Jack’s Hacks: Spring Edition
This month Jack goes over some best practices that will help you stay safe this Spring. We also cover some of the major breaches that have caused service outages and the latest cybercrime trends.
The Last 30 Days in Cybersecurity: Notable Breaches, Outages & Ransom Demands
Cyberattack Forces Canada’s Financial Intelligence Agency to Take Systems Offline
Canada’s financial intelligence agency, FINTRAC, has taken its corporate systems offline due to a recent cyber incident. The agency clarified that the incident doesn’t involve its intelligence or classified systems. While the nature of the attack remains undisclosed, FINTRAC is working closely with federal partners, including the Canadian Centre for Cyber Security, to restore its systems. The incident underscores the ongoing cybersecurity challenges faced by government agencies that hold sensitive information. Since the attack, FINTRAC has stated that there is no evidence that any information has been removed from FINTRAC’s systems or that any information was lost. However, some of its services still remain offline.
German Authorities Shut Down Online Cyber Crime Market
In early March, German authorities announced the takedown of the “biggest illegal German-speaking online trading platform” that traded in drugs, weapons, cybercrime services, and stolen credit card data. In a joint effort between German investigators, the FBI, the U.S. Drug Enforcement Administration, and the Internal Revenue Service Criminal Investigation, the Nemesis Market platform’s server infrastructure in Germany and Lithuania was seized, along with cryptocurrency valued at 94,000 euros ($102,000). The platform operated on the darknet, accessible only through specialized tools, and boasted over 150,000 user accounts and more than 1,100 seller accounts globally.
US Transportation Department to Review Airline Privacy Practices
The U.S. Department of Transportation (DOT) is starting a review of major airlines’ privacy practices because of worries about how they handle passengers’ personal information. This involves sensitive data gathered from their apps, ticket purchases, and now, more commonly, biometric screening systems. Even though digital privacy isn’t their usual focus, the DOT can punish airlines for unfair or misleading practices regarding passenger info. The first step in this review involves several airlines, including Allegiant, Alaska, American, Delta, Frontier, Hawaiian, JetBlue, Southwest, Spirit, and United, all of which have been formally notified.
The Latest in Cybersecurity
Canada Considers Online Harms Act
The Government of Canada introduced Bill C-63, the Online Harms Act on February 26th. The long-awaited and debated bill divides “harmful content” into seven categories:
- Content that sexually victimizes a child or revictimizes a survivor;
- Intimate content communicated without consent;
- Content used to bully a child;
- Content that induces a child to harm themselves;
- Content that foments hatred;
- Content that incites violence; and
- Content that incites violent extremism or terrorism.
Bill C-63 also proposes increased responsibility for social media platforms, requiring them to take measures to reduce the risk of exposure to harmful content, publish transparency reports and put in place special protections for children using their services. If the bill is passed, changes to the Canadian Criminal Code and the Canadian Human Rights Act will follow. To call the proposed legislation controversial would be an understatement. From accusations of Orwellian overreach and “insanity” to endorsements from the mother of Amanda Todd and victims of online bullying, sexual abuse and hate crimes, Bill C-63 has the world talking about online safety.
BlackFog’s State of Ransomware Report Reveals 43% Increase from 2023
In February, cyberattacks surged, setting a record with 57 reported incidents, marking a 43% increase from the previous year. BlackFog’s State of Ransomware Report also reveals that unreported attacks rose significantly, by 63%. Despite hopes that things would settle down, the number of unreported cyberattacks doubled, showing that many organizations aren’t following SEC rules about reporting incidents. Industries like government, manufacturing, and healthcare saw big jumps in attacks. Data theft, found in 91% of attacks, shows how serious the threat is. China and Russia were the top destinations for stolen data. Key takeaway for SMEs? Ransomware attacks aren’t going away and your business is at risk. Investing in a quality MDR/XDR solution is some of the best money small to mid-sized enterprises can spend on security right now.
Jack’s Top Monthly Hacks
For Businesses:
As tech advances, so do the tricks of cybercrooks. Artificial Intelligence (AI) is widely used in phishing attacks like Business Email Compromise (BEC) scams. In a BEC hustle, scammers leverage publicly available information to exploit vulnerabilities in various roles in businesses, governments, non-profits and schools. Executives, finance personnel, HR managers, and new employees are often targeted by criminals pretending to be someone trustworthy, requesting payment for a bogus invoice or seeking sensitive data like passwords or personal information.
Where does AI come in? Using machine learning, it’s easier for hackers to spot prime targets and craft personalized emails. With the ability to access and analyze massive amounts of data, AI can dig into public info, social media and past emails to make messages seem real. This level of personalization dodges filters and plays on human psychology, making it tough to spot fraudulent emails. And the consequences are significant. In 2023, the FBI reported losses of $2.9 billion USD from BEC schemes.
To fight back against AI-driven phishing in BEC, here’s what organizations can do:
- Educate Staff: Teach employees how to spot phishing with ongoing phishing training and simulations
- Use Multi-Factor Authentication: Require multi-factor authentication (MFA) on all computers and employee devices that access work systems
- Beef Up Email Filters: Invest in AI-powered tools to catch dodgy emails before they land in company inboxes
- Keep Software Updated: Updates fix software flaws and deliver vital security patches
- Authenticate Senders: Use protocols like SPF, DKIM and DMARC to verify that email really comes from the domain it claims to
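The SPF and DMARC tip above is only effective when the published records are strict enough to actually reject spoofed mail. The following checker is an added illustration, not code from the newsletter or from BOXX; it inspects constructed sample records (no DNS lookups) and flags the settings that leave a domain open to the BEC spoofing the article describes.

```python
"""Flag weak SPF and DMARC TXT records (constructed samples, no DNS lookups)."""
import re

# Constructed sample records for a hypothetical domain.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net mx +all"
STRONG_SPF = "v=spf1 include:_spf.example.net mx -all"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record is strict."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):  # p=none only monitors
        findings.append(f"policy p={policy or 'missing'} does not block spoofed mail")
    pct = int(tags.get("pct", "100"))
    if pct < 100:  # partial enforcement lets the rest of failing mail through
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:  # without reports you never see who is spoofing you
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return weaknesses in an SPF record: permissive 'all' or too many lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral: unauthorized senders are not flagged")
    elif last not in ("-all", "~all"):
        findings.append("no 'all' mechanism: result defaults to neutral")
    lookups = sum(1 for term in terms if LOOKUP_TERM.match(term))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings
```

Run `dmarc_findings(WEAK_DMARC)` and `spf_findings(WEAK_SPF)` to see the three DMARC and one SPF weakness the samples contain; the strong records return no findings.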
Breach Response Services for Business: Cyberboxx Business has dedicated cyber incident responders available 24/7 to investigate and contain data breaches quickly.
For Individuals
Time to Have “The Talk” with Your Kids?
According to the 2023 multi-national Keeper Security Parental Practices Report: Conversations on Cybersecurity, 30% of parents admit they’ve never talked to their children about cybersecurity. Sure, that means that most parents surveyed have talked to their kids about online safety. However, when 73% of 12-16-year-olds have their own smartphones and the FBI reports that cybercrime against children is on the rise, that 30% becomes kind of a big deal.
Parents need to prioritize cybersecurity conversations and, to do that, they should practice what they intend to preach. Everyone in the home with access to an online device needs to practice good cybersecurity. If mom and dad are using “password123” to log in to DisneyPlus, they’re hardly setting a good example. That’s why our Cyberboxx Home product offers online safety training for the whole family.
Once parents, caregivers or educators are trained up, it’s time for the talk. Here are some resources to get you started:
- Cybersafety, including how to deal with cyberbullies and how to avoid romance scams
Take an active role in your children’s online lives and enforce safeguards from the get-go if you can. It’s important to empower our kids, but it’s still up to us adults to protect them by keeping track of screen time and knowing what they’re doing online, and who they’re doing it with.