Categories: Apple
Categories: News
With the introduction of passkeys in iOS 16 and macOS Ventura, Apple is poised to sway a trend against the use of passwords.



(Read more...)




The post Apple puts the password on life support with passkey appeared first on Malwarebytes Labs.

Posted: September 13, 2022 by

The "passwordless future" is something many internet users—and a great majority of the cybersecurity industry—have hoped for. Now Apple is about to make those hopes a reality.

With the release of iOS 16 yesterday, and macOS Ventura next month, Apple fans will be able to use passkeys, its password replacement, for iPhones, iPads, and Macs. The word "passkey" is not unique to Apple, however. Microsoft and Google are using the term, too.

Apple's passkey works like a password in that it is built into entry boxes where you put your password. It also acts as a digital key that users create to access their apps or websites.

A video demonstrating passkey's use in Apple's WWDC 2022 event shows a prompt on the user's device before sign-in or during account creation, asking if they would like to "save a passkey" for the account in use. Once users say yes, they are prompted to authenticate the passkey creation using Face ID, Touch ID, or another method. The created passkey is stored in the user's iCloud Keychain and synced across all Apple devices and Safari web browsers.

Whenever a passkey is created, the device's system creates a pair of digital keys: public and secret keys. According to Garrett Davidson, an Apple engineer, in the demo video, these keys are created "securely and uniquely" for every account. The public key is stored on Apple's servers, while the secret key is kept on the device.

When signing in to an account protected by a passkey, the website or app looks for the secret key kept safe on the device to prove that the user is who the user claims they are. And because Apple's passkey is based on passwordless standards defined by the FIDO Alliance, it's likely the passkey can be stored anywhere, including some password managers with a provision for the passkey, such as Dashlane.

Those with other devices besides Apple can still take advantage of passkey. However, how things are done is slightly different because passkeys won't be stored on non-Apple devices. For example, accessing a browser account on a Windows machine would require a user to use a QR code containing a URL to a single-use encryption key and their iPhone. Once scanned, the machine and the device can communicate using end-to-end encryption via Bluetooth and share information.

"That means a QR code sent in an email or generated on a fake website won't work, because a remote attacker won't be able to receive the Bluetooth advertisement and complete the local exchange," Davidson said in the video.

"This has the potential to be _far_ superior to weak passwords and chosen by people who don't use a password manager or don't know how to choose a password," said Thomas Reed, Malwarebytes' Director for Mac & Mobile. "So even if this isn't 100% perfect, it's still going to be better than what most people are doing today."

**RELATED ARTICLES**

Apple puts the password on life support with passkey

Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security and genome research as part of a new social engineering campaign designed to hunt for sensitive information.
Enterprise security firm attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers

Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security and genome research as part of a new social engineering campaign designed to hunt for sensitive information.

Enterprise security firm attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus.

It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that's ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC).

Spoofed personas include people from Pew Research Center, the Foreign Policy Research Institute (FRPI), the U.K.'s Chatham House, and the scientific journal Nature. The technique is said to have been deployed in mid-June 2022.

What's different from other phishing attacks is the use of a tactic Proofpoint calls Multi-Persona Impersonation (MPI), wherein the threat actor employs not one but several actor-controlled personas in the same email conversation to bolster the chances of success.

The idea is to "leverage the psychology principle of social proof" and increase the authenticity of the threat actor's correspondence so as to make the target buy into the scheme, a tactic that demonstrates the adversary's continued ability to step up its game.

"This is an intriguing technique because it requires more resources to be used per target – potentially burning more personas – and a coordinated approach among the various personalities in use by TA453," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.

Once the initial email elicits a response from the target, the persona then sends a follow-up message containing a malicious OneDrive link that downloads a Microsoft Office document, one of which purportedly alludes to a clash between Russia and the U.S.

This document subsequently uses a technique called remote template injection to download Korg, a template consisting of three macros that are capable of gathering usernames, a list of running processes, and the victims' public IP addresses.

