SAN FRANCISCO – Apple on Friday urged iPhone owners to install a security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by malware dealers.
Researchers at the Lookout mobile security firm and Citizen Lab at the University of Toronto said they had uncovered a three-pronged attack targeting the dissident’s phone “that subverts even Apple’s strong security environment.”
Lookout and Citizen Lab worked with Apple on an iOS patch to defend against the attack, called Trident because of its triad of methods, the researchers said in a joint blog post.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” Apple said in a released statement.
Trident is used in spyware referred to as Pegasus, which a Citizen Lab investigation showed was made by an Israel-based organization called NSO Group. NSO was acquired by the U.S. firm Francisco Partners Management six years ago.
Lookout referred to Pegasus as the most sophisticated attack it has seen, accessing calls, cameras, email, passwords, apps and more.
The spyware was detected when used against Ahmed Mansoor, a human rights activist who has been repeatedly targeted using spyware.
After receiving a suspicious text with a link, he reported the matter to Citizen Lab, which worked in conjunction with San Francisco-based Lookout to research the affair.
“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information,” the joint blog post said. “This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
Mansoor received text messages on Aug. 10 and 11 promising that secrets about detainees being tortured in United Arab Emirates jails could be accessed by clicking on an enclosed link, researchers said.
Had he fallen for the ruse, the Trident chain of heretofore unknown “zero-day exploits” would have broken into his iPhone and installed snooping software.
Once infected, Mansoor’s iPhone would have been turned into a “spy in his pocket” capable of tracking his whereabouts and conversations, Citizen Lab said.
Mansoor was targeted five years ago with FinFisher spyware and again the following year with Hacking Team spyware, according to Citizen Lab research.
“The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists,” the researchers said.
Although the cyberattack on Mansoor was not linked to a specific government, Citizen Lab said indicators pointed to the UAE.
UAE authorities did not comment on the matter.
Lookout and Citizen Lab believe the spyware has been “in the wild for a significant amount of time.”
“It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android and Blackberry.”
Citizen Lab has also found evidence that “state-sponsored actors” used NSO weapons against a Mexican journalist who reported on high-level corruption in that country and on an unknown target in Kenya.
The NSO tactics included impersonating sites such as the International Committee of the Red Cross, the British government’s visa application processing website and a wide range of news organizations and major technology companies, the researchers said.
Mansoor’s decision to enlist Citizen Lab instead of falling into the trap gave researchers a rare chance to expose the work of “shady cyber arms dealers” who command high prices for morally questionable services, said Lookout’s vice president of security research, Mike Murray.
Invoices posted online have shown that hackers can charge tens of thousands of dollars per target hit with their software.
“The smartphone is a valuable target, and breaking into it is a valuable skill set,” Murray said. “People who can do this, and with wiggle room in their moral code, have realized the business opportunity.”
NSO Group has been around since 2010, and the capture of one of its weapons was billed as a first.
Studying Trident has helped cyberdefenders find ways to spot spyware that had been operating unseen, and they are “actively catching it in the wild now,” Murray said.
He declined to reveal anything about other targets, saying that they were people likely to be under surveillance in other ways by local authorities.
Citizen Lab saw the attack on Mansoor as further evidence that “lawful intercept” spyware has significant abuse potential, and that some governments can’t resist the temptation to use such tools against political opponents, journalists and human rights defenders.
Fast-growing Schutz Shoes upgrades its fraud detection software to slash manual reviews and improve order processing.
Online orders were flowing into shoe e-retailer Schutz Shoes, the U.S. division of Brazilian-based shoe retailer Arezzo & Co., but the small team spent an increasing amount of time checking whether an order was fraudulent. When one employee on a staff of seven has to manually review the legitimacy of an online order, that’s time away from customers and other business, says Kimberly Gort, e-commerce manager for Schutz.
Schutz Shoes started selling online in 2014 operating its e-commerce site in the basement of its New York City store. That first year, Schutz had about $350,000 in online sales. In 2015, about half of its product catalog was available online and sales grew to $1.5 million. Now, with all of its products available online, Schutz Shoes projects about $3 million in online sales for 2016, Gort says. The retailer also opened a store in Los Angeles.
With triple-digit percentage growth comes growing pains. When the e-retailer received a modest five online orders a day, using the free tool from its e-commerce platform provider (Shopify Inc.) worked fine, Gort says. The plugin would flag orders that might be fraudulent, and the retailer decided to approve or decline such orders. For example, the tool flagged an order if the credit card and shipping addresses didn’t match, so a Schutz employee had to call the customer and determine if it was a legitimate order. Deciding what was and wasn’t fraudulent often was difficult, Gort says.
“There’s always a risk,” she says. “It was like we were playing roulette.”
The situation frustrated the retailer and the shopper, as some shoppers were blocked from placing an order or their order was delayed or they had to deal with a phone call from the retailer. Schutz was missing out on orders, devoting almost a full employee to manually check the orders and seek out consumers to verify information. As order volume and sales grew, the manual-review model no longer worked, Gort says.
In July, Schutz Shoes decided to integrate fraud detection software provider ClearSale onto its platform, choosing the vendor because it was used by parent company Arezzo. It took about two weeks to integrate the technology onto Schutz’s site, Gort says.
ClearSale factors in about 100 variables to approve or deny orders, and then has its 500-person team dig deeper on flagged orders, says Rafael Lourenco, vice president of operations at ClearSale. Orders can be approved within three seconds, while an order that requires manual review will take 24-48 hours, he says.
The impact of adding ClearSale was almost immediate, Gort says, as Schutz Shoes was no longer on the hook to manually check flagged orders. The e-retailer now approves 94-96% of its orders, which is about a 5% increase from when it relied on its free plugin, Gort says.
ClearSale charges per transaction and takes a 0.4-1.5% cut of the sale. The commission is worth it, Gort says, as more sales are approved. In August, Schutz Shoes paid ClearSale $1,500. The retailer processed 1,200 online orders that month, 1,002 of which ClearSale reviewed in some capacity; of those 1,002 orders, 973 (97.1%) were approved.
ClearSale has about 2,000 clients, and more than 90% are retailers, Lourenco says. Across all of its clients, 93.5% of orders are automatically approved, Lourenco says.
Recently, ClearSale updated its formula with another variable to approve or deny orders. The feature factors in how long a consumer is on the website before she purchases. The shorter it is, the more suspect. However, this is only one variable and a short time between landing on the site and purchasing will not automatically flag an order, Lourenco says. The new feature increased ClearSale’s average approval rate by 1%, he says.
Fraudsters are using clever impersonation techniques to siphon millions from unprotected businesses
When Keith McMurtry, corporate controller of Scoular, a 124-year-old US grain-trading and storage company, was asked by his chief executive to wire $17.2m to an offshore bank account, he did not question it.
Chuck Elsea told Mr McMurtry in a top-secret email that Scoular was in talks to acquire a Chinese company. The chief executive instructed him to liaise with a lawyer at KPMG who would provide the wiring instructions to an account in China.
“We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly,” Mr Elsea wrote in an email in June 2014. Over three transactions, Mr McMurtry transferred the $17.2m to an account in the name of Dadi Co at Shanghai Pudong Development Bank, according to an affidavit signed by an agent with the Federal Bureau of Investigation and filed in a Nebraska court.
The email was a fraud. Criminals impersonated Mr Elsea by creating a phoney email account in his name. They also set up fake email and phone numbers in the name of a real KPMG partner, who later said he had never heard of Scoular. US authorities have traced the emails and phone number to Germany, France, Israel and Russia.
Scoular, which is ranked 66th on Forbes’ list of the US’s largest private companies with revenues of $5.9bn, is one of several thousand companies that have fallen victim to a new type of fraud known as business email compromise schemes, which have netted $800m in the past six months.
In January 2015, Xoom, an international money transfer company bought for $890m last July by PayPal, a pioneer in digital payments, said an employee in its finance department was duped into transferring $30.8m in corporate cash to an overseas account.
Ubiquiti Networks, a US manufacturer of wireless networking products, disclosed that its finance department was targeted last June by an imposter and transferred $46.7m to overseas accounts. After discovering the fraud the company began legal proceedings and has recovered $8.1m.
More than 12,000 businesses worldwide have been targeted by the scams, also known as CEO email schemes, between October 2013 and this month. The transactions have netted criminals $2bn, according to the Internet Crime Complaint Center, an intelligence and investigative group within the FBI that tracks computer crimes. Companies large and small, across 108 countries, have been hit and the threat is growing, law enforcement officials say.
“It has gotten quite out of hand,” says Mitchell Thompson, a supervisory special agent and head of the financial cyber crimes task force in the FBI’s New York office.
The criminals are “becoming more brash”, he says, by introducing third parties, such as law firms and consultants, to carry out the fraud. They have also become more sophisticated about how they troll potential victims.
“They’re using social media a lot against us. They might send a spam email intentionally to see that the executive is out of the office, [making] it prime time to target. They might look on Facebook and see that [the chief executive is] travelling to Europe or Australia so they know you’re in the air for a certain amount of time” and have a window to strike, Mr Thompson says.
Tricking people using the internet to steal money is hardly new. There have been criminal groups taking advantage of users of dating websites and fundraisers for disasters or terrorist attacks. A decade ago authorities were flooded with complaints of bogus Nigerian email scams and false lottery winners.
Criminals use a variety of tactics. Sometimes they gain access to executives’ emails by hacking into the accounts using phishing emails. The accounts of chief executives can also be spoofed by changing a letter or replacing a company’s official email service with a Gmail account. The phoney account created to mimic the KPMG lawyer used the suffix @kpmg-office.com, a fake address convincing enough to trick someone who is not checking carefully.
The criminals usually impersonate the executive and order the transfer, often through a second account they secretly control, such as the one said to belong to the KPMG lawyer. The money is sent to accounts in Asia or Africa, where it is harder for authorities to recover. By the time the company realises it has been duped, authorities say, the money has long gone.
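A sender check for the spoofing tactics described above, as an added example that is not part of the original article. It flags a trusted domain with a letter changed, a trusted name with an extra token (the `kpmg-office.com` pattern), and an executive's display name on a freemail or other outside domain; `example.com`, the executive name and the allow-lists are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumed allow-list: the organisation's own domain plus partners it really
# corresponds with. example.com stands in for the victim company's domain.
TRUSTED_DOMAINS = {"example.com", "kpmg.com"}
# Constructed executive display name -> the only domain it should appear on.
EXECUTIVES = {"pat example": "example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. A simplification: production code should consult
    the Public Suffix List so that e.g. co.uk domains are handled."""
    return ".".join(host.split(".")[-2:])


def check_sender(from_header):
    """Return a list of findings for one From: header (empty list = nothing flagged)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-sender"]
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return []

    findings = []
    tokens = re.split(r"[.-]", host)  # "kpmg-office.com" -> kpmg, office, com
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Distance 1 is a changed letter; 2 also covers two swapped letters.
        if 0 < edit_distance(domain, trusted) <= 2:
            findings.append("lookalike:" + trusted)
        elif brand in tokens:
            findings.append("brand-plus-token:" + trusted)

    # An executive's name in the display field, but on somebody else's domain.
    display = " ".join(name.lower().split())
    expected = EXECUTIVES.get(display)
    if expected and domain != expected:
        kind = "freemail" if domain in FREEMAIL else "external-domain"
        findings.append("executive-name-on-" + kind)
    return findings


if __name__ == "__main__":
    # Constructed headers; only kpmg-office.com is taken from the article.
    samples = [
        '"Pat Example" <pat.example@example.com>',
        '"Pat Example" <pat.example@examp1e.com>',
        '"Pat Example" <pat.example.ceo@gmail.com>',
        "Tax Partner <partner@kpmg-office.com>",
        "Vendor <billing@unrelated-supplier.net>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no findings")
```

The check reads only the From header, so it does nothing for the other tactic mentioned above, a genuine executive account taken over through phishing.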
Mr McMurtry told the FBI that he was not suspicious of the transfers since Scoular was discussing an expansion in China and he had been working on an annual audit with KPMG, according to the FBI affidavit. Mr McMurtry, who is no longer with Scoular, did not respond to requests for comment. Scoular also declined to speak.
The scam began simply enough. Mr McMurtry received an email purporting to be from Mr Elsea. “I have assigned you to manage file FT-809,” the bogus email said. “This is a strictly confidential operation, which takes priority over other tasks. Have you already been contacted by Rodney Lawrence [the KPMG lawyer]?” It went on: “This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The following day “Mr Elsea” sent another email stating that the transfer was urgent and he should “proceed asap with the wire to the same beneficiary and bank account as yesterday”.
FBI agents traced the phoney email account in Mr Elsea’s name to Germany. The KPMG email name was linked to a server in Moscow. The phone number provided was traced to a Skype account registered in Israel.
Scoular’s lawyers told the FBI that Wells Fargo said Dadi — the name on the account in Shanghai where Mr McMurtry sent the money — manufactured army boots. Dadi claimed to the bank that the wire transfers were part of a sales contract for the manufacture of boots, according to the FBI affidavit. Scoular said it did not purchase boots.
Mr Lawrence, the KPMG lawyer whose identity was used in the email scheme, is the global leader of KPMG’s international tax services. When interviewed by the FBI he told them he was not familiar with Scoular and had not spoken with anyone at the company, according to the affidavit.
The FBI obtained a court order to seize the funds held at Shanghai Pudong Development Bank but was told that the account had been closed and the funds transferred.
Business email compromise crimes are “a huge” problem, says Austin Berglas, head of cyber investigations at K2 Intelligence and a former chief of the FBI’s cyber branch in New York. Executives are so reliant on email they do not pick up the phone to confirm the transaction and “there is no second check,” he adds.
Some of the email scams are similar, suggesting they come from the same criminal organisation.
The FBI and US Justice Department have several investigations under way. Over the past 12 months the FBI has put more intelligence analysts on the case and has liaised with law enforcement agencies worldwide. “We will open cases this year and we will make arrests this year,” says James Barnacle, chief of the FBI’s money laundering unit.
Glen Wurm, director of accounting at AFGlobal Corp, which makes products for the aerospace, oil and gas industries, received an email in May 2014 similar to that sent to Scoular.
Purportedly from Gean Stalcup, the company’s chief executive, it said: “Glen, I have assigned you to manage file T521. This is a strictly confidential financial operation which takes priority over other tasks. Have you already been contacted by Steven Shapiro [attorney KPMG]?”
Mr Wurm was told not to speak to anyone and was directed to wire $480,000 to an account at the “Agriculture Bank of China”, according to legal documents. The hacker mimicked the tone Mr Stalcup used with Mr Wurm, according to a lawsuit that AFGlobal filed against its insurer Federal Insurance.
Six days later, Mr Shapiro contacted Mr Wurm confirming he had received the transfer, adding that he needed another $18m, according to a lawsuit. At this point Mr Wurm became suspicious and said he could not send so much money without alerting senior executives.
It was too late: the bank account had been emptied. AFGlobal is suing Federal Insurance and Chubb, its parent company, seeking more than $1m for allegedly breaching its contract by not covering the claim. Chubb has declined to comment.
Mr Thompson has declined to discuss either scheme but says criminal groups copy successful tactics. While some schemes have been as large as $90m, the average loss is $120,000.
“The ones you don’t hear about are the smaller corporations that send $50,000. They’re saying, ‘I’m not going to make payroll, we’re going to close our doors’ as a result of the fraud,” Mr Thompson says.
There is little that companies can do to recover the funds. Banks are not required by law to reimburse a company that makes a transfer. Cyber insurance policies might not cover a fraud against a company if its network has not been hacked.
“The bank will look at the totality of what the company has done to protect itself and whether or not they’re adhering to the agreement that the company has signed associated with the initiation of any of these wires,” says Doug Johnson, senior vice-president of overseas payments and cyber security at the American Bankers Association. One good practice is requiring the approval of two people, he says.
That practice is not fail-safe, however.
Like AFGlobal, Medidata Solutions, a clinical technology company, fell victim to email fraud in September 2014.
An employee in accounts received an email from an executive requesting a money transfer, according to a lawsuit filed in a federal New York court against Federal Insurance. The email included an image of the executive’s face and his signature.
Like the other alleged scams, the email included the name of a lawyer, who would act as a liaison for the employee. The employee told the lawyer that he needed the approval of two others before a $4.7m transfer could be made.
The fraudsters had a solution, though. Later that day, two employees with authority to sign off on the transfer were emailed instructions, purporting to be from the chief executive of Medidata, telling them to approve the wire to a bank account in China.
The transfer went through. Two days later, an email from the lawyer told the same employees to initiate a second transfer of $4.8m. One of the employees had grown nervous and called the executive direct — stopping the fraud and saving millions for the company.
Yet law enforcement officials say companies need to be more vigilant to guard against a crime that has become simpler to commit. “It’s easy,” says Mr Barnacle. “All you need is a computer.”
A message purporting to be from Facebook Security Management claims that your account will be disabled because other users have reported your actions. It instructs you to click a link to re-confirm your details or Facebook will remove your account.
The message is not an official Facebook security warning. Instead, it is a phishing scam designed to steal your Facebook login details as well as your credit card numbers, your email account password, and other identifying information. It is just one in a long line of very similar scam messages. If you receive one of these messages, do not click on any links that it contains.
WARNING: Your account will be disabled!
Our system has received the reports from the other users about the misuse of your account. Someone has reported your actions, which violations of our terms.
Facebook does not allow:
- Pretending to be someone else
- Interfere with another comfort for the user
- Having more than one Facebook
- Share link or video content with pornographic videos
If you are really user of this account, you’ll need to re-confirm your account. It’s easy, Click the link below to confirm your account:
If you do not immediately confirm a grace period of 12 hours after you receive this message, so sorry we will remove of your account.
According to this warning message, which claims to be from “Miller” at “Security Management Facebook”, your Facebook account is set to be disabled. Supposedly, you have been misusing your account and someone has therefore reported your actions.
The message then claims that you must click a link to re-confirm your account within 12 hours or Facebook will remove the offending account. The warning is distributed via Facebook’s internal messaging system.
However, the message is certainly not from any official security manager at Facebook. And the claim that your account will be disabled if you do not confirm your information is a lie.
If you are taken in by the ruse and click the link in the hope of saving your account, you will be taken to a fraudulent webpage that has been built to emulate the real Facebook website. The fake webpage asks you to “login” with your Facebook email address and password. Next, a second form will appear that asks you to provide your webmail address and password as well as your date of birth, country, phone number, and account security question.
Finally, you will be redirected to the Facebook Newsroom website. At this point, you may believe that you have successfully confirmed your information and thereby avoided the threatened account removal.
In reality, however, online criminals now have a good deal of your personal and financial information. They can use your information to hijack both your Facebook account and email account. Once they have gained entry to these accounts, they can use them to send out further scam and spam messages. They may send new versions of the above scam to your friends from your Facebook account via private messages.
The criminals can also use your credit card to conduct fraudulent transactions. They may also manage to use all of the personal information they have collected to steal your identity.
This criminal tactic is not new. In fact, this scam message is just one in a long line of very similar scams that have targeted Facebook users for several years. Be wary of any message that purports to be from Facebook and claims that your account will be disabled or suspended if you do not click a link to verify your account details. If Facebook needs you to address an account issue, you will most likely receive a notification from within Facebook itself when you log in.
If one of these scam messages comes your way, do not click any links that it contains. Always log in to Facebook by entering the address into your browser’s address bar or via a trusted app.
There's been an alarming number of phishing scams identified this year and these emails are getting more clever and realistic than ever.
The latest phishing email you need to keep an eye out for disguises itself as an iTunes email. Much like the Amazon phishing scam we showed you, this email claims that you have been overcharged for a download purchase, $25 for one song, which is usually $1.99 or less, or $45 for the Netflix app.
The email will show you a very official-looking billing statement and will encourage you to click a link that says, "Cancel andx Manage Subscriptions." But, because you're a Komando.com reader, you'll notice the typo in the link and know that's red flag number one.
Whatever you do, don't click that link. It could take you to a malicious site that can steal all of your valuable information, then it's game over.
If you think you really might have been overcharged, check your bank statements first before clicking any links.
Just being in the know about these emails is step one. There are other steps you can take to keep yourself safe from these phishing attempts. If you see an email like this in your inbox:
- Be sure to exercise caution before you click on anything. Hover over any links and see where they direct before you click. If the links provided go to a website, don't click it. Navigate to the company's site yourself without the link.
- Take some time and try to spot the typos.
- Practice multi-level authentication, which means you have at least two forms of verification, such as a password and a security question before you log into any sensitive accounts.
- Another thing is to have an internet security system. We recommend our sponsor Kaspersky Lab. Software from Kaspersky Lab can recognize and block ransomware. Even if it's a new version or unknown version of a ransomware, Kaspersky Lab can figure out that the program is doing something it shouldn't. Kaspersky Lab will stop it from running and will roll back any files that were encrypted to a previous non-encrypted version. Of course, Kaspersky Lab software also helps filter out and warn you about phishing scams, so your odds of downloading a ransomware virus are slim. Get this protection, and so much more, with Kaspersky Total Security.
When it comes to investing, there are precious few certainties, other than the fact that nobody works for your financial best interest as completely as you do.
That fact became obvious to the clients of the Warrenville, Ill., company Capital Management Associates recently when the SEC brought a suit against the father-and-son team that run it for "cherry picking" trades.
We'll get back to that story in a moment. But it's important for everyone to know that even the ethical players in the financial industry earn their living based on the fees they get directly from you or via the providers of products they recommend to help you achieve your goals.
In addition, because financial management is somewhat complicated and the future is never guaranteed, it's an industry rife with opportunities for fraud and theft. That's especially a risk when people turn over complete control of their hard-earned cash to an "expert" who promises to manage it for them.
If you suspect that your financial adviser may be scamming you, here are five signs that can help you uncover it.
In the case against Capital Management Associates, the SEC alleges that the duo ran trades without specifying whether they were for clients' accounts or for the owners' accounts. Then, once the profitability or loss of the trade was assured, the company would backdate that information, assigning the profitable trades for themselves and the losers to clients.
Losing money in an investment is not a crime, but cherry-picking among winning and losing trades after the fact is.
How could clients of Capital Management Associates have known that they were getting saddled with the bad trades? The short answer is: by staying in the loop.
Those who trust their adviser to trade on their behalf should, at the very least, insist on receiving a running total of all trades when they are made. If your financial adviser can't or won't do that for you, then chances are pretty good that you're being scammed.
Bernie Madoff swindled investors out of billions of dollars in what has been called the largest Ponzi scheme ever uncovered. While Madoff, a former chairman of the Nasdaq stock exchange and securities representative on SEC industry panels, knew enough to hide from the regulators for decades, his returns were too consistent to be real.
Any time an investment advisor is guaranteeing returns or assuring consistency, year in and year out, there's a pretty good chance it's a scam. And while there are a few legitimate annuities with investment accounts structured in a way to "guarantee" you won't lose money, they're generally just high-cost insurance plans where you're paying dearly for those guarantees through the structure of the deal.
Sign No. 3: You're Getting Hot Tips That You're Told You Need to Act on Now.
Any legitimate investment worth owning will still be available tomorrow, after you've had the time to think about it (and research it independently). Any pushy advisor telling you things like, "You've got to act today to get in on the ground floor" or "You don't have time to read the paperwork" is asking you to act without reviewing something, which is a common hallmark of a scam.
While there are real deadlines for things like IRA contributions, the money in those accounts can easily sit as cash until you've had time to review the details of the investment recommendation. And be aware that prices in the stock and bond markets do change regularly -- often several times throughout a trading day. If your adviser brings you an investment to consider and you do take the time to review it before buying, don't be surprised if the price winds up being a bit different than initially discussed.
Still, it's better to wait and lose a little bit than to lose everything to an outright scam.
Sign No. 4: You're Promised Investments That Will Be "No Cost to You."
If you're working with a financial adviser, that advisor is getting paid by you, either directly by checks you write or indirectly via commissions, spreads, or fees generated by the investments you make. Any adviser claiming otherwise is hiding something -- likely an outlandishly high fee for placing an investment or insurance policy, which can often run north of 7 percent of the invested amount.
A competent advisor deserves to be paid for his or her time and expertise. But one that won't tell you how much you're paying for the service or how you're paying for it is an adviser to walk away from.
Sign No. 5: Your Account Is Being Churned and Burned.
And speaking of fees, be wary of an adviser who regularly churns your account through multiple trades of similar types of annuities, mutual funds, or other investments. If your adviser is getting paid through a hidden commission from making the transaction, that activity is very likely lucrative for the adviser ... but not so much for you.
Not all investments work out, of course, but a common definition of insanity is doing the same thing over and over again while expecting different results.
If your advisor is trying to convince you that the investment you are in is so much worse than a fairly similar one you should be in, that's a sign that neither investment is likely right for you.
Welcome to the IOSCO Investor Education Gateway! This is the place to find information about many IOSCO members' on-line investor education activities, as well as IOSCO publications and presentations regarding investor education.
Investor Education has been and continues to be a significant part of multiple IOSCO seminar training programs. Additionally, and upon requests made by IOSCO members, dedicated Investor Education training has been organized and presented by IOSCO staff.
IOSCO has a major commitment to improving and promoting investor education. Just some of the priorities on the horizon for the IOSCO Education and Training team include:
- Conducting Investor Education Workshops;
- Expanding the Investor Education Gateway;
- Making investor education resources available for all IOSCO members;
- Continuing IOSCO research regarding all aspects of investor education, and offering assistance to IOSCO members with respect to their own investor education initiatives;
- Providing forums and other platforms for IOSCO members to share "Best Practices" and "Good Ideas";
- Analyzing what the current research shows with respect to investor education;
- Focusing on what works and what does not work, and what the proof is if something does work.
The International Financial Securities Regulatory Commission was established to promote investor confidence in the securities and capital markets by providing more structure and government oversight.