1-888-643-2217 Email ABEX
Keeping you updated

Securing the Remote Desktop Protocol

With more and more cyber incidents stemming from vulnerable RDP ports, CFC’s Incident Response Team has provided some more information about this technology and steps that businesses can take to protect themselves.

What is Remote Desktop Protocol (RDP)?

RDP is a proprietary Microsoft protocol that allows a user to access their desktop and computing resources remotely from another computer. It is also sometimes referred to as Terminal Services.

Why is RDP vulnerable?

The presence of RDP being available over the internet can be easily detected by people scanning the entire internet. Cyber criminals routinely attack computers and servers where RDP is accessible in order to install malware such as ransomware, or to use the computer as a staging post for other attacks.

They attack RDP in various ways such as brute-forcing their way into the network by trying millions of different passwords that have been exposed in previous breaches, or by using compromised passwords from phishing attacks against the company. RDP is also subject to several software vulnerabilities that if left unpatched can allow an attacker access into your computer network.

Suggested steps to protect your network

  • Turn off Remote Desktop access if it is not necessary. If necessary, secure it behind a VPN and/or multi-factor authentication. This is often best achieved by using an RDP Gateway server in conjunction with a firewall.
  • Use strong, unique passwords throughout your network. The UK’s National Cyber Security Centre has excellent guidance on modern password policies available at https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.
  • Keep your operating system updated. Several well-documented and routinely abused vulnerabilities exist in RDP, and new software vulnerabilities are found all the time so patching them in a timely manner is vital. Where the server is running an outdated version of the Windows operating system (such as Server 2008 or Windows XP) look to upgrade the software to a more modern version currently receiving security patches.
  • Limit the number of failed logon attempts before timing out to a number suitable to your organization. This makes systems significantly more resilient against brute-force attempts to guess user passwords. You can also disable the built-in Administrator account on Windows servers and/or rename it to something else, as that is the most commonly guessed username.

Source: www.cfcunderwriting.com


Nursing Home Faces Huge Financial Loss from Social Engineering

Social engineering involves the use of deception to manipulate individuals into carrying out an act, such as transferring money, handing over confidential information, or clicking on a malicious link, and it’s causing serious financial harm to organizations around the world.

Any organization that transfers funds electronically can be susceptible to social engineering attacks, and entities operating in the care sector are no exception to this. Many care homes not only receive funds electronically in the form of payments from residents and their families or funding from government bodies, but they also disburse large amounts of money in the form of payments to members of staff and to third party suppliers and contractors. All these transactions make for a tempting target for cybercriminals, who are constantly on the lookout for opportunities to intercept fund transfers and divert them to fraudulent accounts.

One of CFC policyholders affected by such a loss was a company providing assisted living facilities for elderly residents across three sites.

In this case, the care home was the victim of what is sometimes known as “CEO fraud”. CEO fraud typically describes a situation in which a fraudster impersonates the CEO or another senior executive of an organization and instructs an employee to make an urgent payment to a fraudulent account for a particular reason.

Password protection problems

In this instance, the fraud appears to have stemmed from a targeted brute force attack on the care home’s CEO’s business email account. A brute force attack is where a hacker uses a computer program to crack passwords by trying numerous possible password combinations in rapid succession, with the program typically trying a long list of the most commonly used passwords. The longer and more complex the password, the more difficult and time consuming it is for the program to crack.

Unfortunately, the CEO’s email account did not have a strong password in place. With the password lacking in both length and complexity, the program was able to crack it. To make matters worse, the care home did not have multi-factor authentication enabled for remote access to email accounts, meaning that as soon as the CEO’s password was cracked, the hacker was able to gain access to his account without having to go through a second verification procedure, such as inputting verification code or number.

Having gained access to the CEO’s email account, the fraudster was able to spend time perusing the CEO’s inbox and outbox, gathering valuable information about how wire transfers were processed at the company as well as establishing the working relationship that the CEO had with members of the care home’s finance team. What’s more, the fraudster was also able to access the CEO’s calendar and establish what the CEO would be doing on any given day.

Having worked out the CEO’s schedule from his calendar, the fraudster waited until the CEO was on holiday. With the CEO not on site at the care home and with reduced chances of the scam being uncovered, the fraudster chose this moment to strike.

