Hello and welcome to the Cyber Rants podcast. This is Zach Fuller, joined by Mike Rotondo and Lauro Chavez. Be sure to rate the show, share it, tell your friends. We want to get the word out today about what we're talking about, especially when it comes to executives and leadership within organizations.
We are going to talk about whaling, whale phishing, spear phishing, targeted attacks on specific people. These are becoming more and more prevalent these days. So we figured, in usual Cyber Rants fashion, that we'd talk about it.
So we're going to dive into that here. But first, Mike will kick us off with the news. Well, the first story is a whopper of a story. You could say it's a whale, actually. Burger King forgets to put a password on their systems again.
CyberNews research team uncovered that Burger King in France exposed sensitive credentials to the public due to a misconfiguration on their website. The affected website served for job applicants, people who sought employment.
Burger King in France might have been potentially affected. It's not the first time Burger King has leaked sensitive data: in 2019, due to a similar misconfiguration, Burger King reportedly leaked personally identifiable information of children who bought Burger King menus.
Yeah. Anyway, so there we go. NodeStealer 2.0 takes over Facebook business accounts and targets crypto wallets. Palo Alto Networks' Unit 42 discovered a previously unreported phishing campaign that distributed a Python variant of NodeStealer.
The malicious code was designed to take over Facebook business accounts and steal funds from cryptocurrency wallets. Since December 2022, the experts observed threat actors targeting Facebook business accounts with phishing lures, offering tools such as spreadsheet templates for business.
The malware was first spotted in late January 2023. It allows stealing browser cookies to hijack accounts on multiple platforms. It can target multiple web browsers, including Google Chrome, Microsoft Edge, Brave and Opera, as well as Facebook, Gmail and Outlook.
The variant disclosed by Meta in May is a custom JavaScript malware that bundles the Node.js environment. Node.js was used to allow malware execution on multiple OSes. So I don't know why you would have Facebook Business, but then I don't know why you'd have Facebook.
But that's another story. New AI phishing tool FraudGPT tied to the same group behind WormGPT. A new AI bot called FraudGPT has been discovered being sold on various dark web marketplaces and Telegram accounts that is exclusively targeted for offensive purposes, such as creating spear phishing emails, cracking tools, and carding.
FraudGPT was more focused on short duration, high volume attacks such as phishing, while WormGPT was more focused on longer term attacks with malware and ransomware.
Researchers said they found evidence that FraudGPT has been circulating on Telegram since July 2022. The researchers said a threat actor can draft an email with a high level of confidence that will entice victim users to click on malicious links.
Bad news: the subscription starts at $200 a month and goes up to $1,700 a year, so they've got to make their money, too. Microsoft key stolen by Chinese hackers provided access far beyond Outlook. This has been the story that's been circulating for a while.
The private encryption key used by Chinese hackers to break into the email accounts of high level US government officials, disclosed last week, also gave them access to other Microsoft products. On July 11, Microsoft disclosed that a threat actor linked to the Chinese government had, through an acquired Microsoft private encryption key, forged authentication tokens that gave them access to Exchange Online Outlook email accounts for more than 25 organizations, including government agencies.
In a blog post published Friday, the head of research at Wiz said further investigation has revealed the key would have given the cybercriminals access to far more than Outlook, spanning many other Microsoft services that use the same authentication process.
Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure AD applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customer applications that support the "Login with Microsoft" functionality, and multi-tenant applications in certain conditions.
Zero-day in Salesforce email services exploited in targeted Facebook phishing campaign. There's Facebook again. Researchers at Guardio Labs uncovered a sophisticated phishing campaign exploiting a zero-day vulnerability in Salesforce email services and SMTP servers.
The phishing campaigns are able to evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform. Threat actors were able to craft spear phishing messages posing as sent by Meta and using the salesforce.com domain and infrastructure. The messages aimed at tricking recipients into clicking on a link.