Besides the exfiltration of the beaconing information, no other post-exploitation actions have been observed. The "abnormal" lack of code execution and command-and-control behavior has led to an assessment that the compromised users may be subjected to further attacks based on the installed software.

This is not the first time the threat actor has undertaken impersonation campaigns. In July 2021, Proofpoint revealed a phishing operation dubbed SpoofedScholars that targeted individuals focused on Middle East affairs in the U.S. and the U.K. under the guise of scholars with the University of London's School of Oriental and African Studies (SOAS).

Then in July 2022, the cybersecurity company uncovered attempts on the part of TA453 to masquerade as journalists to lure academics and policy experts into clicking on malicious links that redirect the targets to credential harvesting domains.

The disclosure comes amid a flurry of Iranian-linked cyber activity. Last week, Microsoft took the wraps off a string of ransomware attacks mounted by a Phosphorus subgroup dubbed DEV-0270 using living-off-the-land binaries such as BitLocker.

Additionally, cybersecurity firm Mandiant, which is now officially part of Google Cloud, detailed the activities of an Iranian espionage actor codenamed APT42 that has been linked to over 30 operations since 2015.

To top it all, the Treasury Department announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, in response to "cyber-enabled activities against the United States and its allies."

Albania, which has severed diplomatic relations with Iran after blaming it for a series of cyber offensives since July, pointed fingers at the "same aggressors" over the weekend for conducting another attack on a government system used to track border crossings.

"State-aligned threat actors are some of the best at crafting well thought-out social engineering campaigns to reach their intended victims," DeGrippo said.

"Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research

By Waqas
Mandiant will be integrated into the Google Cloud unit. 
This is a post from HackRead.com Read the original post: Google Buys Cyber Security Firm Mandiant for $5.4 Billion

The search engine and technology giant Google has announced acquiring Mandiant, Inc. for $5.4 billion. For your information, Mandiant is a United States-based leading provider of cybersecurity and threat intelligence.

According to a joint press release issued by Mandiant and Google, Mandiant will be integrated into the Google Cloud unit.

Founded in 2004 by Kevin Mandia, a former United States Air Force officer; Mandiant rose to fame after it published a report that accused the Chinese government and People’s Liberation Army’s Shanghai-based hacking unit of carrying out large-scale cyber espionage against companies in the United States. The 76 pages report can be accessed here .

Mandiant’s dashboard

In December 2013, Mandiant was acquired by FireEye for $1 billion, which sold it to Symphony Technology Group for $1 billion in June 2021. As of now, Mandiant has cyber security professionals in 22 countries, who serve customers located in 80 countries.

> **“The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution,” said Thomas Kurian, CEO of Google Cloud. “We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats.”**

“The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission.” – Paolo Dal Cin, Global Lead, Accenture Security.

“Google’s acquisition of Mandiant, a leader in security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments.” – Craig Robinson, Research VP, Security Services, IDC.

“Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers.” – Andy Schworer, Director, Cyber Defense Engineering, Uber.

In conclusion, Google’s acquisition of Mandiant is a strong move that will bolster the company’s position in the cyber security and cloud computing market. With Mandiant’s expertise in security and incident response, Google will be able to offer even more comprehensive and secure solutions to its customers. This is good news for businesses and consumers alike who rely on Google for their needs.

1.  Microsoft to buy GitHub for $7.5 billion
2.  Despite DDoS attack, Dyn Clinches Acquisition Deal with Oracle
3.  Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
4.  Israeli firm buys Private Internet Access (PIA) VPN raising privacy concerns

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Buys Cyber Security Firm Mandiant for $5.4 Billion

SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.

