IT admins can lock some of the obvious open doors in business applications, but system visibility is key. Build automatic monitoring defenses and adopt a Git-like tool so you can "version" your business apps to restore prior states.

Read some the cybersecurity headlines and you'll notice a trend: They increasingly involve business applications.

For example, the email tool Mailchimp says intruders broke into its customer accounts via an "internal tool." Marketing automation software HubSpot got infiltrated. Corporate password wallet Okta was compromised. Project management tool Jira made an update that accidentally exposed the private information of clients like Google and NASA.

This is one of cybersecurity's newest fronts: your internal tools.

It's only logical that malicious actors would intrude here next, or that employees would accidentally leave doors open. The average organization now has 843 SaaS applications and increasingly relies on them to run its core operations. I was curious about what administrators can do to keep these apps secure, so I interviewed an old colleague, Misha Seltzer, a CTO and co-founder of Atmosec, who is working in this space.

**Why Business Applications Are Particularly Vulnerable**

The users of business applications tend not to think about security and compliance. Partly, because that's not their job, says Misha. They're already plenty busy. And partly, it's because these teams try to purchase their systems outside of IT's purview.

Meanwhile, the apps themselves are designed to be easy to launch and integrate. You can launch many of them without a credit card. And users can often integrate this software with some of their most vital systems of record like the CRM, ERP, support system, and human capital management (HCM) with as little as one click.

This is true of most apps offered within those major vendors' app stores. Misha points out that Salesforce users can "connect" an app from the Salesforce AppExchange _without actually installing it_. That means there's no scrutiny, it can access your customer data, and its activities are logged under the user profile, making it difficult to track.

So, that's the first issue. It's very easy to connect new, potentially insecure apps to your core apps. The second issue is that most of these systems haven't been designed for administrators to observe what goes on within them.

For example:

*   **Salesforce** offers many wonderful DevOps tools, but no native way to track integrated apps, extend API keys, or compare orgs to detect suspicious changes.
*   **NetSuite's** changelog doesn't provide detail on who changed what — only _that_ something changed, making it difficult to audit.
*   **Jira's** changelog is equally sparse, and Jira is often integrated with Zendesk, PagerDuty, and Slack, which contain sensitive data.

This makes it difficult to know what's configured, which applications have access to what data, and who has been in your systems.

**What You Can Do About It**

The best defense is an automatic defense, says Misha, so talk to your cybersecurity team about how they can roll monitoring your business applications into their existing plans. But for complete awareness and coverage, they, too, are going to need deeper insight into what's happening within and between these applications than what these tools natively provide. You'll need to build or buy tools that can help you:

*   **Identify your risks:** You'll need the ability to view everything that's configured in each application, to save snapshots in time, and to compare those snapshots. If a tool can tell you the difference between yesterday's configuration and today's, you can see who has done what — and detect intrusions or the potential for intrusions.
*   **Probe, monitor, and analyze for vulnerabilities:** You need a way to set alerts for changes to your most sensitive configurations. These will need to go beyond traditional SaaS security posture management (SSPM) tools, which tend to monitor only one application at a time, or to only provide routine recommendations. If something connects to Salesforce or Zendesk and alters an important workflow, you need to know.
*   **Develop a response plan:** Adopt a Git-like tool that allows you to "version" your business applications to store prior states which you can then revert to. It won't fix every intrusion, and may cause you to lose metadata, but it's an effective first line of remediation.
*   **Maintain your SaaS security hygiene:** Deputize someone on the team with keeping your orgs up to date, deactivating unnecessary users and integrations, and ensuring that security settings that were turned off are turned back on — e.g., if someone disables encryption or TLS to configure a webhook, check that it was re-enabled.

If you can put all that together, you can start to identify areas that malicious actors could get in — such as through Slack's webhooks, as Misha points out.

**Your Role in Business System Security**

It's not up to administrators alone to secure these systems, but you can play an important role in locking some of the obvious open doors. And the better you're able to see into these systems — a chore which they aren't always natively built to allow — the better you'll know if someone hacked a business application.