The content claims that the recipient's Facebook account is undergoing an investigation due to suspicions of engaging in impersonation. The phishing email is well formed in an attempt to appear as a legitimate message.
It mentioned the target's real name and seems to be mailed from Meta Platforms. By clicking on the link, the recipient is directed to a malicious landing page that is crafted to capture the victim's Facebook account credentials and 2FA codes.
Okay. Oh, and that was the last one. So we have some headlines. Unpatched Apache Tomcat servers spread Mirai botnet malware. The White House Cyber Workforce Strategy: no quick fix for skills shortage. Yeah, no kidding.
China-backed hackers suspected in NetScaler RCE attacks. There's a new thing called the California Delete Law that's coming out that actually is a good thing. Definitely take a look at that. And then Amazon's AWS SSM Agent can be used as post-exploitation RAT malware.
So we got that going for us. Lauro, you're out in the wilderness, in your metaverse, in your corner. Tell us something good. Thanks, Mike. Yeah, the mini-world series. I'm in one of the mini worlds of Lauro's Corner.
And since we have leadership on the discussion topic today, I thought I'd come out with three leadership tips for the new CISO that has come onto the job. And I've been asked this by a few of my individuals that reach out to me for questions every now and then.
Hey, what are three things that I should know if I come on to a job and I'm in a cyber leadership position? So this is kind of hard to define, so I did my best. Number one, take a good scope of all the tools and technologies that exist today and make sure you're getting the most out of them.
Most of you may have heard me say that all IT is inherited at this point. There's not a lot of new technology being built in organizations. A lot of the time our network engineers and software engineers, definitely software engineers, know all about inherited code.
But IT is starting to learn that, too, coming into tools and technologies that have just been there for years and haven't been changed. And that's not necessarily a bad thing. But you need to understand: are you getting the most out of your tools and technologies?
So make sure that you're taking the time to build a capabilities matrix, or even something that you might want to call a telemetry matrix, just to make sure that you've got visibility and understanding of all the critical areas of the business, from logging to even the code online and the repositories that your developers are using.
Before you let any one of the engineers recommend any new tools, I think this is always a good idea: do an architectural gut check. Make sure that you've got everything that you need. Use that matrix to define what your requirements are and what you're missing.
That way, you kind of know where you need to be lined up for the gaps, and then you can probably get into some demos with some cool tools to find out if that's something that you could benefit from. So number one, make sure you're getting the most out of your tools.
Number two, which could be argued should be number one, but I believe number one needs to happen before number two can happen. That sounds weird, but in any case: document the business level cybersecurity risks and ensure that you are keeping leadership aware, even if they seem like they don't care right now.
Okay? It's your job as a cybersecurity professional, specifically in a leader position, to make sure that you're accounting for all the business critical level risks that exist out there. So document them.
And a lot of the times when you come in and you start bringing these things up, you'll notice that you might get some resistance from leadership. They may give you a cold shoulder, but it doesn't matter.
Make sure that you're documenting all this stuff, creating your risk reports like a good cyber professional should. And that way, when the worst case scenario happens, you can hand over all of your neat, tidy risk reports to the opposing counsel, almost like a literal get out of jail free card, because you had been documenting the stuff the whole time.
So number two, document all of the business level risks, have a risk register, and make sure that you're letting leadership know in the form of emails or in leadership meetings, even if they don't care.
Number three, probably the most important one in my opinion. Point number three is don't overwhelm your already overtaxed skeleton crew of IT security professionals and IT professionals. I know we all are trying to get more out of less right now in this economic climate, but that is not a place to do this with your people. So as the saying goes, you can't squeeze electrons out of an already at-capacity GPU without risking a small fire.
The same could be said about your professionals. So make sure that you are keeping them happy, making sure that you're offering them bonuses or incentivizing them to work remote so that they can be happy and do that work for you, even though they're probably stressed out and overworked like most of us are.