The first step was to send an email impersonating the CEO to a member of the care home’s finance team. The fraudster used a method known as email spoofing, which is when someone sends an email from one email address but labels it as being sent from a different address. Fraudsters use programs or websites which enable them to make an email look as though it has come from a legitimate email address, as well as allowing them to alter the address that the recipient responds to. The fraudster sent an email that appeared to come from the genuine email address of the care home’s CEO, and any response to the email was sent to a remarkably similar looking email address set up by the fraudster.

So while the emails sent by the fraudster appeared to come from the CEO’s genuine email address of Joe.Bloggs@XYZresidentialcare.com, any response to that email would automatically be sent to Joe.Bloggs@XYZresidentilcare.com, ensuring that the CEO wouldn’t see any response from the member of the finance team to the email and uncover the scam.

The fraudulent email explained that the CEO had received notice of an outstanding payment of $47,584 that needed to be paid urgently to a firm that had supposedly provided some management consultancy work for the care home a few months ago. The email included the account details that the funds needed to be sent to and the fraudster was keen to stress that the payment had to be made the same day.

Fine tuning the scam

The fraudster also added some subtle touches to the email to make it look as authentic as possible. The CEO addressed the member of the finance team using an abbreviated version of her full name, which the fraudster appears to have picked up from viewing previous email correspondence between the CEO and this member of the finance team. The fraudster also mentioned that he was enjoying his holiday and would be busy all day and signed off with the CEO’s genuine email signature.

In normal circumstances, the member of the finance would have confirmed the details of the transfer with the CEO in person. But with the CEO on holiday, and with the email appearing to come from the correct address, along with the use of her nickname and a genuine email signature, the employee assumed that the request was genuine. Not wanting to disturb the CEO while on holiday and conscious that the payment was urgent, the employee paid the funds into the account and sent an email confirming this to the account run by the fraudster.

Seeing that the initial ruse had worked, the fraudster sent a similar email the following day, this time requesting a payment be made for $39,731 to another account. The employee arranged the payment once more, meaning that some $87,315 in total was transferred to accounts controlled by the fraudster.

The scam was only discovered a week later when the CEO returned to the office and the payments were brought up in conversation. The care home reported the incident to local law enforcement and tried to get the recipient banks to recover the funds, but most of the money had been withdrawn from the accounts. One of the banks was able to recover a meager $600, leaving the care home $86,715 out of pocket. Fortunately, the care home had purchased cybercrime cover on their cyber policy with CFC and were able to recover most of the loss.

The key driver for cyber claims? Human error

This claim firstly illustrates how CEOs and senior executives are prime targets for cybercriminals. These individuals usually act as the face of their companies and tend to have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. In addition, cybercriminals know that employees are instinctively less likely to question instructions from CEOs and other senior executives. Individuals in leadership roles need to be especially conscious of sticking to good cybersecurity practices, such as having good password management in place. Likewise, employees need to be alert to suspicious emails from senior executives, particularly in instances where an urgent payment request is made, and have robust callback and authentication procedures in place.

Finally, this claim also discredits one of the most common objections to cyber insurance: namely that by investing in IT security, organizations have no need for cyber insurance. But most cyber incidents are a result of human error. With increasingly sophisticated attacks like this on the rise, it makes it very difficult for employees to tell the difference between a real email and a fake one. Furthermore, with more and more financial transactions being carried out electronically, the number of opportunities for cybercriminals to steal these funds has never been greater. Having good training and authentication procedures can certainly help reduce the risk of an event like this, but it’s impossible for any business to be completely impervious to attacks. This is why cyber insurance should be a part of any prudent organization’s risk management program, acting as a valuable safety net should the worst happen.

Source: www.cfcunderwriting.com


Product Recall Insurance

Product recall insurance helps safeguard a business from the financial impact of a recall, specifically the first and third-party costs associated with identifying and addressing the issue, conducting the recall and keeping the business operational.

When considering product recall insurance, it’s important to remember that the cost of a recall includes much more than the cost of getting the goods off shelves or back from customers.

Recalls of any kind can impact cash flow, squeezing a company’s ability to pay staff, purchase raw materials or even continue production. For some businesses, a product recall can present a true crisis.

For more information about CFC’s product recall policy click here to download the full infographic below.

Source: www.cfcunderwriting.com

 

 

 


Apples and Pears: The IP Dispute that’s Making Headlines

The David vs Goliath battle began when Apple tried to stop Prepear from trademarking a pear logo, claiming it was too similar to its own. Angered by Apple’s stance, Prepear launched a petition to stop Apple from pursuing the legal action and prevent the company from undertaking similar complaints in the future.