The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications

**Woburn, MA – July 26, 2022 –** No More Ransom, the initiative launched to help victims of ransomware decrypt their files, has celebrated its six-year anniversary. Since the launch, it has grown from four partners to 188 and has contributed 136 decryption tools covering 165 ransomware families. In doing so, it has helped more than 1.5 million people decrypt their devices all over the world, with the project available in 37 languages.

Ransomware encrypts valuable information stored on victims’ computers by infecting them using insecure and fraudulent websites, software downloads, malicious attachments, and through RDP (remote desk protocol) attacks and exploiting vulnerable internet-facing servers. Criminals then seek ransom from the victim, promising to retrieve their encrypted data in return. This type of malware has been a cybersecurity concern for many years, with attackers targeting all types of stakeholders, including both customers and enterprises, and evolving from separate gangs to full-fledged businesses with their own ecosystems.

To help people and organizations retrieve access to valuable information, the National High Tech Crime Unit of the Dutch National Police, Europol’s European Cybercrime Centre, Kaspersky and other partners jointly created the No More Ransom initiative in 2016. On the official website, participants can publish decryption tools, guidelines, and instructions on how to report a cybercrime, regardless of where it happened. These tools and materials have helped victims of 165 ransomware families get their data back without any payments. In addition to the decryption tools, the project also aims to spread information on how ransomware works and what measures can be taken to prevent infection.

Kaspersky is one of the founding partners that contributed to 9 decryption tools that helped to retrieve the data encrypted by 38 ransomware families. Since 2016, these tools have been downloaded more than 185,000 times.

“Ransomware is an effective way to get money from victims and remains one of the biggest cybersecurity concerns,” said Jornt van der Weil, security researcher at Kaspersky Global Research and Analysis Team. “In just the first three months of 2022, more than 74,000 unique users were found to have been exposed to this type of threat – and all these attacks were successfully detected. This has led to an increase in the tendency of helping these initiatives, and I’m extremely happy that we are able to assist people and companies in restoring their digital assets, without paying the attackers. This way we hit the criminals where it hurts - their business model - as users are no longer forced to pay to decrypt their data. We will keep on fighting ransomware with our existing and future partners.”

To find further information on helping in the fight against ransomware, or to learn more about the No More Ransom initiative, please visit the initiative’s website at nomoreransom.org.

No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices

A reading list of recommended novels curated by cybersecurity experts for cybersecurity experts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

8 Hot Summer Fiction Reads for Cybersecurity Pros

Craig Newmark Philanthropies (CNP), the grantmaking organization launched by the founder of craigslist, has announced a three-year, $1.725M commitment to support the newly established Consortium of Cybersecurity Clinics, a network of organizations working to expand cybersecurity clinics at colleges and universities in the U.S. and around the world. Similar to clinics in schools of law and medicine, cybersecurity clinics provide students with hands-on experience as they work to strengthen the digital defenses of nonprofits, hospitals, municipalities, small businesses, small critical infrastructure providers and other under-resourced organizations.

The funding builds on more than half a million dollars gifted by CNP in 2020 and 2021 to incubate the clinic model; the combined gift of over $2M to UC Berkeley represents a core element in Newmark’s $50M pledge to support cyber civil defense.

“University-based clinics provide critical cybersecurity assistance in their communities, and create a pipeline of diverse talent to work on the frontlines of cyber civil defense in every state,” Newmark said. “Cyber civil defense depends on efforts across federal, state and local levels, and cybersecurity clinics are a crucial component to scale a national effort.”

“We’re incredibly proud to be part of Craig’s groundbreaking philanthropic commitment to cyber civil defense,” said Ann Cleaveland, Executive Director of the UC Berkeley Center for Long-Term Cybersecurity, which hosts the Consortium. “The Consortium is a key component of a National Cyber Workforce and Education agenda, which has risen all the way to the White House. The vision of the Consortium is to advance cybersecurity education for public good, and for university, college and community-college based clinics to be available in all 50 states.”

Newmark provided early seed funding to the University of California, Berkeley’s Citizen Clinic, a trailblazing public interest digital security clinic that trains and deploys student teams to help nonprofits, journalists, human rights defenders and social justice activists defend themselves against digital threats. Since its founding in 2018, Citizen Clinic has trained over 100 students from diverse disciplines to strengthen the cyberdefenses of 14 nonprofit clients, including women’s reproductive rights, LGBTQ rights and indigenous rights organizations.

In 2021, Citizen Clinic’s leaders teamed up with MIT and other founding members to launch the Consortium of Cybersecurity Clinics, an international network of institutions that serves as a forum for clinicians, trainers and advocates to network and share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions of higher education to successfully establish their own clinics.

In addition to UC Berkeley and MIT, founding members of the Consortium include the Indiana University Cybersecurity Clinic; University of Alabama Cybersecurity Clinic; University of Georgia CyberArch; Global Cyber Alliance; Rochester Institute of Technology; and the R Street Institute. Consortium membership has since grown to include participants from three countries, and nine states, as well as the District of Columbia.

Each consortium-affiliated cybersecurity clinic operates independently, and focuses on unique audiences and service specialties. Every clinic has one or more faculty directors training students to provide digital security services, such as vulnerability and risk assessments, cybersecurity policy templates, incident response plans, ransomware training, NIST and CMMC certifications, and more.

“In _Fortune_ magazine’s first-ever ranking of online master’s degree programs in cybersecurity, Berkeley was named No. 1,” says Chancellor Carol T. Christ. “With Craig’s meaningful investment, we can do even more to prepare diverse, talented students at Berkeley and elsewhere to help vulnerable organizations become more resilient to cyberattacks. His support ensures we will continue to lead national and international efforts to make the digital landscape a safer, more humane place.”

With funding from CNP, the Consortium will establish a “gold standard” clearinghouse for the development and dissemination of tools, knowledge, and resources for cybersecurity clinics and their clients. The funding will enable the Consortium to bring on its first Director, convene members to support peer learning, expand the membership and number of clients served, and grow the Consortium’s public Cybersecurity Clinic Education Center.

“Our ambition is to dramatically grow the number of universities and students engaged in clinics, with attention to women and student bodies under-represented in cybersecurity, as well as to incubate new cybersecurity clinics through mentorship and direct funding,” Cleaveland said. “We are grateful to early funders of this work, including the William and Flora Hewlett Foundation, Microsoft, the Public Interest Technology University Network (PIT-UN), and the Fidelity Charitable Trustees’ Initiative.”

Craig Newmark Gives UC Berkeley $2 Million for University Cybersecurity Clinics

Year-long analysis from Norton Labs finds nearly three-quarters of phishing sites imitate Facebook.

TEMPE, Ariz., July 26, 2022 /PRNewswire/ -- NortonLifeLock's global research team, Norton Labs, today published its quarterly Consumer Cyber Safety Pulse Report, detailing the top consumer cybersecurity insights and takeaways from April through June 2022. Leveraging the company's global threat telemetry, the analysis includes new findings on how cybercriminals are using social media phishing attacks to steal people's private information.

Norton Labs analyzed a full year of phishing attacks on the top social media platforms, and while plenty of fake login pages designed to trick victims into inputting their login credentials were found, the diversity and complexity of lures went far beyond that one technique.

"Threat actors use social media for phishing attacks because it's a low-effort and high return way to target billions of people around the world," said Darren Shou, head of technology, NortonLifeLock. "As social media is intertwined in our daily lives, it's key to know how to spot the signs of a scam, and keep a sharp eye on where requests for your information are coming from. Even better, consider strong, multi-layered security that can be on the lookout for you."

Norton Labs uncovered the top tactics cybercriminals use to get victims to reveal personal information, and while classic login phishing pages are still the most common ploy, cybercriminals are finding new ways to deceive social media users. Tactics include account lockouts – making it seem that a victim's account has been locked luring victims to reveal login credentials or install malware on the promise of increasing follower count; and verified badge scams – prompting users to login to obtain, or not to lose, their verified status on the platform.