But occasionally, bonuses can also help the four jobs that one person is doing go down just a bit easier. So point number three treat your existing personnel very well and make sure that you're being a good leader to those personnel and not overusing them in the times where we have a small crew and a lot of work to do.
So make sure that you're treating that as a good leader should and making sure they have what they need. And since we're talking about leadership today, I think that kind of segues right into our conversation about whaling and spear phishing.
Can I add one thing to the end of that for the CISO? If you're going to reward your troops, find out what they like. Right? Don't take them to some gameplay that they have no interest in, or don't take them bowling or something like that.
Find out what they like and give them that, because that'll show you actually care. That makes sense. Well said. Well said. Yeah. I mean, we may have to do some extra editing of this episode, too, because, Mike, I think I heard you say that California did something good.
Maybe I misunderstood. It's the Delete Me Act, which forces companies to remove your data and reins in the data aggregators. Well, that is good. Way to go. Applaud, California. A broken clock is right twice a day.
Step in the right direction. Well, outstanding. And we're kidding, of course, for all. All you Californians listening. And I could say that because I'm originally from California, too. Anyway, seriously, move out of there.
Yeah, but you might want to get out quick, like yesterday. Well, that said, hey, we're going to dive in. We're going to talk a little bit about the considerations and kind of what we're seeing out there in terms of targeted attacks, especially as relates to executive leadership.
And it's an interesting topic. No scripts here. We're just going to see where the conversation goes, and we'll give you some stories and what you can do about it. So with that, we're going to take a quick commercial break, and we will be right back.
And we're back with the Cyber Rants podcast. Thanks for joining us today. Zach, Mike and Lauro here. And we are going to talk about whale phishing, spear phishing, whaling, different social engineering approaches targeted towards specific groups of people, especially leadership.
And so maybe I'll just preface it with the concept: whaling or whale phishing is going after an executive leader or somebody of a very high profile. Might even be an ultra high net worth individual or celebrity or somebody like that.
Spear phishing, on the other hand, could also be translated to smishing, those types of things, all of that. But that's targeted toward a specific group of people, not necessarily high profile, but it might be security analysts, for example, or IT help desk people or something like that.
Doesn't necessarily mean it's toward leadership. So we'll kind of loosely define those as that for today. I mean, there's a lot of different terms out there as well, but we'll focus on those. So with that.
Should we have a little bit of story time? I got a little story. Please, go ahead. Okay. One of the reasons we've been hearing about this more and more from people, and one of the reasons this spurred the idea to talk about this, is I was talking to a CEO of a company that we support just the other day.
We were chatting, and it was really interesting to see from his lens what was going on in his organization. So different people that he works with on a regular basis, other leaders within the organization were getting emails, very well crafted emails that look like full email chains and text messages.
And they were eerily accurate. They were very well done in the fact that in fact, one text message, the CEO was at an event, and the text message to one of his team members said, hey, I'm at an event, I'm out of the office right now.
Can you do this? I think it was grab some gift cards for giveaways or something like that. One of those typical requests, right? But it's really interesting that they seem to know and granted, there are ways that you could figure this stuff out, social media and that sort of stuff, if it's up there, but I didn't really see his posts all over the place or anything like that.
It would be tough to get that information. Another thing that had happened to the same individual was a request to make a donation to a certain group. One of his team members got a full email chain with emails that were seemingly written by him, with his signature block and all of that between him and a nonprofit.
And it was basically led to him authorizing a transfer and the nonprofit providing wire instructions. Of course, this was all fake. He had never written any of these emails. But it was very, very well done.
So that's an example of what whaling looks like in the real world and what's going on out there. And probably those of you listening have your own stories and you've seen things like that happen, but it is prevalent today.
Fortunately for them, his staff was very well trained and we've been working with them on awareness and such for quite a while. So they caught these things and they said, hey, this doesn't look right.
But not every organization is so lucky. And a lot of the time these things are successful, which is why criminals use these tactics. So that's it. That's the end of my story. There's no amazing moral of the story or anything like that right now, other than train your people, of course.