**The bug**  
A Server Side Request Forgery exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php due to the class in lib/marc/XMLParser.inc.php

**Reproduce**  
Steps to reproduce the behavior:

1.  Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography then go to copy cataloguing
2.  choose between marc sru or 23950sru
3.  type in something what you want in the search bar
4.  set burpsuite intercept on
5.  change the z3950_SRU_source or marc_SRU_source parameter value to some url that grab the traffic
6.  forward the request
7.  or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN

**Screenshots**  
Normal requests

Tampered and SSRF trigger(netcat)

Tampered and SSRF trigger(toptal.com)

**Versions**

*   OS: MacOS Mojave 10.14.6
*   Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86\_64)
*   Slims Version: slims9\_bulian-9.4.2

CVE-2022-38292: [Security Bugs]  Server Side Request Forgery · Issue #158 · slims/slims9_bulian

Unpatched Pixel devices are at risk for escalation of privileges, Google warns.

A pair of critical security vulnerabilities in Google's Pixel mobile phone line could lead to privilege escalation and device takeover.

The Pixel bugs, tracked as CVE-2022-20231 and CVE-2022-20364, are in the Trust and Kernel components, respectively, according to Google's Android security advisory.

"For Google devices, security patch levels of 2022-09-05 or later address all issues in this bulletin and all issues in the September 2022 Android Security Bulletin," Google said in its Pixel patch advisory. "All supported Google devices will receive an update to the 2022-09-05 patch level. We encourage all customers to accept these updates to their devices."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Releases Pixel Patches for Critical Bugs

Analysis shows attackers breached employee credentials with voice phishing and were preparing a ransomware attack against Cisco Systems.

A month after confirming its systems were breached, networking giant Cisco reported that the attack was a failed ransomware attempt conducted on behalf of the Lapsus$ group.

The cybercriminals obtained access to Cisco's systems with a social engineering attack that began with an attacker taking control of an employee's personal Google account, where credentials saved in the victim’s browser were being synchronized. Then, in a series of sophisticated voice phishing attacks, the gang convinced the victim to accept multifactor authentication (MFA) push notifications, giving crooks the ability to log in to the corporate VPN as if they were the victim.

From there, the attackers were able to compromise Cisco systems, elevate privileges, drop remote access tools, deploy Cobalt Strike and other offensive malware, and add their own backdoors into the system.

"Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," the Cisco Talos team explained in a Sept. 11 update on the August breach. "While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity,' activity commonly observed leading up to the deployment of ransomware in victim environments."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

By Waqas
Scuba Jake, whose real name is Jake Koehler, had his YouTube channel "DALLMYD" with 13 million subscribers hacked to steal 1.01 BTC.
This is a post from HackRead.com Read the original post: Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

YouTube is frequently targeted in hacks especially to carry out **crypto scams**. The severity of crypto scams on YouTube can be quantified by the fact that in July 2020, Apple co-founder **Steve Wozniak ended up suing** Google and YouTube over Bitcoin giveaway scams being carried out in his name.

Now, another viral YouTuber Jake Koehler (aka Scuba Jake) has suffered a similar hack in which his channel “**DALLMYD**” was compromised to run a crypto scam and steal funds from his subscribers.

It is worth noting that Jake’s channel has more than 13 million subscribers and boasts 1.75 billion views since its creation in 2011. The American YouTuber is known for uploading scuba-diving videos where he goes underwater on treasure hunts and finds/returns lost items including smartphones, gadgets, and jewelry.

Archive video of Scuba Jake’s YouTube channel

According to the financial news and crypto analysis blog **Finbold**, the hacking occurred on September 9th, 2022. Reportedly, crypto scammers hijacked the channel and tried to defraud innocent followers of Scuba Jake in a **fake giveaway scheme** involving cryptocurrencies Bitcoin and Ethereum.

What’s worse, apparently scammers managed to steal 1.01 BTC (around $21,000). This analysis was based on the QR codes scammers shared with users to scan before sending crypto.

On the other hand, a look at Blockchain.com confirms that the **scammers’ Bitcoin wallet** shared with users received four transactions, and since its creation, it has received around 1.0107 BTC. That’s the same amount the scammers stole from Jake’s subscribers, but it may be higher because the scammers might have used multiple wallets during the live stream. It is worth noting that no transaction was made in the **Ethereum** wallet.

Scammers also changed Jake’s channel name to MicroStrategy US to replicate the firm MicroStrategy, a USA’s crypto-friendly business intelligence firm. Scammers hosted two live streams of an old video showcasing ex-CEO of the company and Bitcoin enthusiast Michael Saylor.

The scammers deceived unsuspecting subscribers of Jake into sending cryptocurrency and receiving a prize or higher reward from Saylor. They targeted the channel because of Jake’s massive following.

Although Jake has already confirmed the hack on his Instagram story but at the time of writing his channel was unavailable to viewers. A search for his YouTube channel shows video collaboration with other YouTubers while his channel is nowhere to be found on YouTube.

1.  **Botnet found using YouTube to illegally mine cryptocurrency**
2.  **Popular YouTube gaming channel hacked to run crypto scam**
3.  **YouTube deletes 2 million channels and 51 million videos over scams**
4.  **YouTube scammers impersonated Elon Musk, SpaceX; stole $150k in BTC**
5.  **British Military’s Twitter and YouTube Accounts Hacked to Scam Crypto Users**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Popular YouTuber Scuba Jake’s channel hacked to run crypto scam

Open source project is used by various SAML implementations

Jessica Haworth 12 September 2022 at 14:46 UTC

Open source project is used by various SAML implementations

  

A vulnerability in Xalan-J, an Apache project used by multiple SAML implementations, could allow arbitrary code execution, researchers warn.

XSLT (Extensible Stylesheet Language Transformations) is a markup language that can transform XML documents into other formats, such as HTML.

Xalan-J is a Java version implementation of an XSLT processor.

The project is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets, discovered by Google Project Zero’s Felix Wilhelm.

Read more of the latest news about web security vulnerabilities

This issue can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode, he warned, allowing for arbitrary code execution in software using Xalan-J for processing untrusted XSLT stylesheets.

As Xalan-J is used for performing XSLT transformations during XML signature verification in OpenJDK, this bug potentially affects a large number of Java-based SAML implementations, Wilhelm warned.

SAML is a method of authentication that enables a user to access multiple web applications using one set of login credentials.

**Mitigations**

The researcher noted that XSLT support for XML signatures can be disabled using the property, however the default value for applications running without a SecurityManager was false until JDK 17, “so I would expect a lot of implementations to be vulnerable to this”.

In a blog post published in August, Wilhelm said that he was able to write a Proof-of-Concept (PoC) exploit for this bug “that generates a valid (but useless) class file that’s almost completely controlled by the attacker”.

He continued: “While I haven’t successfully executed my own bytecode yet I’m very confident that this is possible with a bit more time investment, so I am reporting this issue now and may follow-up with a more complete proof-of-concept at a later stage.”

Another researcher has since produced their own PoC for the vulnerability, more details of which can be found on GitHub.

The vulnerability has since been fixed in OpenJDK, the open source implementation of the Java Standard Edition (Java SE) and Java Development Kit (JDK).

Wilhelm notes that it has not been fixed in Apache’s version, which is being retired.

RECOMMENDED ManageEngine vulnerability posed code injection risk for password management software

Vulnerability in Xalan-J could allow arbitrary code execution

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.

Digital transformation has accelerated during the past couple years, and so, too, have security threats. With more employees working remotely, more customers buying through mobile and social channels, and more retailers expanding their supply chains to keep inventory in stock, criminals have more ways than ever to go after e-commerce businesses.

Meanwhile, security awareness training may not be keeping up. It's a good time to review your organization's awareness program and adjust reflect the current threat landscape. Here's how retailers can update their awareness training and practices to match their digital transformation progress.

