Category Archives: Security

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

Inside a Business Email Compromise Operation

Posted on by

A new report from cybersecurity company Agari’s Cyber Intelligence Division outlines the operations of a business email compromise (BEC) gang in West Africa, showing that criminals who engage in BEC online theft can have a diverse portfolio of online criminal activity that they use to build their capabilities, and use sophisticated methods to scam their victims, including businesses and government agencies.

BEC is a cyberfraud tactic in which a scammer will contact a target using phishing emails imitating a fellow employee of the target (often someone in the finance department or management) usually seeking to convince the victim to conduct a business transaction, most likely a money transfer to an account run by the scammer. The scammers may also try to trick their victims into clicking a link in an email or visiting a scam website, which could provide the scammers with the victim’s online credentials or download malware onto the victim’s computer and gain access to their company’s network.

As Risk Management previously reported, Beazley Breach Response Services found that BEC-related attacks cost victims an average of $70,960, but the FBI’s Internet Crime Complaint Center has estimated that the total “revenues” of BEC attacks doubled in 2018 to $1.3 billion. BEC attacks are also extremely common—approximately two-thirds of IT executives are reportedly dealing with them.

Agari’s report, titled “Scattered Canary: The Evolution of a West African Cybercriminal Startup,” shows that cybercriminal gangs diversify their criminal schemes, using their established infrastructure from one type of scam to facilitate others. Agari researchers named the group Scattered Canary and compared it to a tech startup because of its recruitment and expansion strategy. Scattered Canary has pursued a variety of different criminal social engineering efforts, including:

  • Romance scams: Creating a fake online romantic relationship with a victim and requesting gifts, access to their bank or retirement accounts, or services related to other scams.
  • Check fraud: A scammer offers to purchase an item for more than its advertised price with a check (which is fraudulent), then requests that the seller send the extra amount to a third party (a fictional shipping company, for example).
    buy cellcept online blockdrugstores.com/wp-content/uploads/2023/10/jpg/cellcept.html no prescription pharmacy

  • Credential harvesting: Tricking victims into providing their online credentials, including log-in information for online financial services.

Agari says that Scattered Canary built up a network of members and the skills to easily transfer from one scheme to another.

buy zetia online blockdrugstores.com/wp-content/uploads/2023/10/jpg/zetia.html no prescription pharmacy

The group has used multiple BEC tactics over time, transitioning from tricking employees into carrying out wire transfers from their companies’ bank accounts to convincing victims to buy gift cards that scammers would then cash out via cryptocurrency exchanges.

buy levofloxacin online blockdrugstores.com/wp-content/uploads/2023/10/jpg/levofloxacin.html no prescription pharmacy

More recently, the group has targeted human resource departments to change the direct deposit information for a company’s executive, then cashed out the deposits using prepaid debit cards.

Businesses should train their staff at all levels on how to spot BEC and other types of online scams. If employees can recognize phishing emails and websites, and know not to click links or provide information in response to either, this can protect companies from fraud and significant financial loss. In addition to training staff, the FBI suggests always verifying requests to send money, even if the email requesting the transfer is urgent, by speaking directly to the person who seems to be requesting the money on the phone (using the previously known number, not the one provided in the email) or in person. The FBI also suggests setting up filters that flag email addresses that are similar to the company’s email, and creating an email rule that notes emails coming from outside the company, among other technical steps.

For more from Risk Management about controlling the risks of BEC and other social engineering fraud, check out:

Assessing the Legal Risks in AI—And Opportunities for Risk Managers

Posted on by

Last year, Amazon made headlines for a developing a human resources hiring tool fueled by machine learning and artificial intelligence. Unfortunately, the tool came to light not as another groundbreaking innovation from the company, but for the notable gender bias the tool had learned from the data input and amplified in the candidates it highlighted for hiring.

buy oseltamivir online thecifhw.com/wp-content/uploads/2023/10/jpg/oseltamivir.html no prescription pharmacy

As Reuters reported, the models detected patterns from resumes of candidates from the previous decade and the resulting hiring decisions, but these decisions reflect that the tech industry is disproportionately male. The program, in turn, learned to favor male candidates.

buy robaxin online thecifhw.com/wp-content/uploads/2023/10/jpg/robaxin.html no prescription pharmacy

As AI technology draws increasing attention and its applications proliferate, businesses that create or use such technology face a wide range of complex risks, from clear-cut reputation risk to rapidly evolving regulatory risk. At last week’s RIMS NeXtGen Forum 2019, litigators Todd J. Burke and Scarlett Trazo of Gowling WLG pointed toward such ethical implications and complex evolving regulatory requirements as highlighting the key opportunities for risk management to get involved at every point in the AI field.