But I don't know, do you guys have anything you want to share or you want to dive into? Kind of, what do we do about it? I was hoping we were going to say they lived happily ever after. Yeah, like happily ever after.
Mike, you have a good story. I don't know if that exists in the world of cybercrime anymore. I don't know if there is a happily ever after. Unless you just disconnect from the world completely. No Internet, no computers.
Well, what I see is the next evolution in it is TPS reports and handwritten memos with a new cover sheet. Put the new cover with a new cover sheet. Yeah. Matrix patterns. Exactly. It's hard to hack a notepad.
So we're going back to typewriters, the whole steno pool, back to Mad Men in the 70s. So we can drink scotch at 2:00 in the afternoon. Yeah, and you can smoke in your office. Sounds pretty good. It's still the five martini lunch and the whole deal.
Back when life was good. Arguably, to one's opinion. But yes, I didn't smoke in my face. I was one of those kids that mom would take me to school and I'd get to school smelling like I'd smoked all the way to school in the back of the car.
Not with the no smoking stuff today, let me tell you. But you're right, Zach, there's no happy ending to this. There's no moral. I think we could each hear lots of stories, but one thing I want to bring up about this is that I've had a number of colleagues reach out to me about what do I do about my senior leadership?
They don't want to enable multifactor authentication. They refuse to take their security awareness training. And it's like, you're in charge of this whole organization and you're mandating it. Okay, you want to be ISO 27001
or SOC 2 Type II. So you're requiring all this of your other people and your other employees. However, you seem to be exempt from the rule. And I think we've all got a story of, and Mike may even have a recent one, somebody who has done that and refused to enable multifactor, and it cost them their email account and some of their personally identifiable information.
And that's going to happen every single time. So if you're a leader in one of these organizations and you're listening to the podcast, or you're a security member, make sure the leadership knows that they're not exempt from the rules.
Take the training. They still need to enable multifactor. Yes, it's another login. Yes, it's a password manager. I don't want to do it. But it seems to me that these leaders and these individuals sometimes are the easiest targets for cybercriminals because, I hate to say it, but sometimes high positions give you an above-the-law kind of feeling, you know what I mean?
Like, I can't be touched up here, you know what I mean? And that's exactly. Again, the criminal's motto is neglect is my ally. So if you're neglecting your multifactor, you're neglecting security awareness training.
That's a good thing for me because that means that I can get you fooled into buying some gift cards for me. Just to accentuate that point, I can't tell that story because even if I change the names to protect the guilty, it's too fresh.
And I know they listen to the podcast, one of our billions of fawning fans. But just to accentuate that point, Lauro, Zach and I do take our security training every couple of months. We do that, and we could write our own security training, but we still take the security training that we get from our third party provider.
So if we aren't above it, the CEO isn't above it. And the other thing is that the CEO needs to be... and you IT analysts or security analysts are maybe not the person to talk to them about it, but they're liable if something happens. They're liable.
It's not you, it's them. You document, recommend, and that's what you do. I mean, you identify the gaps, they make the decision, but they are the ones that are liable. Remember the Target breach?
The people that got fired were the business people, so not the IT people. I have another story for demonstration that we could use as a prime example. Not fresh. Not fresh. This one's a couple of years old, but still very applicable and relevant today.
And then what we'll do, we'll share what happened and you as listeners can think about, well, what could have been done differently. And then we will share as well and do a little roundtable here. So here's the situation. Lauro, you remember this very well.
A certain company on the east coast. We'll call it an investment group. Joke joker. I remember that. Yeah. So the founder was on his way to a bar mitzvah one Friday afternoon and started getting some text messages in the form of two factor authentication PINs, right? Little six digit PINs that pop up.
Hey, enter this into your browser and you get access to your account. Well, at first he didn't think anything of it, then started getting worried, and then started realizing that, wait a minute, something's wrong here, because this is happening with multiple accounts.
