Welcome to Codebook, the rootin', tootin' cybersecurity newsletter.
Today's Smart Brevity: 1,084 words, ~4 minute read
1 big thing: How email scammers find new victims
Email scammers are just like any other small business: They need leads, and commercial lead-generation services — the same kind many salespeople use — are providing them.
The big picture: Email scams targeting businesses, usually referred to as business email compromise scams, can seem unsophisticated. They typically take the form of fake invoices or emails from executives asking for money transfers. But like any other kind of enterprise, they care a lot about finding new clients — or, in their case, victims.
- Email fraudsters became known as "Nigerian scammers" in the early days of the web, when people around the world started to receive messages from bogus Nigerian princes seeking cash assistance. But the name is apt — the major groups actually do operate out of West Africa, and particularly Nigeria.
Details: "Of the West African groups we've profiled, nearly all of them use lead-generation sites," said Crane Hassold, senior director of threat research at Agari, a firm that tracks how email scam groups operate.
- The criminal groups Agari has observed all used different lead-generation firms.
- The sites offer users customizable searches for targets. For example, you could look up chief financial officers for tech companies of a certain size and revenue in California.
- The groups Agari has tracked would sign up for free trials under a series of email accounts using the "Gmail dot" trick, though one group, nicknamed London Blue, outright purchased a $1,500 yearly subscription to a service last year. London Blue went on to download 50,000 leads in 6 months.
The groups could craft and refine a single spear-phishing email that would work against a wide variety of similar executives just by substituting different company names and small details.
- It's more efficient than the older method of target acquisition — scraping lists of names from websites — but it still takes time to work. It took 18 days after a scammer downloaded the name of an Agari executive, said Hassold, before a phishing email arrived.
- Targeting Agari isn't a particularly bright move, all things considered, but once the scammers get a name from a lead-generation service, they don't do further research. If they cast a wide enough net to find someone who takes the bait, they don't need to.
What they're saying: Codebook reached out to six lead-generation firms that criminal groups used in the past, as identified by a security source that asked to remain anonymous to protect its information-gathering operation. None of the firms responded.
- A quick look around the industry shows these services don't use upfront screening policies that would thwart scammers. And even a firm that did have screening policies in place appeared unaware of the scammer problem and was screening mostly to prevent spam.
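One screening step the lead-generation firms above apparently lack is canonicalizing sign-up addresses before counting free trials per mailbox. The "Gmail dot" trick works because Gmail ignores dots in the local part and discards anything after a "+", so a.b.c@gmail.com, abc@gmail.com and abc+1@gmail.com all land in one inbox. The script below is an added example written for this newsletter, not code from Codebook, Agari or any lead-generation vendor; the sign-up records are constructed, and the treatment of googlemail.com as an alias of gmail.com is an assumption about Google's legacy domain.

```python
"""Detect free-trial sign-ups that all resolve to one Gmail mailbox.

Gmail ignores dots in the local part of an address and discards anything
after a '+', so j.o.h.n@gmail.com, john@gmail.com and john+x@gmail.com are
one inbox. Canonicalizing addresses before counting trials per mailbox
catches a batch of trial accounts that really belong to one user.
All sign-up records below are constructed sample data.
"""
from collections import defaultdict

# Domains where Gmail's dot/plus rules apply (assumption: googlemail.com is
# Google's legacy alias for gmail.com and delivers to the same inbox).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a form under which equivalent addresses compare equal."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Plus-addressing is honoured by most providers, so strip it everywhere.
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(signups):
    """Map each canonical mailbox to the raw addresses that registered with it."""
    groups = defaultdict(list)
    for raw in signups:
        groups[canonicalize(raw)].append(raw)
    return dict(groups)


def flag_trial_abuse(signups, max_trials=1):
    """Return mailboxes that registered more free trials than allowed."""
    groups = group_by_mailbox(signups)
    return {box: raws for box, raws in groups.items() if len(raws) > max_trials}


# Constructed sample sign-ups: five trials from one Gmail inbox plus
# three unrelated users at other domains.
SAMPLE_SIGNUPS = [
    "acme.sales@gmail.com",
    "a.c.m.e.sales@gmail.com",
    "acmesales+trial2@gmail.com",
    "AcmeSales@googlemail.com",
    "ac.me.sa.les+q3@gmail.com",
    "cfo@example.com",
    "ops@example.com",
    "jane.doe@example.org",
]

if __name__ == "__main__":
    for mailbox, raws in flag_trial_abuse(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(raws)} trials -> {raws}")
```

Run as-is, the script reports a single mailbox, acmesales@gmail.com, with five trial registrations; the dotted address jane.doe@example.org is left untouched because the dot rule is Gmail-specific, which is why the check keys on the domain rather than stripping dots everywhere.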
The bottom line: Business email compromises reported to the FBI cost firms more than $1.2 billion in the United States alone in 2018, double the proceeds of 2017.
2. Texas rep calls for bipartisanship after losing Black Hat keynote
Late last week, Rep. Will Hurd (R-Texas) was announced as the keynote speaker at the Black Hat cybersecurity conference. One day and a controversy over his voting record later, he was taken off the card.
Hurd responded this week with a Fox News opinion piece calling for bipartisan communication and understanding.
The big picture: Outside of agreeing with Democrats by opposing a border wall, Hurd generally isn't considered a controversial figure. His votes on several women's issues, including abortion, align with the pre-Trump national Republican mainstream.
- He is, however, unquestionably one of the more cyber-adept lawmakers, playing a massive role in fixing an international trade pact that inadvertently banned the international sale of cybersecurity equipment and in funding government IT modernization.
Why it matters: Black Hat removed Hurd after a flash controversy about his votes on women's issues. And that raises a number of uncomfortable questions.
- Is there a place for mainstream Republicans in cybersecurity? Despite the move, the conference would say yes. Conference organizers told Codebook there were no changes to the requirements to any of its talks outside the keynote.
- The conference said in a statement to reporters that it was uncomfortable not with Hurd's views but with a keynote bringing any political controversy outside of the cyber realm.
- Is the point of a keynote to honor the speaker, celebrate the conference or relay information? The general public response has been, more or less, all of these.
The bottom line: It's possible that the conference made the wrong decision in inviting any elected official and the wrong decision again when it removed Hurd from the card.
3. Turla group eats OilRig's lunch
Turla, an espionage group typically attributed to Russia, took over the attack platform of OilRig, an espionage group typically attributed to Iran, during Turla's newest wave of attacks, according to a new report from Symantec.
The big picture: Symantec says this is the first time it has seen one nation's hacker team steal the attack infrastructure used by another nation's group. It's an unusual step that could potentially make figuring out who is behind an attack more difficult.
Details: Turla appears to have co-opted an OilRig command and control server and used OilRig infrastructure to launch its own attacks.
- The report details the Turla takeover as a one-off observance in a broader report about new Turla tools and targets.
- Turla's most recent set of victims includes the ministries of foreign affairs in a South American country, a Middle Eastern country and a European country; the ministry of the interior in a Southeast Asian country; and several government and industry targets.
4. In case you missed last week
The U.S. hacks Russian grid: The New York Times reported that the U.S. had implanted malware into the Russian electric grid as a potential deterrent against continued Russian cyber operations against the U.S. (NYT)
- Interestingly, the article reports that the intelligence community did not brief President Trump out of fears he might undermine the project. Trump has denied the operation.
- Russia says the attacks would be grounds for a cyber war.
Florida announces election funds: Florida Gov. Ron DeSantis (R) announced $2.3 million in new election security funding, raising the state's investment to $5.1 million. (The Hill)
- The announcement follows the Mueller report's finding that the state had been targeted by Russia.
Microsoft resumes selling Huawei: Redmond announced it would resume selling laptops already in stock from the beleaguered Chinese supplier. (CNBC)
5. Odds and ends
- The breached medical collections firm that spilled Quest Diagnostics customer data announced bankruptcy. (Bloomberg)
- Proofpoint goes deep on web domain fraud. (Proofpoint)
- Bitdefender released a decryptor for the GandCrab ransomware. (Bitdefender)
- On Friday, the House will mark up a modified standalone version of the election security measures from the massive Democrat-led H.R. 1 anticorruption bill. (The House of Representatives)
- Popular web database provider MongoDB introduces field-level encryption. (MongoDB)
- Anheuser-Busch InBev will open a cybersecurity division in Israel. (NoCamels)
- Someone tried and failed to DDoS a Putin press conference, says Russian state media. (TASS)
- If you use Firefox, update it. (Threatpost)
We'll be back next week. Yee-haw.