagery on Picture Archiving and Communication Systems (PACS) reachable from the internet. An estimated 24 million patient records in 52 countries, including around 2.5 million Australian ones, had been put online by healthcare organisations so that specialists could view them, leaving around 400 million images available for download by anyone.
This discovery taps right into the fears raised in the media over the past year about the potential vulnerability of My Health Record data: the readily accessible records contained patient names, dates of birth and examination, and other medical information, along with hi-res images of their insides.
In a way, it's a good example of human error rather than an exploit. The unprotected servers spoke DICOM, the standard medical imaging protocol, on its usual ports, unencrypted and without authentication, directly to the internet. Some of the systems even provided web-based image viewers to make it easier for anyone to see what they were downloading. No new work was needed: there was no coding required and no tools to be purchased for an unauthorised party to pull the data.
Operations reWired and WireWire: mere drops in the ocean?
On 10 September, the FBI and the US Department of Justice announced Operation reWired, a months-long international investigation to disrupt business e-mail compromise (BEC) schemes that intercept and hijack wire transfers from businesses and individuals. It resulted in:
281 arrests, including 74 in the US and the remainder in Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia and the UK
Seizure of nearly US$3.7 million
Disruption and recovery of around US$118 million in fraudulent wire transfers
Operation WireWire, a previous ‘BEC takedown’ in mid-2018, resulted in 74 arrests (mostly in the US and Nigeria), seizure of US$2.4 million and disruption and recovery of around US$14 million.
The FBI defines BEC as “cyber-enabled financial fraud … a sophisticated scam that often targets employees with access to company finances and tricks them – using a variety of methods like social engineering and computer intrusions – into making wire transfers to bank accounts thought to belong to trusted partners but instead belong to accounts controlled by the criminals themselves.”
It also says the same teams are responsible for defrauding individuals as well as businesses; think emails from a ‘Nigerian Prince’ and calls from ‘Microsoft’ or the ‘ATO’.
This story points to the massive scale of BEC and how widely distributed the attack teams are. It also got a mention on Risky Biz, which pointed out that the recovered funds and the impact of the arrests are minuscule compared to the size of the problem, estimated at US$26 billion in losses since 2016.
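Since the social engineering in the FBI definition above almost always arrives as a message that impersonates someone trusted, here is an added example of the indicators a mail gateway or SOC rule can check before the recipient is ever tempted to act on it. This is illustrative code written for this column, not a product rule set or anything from the FBI; the company, its domains, the executive directory and the sample message are all constructed. It flags the four classic tells: a display name that belongs to an executive but an address that does not, a Reply-To that drags replies to a different domain, a sender domain one character (or one "rn" for "m") away from a trusted one, and payment-pressure language in the subject or body.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed reference data for a fictitious company; replace with your own directory.
ORG_DOMAINS = {"example-energy.co.uk"}
PARTNER_DOMAINS = {"example-energy.de", "supplier-kft.hu"}
EXECUTIVES = {"hans mueller": "hans.mueller@example-energy.de"}   # display name -> real address
PRESSURE_WORDS = ("urgent", "immediately", "wire", "transfer", "new bank details", "confidential")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _fold_lookalikes(domain):
    """Collapse the usual character substitutions so 'exarnple' compares equal to 'example'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def _within_one_edit(a, b):
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion in b
        elif len(b) > len(a):
            j += 1          # insertion in b
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(domain, trusted):
    """A domain that is not itself trusted but is within one edit (after folding) of a trusted one."""
    if not domain or domain in trusted:
        return False
    return any(_within_one_edit(_fold_lookalikes(domain), _fold_lookalikes(t)) for t in trusted)


def bec_indicators(raw_message):
    """Return the BEC indicators found in one RFC 5322 message; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_to)
    trusted = ORG_DOMAINS | PARTNER_DOMAINS
    hits = []
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and from_addr.lower() != real:
        hits.append(f"display name '{display_name}' is an executive but the address is {from_addr}")
    if reply_to and reply_dom != from_dom:
        hits.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom, trusted) or is_lookalike(reply_dom, trusted):
        hits.append("sender domain is a look-alike of a trusted domain")
    part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (part.get_content() if part else "")).lower()
    words = [w for w in PRESSURE_WORDS if w in text]
    if words:
        hits.append("payment-pressure language: " + ", ".join(words))
    return hits


# Constructed lure (not a real message) modelled on the CEO-impersonation pattern the FBI describes.
SAMPLE_LURE = """\
From: Hans Mueller <hans.mueller@exarnple-energy.de>
Reply-To: hans.mueller@mail-relay-example.com
To: ceo@example-energy.co.uk
Subject: Urgent - supplier payment
Content-Type: text/plain; charset=utf-8

Please wire EUR 220,000 to the Hungarian supplier immediately. Keep this confidential.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE_LURE):
        print("-", hit)
```

None of these checks is proof on its own, and a compromised genuine mailbox defeats the first three, which is why the verification has to sit in the payment process as well as at the mail gateway. The look-alike test is deliberately narrow (one edit after folding); widen it only against a short list of domains you actually trust, or it will page you for every newsletter.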
BEC is not really something law enforcement can fix, given the whack-a-mole nature of the attackers and the risk/reward ratio. It is a bit like the ‘war on drugs’, which history has shown to be unwinnable.
It all comes down to companies and individuals being mindful and cynical – the same way they would be wary of pickpockets in crowds or public transport when visiting a new city. Just say NO to BEC!