So what happened was, while this was going on, the attackers had hijacked his email account. They used what's called SIM swapping, where they replicate the SIM card on his phone because they know his phone number, right?
So this is perfect whaling example, right? Guy deals with a lot of money, all of that, and well meaning, just unaware individual. This could happen to anybody that doesn't know how to set their. So this is not a hit on him by any means.
But they had got access to his email account. Well, it turns out that email account was the one that everybody knew, right? This is the one that he does his transaction with. He communicates with people.
So not hard to find that. And this particular email account was the administrator to their company wide Google Workspace account. Back then it was called G Suite, right? This is what, two, three years ago?
Something like that. Then it turns out that same email account was also the administrative account for the Dropbox account. So we're talking all cloud services here, right? There's no on-prem. This is a pretty small organization.
They didn't really have on-prem servers or anything like that. They also used this for their domain registrar. Same email as the administrator for the domain registrar and for three cryptocurrency accounts.
All right? So keep in mind that all of these had two factor authentication, but because they were linked to the cell phone SIM swapping, the attackers were able to bypass that. Plus, now that they have access to the email account, they're able to pivot and get access to all these other accounts and do password resets and all that, because it's sending those password reset requests, it's sending all those messages back to that email account that they had control of.
So by getting access to this one individual's email account and doing this whaling attack, right, they had the phone number, they did the SIM swap, all that, they were able to access the keys to the kingdom, everything in the organization.
They hijacked the cryptocurrency accounts, sent that money off, never to be seen again. They even went so far well, of course, they access a dropbox all the investor files, all that stuff, and even went so far as to hijack the domain name, send it to a registrar overseas, and demand a ransom.
Now, when that happens, of course, it renders the company inoperable because nobody can email them, right? That's the domain names critical for their email, for the website, of course. And so as an investment firm, you can imagine what your investors are thinking when you're inaccessible, when you just fall off the map completely.
So that's a huge black eye in a very trust driven world. That can be tremendously painful for a firm to go through. So a lot of things happened there, but all as a result of the access to one, the leader's account, the person who founded the organization, that was used to set up everything else.
So with that, what do you guys think? What could happen differently? How could that be prevented? Don't use two factor with your phone, right? Use an app. Don't use it with your phone number; get the authenticator apps.
Yeah, absolutely. And Lauro's frozen up on us. I think he's out in the forest. Maybe he's back. I just saw... I think I'm back in my multiverse. Solar flares, solar activity, Starlink. I love it. Except when there's solar activity, it looks like Endor.
Is that where you're at? I am on the planet Endor. The Ewoks were making me some bacon breakfast, which is odd for... yeah, no, that was a good story, Zach, before I froze. I kind of know where we were going with that, but I think Mike said it all.
Use one time PIN. I think one of the biggest mistakes that leaders make is thinking that multifactor in the form of SMS codes is secure. And I think the SIM swapping vulnerability proves otherwise, right? At least with a PIN factor like Google Authenticator or Symantec VIP, or the millions that are out there, they have to have physical access to your phone, which means they have to come to your house and kick your butt and take your phone from you and then get you to give them the PIN to log in.
You know I wouldn't do that. I wouldn't go to Mike's house and try to rip his phone out of his hands. It'd be the last thing you'd ever do. Well, it would. What with that? The other moral to this story, too, is don't use for those leaders out there.
Don't use your main primary means of communication as your administrative credentials as well. So, in other words, have a separate email that nobody else knows. For admin access to certain platforms that you need to get into.
So don't hold the keys to the kingdom yourself. The principle of least privilege applies to you as leaders as well. Well, I think what we really need to take away from this is that the CEO has to accept that they are a high target, or CIO or the COO or whatever C level you are, or founder or what have you, and that individual should not necessarily have those rights or access.
There's no reason for it that needs to be protected, be it a separate account, be it someone else in the organization, be it what have you, but you need to segregate that. But you have to understand that you're a target.