For example, Burke and Trazo noted that employees who will be interacting with AI will need to be trained to understand its application and outcomes. In cases where AI is being deployed improperly, failure to train the employees involved to ensure best practices are being followed in good faith could present legal exposure for the company. Risk managers with technical savvy and a long-view lens will be critical in spotting such liabilities for their employers, and potentially even helping to shape the responsible use of emerging technology.

buy inderal online thecifhw.com/wp-content/uploads/2023/10/jpg/inderal.html no prescription pharmacy

To help risk managers assess the risks of AI in application or help guide the process of developing and deploying AI in their enterprises, Burke and Trazo offered the following “Checklist for AI Risk”:

  • Understanding: You should understand what your organization is trying to achieve by implementing AI solutions.
  • Data Integrity and Ownership: Organizations should place an emphasis on the quality of data being used to train AI and determine the ownership of any improvements created by AI.
  • Monitoring Outcomes: You should monitor the outcomes of AI and implement control measures to avoid unintended outcomes.
  • Transparency: Algorithmic decision-making should shift from the “black box” to the “glass box.”
  • Bias and Discrimination: You should be proactive in ensuring the neutrality of outcomes to avoid bias and discrimination.
  • Ethical Review and Regulatory Compliance: You should ensure that your use of AI is in line with current and anticipated ethical and regulatory frameworks.
  • Safety and Security: You should ensure that AI is not only safe to use but also secure against cyberattacks. You should develop a contingency plan should AI malfunction or other mishaps occur.
  • Impact on the Workforce: You should determine how the implementation of AI will impact your workforce.

For more information about artificial intelligence, check out these articles from Risk Management:

Microsoft Vulnerability A Reminder to Update and Patch

Posted on by

Microsoft recently announced a major vulnerability to Windows XP, Windows 7 and several older Windows server versions. According to Simon Pope, the company’s director of incident response, “[A]ny future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” This announcement reinforces the importance of companies patching security vulnerabilities to mitigate the risk, especially on older machines that still serve essential functions.

This news follows a TechCrunch article reporting that at least a million computers worldwide, mostly in the United States, remain vulnerable to the WannaCry and NotPetya malware because users have not installed the necessary patches. Cybercriminals continue to use this malware, based on hacking tools originally developed by the NSA, to deliver all sorts of malicious software to unsuspecting victims online.

WannaCry is ransomware—malicious software that hijacks a computer and demands payment to regain control—that quickly spreads and has affected businesses, government and individuals in over 150 countries since 2017. Around the same time, a malicious software disguised as ransomware called NotPetya spread worldwide, affecting global business operations, and effectively paralyzing multiple companies in what has been called “the most devastating cyberattack in history.” Both caused massive financial damage worldwide, with WannaCry estimated at $8 billion in damages and NotPetya estimated at $3 billion.

Windows has released patches to protect systems from the newly announced vulnerability, even for Windows XP and Windows Server 2003, despite the company not usually offering support for those older systems.

online pharmacy nolvadex with best prices today in the USA

However, XP users will have to manually download the patches from Microsoft’s update website. According to a 2017 Spiceworks study, businesses worldwide were still running Windows XP on 11% of their laptops and desktops. While that has likely decreased in the past two years, it would still leave a significant number of machines running exposed systems that require manual updates to patch.

Not patching vulnerabilities has led to serious incidents, like the Equifax breach in 2017, which led to the theft of 143 million Americans’ personal information.

online pharmacy buspar with best prices today in the USA

In that case, the US Department of Homeland Security had issued a warning about the vulnerability, a patch for a web application vulnerability had reportedly been available for 2 months before the breach, and Equifax failed to implement the fix. A US House Oversight Committee report blamed the company entirely, saying that Equifax “failed to implement an adequate security program to protect this sensitive data,” and that “such a breach was entirely preventable.”