Apple vs Prepear: How it happened

When small business owner Natalie Monson filed a trademark application on behalf of her recipe and meal planning app, Prepear, she had no idea of the legal fight that would quickly ensue.

The small business owner was faced with a notice of opposition from tech giant Apple, because the company believed Monson’s logo to be too similar to its own. Apple’s complaint to the US patent and trademark office cited concerns over the pear logo hurting its brand, due to its similarities with the company’s world famous apple logo.

Apple’s filing noted that the pear logo being used by Prepear “consists of a minimalistic fruit design with a right-angled leaf, which readily calls to mind Apple’s famous Apple Logo and creates a similar commercial impression, as shown in the following side-by-side comparison.” Regulators were therefore asked to reject the trademark application.

While Apple is, primarily, a technology and software company, its legal team argued that the brand’s minimalist logo is so recognizable that consumers may see the Prepear logo and immediately associate it with Apple.

Apple’s statement said that as the company has “services related to computer software, as well as healthcare, nutrition, general wellness, and social networking” consumers could mistakenly believe the recipe planning service was one of its new apps.

Why this case matters

The legal battle that Prepear has on its hands is an extreme example of what can happen when small businesses come up against far more powerful brands. While many companies believe themselves to be immune from the threat of IP disputes, this is rarely the case.

When considering the risks posed by IP disputes, companies tend to focus exclusively on competitors within their industry. But the case of Apple vs Prepear shows that cases can easily be brought by those outside of a company’s sector. It’s therefore incredibly difficult for brands to predict every single IP risk that might be out there.

Cost is another important factor in IP disputes. Small businesses like Prepear have just a fraction of the resources of some of their much larger counterparts, meaning that when an IP case does emerge, they are often not in a position to defend themselves. In fact, many small companies whose logos were deemed too similar to Apple’s have already been forced to stop using logos and foot the bill of a complete redesign.

Legal disputes are often very harmful to a company’s reputation, and this can have an impact no matter who is in the right, and who is in the wrong. If a dispute is ongoing, consumers can be quite reluctant to spend money with a company due to worries about its future. Similarly, partner brands and wholesale contacts are often hesitant to work with a company undergoing a dispute with an established brand.

IP infringement litigation is another risk to organizations and infringement allegations can sometimes arise following an IP opposition. The cost of IP litigation can be considerable, and for small businesses the spiraling costs of a legal dispute can become seriously problematic. Many simply do not have the resources to fight legal battles with brands that have far greater resources at their disposal. But smaller companies are far from powerless when it comes to issues relating to IP. They just need to take steps to protect their brand, products and services from IP complaints before any problems arise.

How can brands protect themselves?

IP insurance enables companies of all sizes to defend themselves from any claims of IP infringement. These policies can also help brands pursue other companies that might be infringing on patents, copyrighted materials or trademarks.

Contact your insurance broker to find out more about our IP insurance policies.

Source: www.cfcunderwriting.com


City Government Falls Victim to Social Engineering

Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information, or clicking on a malicious link, and it’s causing serious financial harm to organizations around the world.

Any organization that transfers funds electronically can be susceptible to social engineering attacks, and entities operating in the public sector are no exception to this. Public entities not only receive funds electronically in the form of grants from central government and tax receipts from local residents, but they also disburse large amounts of money both internally to different departments and externally to third party suppliers and contractors. All these transactions make for a tempting target for cybercriminals, who are constantly on the lookout for opportunities to intercept fund transfers and divert them to fraudulent accounts.One of our policyholders affected by such a loss was a local government for a city with a population of around 140,000. The city government’s responsibilities include public transportation, car parking facilities, social housing, parks and recreation areas, and recycling and waste disposal, and more.

Fraudster glimpses prime opportunity

The scam all began when an employee from the city’s finance department fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft. The email explained that the employee’s email account details needed to be verified in order for them to continue to use Outlook without disruption. With the email appearing to come from an official source and with the employee not wanting to suffer any disruption to her work, she clicked on the link included in the email. The link took her through to a seemingly legitimate landing page with Microsoft branding in place, where she inputted her email login details. Assuming that her account had been verified, the employee gave no further thought to the incident. However, by inputting her credentials on this login page, the employee had inadvertently passed on her details to a fraudster.