Another phishing campaign tactic aims to intercept temporary codes to break into profiles with two-factor authentication enabled. These tokens are generally tied to the victim's device and allow the scammer to perform privileged operations such as modifying personal details or login credentials.

This quarter, Norton also found that it's never too early for scammers to take advantage of the back-to-school season. As school-aged children enjoy their summer, cybercriminals are already at work, using the back-to-school time to inspire a variety of financial scams, such as bogus offers of scholarships and financial aid.

**By the Numbers**

From April through June 2022, Norton thwarted over 900 million threats, or around 10 million threats per day. Norton blocked:

*   22.6 million phishing attempts
*   103.7 million file threats
*   302 thousand mobile threats
*   78 thousand ransomware attacks

For more information and Cyber Safety guidance, visit the Norton Internet Security Center.

**About NortonLifeLock Inc.**  
NortonLifeLock Inc. (NASDAQ: NLOK) is a global leader in consumer Cyber Safety, protecting and empowering people to live their digital lives safely. We are the consumer's trusted ally in an increasingly complex and connected world. Learn more about how we're transforming Cyber Safety at www.NortonLifeLock.com.

SOURCE NortonLifeLock Inc.

Norton Consumer Cyber Safety Pulse Report: Phishing for New Bait on Social Media

Just ahead of its headline-grabbing attack on the Italian tax agency, the infamous ransomware group debuted an improved version of the malware featuring parts from Egregor and BlackMatter.

Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers.

This significant evolution, seen in the recently debuted LockBit 3.0 (aka LockBit Black), is likely meant to offset better defenses, a greater scrutiny by researchers and investigators, and competition from other gangs, according to analyses by multiple researchers.

"There is no question that, whether it is law enforcement pressure or the defenders getting better, that we are seeing that these groups are forced to evolve — they have to get better at what they are doing," says Jon Clay, vice president of threat intelligence for Trend Micro.

They also have to keep up with the Dark-Web Joneses. To that end, the latest version now requires a key to obfuscate its main routines and hinders reverse engineering and analysis, for example — a technique used by other ransomware families, such as Egregor, cybersecurity firm Trend Micro stated in an advisory published on Tuesday. The new version of the ransomware program also enumerates available application programming interfaces (APIs), a feature identical to the BlackMatter ransomware program, the company stated.

**Ransomware Attack on Italy's Tax Agency**

Earlier this month, the Italian Revenue Agency became the latest purported victim of LockBit, with the group boasting that it encrypted and exfiltrated 78 gigabytes of files from the tax agency. If true, the organization will have to find a way to recover, but the attack also threatens Italian citizens, Gil Dabah, co-founder and CEO of data-protection firm Piiano, said via email.

"The second type of victim is the individual whose data was compromised," he said. "In this case, there is a high chance that the data of an individual taxpayer was compromised."

Following Russia's invasion of Ukraine, these ransomware groups have committed to supporting Russia and are increasingly facing requests to conduct operations against nation-state targets, says Paul Martini, CEO of iBoss, a provider of cloud-security solutions.

"The shadow cyber-war between nations that has been carried out through espionage, disinformation campaigns, and strategic attacks on critical targets is just starting to come out of the shadows," he said. "We can expect this to boil over and the West is going to need stronger defenses in place to protect government and civilian targets."

The group behind LockBit has had a good run so far in 2022. Despite an 18% drop in overall attacks, likely due to the disruption of the infrastructure behind the Conti cybercrime group or possibly fallout from Russia's invasion of Ukraine, LockBit has become the most commonly encountered ransomware family, accounting for 40% of all attacks detected by security firm NCC Group in May.

But evolution is necessary to stay on top.

**Major Improvements for LockBit 3.0**

The changes to the latest version of the LockBit ransomware includes functions that collect system APIs as a way to use legitimate functions as part of its attack and extensive — albeit fairly simple — encryption of configuration data and code, according to Trend Micro's advisory.

