500k to the wrong account, checking out of LinkedIn, and Lockbit bites the dust.

This week:

3 – 500k to the wrong account

2 – Another reason to check out of LinkedIn

1 – Lockbit bites the dust [UPDATE: It has picked itself up off the floor]

?

?

3 – Local authority sends €500k to a ‘spurious’ account

“Detectives investigating the circumstances behind a suspected payment fraud at an Irish local authority are believed to be focusing their inquiries on [€515,000 worth of] online transactions made by the local authority to a spurious account.”

According to a member of the council quoted in this report in the Irish Independent, the local authority was the victim of a fraudulent transaction that was initiated by a third party whose identity is currently unknown. Asked if this was the result of someone being fooled into paying a fake invoice or changing the bank details of a legitimate supplier, the councillor said he could not comment but he did say “the days of a criminal gang going into carry out a bank robbery, we don’t see or hear of it anymore. What we see now is very sophisticated fraud through an internet transaction.”

So what? Two things:

1. Just like a burglar, most cyber attackers are financially motivated, and want to get a pay-off as quickly as possible. While we do not yet know what caused the crime in this local authority, we know that ‘Invoice Redirection Fraud’ and ‘CEO Fraud’ are two of the most common frauds in Ireland (and most countries). For more information on these types of frauds and what you can do to reduce the likelihood of such a fraud in your organisation, check out Step 3 of my Secure Foundation Guide or take a look at the Gardai’s fraud prevention advice .
2. According to d’internet, ‘spurious’ is a fancy word for ‘fake’. I assume legal eagles, law enforcement agencies, and journalists are legally obliged to use the fancy words wherever possible.

?

?

2 – Another reason to check out of LinkedIn

“Recent reports indicate that North Korean hacking groups are employing artificial intelligence tools like ChatGPT to launch intricate cyberattacks against American white-collar workers.”

According to this report in MSPowerUser , “North Korean actors are leveraging AI-powered LLMs to generate content likely used in spear-phishing campaigns. These campaigns typically involve impersonating legitimate entities, such as recruiters, to trick individuals into revealing sensitive information or clicking on malicious links”. Attackers use the content creation and message crafting skills of LLMs like ChatGPT to “meticulously craft fake recruiter profiles on LinkedIn, engaging in extended conversations to build trust with their targets”. Apparently, of all the social media platforms, LinkedIn is “emerging as the platform of choice for phishing scams.”

So what? Three things:

1. Make sure your staff awareness training is not just focusing on email – The attackers are on social media too.
2. Have you noticed that LinkedIn is showing you fewer posts from friends, ex-colleagues, and first connections, and more (r?a?n?d?o?m? ?c?r?a?p? ?f?r?o?m? ?a?d?v?e?r?t?i?s?e?r?s?) informational posts from LinkedIn premium members? I certainly have. The risk of now seeing ChatGPT-powered content and profiles makes the platform even less appealing.
3. If everyone is now wearing t-shirts and hoodies to the office (a?n?d? ?p?y?j?a?m?a?s? ?w?h?e?n? ?t?h?e?y?'?r?e? ?w?o?r?k?i?n?g? ?f?r?o?m? ?h?o?m?e?), why are we still using the term ‘white collar workers’? Perhaps it’s another legal obligation on journalists.

?

?

1 – Lockbit bites the dust (temporarily)

“Law enforcement agencies from 11 countries have disrupted the LockBit ransomware operation in the most thorough and coordinated takedown of a cybercrime portal that has been seen to date.”

According to this report on Risky Biz, “the takedown began [on Monday] when a seizure banner replaced the frontpage of LockBit’s dark web portal where the gang typically listed its victims”. So far, 4 gang members have been identified (‘detained’ or ‘indicted’). More importantly, as a result of the operation, a decryption utility for Lockbit ransomware is now available to victims through the No More Ransom site.

So what? Two things:

1. The gang leader has not yet been found, so the risk of this ransomware gang reappearing remains. However, the law enforcement agencies should be congratulated for taking down what looks like a large and sophisticated operation. [UPDATE: Thanks to Francois P. and Jacques Sauve for pointing out that the Lockbit gang is now back up-and-running.]
2. They should also be congratulated for their sense of humour, as the web pages announcing their success mimic the look and feel of the ransomware gang’s web pages. The Risky Biz article includes plenty of screenshots.[UPDATE: Apparently, the Lockbit sites were taken over by law enforcement agencies due to a software vulnerability that the gang had not 'patched'. In other words, a gang that takes advantage of software vulnerabilities was taken down (temporarily).. by a software vulnerability!]