And if you have the attitude of, I don't really have anything they want to steal, I'm just a CEO, you're wrong. You got to pay attention to that and you understand your position in the company and all the OSINT that's out there.
If you're posting on various social media where you're going all the time, it's real easy to track you, find you. By the way, get rid of your facial recognition on your iPhone, too, because all they really need is a picture and your iPhone and they can steal.
So, yeah, the other thing I'll add to this. I know that Facebook was in Mike's news articles earlier today, but the segregation of emails for administrative activity, I think, is probably one of the most important takeaways here.
Definitely, Mike and Zach. And for those of you who are doing business on Facebook as a business, and you have a business footprint on Facebook as well as Instagram, right, because they're joined, and now also with, what's it called, Threads, I guess, the new Meta one.
Anyways, don't use your business administrative email for your contact email. These platforms give you the ability to give a contact email. For patrons and customers to get a hold of you. Do not use your admin email as a contact email.
Get a separate email for that because guaranteed, you're going to get your Facebook or your Instagram account taken over by the many gangs that are out there that just specifically target Instagram and Facebook accounts for that very reason is that you're showing us what your administrator email is for this account because you're using it for the same as the contact email.
So don't do that. Make sure you separate that as well. So I think we have a takeaway that we're going to remove the info@silentsector.com email from all our admin access. Yeah, there you go. That's our admin account, right?
Exactly. We named it admin-everything at Silent Sector. Well, there's another good point. Don't have admin@ your domain. Make it something that's not so obvious, please. Not admin@. Don't use admin for anything admin.
In fact, if you want your own day to day email to be admin@, hey, great. Maybe mix it up a little bit. Make it that, but not your actual admin accounts. One of the things, though, that we also have to recognize is that a lot of spear phishing type attempts, and it goes hand in hand with whaling,
I'm not sure it really is, but it's impersonation of the CEO or some executive leadership or some politician or whatever. A lot of what's happening out there is not... There are, of course, those direct attacks toward those people, but there's also the impersonation of those people.
And that's probably even more prevalent right, when people the organization thinks the CFO said to make a wire, so I'm going to make a wire transfer. That's where a lot of risk is and that's where a lot of companies get caught.
So in that one, we talked about staff training. I mean, that's pretty obvious. And that should be done throughout the course of the year, not a PowerPoint presentation once a year before everybody leaves for Christmas and New Year's, right?
That's not effective. Do this continuously. Do continuous phishing tests and such, but also make sure that you have processes in place when money moves. There's some sort of verification outside that chain of communication.
So if a text message comes in, seemingly from the CEO saying, hey, buy me $5,000 worth of gift cards for this event, don't just do that. Call a known phone number. Verify through somebody else, the assistant or whoever it is, but make sure that's legitimate.
And then the same, of course, is true with wire transfers. I mean, most financial organizations have got more sophisticated and are doing this, but not everybody. There are lots of companies out there that they pay their vendors left and right, orders coming and going, and it's hard to keep up with.
So when one of these emails comes through, they think it's from a vendor or whatever, and then the CFO supposedly authorizes it. That's a big thing, simple thing for any of your email communication tools.
Whenever an email comes in from an outside domain, there should be a banner that says this is an external email. So that way if you get an email and it says it's the CFO's name, for example, asking for a wire transfer, but then the banner says, hey, this is an outside email.
You know something's up, right? They're not going to email you from their Gmail account to ask for $100,000 wire transfer to whatever vendor. So keep that in mind. What's that? Yeah, I said to the Prince of Persia, he needs $100,000 in gift cards.
That's right. One of the ways I found to shake a lot of that out is, when you go do your incident response exercises, invite other teams besides IT to work through their processes. Because we just had one with a customer who's also a very loyal institute.
But this is a positive shout out to them where we went through an IR tabletop exercise with their financial team and were able to call out some issues that needed to be resolved, like two factor for their payroll, that kind of thing that wasn't there.
