At a glance.
- New York Department of Financial Services amplifies its fraud warning.
- Ransomware and the pressure to pay.
- Update on the MobiKwik incident.
New York DFS focuses on fraud.
The Cybersecurity Division of the New York Department of Financial Services (DFS) has published a letter warning of a cybercrime operation targeting public-facing instant insurance quote websites. The letter follows an initial notice sent in February, which stated that cybercriminals were exploiting flaws in the application design and code of these sites to access user data; it identifies two new techniques. First, attackers are exploiting weaknesses in the code of data prefill systems that are supposed to redact or mask portions of consumer data. Second, cybercriminals are using credential stuffing to break into insurance agents’ accounts. DFS is urging financial services companies to stop displaying prefilled nonpublic personal information (NPI) on these sites and to protect agent portals with the access controls set out in DFS’s cybersecurity regulation.
Meanwhile, DFS announced a regulatory enforcement action against a New York licensed mortgage banker and loan servicer for violating its cybersecurity regulation, JD Supra reports. The mortgage banker failed to report a data breach caused by an employee overriding the company’s multi-factor authentication protocol. Because the company already had extensive technical controls in place, including antivirus and endpoint protection software and automated detection rules, the incident highlights the need for more robust employee training. The company agreed to pay a fine of $1.5 million and to improve its cyber risk assessment protocols.
James McQuiggan, security awareness advocate at KnowBe4, commented on the place identity theft occupies in the underworld's criminal economy. “Cyber criminals will take any information they can leverage and work to get the next bit of data. The result is identity theft to profit and sell it on the black market like the dark web," he said, adding, "Organizations need to ensure they are protecting all data exposed to the internet with additional authentication, namely multi-factor authentication. While it can still be bypassed using extreme measures, it can slow down the less capable cyber criminals from gaining further information.”
Ransomware surge increases pressure to pay.
As ransomware incidents have risen rapidly over the past year, ZDNet examines the reasons why. Increasingly, ransomware operators are not merely encrypting a target’s networks but also employing a double-extortion technique, threatening to publish sensitive data if ransom demands are not met. With more entities acquiring cyberinsurance, an ever greater number of targets have the means to pay, making attacks even more attractive to cybercriminals. Ransomware-as-a-service operations have made the attack method accessible to more threat actors than ever before. But as a recent paper from the defense think tank Royal United Services Institute and cybersecurity company BAE Systems warns, “The more organizations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes.”
This pressure to pay, together with the desire to resolve an attack before it ruins a target’s reputation, has driven growing demand for professional ransomware negotiators, and SearchSecurity offers an inside look at these complex negotiations. To maximize discretion, many victims prefer the assistance of incident response firms over involving law enforcement. The negotiation process is shaped by a number of factors: the size of the ransom demand, the attackers’ record for restoring systems after payment, their history with extortion, the victim’s ability to pay, and the ransom deadline. Kevin Kline, COO of infosec consultancy Aggeris Group, says, "Taking a quick cash payment is more attractive to them than negotiating for days or even weeks and waiting for cyber insurance payments for $250,000 or $500,000 demands that they ultimately may not get." Complicating matters, the U.S. Department of the Treasury's Office of Foreign Assets Control recently issued an advisory stating that making payments to entities on the U.S. sanctions list is illegal and could result in civil penalties. That said, according to threat intelligence vendor GroupSense, 100% of its negotiations have ended in lower payments, many reduced by at least 10%. That hardly seems enough, however, to compensate for fueling a bandit economy.
Developments in potential MobiKwik breach.
As the CyberWire noted yesterday, earlier this month a researcher discovered that threat actors on the dark web had released the data of 99 million users allegedly stolen from Indian mobile payments startup MobiKwik. MobiKwik, however, denied that a breach had even occurred, asserting that the researcher’s findings were a “media-crazed” attempt to sully the company’s name ahead of MobiKwik’s IPO launch. As Business Standard now reports, the Reserve Bank of India has asked the firm to perform a third-party forensic audit using a government-approved auditor, and MobiKwik has also involved the Computer Emergency Response Team. However, The Quint reports that as of yesterday the hackers have deleted all the data from the dark web. Asked about the sudden change of heart, they responded: “All of India is worried about this leak...We had very long and deep conversations with some independent security researchers about the consequences if data is leaked or sold and decided we will delete all data from our end as MobiKwik is incompetent in that regard.”