Tax Time Accelerates Phishing Attacks and Cybersecurity Expert Falsifies Credentials: Cyber Security Today for April 7, 2025

Apr 07, 2025 (9 min)

Episode description

In this episode of Cybersecurity Today, host David Shipley covers a range of crucial issues. With tax day approaching, Microsoft reports a rise in sophisticated tax-themed phishing campaigns. The IRS has issued a warning against using its name in phishing simulations to avoid legal repercussions. Furthermore, cybersecurity journalist Brian Krebs reveals that Minnesota cybersecurity expert Mark Lanterman is under FBI investigation for potentially falsifying his credentials, impacting thousands of court cases. Lastly, several Australian superannuation funds have been targeted in a cyber scam, raising questions about the necessity of multifactor authentication for financial services. The episode emphasizes the need for stringent standards in cybersecurity expertise and shared responsibility in financial security.

00:00 Introduction and Headlines
00:24 Tax-Themed Phishing Scams on the Rise
00:36 Microsoft's Findings and IRS Warnings
01:32 Phishing Simulations and Legal Risks
02:53 Educating Employees on Phishing
03:15 Minnesota Cybersecurity Expert Under Scrutiny
04:25 Allegations and Legal Implications
05:52 Australian Retirement Funds Cyber Scam
06:16 Impact and Response to the Breach
07:07 The Need for Stronger Security Measures
08:26 Conclusion and Contact Information

Transcript

Microsoft reports increasingly sophisticated tax-themed phishing; a Minnesota cybersecurity and computer forensics expert faces questions about his credentials and an inquiry from the FBI; Australian retirement funds raided in cyber attacks that leave some customers panicked. This is Cybersecurity Today, and I'm your host, David Shipley.

With tax day rapidly approaching in the United States on April 15th and in Canada on April 30th, criminals are once again ramping up their tax-themed phishing campaign volumes and sophistication. Microsoft's threat intelligence team is reporting that they've seen campaigns using QR codes and URL or web link shortener services, and they posted examples and thorough analysis, including images of the kinds of tax themes that they're seeing.

These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service platform, remote access trojans, and other forms of malware. Example email subjects include "Notice: IRS has flagged issues with your tax filing," "Unusual activity detected in your IRS filing," and "Important action required: IRS audit." It's crucial to note that the IRS does not initiate contact with taxpayers by email, text, or messages on social media to request personal or financial information.

Now, typically this kind of campaign would be great to replicate with a phishing simulation to help people learn from experience in a safer way. However, the IRS has taken a particularly stern stance on phishing simulations that use its name or logos, and has warned major phishing simulation providers and their customers not to use them, or they may face significant legal consequences. Government agencies in many countries have additional legal protections for their name, likeness and logos.

If you are determined to do a tax-themed phishing simulation, avoid using real government agency names or logos. That may make the simulation less compelling in some cases, but it can save you a world of grief. Think "Internal Tax Agency" or "Canada Tax Service" instead of using names like IRS or CRA.

In past conversations with an IRS agent about this very issue, the agent explained that tracking down phishing simulations reported to them by recipients was taking too much of their valuable resources away from investigating real phishing attacks. Now, you may not agree with that take, but I can guarantee you that it's not worth getting into a fight with a US federal government agency.

You can still educate your employees about tax-themed phishing, which can help protect them both at home and at work. Think about deploying educational modules rather than just relying on phishing simulations, or having a lunch and learn, virtually or in person, and sharing the examples that Microsoft has provided.

Cybersecurity journalist Brian Krebs has a jaw-dropping story this week about a Minnesota cybersecurity and computer forensics expert, whose testimony has been featured in thousands of courtroom trials over the past 30 years, facing questions about his credentials and an inquiry from the Federal Bureau of Investigation. According to Krebs, Mark Lanterman, a former investigator for the US Secret Service's Electronic Crimes Task Force, founded the Minneapolis consulting firm Computer Forensic Services, or CFS. Krebs reported that the CFS website had claimed that Lanterman's 30-year career included testifying as an expert in more than 2,000 cases, with experience in cases involving sexual harassment, workplace claims, theft of intellectual property and trade secrets, white-collar crime and class action lawsuits.

That information was removed from the CFS website last month, with the removal coming after the Hennepin County Attorney's Office said it was notifying parties to 10 pending cases that it was unable to verify Lanterman's educational and employment background. The county also said the FBI is now investigating. Allegations around Lanterman's credentials were first raised by Sean Harrington, an attorney and forensics examiner based in Prescott, Wisconsin.

Harrington alleged that Lanterman had lied under oath in court on multiple occasions when he testified that he has a Bachelor of Science and a Master's degree in computer science from the now-defunct Upsala College, and that he had completed postgraduate work in cybersecurity at Harvard University. Legal experts say this issue could be grounds to reopen a number of adjudicated cases in which the expert's testimony may have been pivotal.

Krebs has also reported alleged shocking statements by Lanterman and behavior by CFS regarding putting claims or liens on client data, and offering up client data for auction if invoices that clients had objected to weren't paid. This story could have massive repercussions, and raises questions about the potential need for professional standards bodies and reliable accreditation for cybersecurity expertise, especially when it's relied on by the courts.

There's a reason why lawyers, doctors, engineers and many more have mandatory professional associations and regulations around their professional conduct. At a minimum, certain highly specialized roles like cyber forensics should absolutely be held to the same high professional standards as other fields.

Several of Australia's largest superannuation providers have been swept up in what appears to be a highly orchestrated cyber scam, taking hundreds of thousands of dollars from members' retirement funds. Rest, Hostplus, Insignia, Australian Retirement and AustralianSuper have all been flagged as targets, but so far the biggest impact seems to be at AustralianSuper. Reportedly, attackers had timed the account takeovers to occur in the early morning hours, when people would be asleep and less likely to be able to see or act in a timely fashion to prevent the theft.

As the nation's largest super fund, AustralianSuper manages over A$365 billion, or about US$223 billion, on behalf of 3.5 million members. In this breach, a handful of those members saw a collective A$500,000, or US$305,000, siphoned off. The fund says it's working with authorities to track down the missing money, but has yet to confirm it will fully compensate affected members.

One significant question remains: did the compromised accounts have mandatory multifactor authentication on logins or fund transfer authorization? In many cases, financial institutions, including retirement funds, are very reluctant to add features like MFA for fear it could drive customers to competitors who are seen as more convenient.

Additionally, absent any regulations to make financial services more secure and require MFA, many won't, and will instead reduce their risk simply by holding customers accountable or liable for losses. This story is one of many that highlight the need for a shared risk and shared responsibility model between financial institutions and customers.

Financial services providers must be required to offer MFA, and ideally they should only allow customers to choose among MFA methods, not to opt out of MFA completely. But even the best multifactor authentication can still be socially engineered. That's where the customer comes in.

Customers must be required to take basic security awareness training about their financial services account, and that training must indicate clearly that they have certain responsibilities. They also need to indicate clearly that they understand those responsibilities, including the need to protect usernames and passwords, and to avoid authorizing MFA requests that they didn't start.

We're always interested in your opinion, and you can contact us at [email protected] or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.

Transcript source: Provided by creator in RSS feed: download file