
April 7, 2025 8 mins

In this episode of Cybersecurity Today, host David Shipley covers a range of crucial issues. With tax day approaching, Microsoft reports a rise in sophisticated tax-themed phishing campaigns, and the IRS has warned organizations not to use its name or logos in phishing simulations or risk legal repercussions. Cybersecurity journalist Brian Krebs reports that Minnesota cybersecurity and computer forensics expert Mark Lanterman, whose testimony has featured in thousands of court cases, is under FBI investigation over questions about his credentials. Lastly, several Australian superannuation funds have been targeted in a coordinated account-takeover scam, raising the question of whether multifactor authentication should be mandatory for financial services. The episode emphasizes the need for stringent professional standards for cybersecurity expertise and a shared-responsibility model for financial security.

00:00 Introduction and Headlines
00:24 Tax-Themed Phishing Scams on the Rise
00:36 Microsoft's Findings and IRS Warnings
01:32 Phishing Simulations and Legal Risks
02:53 Educating Employees on Phishing
03:15 Minnesota Cybersecurity Expert Under Scrutiny
04:25 Allegations and Legal Implications
05:52 Australian Retirement Funds Cyber Scam
06:16 Impact and Response to the Breach
07:07 The Need for Stronger Security Measures
08:26 Conclusion and Contact Information


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Microsoft reports increasingly sophisticated tax-themed phishing, a
Minnesota cybersecurity and computer forensics expert faces questions
about his credentials and an inquiry from the FBI, and Australian retirement
funds are raided in cyber attacks that leave some customers panicked.
This is Cybersecurity Today, and I'm your host, David Shipley.

(00:24):
With tax day rapidly approaching, April 15th in the United States
and April 30th in Canada, criminals are once again ramping up the
volume and sophistication of their tax-themed phishing campaigns.
Microsoft's threat intelligence team is reporting that they've seen
campaigns using QR codes and URL or web link shortener services, and

(00:45):
they posted examples and thorough analysis, including images of the kinds
of tax themes that they're seeing.
These campaigns lead to phishing pages delivered via the RaccoonO365
phishing-as-a-service platform, remote access Trojans, and other forms of malware.

(01:05):
Example email subjects include "Notice: IRS has flagged issues with your tax filing,"
"Unusual activity detected in your IRS filing," and "Important action required: IRS audit."
It's crucial to note that the IRS does not initiate contact with taxpayers by email,

(01:26):
text, or messages on social media to request personal or financial information.
Now, typically this kind of campaign would be great to replicate with a
phishing simulation to help people learn from experience in a safer way.
However, the IRS has taken a particularly stern stance on phishing simulations that

(01:49):
use its name or logos, and has warned major phishing simulation providers and
their customers not to use them, or they may face significant legal consequences.
Government agencies in many countries have additional legal protections
for their name, likeness and logos.
If you are determined to do a tax-themed phishing simulation, avoid

(02:11):
using government agencies' real names or logos. That may make the simulation
less compelling in some cases, but it can save you a world of grief.
Think "Internal Tax Agency" or "Canada Tax Service" instead of
using names like IRS or CRA.
In past conversations with an IRS agent about this very issue, the agent explained

(02:34):
that tracking down phishing simulations reported to them by recipients was taking
too much of their valuable resources away from investigating real phishing attacks.
Now, you may not agree with that take, but I can guarantee you that
it's not worth getting into a fight with a US federal government agency.
You can still educate your employees about tax themes, which can help

(02:58):
protect them both at home and at work.
Think about deploying educational modules, not just relying on phishing
simulations, or having a lunch and learn, virtually or in person, and sharing the
examples that Microsoft has provided.
Cybersecurity journalist Brian Krebs has a jaw-dropping story this week about a

(03:19):
Minnesota cybersecurity and computer forensics expert whose testimony has been
featured in thousands of courtroom trials over the past 30 years, and who is facing questions
about his credentials and an inquiry from the Federal Bureau of Investigation.
According to Krebs, Mark Lanterman, a former investigator for the US Secret