**A Dramatic Increase in Shipping Fraud**

While most retailers understandably focus on fraud at the payment stage of the customer journey, shipping fraud should also be considered. In fact, shipping fraud is the fastest-growing type of fraud worldwide, according to TransUnion's "2022 Global Digital Fraud Trends" report. Shipping fraud grew by 780% from 2020 to 2021, and by 1,541% from 2019 through 2021, according to the report. Shipping fraud can lead to chargebacks, inventory losses, and brand damage just as card-not-present (CNP) and account takeover (ATO) fraud do.

"Shipping fraud" is an umbrella term that covers several tactics that criminals use to exploit the e-commerce shipping process. Different approaches can target different areas of your business, so it's important to expand shipping fraud awareness across your organization rather than solely training your fraud team on this threat.

For example, your customer service and fulfillment teams should be aware of how package rerouting scams operate. Fraudsters place orders with stolen payment data or hijacked customer accounts and use the victim's real delivery address so the order doesn't get flagged as suspicious. After the order is approved, fraudsters contact customer service and request a delivery address change, claiming they made a mistake.

While honoring such a request may seem like good customer service, it could be exposing your company to fraud. One solution that can satisfy legitimate customer requests while avoiding fraud is to cancel the original transaction and run it again with the updated delivery address. If it's approved, customers get their purchases directed to the right address. If it's not, your company has avoided a case of shipping fraud.

**Expanding Supply Chains, More Email Attack Risk**

Other security risks aren't necessarily coming in through your website or shopping app, but they can imperil your brand, your business operations, and your customers. A prime example is email phishing attacks, which increased against e-commerce businesses by 53.9% from 2019 through 2021, according to the TransUnion report.

One reason for the current email phishing surge is the rapid expansion of supply chains since the start of the pandemic, as retailers made new connections to avoid running out of stock and disruptions. Another is the increasing reliance on email for customer interactions since early 2020: Online interactions now make up 61% of all customer engagements with companies, according to Salesforce's "State of the Connected Customer" report. The addition of more contacts to the email ecosystem and the higher volume of email traffic provides criminals with more opportunities to launch email attacks.

A subset of business email compromise (BEC) is vendor email compromise, and it's a growing problem. In a vendor email compromise scheme, attackers impersonate trusted third parties such as suppliers and vendors to trick employees into paying fraudulent invoices, entering login credentials, or sharing proprietary data. According to a report from email security firm Abnormal, more than half of all BEC attacks now impersonate third parties. As a result, all employees need to be aware that when emails from trusted senders, including suppliers and vendors, contain requests that seem unusual, they should flag those messages for the security team to review before responding.

**Attackers Exploit Remote and Hybrid Workforce Trends**

Ransomware and other forms of malware are a perennial problem for retailers, especially malware that steals customer payment data. Verizon's "2022 Data Breach Investigations Report" found that the retail industry suffered seven times as many instances of "capture app data" malware than other industry. These Magecart-style attacks can silently scrape data as it's entered, going undetected until fraud complaints start coming in. To prevent them, everyone who works with your website needs to be aware of the potential for this type of malware and the processes for scanning, removal, and remediation.

Another growing opportunity for malware attackers is retailers' shift to remote or hybrid workforces. As employees log in remotely more often — and more often from personal rather than company devices — fraudsters have seized the opportunity to create realistic-looking login request emails that can appear to come from your company's cloud services, such as Google Drive or Microsoft SharePoint. All employees and executives need to be aware of the risk that unexpected or slightly unusual login request messages can pose. Like unusual vendor messages, these should be reported to the security team for review before replying.

These trends illustrate why it's important for security awareness to be a process rather than a one-time discussion. This year, your people need to be aware of shipping fraud, vendor email compromise, and credential phishing attacks posing as company resource providers. Next year, it will likely be something else. By having regular discussions about these security issues and encouraging a data-safety mindset, you can reduce the risk of today's threats and create a culture of security that benefits your company over the long term.

Tag

#google