Companies use numerous different types of software in their daily operations, and software providers issue many patches for their products, which leaves companies overwhelmed. According to an April 2018 Ponemon Institute study, 68% of companies “find it difficult to prioritize what needs to be patched first.” IT staffing limitations and competing priorities within organizations can hinder these efforts, since patching requires heavy time investment and sometimes taking important aspects of the business offline to implement fixes. Companies with third-party partners and supply chains face even more complex risks, since their systems are often integrated or dependent, and companies likely do not have direct control over partners’ systems to ensure patching. Mitigating outside risk by including in contracts stipulations that third-party partners meet certain security requirements can also help.

online pharmacy imodium with best prices today in the USA

Understanding Insurance Coverage for Traveling Employees

Posted on by

BOSTONThe odds of dying in a terrorist attack: 1 in 9.3 million. The odds of getting sick while traveling: 1 in 2. But both should concern companies sending their employees around the world for business, panelists Kathleen Ellis of CNA International, Erin Wilk of Facebook and Andrew Miller of International SOS said at a RIMS 2019 panel titled “Is Insurance Enough When Employees Travel?”

The answer to this question, the panel agreed, was emphatically “no.” But, as Ellis and Wilk noted, insurance coverage is an important part of the equation for many of the biggest things that do go wrong. Even though the risk of catastrophic incident is minor compared to seemingly mundane travel concerns like weather and petty theft, companies should still prepare for the worst in advance.

This is true whether employees are going to common destinations within the United States traditionally thought of as safe or to less familiar places.

buy zydena online https://ozgurmd.com/wp-content/uploads/2023/10/jpg/zydena.html no prescription pharmacy

It is also true, Wilk said, whether the employee is an experienced traveler (who can be over-confident) or a novice (who can over-prepare and miss warning signs around them).

The panelists repeatedly stressed that companies should approach travel risk with protecting employees as their priority. Not only do companies have a “duty of care” (a legal responsibility to mitigate the risks traveling employees face), but they also need to be cognizant of the “standard of care” and “duty of loyalty.” Standard of care is the industry standard for employees’ travel risk protection, and companies’ obligation to meet that standard.

Duty of loyalty is the employees’ responsibility to abide by the safety measures the company has put in place. As recently discussed in Risk Management, this is largely on the employee, but the panel noted that employers also have a critical role to play in creating a culture that enables and encourages their people to take the necessary steps to protect themselves while traveling. As Wilk said, “Policy is a piece of paper. Employee practice is what actually matters.”

When it comes to insurance, companies should make sure they are covered, but not over-covered. For example, Miller discussed cases in which companies’ benefits, HR and legal department have all purchased travel coverage without communicating their purchases to the other departments. Businesses may also be unfamiliar with the coverage they have and pay to remediate travel problems themselves when their insurance policies would actually cover those issues.

Key insurance options include:

  • Foreign voluntary workers compensation, which covers workers traveling on business in a way similar to traditional workers’ comp, paying for disease, or repatriation or evacuation
  • Business travel accidental death and dismemberment coverage, which works like life insurance and covers both work-related and non-work-related incidents, and is an option for covering employees’ spouses and dependents
  • Kidnap and ransom coverage, which provides pre-trip support, crisis management services during an incident, and reimburses for ransoms paid for kidnapping extortion, wrongful detention and hijacking
  • Expatriate medical, which is an option for employees who are traveling long-term, and
  • Defense base act coverage, which handles government contractors overseas at embassies and military bases

The panelists also emphasized that travel risk not only endangers employees’ well-being, but also the company’s bottom line. If an employee gets sick while traveling for business, for example, the company’s investment in the trip can be wasted. Additionally, traveling employees who feel unsafe or unprepared for the risks they are facing feel less loyal to their company, and can also be distracted, potentially derailing the important business they are traveling to conduct. The panel urged that pre-trip training and a thorough understanding of the company’s existing coverage are the best ways to mitigate these risks and help employees succeed when traveling for work.