(03:40):
Service's Electronic Crimes Task Force, founded the Minneapolis consulting firm
Computer Forensic Services, or CFS.
Krebs has reported that the CFS website had claimed that Lanterman's 30-year career
included testifying as an expert in more than 2,000 cases, with experience in
cases involving sexual harassment,

(04:01):
workplace claims, theft of intellectual property and trade secrets, white
collar crime and class action lawsuits.
That information was removed from the CFS website last month, with the removal
coming after the Hennepin County Attorney's Office said it was notifying
parties to 10 pending cases that it was unable to verify Lanterman's

(04:22):
educational and employment background.
The county also said the FBI is now investigating. Allegations around
Lanterman's credentials were first raised by Sean Harrington, an attorney and forensics
examiner based in Prescott, Wisconsin.
Harrington alleged that Lanterman had lied under oath in court on multiple
occasions when he testified that he has a Bachelor of Science and a Master's

(04:45):
degree in computer science from the now-defunct Upsala College, and that
he had completed postgraduate work in cybersecurity at Harvard University.
Legal experts say this issue could be grounds to reopen a number of
adjudicated cases in which the expert's testimony may have been pivotal.
Krebs has also reported alleged shocking statements by Lanterman and behavior

(05:09):
by CFS regarding putting claims or liens on client data and offering up
client data for auction if invoices that clients had objected to weren't paid.
This story could have massive repercussions and raises questions
about the need for professional standards bodies
and reliable accreditation for cybersecurity expertise, especially

(05:31):
when it's relied on by the courts.
There's a reason why lawyers, doctors, engineers, and many more have mandatory
professional associations and regulations around their professional conduct.
At a minimum, certain highly specialized roles like cyber forensics should
absolutely be held to the same high professional standards as other fields.

(05:52):
Several of Australia's largest superannuation providers have been
swept up in what appears to be a highly orchestrated cyber scam,
taking hundreds of thousands of dollars from members' retirement
funds. Rest, Hostplus, Insignia,
Australian Retirement and AustralianSuper have all been flagged as targets,
but so far the biggest impact seems to be at AustralianSuper.

(06:16):
Reportedly, attackers had timed the account takeovers to occur in the early
morning hours when people would be asleep and less likely to be able to see or act
in a timely fashion to prevent the theft.
As the nation's largest super fund, AustralianSuper manages over
A$365 billion, or about US$223 billion, on behalf of

(06:37):
3.5 million members. In this breach,
a handful of those members saw a collective A$500,000,
or US$305,000, siphoned off.
The fund says it's working with authorities to track down the missing
money, but has yet to confirm it will fully compensate affected members.
One significant question remains: did the compromised accounts have

(07:01):
mandatory multifactor authentication on login or fund transfer authorization?
In many cases, financial institutions, including retirement funds, are
reluctant to add features like MFA for fear it could drive customers to competitors
who are seen as more convenient.
Additionally, absent any regulations to make financial services more secure and

(07:24):
require MFA, many won't, and will reduce their risk simply by holding customers
accountable or liable for losses.
This story is one of many that highlight the need for a shared risk
and shared responsibility model between financial institutions and customers.
Financial services providers must be required to offer MFA, and ideally

(07:46):
they should only allow customers to choose from MFA methods, not to
opt out completely from MFA. But even the best multifactor authentication
can still be socially engineered.
That's where the customer comes in.
Customers must be required to take basic security awareness training about their
financial services account, and that training must indicate clearly that

(08:10):
they have certain responsibilities, and they need to also indicate clearly that
they understand those responsibilities, including the need to protect usernames
and passwords, and to avoid authorizing MFA requests that they didn't start.
We're always interested in your opinion, and you can contact us at
editorial@technewsday.ca or leave a comment under the YouTube video.

(08:35):
I've been your host, David Shipley, sitting in for Jim Love,
who will be back on Wednesday.
Thanks for listening.