Perhaps most notably, a major addition to LockBit 3.0 is a set of features to slow down or prevent reverse engineering. The program includes, for example, a password required to decrypt the main body of executable code and a feature that attempts to crash debuggers.

"They pride themselves on their ability to regularly update their ransomware and ransomware-as-a-service offerings," says Trend Micro's Clay. "There are a lot more obfuscation capabilities in 3.0, and they put in a lot of features that try to minimize how much analysts and researchers can discover about their code."

Meanwhile, the adoption of BlackMatter tactics is unsurprising, given that both LockBit and BlackMatter are Russia-linked groups and cybercriminals are increasingly moving between groups.

**The Basics of Ransomware Defense Still Work**

For the most part, the new features found in LockBit 3.0 do not undermine current defenses, says Trend Micro's Clay. Multi-factor authentication can block the most common approach to gaining access — through stolen credentials — while modern endpoint detection and response (EDR) can detect and stop and attack before attackers start encrypting data. Finally, having a good backup process for critical data will make recovery easier.

"They \[ransomware groups\] claim that backups will not help, but if you have a proper procedure then you can recover your data," he says. "The good news is that the defenders have implemented a lot of these best practices, and they seem to be working."

LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top

Wide use of Microsoft 365 applications by business lets phishers easily launch data theft, BEC, ransomware, and other attacks, new report finds.

Microsoft is the most popular brand targeted for phishing attack abuse, followed by Facebook, Crédit Agricole, WhatsApp, and Orange, according to newly released research. 

The team at Vade has put together its "Phishers' Favorites" report for the first half of 2022. The report names Microsoft as the brand of choice for lures because of widespread use of Microsoft 365 applications by businesses of all sizes, as well as the veritable buffet of possible attacks a threat actor could launch for a compromised account, including ransomware, business email compromise (BEC), and more. 

Additional findings in the phishing attack overview shows financial services is the most targeted sector for phishing attacks, with cloud, e-commerce/logistics, telecom, and social media following just behind. 

“Detecting phishing emails is difficult not only for users but also for security vendors,” the phishing report explains. “As the sophistication of attacks increases, so does the likelihood that a costly attack will bypass security and land in an inbox.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Tops Brands Phishers Prefer

Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

**Vulnerable Insiders**

Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cybercrime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

Palo Alto Networks' report points to how some threat actors — such as the highly destructive LAPSUS$ group — have attempted to recruit insiders by offering money for access credentials or for helping them carry out their attack in other ways. "When some people are struggling to make ends meet, \[such\] offers could be more tempting to some," the report said.

This trend has been flagged before: A report from Flashpoint in May noted the growing popularity of insider recruitment efforts among threat actors. Flashpoint counted as many as 3,988 unique insider-related chat discussions — primarily on Telegram — between Jan. 1 and Nov. 30, 2021, with a particularly sharp spike happening after August. Many of those attempting to recruit were ransomware operators or other extortion groups. Commonly employed tactics included using a known insider or running public recruitment advertisements and direct solicitation.

Another survey that Pulse and Hitachi ID conducted of 100 IT and security professionals showed 65% saying that threat actors had approached them or their employees for assistance with a ransomware attack over the past year.

**Phishing, Software Vulns Remain Major Initial Access Vectors**

Unit 42's research also confirmed what security teams fighting on the front lines to keep their organizations safe already know: Ransomware and BEC attacks continue to dominate the need for incident response. A startling 70% of intrusions were tied to one of these two causes. In BEC attacks, the data showed that threat actors typically spent between 7 and 48 days in the breached environment before the victim contained the threat, with a median dwell time of 38 days. The median dwell time for ransomware attacks was slightly lower, at 28 days, likely because of how noisy these attacks are.

Phishing continues to be the top vector for initial access so far in 2022, and was the suspected cause in 37% of the incident response cases that Unit 42 completed between April 2021 and May 2022.

"Unfortunately, most organizations learn about one of these attacks the hard way — upon receiving an extortion demand or after wire fraud is committed," says Dan O’Day, consulting director, Unit 42 at Palo Alto Networks. "Increasingly, threat actors quickly gain access, identify and exfiltrate sensitive data, and deploy extortion tactics — sometimes in a matter of hours or in just a few days."