To make matters worse, the city government had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s account remotely. This allowed the fraudster to monitor communications to and from the account and gather valuable information about any upcoming transactions.

As it happened, the city government was in the process of building a new social housing development and had contracted a third-party construction firm to carry out the building work on the project. The construction firm would send regular invoices for the work carried out to the city’s finance department, who would then arrange for a payment to be made to the construction firm’s bank account. The fraudster managed to find the email correspondence between the employee in the finance department and the finance director of the construction firm, and in the process, the fraudster established that the latest invoice, totaling $213,456, had been sent over and was due to be paid within a few weeks. Having spotted a lucrative opportunity, the fraudster chose this moment to strike.

Scam set up in a flash

The fraudster’s first step was to set up a forwarding rule in the employee’s email account. Forwarding rules are settings that can be applied to an email account which ensure that certain emails are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the construction firm’s genuine domain name were automatically marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the construction firm’s finance director. To the untrained eye, this was exactly the same as the finance director’s, but crucially omitted a character from the domain name. So rather than reading Joe.Bloggs@XYZconstruction.com, it read Joe.Bloggs@XYZconstuction.com.

The final step was to send an email to the employee in the city’s finance department from this fake account. In the email, the fraudster explained that the construction firm’s usual account was being audited and that meant that they were pausing all transactions while this was taking place. The email then went on to explain that a temporary account had been set up as an alternative and that all upcoming invoice payments should be sent there in the meantime, with the fraudster attaching a document with the new account details attached.

The fraudster also added some touches to the email to make it look as authentic as possible. For example, the fraudster forwarded the original email correspondence between the city government’s employee and the construction firm’s finance director to the fraudulent email address, with the fraudster then responding to this email correspondence and making it look as though the fake email was part of the original email chain. The fraudster also signed off with the finance director’s genuine email signature and the document with the fake account details featured the construction firm’s genuine logo and address details.

With the fraudster’s email forming a part of the original email chain and coming from a seemingly identical email address, along with a plausible excuse for changing the account details temporarily, the employee in the city’s finance department never doubted the legitimacy of the request and the construction firm’s account details were changed, resulting in $213,456 being sent to the fraudulent account.

Discovered too late

It was only when the construction firm’s finance director called up the city’s finance department a few weeks later to inquire about the status of the payment that the scam was finally uncovered. The banks involved and local law enforcement agencies were immediately notified about the scam and attempted to recover the loss, but by this point it was too late to retrieve the funds as they had already been transferred out of the
fraudulent account.

With the lost funds deemed unrecoverable and the construction firm still expecting its invoice to be paid, the city government had no choice but to pay the invoice again, resulting in a significant financial loss. Thankfully, however, the city was able to recoup the stolen funds under the cybercrime section of its cyber policy with CFC, which provides cover for social engineering-style losses such as these.

Follow-up with a call and other key takeaways

This case highlights a few key points. Firstly, it illustrates why any organization that is undertaking a construction project should be extra vigilant when it comes to funds transfer fraud. Cybercriminals know that any construction project is likely to require sizable transfers of money, which makes it a particularly lucrative and tempting area for them to target. Any organization involved with a construction project, whether it’s the entity that’s paying for the project or the contractors carrying it out, should be on their guard to prevent funds from being intercepted by fraudsters.

Secondly, it shows just how skillful cybercriminals are becoming at parting innocent organizations from their money and how difficult it is to spot a fake. In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the city’s employee into handing over her login details; set up a forwarding rule to prevent any genuine emails from the construction firm from reaching the employee and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the construction firm’s finance director’s address; make it look as though the fake email sent to the employee was part of the original email chain, and make use of the finance director’s genuine email signature and the construction firm’s logo and address on the document containing the fake account details.

Finally, it highlights the importance of having call back procedures in place. Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is verified by having a member of the accounts department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. If the city’s finance department had had this procedure in place and the employee had followed it, it’s highly unlikely that the funds would have been intercepted. Having call back procedures in place, alongside staff training on phishing risks and multi-factor authentication on email accounts, can significantly reduce an organization’s exposure to funds transfer fraud. Nevertheless, it’s worth noting that none of these methods are fool-proof and it’s very difficult to eliminate this risk entirely, especially when human error is factored in. And that’s why cyber insurance can be such a useful purchase, providing a valuable safety net when things go wrong.


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn