As 2017 draws to a close, we here at Easy Solutions have been reflecting on the biggest fraud events of the year. These seven events changed the fraud landscape and left lasting effects on organizations and their outlook on security for years to come.
This May, Gmail users were sent emails that appeared to be from real contacts asking them to open a Google Doc that had been shared with them. People who fell for the ruse were asked to grant permission to a Google Doc application. The app was really a fake, and was used to access users’ contacts and send messages to further perpetuate the scam. Though the attack didn’t attempt to steal money, login credentials, or any information beyond a user’s contact list, it showed just how powerful social engineering can be in manipulating users into doing anything an attacker desires.
Also in May, the world watched in dismay as a massive ransomware attack was launched, infecting the devices of more than 250,000 victims in 150 countries. The attack worked by exploiting a security vulnerability in Windows operating systems. Once infected, a computer’s files were encrypted. The affected computers displayed a message asking for a ransom, to be paid in Bitcoin, in exchange for the files being released. WannaCry’s incredible scope and impact caused a worldwide panic, and was followed by many other, smaller-scale ransomware attacks that continue to this day.
In June, a strain of ransomware called “NotPetya”, so named due to its similarities to a ransomware called “Petya”, hit Europe, the US, and Ukraine, causing disruptions at a number of organizations ranging from advertising firms to health care companies. NotPetya, like most ransomware attacks, demanded payment in Bitcoin in return for the decryption of files. However, the attack was suspected to be the work of amateurs, based on its code and demands. Researchers suspected that NotPetya’s goal was not profit, but instead to be disruptive. There are suspicions that the attack was politically motivated, and aimed to cause destruction in Ukraine’s IT infrastructure.
In August, an existing banking Trojan called Trickbot expanded its target base, reaching more than 12 new countries, including the US. The targets included the local URLs of almost every major bank in the targeted countries, putting a large number of banks and their end-users at risk of having their sensitive information stolen. Daily updates to the code further increased the malware’s potential to do harm. To better understand Trickbot and how it works, take a look at this video.
The Equifax data breach that was disclosed in September was arguably the most impactful fraud incident of the year. More than 145 million US residents, as well as some UK and Canadian residents, had their Social Security numbers, birth dates, home addresses, and other personal data stolen in the attack. Unlike other breaches, the compromised Equifax data could potentially be used to steal the identities of 145 million victims.
In October, the US Department of Homeland Security (DHS) announced a new policy requiring that all federal agencies implement a DMARC policy to protect their email domains. This announcement, sent out in the wake of a survey from August showing remarkably low DMARC implementation for federal email domains, demonstrated that DHS was officially recognizing the importance of protecting email channels.
In November, the rideshare giant Uber admitted that it had been the victim of a data breach in October 2016, and had subsequently paid off the hackers in a bid to cover up the cybercrime. Hackers were able to gain access to the company’s systems by obtaining the passwords of Uber developers, whose only line of defense was a username-password combo. This breach shows that, even with a plethora of strong security options on the market, there are still companies that are failing to protect their sensitive data and, in turn, failing in their duty to protect themselves and their customers.
The massive cyber-attacks and data breaches of 2017 showed that, despite widely available security solutions, organizations still have a long way to go in implementing strategies to protect themselves and their users from fraud. Government regulations, such as the DMARC mandate from DHS, are helping to move the process along, but there are still many imminent risks. To learn about what our anti-fraud experts at Easy Solutions expect to see in the future, take a look at our predictions for 2018.