Notably, 31% — or nearly one-in-three intrusions — resulted from attackers gaining an initial foothold via a software vulnerability. Some 87% of the vulnerabilities that Unit 42 researchers were able to positively identity fell into one of six categories: ProxyLogon and ProxyShell flaws in Exchange Server; the Apache Log4j flaw; and vulnerabilities in technologies from Zoho, SonicWall and Fortinet. In 55% of incidents where Unit 42 was able to positively identify the vulnerability that an attacker used to gain initial access, the vulnerability was ProxyShell, and in 14% of the cases it was Log4j.

"Because one-third of attacks target software vulnerabilities, security teams should continue to patch vulnerabilities early and often," says O'Day. While some threat actors continue to rely on older, unpatched vulnerabilities, others are looking to exploit new vulnerabilities increasingly quickly. "In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough," he says.

As one example, he points to a threat prevention signature that Palo Alto Networks released for an authentication bypass vulnerability in F5 Big IP technology (CVE-2022-1388). "Within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts," he says. "More and more, we're seeing attackers scanning as soon as details of a critical vulnerability are published."

Poor patch management practices exacerbated the issue for many organizations — it contributed to 28% of the breaches that Unit 42 responded to. One example of poor patch management is simply waiting too long to implement a patch for a known vulnerability, O'Day notes. "Further, around 30% of organizations were running end-of-life software versions that were affected by CVEs that had known active exploits in the wild and were featured in cybersecurity advisories from the US government."

Economic Downturn Raises Risk of Insiders Going Rogue

Artificial intelligence tools can help companies strike the right balance between preventing financial crime and maintaining customer service and satisfaction.

We've entered a perfect storm for financial crime where fraud is flourishing. This maelstrom has been created by the combined effects of geopolitical events and the ongoing global pandemic, which has led to the digitalization of society ramping up, by necessity, even faster than it was before.

While all sectors are suffering, financial technology (fintech) has been hit particularly hard, which makes striking the right balance between preventing financial crime and maintaining high levels of customer service and satisfaction all the more difficult — and business-critical. As the situation continues to evolve and worsen, it has become a high priority for fintechs to learn how to effectively fight and defeat fraudsters, while continuing to grow their top lines.

As companies address this challenge, they must consider:

*   What key areas should fintechs focus on? Where is fraud rife?
*   How can fintech minimize the negative impact of fraud on operations and finances?
*   Can technology defend against the fraudsters?

**'Fraud-as-a-Service' Takes Center Stage**

It sounds like just a clever play on words based on the software-as-a-service (SaaS) model, but fraud-as-a-service (FaaS) is a real phenomenon. Mirroring the cloud model through which fintechs deploy many of their capabilities via services, bad actors with worse intentions are leveraging similar technology to commit service-based crime on an unprecedented scale. FaaS occurs when an individual or group of fraudsters facilitate fraudulent online activity by providing tools and services to others.

This devious method enables fraudsters to purchase and exploit data and tools leveraging stolen or synthetic identities, which they then use for fraudulent purposes. FaaS also enables scaled attacks on fintechs in which fraudsters overwhelm financial systems with bad traffic and complete illegal transactions at a high volume. Using this approach, fraudsters are mimicking the fintechs' use of quick, easy, and cost-effective online processes, as well as the best analytics and data, only to defraud instead of enrich. The result: Software fights software at an unmanageable scale.

**Trouble Spots**

One area where fraud is particularly pernicious in the industry is onboarding, where it's vital for fintechs to balance keeping crime at bay while still ensuring a high level of customer service. Identity fraud and fraudulent documentation issues often arise during the onboarding of new customers, which can hurt a company's growth objectives and hinder its customer service goals.

Identity theft and document fraud are on the rise and already cost the global economy billions of dollars a year, with no end in sight. Beyond onboarding, institutions are asking for more documents to verify customer identities, requiring proof of residence and age and evidence of income, in addition to standard IDs. Whether it's the alteration of bank or government documents or the creation of false ones, the fact is that it just takes one valid forgery for a bad actor to wreak havoc.