And they were very receptive. And those changes have already been implemented, so it's important to identify those kinds of whale fishing attempts. However, if you've got a CEO, COO, or CIO that is resistant, your hands are kind of tied.
But hopefully in this day and age, they really need to understand, and maybe they're more receptive than they were, but there's an ego out there that will keep them from doing definitely. Definitely.
One thing I'll suggest too, for internal wire transfers, have a code word. Yeah. And Lauro, there's a solar flare, Starlink cut out on us. But to continue your thought, I know where you're going. Yeah, have a code word, some internal jargon, things like that, that, you know, that wouldn't... and also make it something that's not obvious.
It's not like "pink elephant" or something that doesn't belong in the email. When you use a bonafeti, essentially, is what you're doing. It needs to blend in with its surroundings. It needs to be something that's just off enough that the individuals who need to know would recognize it, but not so off that it would be easily picked up as a code word.
Because then when somebody's email gets breached and they see that they're going to get. They're going to have that code word, right? So make it blend in with the communications just enough it can be a phrase, whatever the case might be, but that's how those should work.
And then everybody needs to be trained on that, of course, and reminded of that. And not through email. That, hey, this is what we say when we're requesting a wire transfer, right? And then just another method of authenticating that request outside that email chain.
So don't believe everything you read on the Internet, even in your own email inbox, or your text messages for that matter, because we're seeing more and more of that in the whaling realm and the impersonation realm especially.
Don't click on links in text. Yeah, not at all. And honestly, I had one of my clients, I'm not going to take ownership of this, but he had this really cool acronym for addressing questionable things in email.
And I'll let you build the acronym, but the first one is S, Stop. Whatever you do, stop. And then H is hold on for just a moment. I is investigate. Investigate that email and look at it. And then T is for think, or talk to somebody.
Right? So if you can remember that acronym when you see a questionable email, you should be able to hopefully investigate for authenticity. Well, I like it. There's a lot of people out there that don't know that acronym.
Stop, hold it, investigate, think. And make sure you yell it out loud in your office, at the top of your lungs, whenever you see that. That's the sign to other people around to remember that, hey, there might be something going on.
We might be under some sort of attempted cyberattack. So just be sure that you yell out the acronym and you'll be good to go. Everybody will. And then sometimes it hits a fan. It does? Yeah. If it hits the fan, then yeah, that's when you know. If they were successful, then you yell out "hit the fan."
After that, if you accidentally clicked the link or you made that wire transfer, then that's your code word there. Code phrase. Well, hey, that about wraps it up. That's a good note to end on, and a memorable one for sure, with that.
Any final words of wisdom or anything you want to share before we wrap it up? I would say that you keep in mind that these scammers, especially in phishing, run in campaigns so it'll be really intense.
Like during the summer. It's been really intense for the last couple of weeks and started tapering off recently. It's because people are out, they're busy, they're distracted and more apt to not look closely at an email that purports to be from Chase or the IRS or something like that and get you to click on something.
So that is one of their weapons too. You're being busy and not being fully attentive is something they prey on. Yeah. And it's all about money. If your business is making money, that's what it's all about.
It's all about getting money. Getting money and not having to pay for the money, you know what I mean? One more thing, there are no Good Samaritans out on the internet that are scanning your website and then notifying you of vulnerabilities they identified and then offering to fix it for you.
Don't fall for that. Good call out. Well, that should be an episode in itself, because that stuff comes in all the time. Well, hey, thanks for listening to the Cyber Rants podcast. Be sure that you rate and share the episode.
Help us get this information out there and this one in particular. If you know a CEO, CFO, CIO, somebody or in any kind of leadership position, business owner or whatever that maybe needs to hear this, hey, pass it along.
Maybe it's a good way to kind of help and educate in that realm. We don't want to see leadership, we don't want to see anybody in organizations fall for these cyberattacks, but especially leadership, where the ramifications could be very dramatic.
So with that, hope you enjoyed the Cyber Rants podcast and we will catch you on the next episode.