Cyber Brief for CFOs: December 2023
Welcome to the first edition of our news brief, specifically tailored for finance professionals and leaders. Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We'll bring you all the essential stories in our cyber brief so your team can stay secure.
Eftsure’s 2023 recap
Two major trendlines stood out to us over the last 12 months: a large increase in the number of fraud attempts, and the growing complexity of the tactics used in those attempts. This year saw a nearly three-fold increase in the average number of fraud attempts detected per week compared to 2022. Perhaps unsurprisingly, that activity spiked toward the end of the financial year, from April to June.
Concerningly, malicious actors have started infiltrating both the target organisation and its supplier, building intricate threads of emails and communications that make the fraud attempt appear even more convincing.
We've also seen some organisations targeted multiple times, with various invoices totalling millions of dollars per attempt. However, that doesn't mean fraudsters are only targeting large organisations or going after large sums of money. This year, thwarted fraud attempts ranged from millions of dollars down to only a few hundred.
The takeaway for 2024? Organisations of all sizes are fair game in the eyes of scammers, and we expect to see more sophisticated tactics unfolding amid a larger volume of attempts.
‘BIN attacks’ use small businesses as testing grounds for fraud
Cybercriminals are increasingly exploiting small business websites for BIN attacks, a form of card testing in which stolen or guessed credit card numbers are validated through fraudulent transactions. These attacks start with a Bank Identification Number (BIN), the first six to eight digits of a card number that identify the issuing bank. Attackers generate candidate card numbers from a known BIN, then test each candidate with a small online purchase on a merchant that lacks strong fraud controls. Card numbers that are approved are then sold or used for larger fraudulent purchases.
Preventing these attacks is challenging, so be on the lookout for bursts of small, suspicious transactions: many different cards tried in a short period, mostly for trivial amounts, with a high proportion of declines. According to figures from the Australian Payments Network, payment card transaction fraud totalled $577 million in 2022, a 16.5% increase compared to the previous year.
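The detection idea above can be put into a simple rule. The following is an added example, not code from Eftsure or from any payment processor: it runs over a constructed list of authorisation attempts and flags a merchant/source pair that, within a ten-minute window, sees many distinct cards, mostly small amounts and a high decline rate. The thresholds, field names and sample records are assumptions for illustration and would need tuning against a merchant's real traffic.

```python
"""Card-testing ('BIN attack') detector over constructed authorisation records.

Added example, not from the original brief. Attackers validate guessed card
numbers with bursts of tiny purchases; most guesses are declined and each
attempt uses a different card, which is the pattern this rule looks for.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    merchant_id: str
    source_ip: str
    pan_hash: str    # keyed hash of the card number; never retain the raw PAN
    amount: float    # AUD
    approved: bool


# Thresholds are illustrative assumptions; tune them to the merchant's baseline.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 8
MIN_DISTINCT_CARDS = 6
SMALL_AMOUNT = 5.00
MIN_SMALL_RATIO = 0.8
MIN_DECLINE_RATIO = 0.5


def detect_card_testing(attempts):
    """Return {(merchant_id, source_ip): summary} for groups that look like card testing."""
    by_key = defaultdict(list)
    for a in attempts:
        by_key[(a.merchant_id, a.source_ip)].append(a)

    alerts = {}
    for key, group in by_key.items():
        group.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(group)):
            # Slide the window start forward so the window never exceeds WINDOW.
            while group[end].ts - group[start].ts > WINDOW:
                start += 1
            window = group[start:end + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            distinct = len({a.pan_hash for a in window})
            small_ratio = sum(a.amount <= SMALL_AMOUNT for a in window) / len(window)
            decline_ratio = sum(not a.approved for a in window) / len(window)
            if (distinct >= MIN_DISTINCT_CARDS
                    and small_ratio >= MIN_SMALL_RATIO
                    and decline_ratio >= MIN_DECLINE_RATIO):
                candidate = {
                    "attempts": len(window),
                    "distinct_cards": distinct,
                    "small_ratio": round(small_ratio, 2),
                    "decline_ratio": round(decline_ratio, 2),
                    "first_seen": window[0].ts.isoformat(),
                }
                # Keep the largest matching window for this merchant/source pair.
                if key not in alerts or candidate["attempts"] > alerts[key]["attempts"]:
                    alerts[key] = candidate
    return alerts


def sample_attempts():
    """Constructed data: one card-testing burst plus one ordinary customer."""
    base = datetime(2023, 12, 1, 9, 0, 0)
    # Burst: 10 different cards in ~3 minutes, all under $2.50, 8 of 10 declined.
    burst = [
        AuthAttempt(base + timedelta(seconds=20 * i), "merchant-042", "203.0.113.7",
                    f"card{i:02d}", 1.00 + 0.15 * i, approved=(i % 5 == 0))
        for i in range(10)
    ]
    # Ordinary customer: three approved purchases spread over an hour.
    legit = [
        AuthAttempt(base + timedelta(minutes=m), "merchant-042", "198.51.100.20",
                    "card-legit", amt, approved=True)
        for m, amt in ((3, 49.95), (25, 12.50), (58, 89.00))
    ]
    return burst + legit


if __name__ == "__main__":
    for (merchant, ip), summary in detect_card_testing(sample_attempts()).items():
        print(f"possible card testing at {merchant} from {ip}: {summary}")
```

Only the burst from 203.0.113.7 is flagged; the genuine customer never reaches the attempt threshold. In practice the same rule can be keyed on device fingerprint or session instead of source IP, since testing traffic is often spread across proxies.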
Vulnerability found in LastPass and other password managers
Security researchers have identified a significant vulnerability, dubbed AutoSpill, in six popular password managers used on Android devices: Dashlane, 1Password, LastPass, Enpass, Keeper, and Keepass2Android.
The flaw affects the Android autofill function, allowing attackers to circumvent the protections of the autofill feature and potentially expose user credentials. The vulnerability occurs when an Android app uses WebView, the Android system component for displaying web content inside an app, to load a login page. Instead of filling the credentials only into the login form inside the WebView, the password manager's autofill can also hand them to the host app itself, so a malicious or compromised host app can capture them.
This issue is particularly concerning in common scenarios like opening hyperlinks in apps such as Skype or Gmail, or using 'Login with Apple/Facebook/Google' buttons within third-party mobile apps.
Major Gmail security update aims to reduce spam
Google has introduced a significant security upgrade for Gmail, an email service with 1.8 billion users. Powered by artificial intelligence (AI), the update is centred on the Resilient & Efficient Text Vectorizer (RETVec). RETVec enhances Gmail's ability to identify and flag harmful content in emails (e.g. phishing attempts) by improving its text classification models.
These models previously struggled against adversarial text manipulations used by malicious actors. Google claims that RETVec not only boosts spam detection by 38% and reduces false positives by 19.4%, but it also cuts down computational costs by 83%, making it a major advancement in Gmail's defences.
Antiquated mobile phone feature creates MFA security risks
A new report from Australian security firm DVULN has put telcos on high alert, revealing that hackers may be able to exploit a mobile network feature dating from 2004.
Attackers can divert a victim's voice calls if they can fool the device owner into tapping a link that uses the "tel://" (click-to-call) prefix. Instead of a phone number, the link carries a dialler control code that registers a diversion of the victim's calls to a different number. The weakness is a longstanding one, but DVULN says it is part of a "perfect storm" now that there is a growing reliance on voice calls for multi-factor authentication (MFA): an attacker who can redirect the victim's calls can receive their MFA codes.
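Mail and web filters can catch this class of link before a user taps it. The following is an added example, not code from DVULN or from the original brief. GSM supplementary services such as call forwarding are driven by dialler strings built from the characters '*' and '#', which an ordinary click-to-call number never needs, so the scanner below extracts every tel: link from a page, percent-decodes and strips it (attackers may encode '*' as %2A or pad the string) and flags any whose number part still contains those characters. The HTML sample, the MMI-style string in it and the helper names are constructed for illustration; no real service code is reproduced.

```python
"""Flag tel: links whose number part carries MMI control characters.

Added example, not from the DVULN report or the original brief. A tel: link
whose target contains '*' or '#' is not a plain phone number and should be
treated as a possible call-diversion lure rather than rendered as click-to-call.
"""
import re
from urllib.parse import unquote

# Matches tel: or tel:// followed by the target, up to a quote, whitespace or tag end.
TEL_LINK = re.compile(r'tel:(?://)?([^"\'\s<>]+)', re.IGNORECASE)
MMI_CHARS = set("*#")


def normalise_tel(target):
    """Decode (twice, to defeat double encoding) and drop visual separators."""
    decoded = unquote(unquote(target))
    return re.sub(r"[\s().\-]", "", decoded)


def is_suspicious_tel(target):
    """True if the number part of a tel: target contains MMI control characters."""
    number = normalise_tel(target)
    # Ignore URI parameters (e.g. ;phone-context=...) so they cannot mask the check.
    number = number.split(";", 1)[0]
    return any(ch in MMI_CHARS for ch in number)


def scan_for_suspicious_tel_links(text):
    """Return [(raw_target, normalised_target), ...] for suspicious tel: links in text."""
    hits = []
    for match in TEL_LINK.finditer(text):
        raw = match.group(1)
        if is_suspicious_tel(raw):
            hits.append((raw, normalise_tel(raw)))
    return hits


# Constructed sample page: two legitimate numbers and two encoded MMI-style lures.
# The **99*...# string is made up for this example and is not a real service code.
SAMPLE_HTML = """
<p>Verify your account: <a href="tel:+61-2-9999-8888">call us</a></p>
<p>Or tap <a href="tel://%2A%2A99%2A5550100%23">this number</a> to confirm.</p>
<p><a href='tel:%2A%2A99%20%2A5550100%23'>Tap to call</a></p>
<p>Support: <a href="tel:1800123456;phone-context=example.com">1800 123 456</a></p>
"""


if __name__ == "__main__":
    for raw, normalised in scan_for_suspicious_tel_links(SAMPLE_HTML):
        print(f"suspicious tel: link {raw!r} -> dialler string {normalised!r}")
```

Treat a hit as a signal for review rather than proof of attack: a few PBX setups put '#' in legitimate click-to-call links, but a '*' or '#' arriving in an unsolicited message that asks the recipient to "tap to verify" is exactly the lure described above.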
Watchdog says super fund had 'significant cyber deficiencies'
The Australian Prudential Regulation Authority (APRA) has directed NGS Super to engage external advisors for a cybersecurity review and to remediate any impacted customers. This action follows a hack earlier this year that compromised significant customer data.
NGS Super manages $14 billion for 114,000 customers. Finding substantial weaknesses in its cyber controls, APRA has imposed additional conditions on its financial services licence and demanded improvements. This comes after APRA's deputy chairwoman, Margaret Cole, warned super funds of the need for a drastic increase in cybersecurity measures, urging them to be "bold and brave" in making necessary changes to protect customers from cyber threats and fraud.