If that same fraudster has access to multiple stolen identities, then the fintech is going to face scaled attacks via serial fraud attempts. Often a case of successful fraud is the precursor to other crimes, such as money laundering, human trafficking, and even terrorism.

**Using AI to Scrutinize Identity**

It can feel hopeless when learning of scaled-up attacks executed at high speed, but resisting and rooting out fraud is possible with artificial intelligence (AI). Typically, new fraud patterns are hard to detect until they have been observed for a period of time, at which point fintechs can react and deploy defenses against the attack. Usually, the time lag is too great and the damage has been done. But AI can subject every customer interaction, from documentation to behaviors, to a level of forensic analysis that would be impossible for humans to achieve at the same speed. The technique can filter out everything from fake documents and stolen data to bot-executed serial fraud efforts.

Incorporating AI ensures that fintechs will allow fewer high-risk identities and document transactions in their processes, helping them outsmart the fraudsters and beat them at their own game.

However, it's not enough to simply invest in AI technologies; human capabilities are just as important to achieve financial crime prevention at scale within an AI-centric model. Fintechs should not only understand the data they're working with and have AI expertise at the ready, but they should also ensure alignment with business objectives and establish an appropriate operational workflow. By blending these critical elements, fintechs _can_ successfully fight financial crime.

AI Can Help Fintechs Fight Fraud-as-a-Service

Attackers are easily turning popular messaging apps and their associated services — like bots, cloud infrastructure, and CDNs — against users, researchers warn.

Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware, as shown by ongoing, dangerous campaigns. 

From bots that enable games and content sharing, to robust content delivery networks (CDNs) ideal for hosting malicious files, these platforms are helping fuel a surge of new attacks, according to the security research team at Intel 471. 

Most often, the malware is used along with easily acquired infostealers to prey on unsuspecting users and steal their credentials, auto-filled data, payment card information, and more.   

"Using messaging platforms, such as Telegram and Discord, allows threat actors to hide in plain view," John Bambenek, principal threat hunter at Netenrich, explains to Dark Reading. "Many people already use these applications so you can't just block them (though you may be able to block API access to those services in an enterprise environment). And there is no a large team administering those platforms so they are not staffed to monitor channels and servers for criminal misuse." 

**CDNs Abused to Host Malware **

Some attackers have found success using CDNs like Discord's to host their malware, which the analysts point out has no restrictions for file hosting. 

"The links are open to any users without authentication, giving threat actors a highly reputable web domain to host malicious payloads," according to the report on messaging app threats. PrivateLoader, Discoloader, Agent Tesla stealer, and Smokeloader are just a few of the malware families the researchers found lurking in Discord's CDN.  

**Telegram Bots Swipe OTP Tokens **

Although the tactic isn't new, 471 analysts point out an emerging threat group, Astro OTP. It's actively using Telegram bots to steal one-time-password (OTP) tokens and SMS message verification codes used for two-factor authentication.  

"The operator allegedly could control the bot directly through the Telegram interface by executing simple commands," the report explains. "Access to the bot is extremely cheap, a one-day subscription can be bought for $25, with a lifetime subscription available for $300."

The threat from this tactic lasts far beyond the initial compromise The Intel 471 team warn that gathering compromised credentials and other information can be a critical precursor to a devastating enterprise attack. 

It's up to users to be aware of the security of messaging platforms they use, the 471 researchers say, adding that enterprise security teams should take the time to protect against these types of messaging application man-in-the-middle attacks.   

"Whether these actors are stealing credentials for further sales or bypassing verification codes to gain unauthorized access into a victim's bank account, the ease by which threat actors can obtain this information should serve as a warning," Michael DeBolt, chief intelligence officer at Intel 471, tells Dark Reading about his research team's findings. "Security teams should institute token-based multi-factor authentication wherever possible, and educate their user base on what possible scams stemming from these automated schemes can look like."

Source

DARKReading