How Card Skimming Disproportionally Affects Those Most In Need

When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of Americans — those receiving food assistance benefits via state-issued prepaid debit cards — are particularly exposed to losses from skimming scams, and usually have little recourse to do anything about it.

California’s EBT card does not currently include a chip. That silver square is a hologram.

Over the past several months, authorities in multiple U.S. states have reported rapid increases in skimming losses tied to people who receive assistance via Electronic Benefits Transfer (EBT), which allows a Supplemental Nutrition Assistance Program (SNAP) participant to pay for food using SNAP benefits.

When a participant uses a SNAP payment card at an authorized retail store, their SNAP EBT account is debited to reimburse the store for food that was purchased. EBT is used in all 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam.

EBT cards work just like regular debit cards, in that they can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM.

However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make payment cards much more difficult and expensive for skimming thieves to clone.

Alas, it is no accident that all of the states reporting recent spikes in fraud tied to EBT accounts (including California, Connecticut, Maryland, Pennsylvania, Tennessee, and Virginia) appear to currently issue chip-less cards to their EBT recipients.

The Massachusetts SNAP benefits card looks more like a library card than a payment card. Oddly enough, both are reliant on the same fundamentally insecure technology: The magnetic stripe, which stores cardholder data in plain text that can be easily copied.

In September, authorities in California arrested three men thought to be part of a skimming crew that specifically targeted EBT cards and balances. The men allegedly installed deep insert skimmers, and stole PINs using tiny hidden cameras.

“The arrests were the result of a joint investigation by the Sheriff’s Office and Bank of America corporate security,” reads a September 2022 story from The Sacramento Bee. “The investigation focused on illegal skimming, particularly the high-volume cash-out sequence at ATMs near the start of each month when Electronic Benefits Transfer accounts are funded by California.”

Armed with a victim’s PIN along with stolen card data, thieves can clone the card onto anything with a magnetic stripe and use it at ATMs to withdraw cash, or as a payment instrument at any establishment that accepts EBT cards.

Skimming gear seized from three suspects arrested by Sacramento authorities in September. Image: Sacramento County Sheriff’s Office.

Although it may be shocking that California — one of America’s wealthiest states — still treats EBT recipients as second-class citizens by issuing them chip-less debit cards, California behaves like most other states in this regard.

More critical, however, is the second way SNAP cards differ from regular debit cards: Recipients of SNAP benefits have little to no hope of recovering their funds when their EBT cards are copied by card-skimming devices and used for fraud.

That’s because in the SNAP program, federal law bars the states from replacing SNAP benefits using federal funds. And while some of these EBT cards have Visa or MasterCard logos on them, it is not up to those companies to replace funds in the event of fraud.

Victims are encouraged to report the theft to both their state agency and the local police, but many victims say they rarely receive updates on their cases from police, and, if they hear from the state, it’s usually the agency telling them it found no evidence of fraud.

Maryland’s EBT card.

That’s according to Brenna Smith, a reporter at The Baltimore Banner who recently wrote about the case of a Maryland mother of three who lost nearly $3,000 in SNAP benefits thanks to a skimmer installed at a local 7-Eleven. Maryland [Department of Human Services] spokesperson Katherine Morris told the Banner there was evidence of “a nationwide EBT card cloning scheme.”

The woman profiled in Smith’s story contacted all of the retailers where her EBT card was used to buy thousands of dollars worth of baby formula. Two of those retailers agreed to share video surveillance footage of the people making the purchases at the exact timestamps specified in her EBT account history: The videos clearly showed it was the same fraudster making both purchases with a cloned copy of her EBT card.

Even after the police officer assigned to the victim’s case confirmed they found a skimmer installed at the 7-Eleven store she frequented, her claim — which was denied — is still languishing in appeals months later.

(Left) A video still showing a couple purchasing almost $1,200 in baby formula using SNAP benefits. (Right) A video still of a woman leaving from the CVS in Seat Pleasant. Image: The Baltimore Banner.

The Center for Law and Social Policy (CLASP) recently published Five Ways State Agencies Can Support EBT Users at Risk of Skimming. CLASP says while it is true states can’t use federal funds to replace benefits unless the loss was due to a “system error,” states could use their own funds.

“Doing so will ensure families don’t have to go without food, gas money, or their rent for the month,” CLASP wrote.

That would help address the symptoms of card skimming, but not a root cause. Hardly anyone is suggesting the obvious, which is to equip EBT cards with the same security technology afforded to practically everyone else participating in the U.S. banking system.

There are several reasons most state-issued EBT cards do not include chips. For starters, nobody says they have to. Also, it’s a fair bit more expensive to produce chip cards versus plain old magnetic stripe cards, and many state assistance programs are chronically under-funded. Finally, there is no vocal (or at least well-heeled) constituency advocating for change.

All Eyes on Cloud | Why the Cloud Surface Attracts Attacks

Cloud environments have seen a meteoric rise in the past decade. What began as means of data storage has now become a full-scale computing platform, enabling a global shift in how businesses share, store, optimize, and manage information. However, threat actors have witnessed these changes and taken to targeting the cloud, knowing that more and more businesses continue to make the transition to hybrid workspaces and cloud technologies.

The same features that make cloud services beneficial to organizations are the same that make them attractive to threat actors. In recent years, attacks on cloud environments have surged as threat actors took advantage of the high volumes of sensitive data flowing between organizations and their cloud service providers. Opportunistic by nature, threat actors thrive off of weak credentials, misconfiguration, and human errors when it comes to planning their attacks on the cloud surface.

While the related security challenges haven’t slowed cloud adoption, organizations should be aware of their scope, significance, and how to secure against them. This blog post outlines why cloud has emerged as one of the most attacked surfaces and what security measures businesses can implement to safeguard their cloud environment and data.

Cloud Attacks Are Rising

The number of reported attacks on clouds has increased dramatically in the last few years, in part spurred on by the COVID-19 pandemic when businesses of all sizes needed to adapt quickly to alternative means of operation.

According to Gartner, the pandemic, along with a surge in digital services, has made cloud the “centerpiece of new digital experiences”, and global cloud revenue will total $474 billion this year, a $66 billion increase from 2021. The research firm also predicts that more than 95% of new digital workloads will be deployed on cloud-native platforms, a 30% increase from the year before.

Businesses need to plan beyond traditional security strategies to manage a widening enterprise attack surface as well as the risks associated with cloud services. The following statistics show the rise in cloud adoption and just how much clouds have come under attack in the last few years:

  • 69% of organizations have accelerated their cloud migration in the last 12 months. The percentage of organizations with most or all of their IT infrastructure in the cloud is expected to increase from 41% to 63% in the next 18 months (Foundry, 2022).
  • 49% of IT professionals reported that cloud-based attacks led to unplanned expenses.
  • 80% of CISOs surveyed by PurpleSec were unable to identify instances of excessive access to data in their cloud environments.
  • 79% of organizations have suffered at least one cloud-based data breach in the last 18 months. Further, 43% have reported 10 or more breaches within that same time frame (Ermetic, 2021).
  • 83% of cloud breaches are derived from access-related vulnerabilities (CyberTalk.org, 2021).

Understanding Cloud Risks

Using cloud services inherently exposes organizations to new security challenges, often related to unauthorized access, insider threats, and supply chain risks. To a threat actor, cloud vulnerabilities are a means of gaining access to the targeted organization’s network and data, whether the goal is service disruption, ransomware, or unauthorized data transfer. More sophisticated threat actors may employ lateral movement, detection evasion techniques, or account takeovers to establish and maintain a long-term foothold within the targeted network before leveraging the existing services and tools found within it.

Common cloud security risks include the following:

  • User Account Takeovers – Whether credentials are stolen through phishing, brute force, or malware, weak password policies often lead to compromised user accounts.
  • Misconfiguration – Cloud service providers offer different tiers depending on the needs of the organization. This allows the cloud to work to scale with the organization. However, many organizations lack the security posture needed to ensure the safety of these services, resulting in security risks in the deployment stage of implementation. Misconfigured servers are a leading cause of compromise when it comes to cloud-based attacks.
  • Vulnerable Public APIs – Public APIs allow trusted users to interact and operate within the cloud. If exploited, these APIs become a straightforward method for threat actors to gain access to the platform and exfiltrate sensitive data in the cloud database. Further, if the original configuration of the API harbors any vulnerabilities, this leaves threat actors with a backdoor for future exploits.
  • Insider Threats – Even organizations with a healthy cyber ecosystem can fall victim to a legitimate, malicious user with a mind to leak data. Malicious users often already have access to sensitive or critical data, and may also have the permissions to remove certain security protocols. The threat of malicious insiders is greatly minimized through zero-trust policies and identity and access management solutions.
  • Denial-of-Service (DoS) Attacks – Designed to overload a system and bar users from accessing services, DoS attacks are especially devastating to cloud environments. When the workload increases, the cloud environment provisions extra computational power to absorb the extra load; eventually the service slows down and legitimate users lose access to their files in the cloud.
  • Third-Party Vendors – It is important for organizations to assess third-party risks when using vendor services. Clouds are susceptible to supply chain attacks when threat actors infiltrate a network through unsecured third-parties that work with the organization. Cyber risk is inherited when organizations choose to work with vendors who have more lax cybersecurity posture than their own.

Defending the Cloud – Cyber Hygiene Matters

Securing the cloud begins with the basics. Cloud environments require short and long-term security planning, implementation, and strategy, and practicing cyber hygiene is the first step of that strategy.

Organizations that have processes in place for strong password requirements, multi-factor authentication, patch management, software updates, and device security can impede threat actors from grabbing those low-hanging fruits and lessen the attack surface under target.

Cover the Bases with Zero Trust & Segmentation

There is no such thing as immunity from cyber attack, but implementing zero trust policies goes a long way when building a holistic defense against threat actors who are eyeing a vulnerable cloud. Threat actors cause the most damage when they are able to move laterally through a victim’s network and escalate privileges along the way.

Adopting zero trust makes life more difficult for threat actors. The zero trust principle works by eliminating the concept of ‘trust by default’. Implementation of zero trust requires each user and machine to authenticate before receiving only the specific access pre-determined for their role.

Network segmentation plays an important part in successful zero trust implementation as well. By segmenting networks into smaller subnets that each act like their own, independent network, administrators can better control and secure the flow of traffic between each one via granular rules. This approach breaks up the architecture of a network and allows administrators to pinpoint technical issues more easily and be able to improve monitoring efforts.

Develop a Cloud Operational Strategy

Clouds are, at their core, designed to help businesses scale and store data, not to provide security. For many organizations, clouds are managed by DevOps and CloudOps teams rather than the in-house security team. In siloed organizations, security measures may not be uniform across different teams and could cause discrepancies in how the cloud is protected.

Defending cloud infrastructure requires a joined-up strategy that looks at the organization’s cloud footprint with a holistic approach. Data needs to be collected and analyzed from all available sources in a way that security teams can ingest and understand.

Simplify the Challenges of Multi-Cloud Environments

Many organizations have multiple clouds deployed to optimize support for a larger data infrastructure. However, this scales up the complexity of the cloud infrastructure. Protecting multi-cloud environments means trying to find a common way to cover clouds that may each have a unique deployment, set of regulatory requirements, and policies.

A lack of uniformity here can be a big challenge for organizations, particularly if the organization does not have access to cloud security experts. Multi-cloud environments become even more complex if they are provided by different vendors. Integration between each of the cloud solutions may be difficult and result in a loss of visibility.

Dealing with these challenges involves considering the future as well as the present: will the technology investments made yesterday and today integrate with those of tomorrow? Many organizations have understood the need to move to an XDR platform, but only an open XDR platform, one that integrates with existing solutions, analyzes their data, receives their alerts, and automatically sends responses, can effectively address the challenges of a multi-cloud environment.

Conclusion

The widespread adoption of cloud technologies continues to re-shape the modern day workforce. A significant part of the digital transformation happening globally, cloud implementation has allowed businesses to lessen costs, increase organizational agility, and improve long-term scalability. Though the migration to cloud has benefited many businesses, it has come with a variety of new attack vectors for threat actors.

To get ahead of threat actors, organizations using cloud services must fully understand how the services are being implemented and maintained. Visibility within the cloud is critical to seeing how file sharing is being done, the type of data being stored and its security, and what applications are connected.

SentinelOne can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Learn more about Singularity™ Cloud or contact us today for a demo.


Anti-Money Laundering Service AMLBot Cleans House

AMLBot, a service that helps businesses avoid transacting with cryptocurrency wallets that have been sanctioned for cybercrime activity, said an investigation published by KrebsOnSecurity last year helped it shut down three dark web services that secretly resold its technology to help cybercrooks avoid detection by anti-money laundering systems.

Antinalysis, as it existed in 2021.

In August 2021, KrebsOnSecurity published “New Anti Anti-Money Laundering Services for Crooks,” which examined Antinalysis, a service marketed on cybercrime forums that purported to offer a glimpse of how one’s payment activity might be flagged by law enforcement agencies and private companies that track and trace cryptocurrency transactions.

“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” read the service’s opening announcement. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

Antinalysis allows free lookups, but anyone wishing to conduct bulk look-ups has to pay at least USD $3, with a minimum $30 purchase. Other plans go for as high as $6,000 for 5,000 requests. Nick Bax, a security researcher who specializes in tracing cryptocurrency transactions, told KrebsOnSecurity at the time that Antinalysis was likely a clone of AMLBot because the two services generated near-identical results.

AMLBot shut down Antinalysis’s access just hours after last year’s story went live. However, Antinalysis[.]org remains online and accepting requests, as does the service’s Tor-based domain, and it is unclear how those services are sourcing their information.

AMLBot spokesperson Polina Smoliar said the company undertook a thorough review after that discovery, and in the process found two other services similar to Antinalysis that were reselling their application programming interface (API) access to cybercrooks.

Smoliar said that following the revelations about Antinalysis, AMLBot audited its entire client base, and implemented the ability to provide APIs only after a contract is signed and the client has been fully audited. AMLBot said it also instituted 24/7 monitoring of all client transactions.

“As a result of these actions, two more services with the name AML (the same as AMLBot has) were found to be involved in fraudulent schemes,” Smoliar said. “Information about the fraudsters was also sent to key market participants, and their transaction data was added to the tracking database to better combat money laundering.”

Experts say the founder of Antinalysis also runs a darknet market for narcotics.

The Antinalysis homepage and chatter on the cybercrime forums indicates the service was created by a group of coders known as the Incognito Team. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.

“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” Robinson said. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”

The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good

Ask a security professional about the weakest link in any organization and the answer most commonly received is: users. A lack of awareness regarding threats as well as poor or absent cyber hygiene practices mean that phishing and social engineering are a threat actor’s favorite play.

It may come as a welcome surprise, then, to learn that according to a new survey, there’s been a marked improvement in cybersecurity awareness among the general public over the last three years. Coming after the pandemic and the large-scale shift to work from home, that can only be good news for enterprise security teams.

The survey found that in 2022, some 77% of respondents said they use MFA to log into online accounts compared to only 50% in 2019. An encouraging 88% said they now use strong passwords, up 12% from three years ago. In 2019, some 31% of people said they did not use any kind of security feature to unlock their smartphones. That number is down to 15% in 2022.

Cybersecurity awareness data

What accounts for this rise in cybersecurity awareness? The report suggests that the coverage of cybersecurity issues and emerging digital threats in the media, the increase in data breaches, and the growing awareness of ‘cookies’ and third-party trackers on personal devices are all likely to have contributed to the general perception that cybersecurity is an issue that affects all of us, at home and at work.

The Bad

If it’s good news we’re all becoming more cyber aware, on the other side of the fence is the unwelcome news that threat actors are making it easier to create and conduct phishing campaigns with a new PhaaS (Phishing-as-a-Service) platform called Caffeine. While PhaaS’s are not an entirely new phenomenon, what makes Caffeine particularly troubling is that anyone can sign up for it on the public internet.

Typically, threat actors wanting to use a PhaaS need a recommendation from a current customer or must go through some kind of vetting process. Caffeine is a site hosted on the public internet which accepts applications from anyone with just an email address, researchers say. For as little as $250/month, subscribers can use the platform to create customized phishing kits, generate URLs to host malware payloads, and track their campaign’s progress.

Caffeine login page

Caffeine significantly lowers the barrier to entry to would-be threat actors, offering to take care of infrastructure, fake sign-in pages, website hosting, email templates and more. The service currently targets the theft of Microsoft 365 credentials via fake sign-in pages hosted on compromised WordPress sites. Researchers say they expect to see the service expand its targets as it develops.

With competing PhaaS offerings advertising services such as 2FA and MFA bypasses, it seems that threat actors have a wealth of easy options for getting new campaigns off the ground.

Whether Caffeine’s open registration and appearance on the public internet will survive scrutiny from security researchers and law enforcement remains to be seen, but even if the service eventually retreats underground, the onus is on users and security teams to bolster their defenses. The emergence of services like these is only likely to increase the already high volume of phishing attacks being seen by enterprise security teams.

The Ugly

Last week, Fortinet issued a private warning to its customers of a new authentication bypass flaw affecting its FortiOS, FortiProxy and FortiSwitchManager products. This week comes the unpleasant but not entirely unexpected news that the flaw, tracked as CVE-2022-40684, is being actively exploited in the wild.

The critical flaw allows an unauthenticated attacker to perform arbitrary operations on the products’ admin interface by sending maliciously crafted HTTPS requests. These operations include modifying admin users’ SSH keys, adding new local users, updating network configurations to reroute traffic, and initiating packet captures.

CISA has added the bug to its database of Known Exploited Vulnerabilities (KEV), and Fortinet has advised organizations to hunt for the following IoC in device logs:

user="Local_Process_Access"

In addition, those using the affected products should apply the available patches without delay. For those that cannot patch, Fortinet is advising admins to disable the HTTP/HTTPS administrative interface or limit the range of IPs allowed to reach it.
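As an added example (it is not from the newsletter, nor Fortinet's own tooling), the following Python hunt parses constructed FortiOS-style key=value event lines and flags the ones whose parsed `user` field equals `Local_Process_Access`, then lists the admin objects those events changed. The sample log lines, the field values such as `ui="Node.js"`, and the helper names are all assumptions made for this example; matching on the parsed field rather than a substring grep keeps the surrounding fields (time, interface, action, config path) that a responder needs to decide what to reset.

```python
import re

# Constructed FortiOS-style key=value event log lines, invented for this example (not taken
# from any real device). Two of them carry user="Local_Process_Access"; the ui/action/cfgpath
# values around it are sample values chosen for illustration.
SAMPLE_LOGS = [
    'date=2022-10-11 time=09:14:02 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="https(203.0.113.10)" method="https" '
    'srcip=203.0.113.10 action="login" status="success" msg="Administrator admin logged in"',
    'date=2022-10-11 time=09:20:45 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" user="Local_Process_Access" ui="Node.js" action="Edit" '
    'cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1" msg="Edit system.admin admin"',
    'date=2022-10-11 time=09:21:10 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" user="Local_Process_Access" ui="Report Runner" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2022-10-11 time=10:02:33 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="https(203.0.113.10)" action="Edit" '
    'cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"',
]

# One key=value pair: a bare word key, then either a double-quoted value or an unquoted token.
# Because the regex consumes a quoted value as one unit, an "=" inside a quoted message
# cannot be mistaken for a new field.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse a FortiOS-style key=value line into a dict (quoted values keep their spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def find_ioc_hits(lines, field="user", value="Local_Process_Access"):
    """Return the events whose parsed `field` equals `value` exactly, with context."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_kv(line)
        if rec.get(field) != value:
            continue
        hits.append({
            "line": lineno,
            "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "ui": rec.get("ui", ""),
            "action": rec.get("action", ""),
            "cfgpath": rec.get("cfgpath", ""),
            "cfgobj": rec.get("cfgobj", ""),
            "msg": rec.get("msg", ""),
        })
    return hits


def changed_admin_objects(hits):
    """Admin accounts touched by the flagged events: the first things to review and reset."""
    return sorted({h["cfgobj"] for h in hits if h["cfgpath"] == "system.admin" and h["cfgobj"]})


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h['line']}: {h['time']} ui={h['ui']!r} "
              f"{h['action']} {h['cfgpath']} {h['cfgobj']}")
    print("admin objects to review:", changed_admin_objects(hits))
```

On the constructed input the hunt reports lines 2 and 3 and names the `admin` and `svc_backup` accounts as the objects to review; a real run would feed the device's exported event log into `find_ioc_hits` in place of `SAMPLE_LOGS`.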

In other bug-related news, Microsoft’s monthly ‘Patch Tuesday’ failed to offer fixes for the recently reported Exchange Server vulnerabilities commonly known as ProxyNotShell but did fix 13 other critical flaws that could allow for privilege escalation, spoofing and remote code execution. Three critical RCEs affect Microsoft Office and Word. As always, Microsoft users are urged to patch at the earliest opportunity.

8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads

In July of 2022 we reported on 8220 Gang, one of the many low-skill crimeware gangs we observe infecting cloud hosts through known vulnerabilities and remote access brute forcing infection vectors. We noted that 8220 Gang had expanded its cloud service botnet to an estimated 30,000 hosts globally.

In recent weeks, the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware.


Misconfiguration Key to Infection Attempts

Exploit attempts from 8220 Gang continue at a pace consistent with our previous reporting. The majority of active victims are still operating outdated or misconfigured versions of Docker, Apache, WebLogic, and various Log4J vulnerable services.

8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet. Victims are typically using cloud infrastructure such as AWS, Azure and similar with misconfigured instances that allow remote attackers to gain access. Publicly-accessible hosts running Docker, Confluence, Apache, WebLogic, and Redis can easily be discovered and attacked with little technical know-how. 8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network.

The top victims recently communicating as miner bots are exposed Ubiquiti UniFi Cloud Keys running outdated Network Controller software, and Prometheus container monitoring systems. The vulnerabilities exploited are usually far from fresh, such as CVE-2019-2725, the Oracle WebLogic vulnerability being exploited to download the installer script (e.g., 871f38fd4299b4d94731745d8b33ae303dcb9eaa). The objective of the infection attempts continues to be growing the botnet and expanding cryptocurrency mining on compromised hosts when possible.

8220 Gang Leverages PureCrypter

We have observed 8220 Gang using the PureCrypter Malware-as-a-Service. PureCrypter is a loader service available for a low cost since 2021 and has been observed distributing a large variety of commodity malware. Windows systems targeted by 8220 Gang have been served the PureCrypter downloader through the group’s traditional C2 infrastructure, most commonly 89.34.27[.]167. The downloader then beacons back to the injector’s image-extension URLs. The use of Discord URLs can also be observed for the download of illicit miners.

One clear example is the miner ee6787636ea66f0ecea9fa2a88f800da806c3ea6 being delivered post-compromise. This loader beacons to Discord:

https://cdn.discordapp[.]com/attachments/994652587494232125/1004395450058678432/miner_Nyrpcmbw[.]png

and downloads 833cbeb0e748860f41b4f0192502b817a09eff6a, ultimately beginning cryptomining on the victim host.

It is unsurprising to discover 8220 Gang experimenting with new loaders and miners alongside their traditional exploitation attempts against publicly exposed services. As the threat landscape evolves, we can expect threat actors to seek new methods to thwart defenses, hide their campaigns, and generally attempt to increase attack success. This is simply a new iteration of 8220 Gang attempting to do so.

Shifting Infrastructure

Since July, 8220 Gang shifted to using 89.34.27[.]167, and then in early September 2022 rotated its infrastructure to 79.110.62[.]23, primarily relying on two previously reported domains, letmaker[.]top and oracleservice[.]top.

8220 Gang also makes use of a miner proxy at 51.79.175[.]139. Hosts infected with illicit miners will communicate with the proxy as it acts as a pool to combine resources and avoid analysis of their cumulative mining metrics.

Visual Context of 8220 Gang Infrastructure Roles

Thriving Abuse of Amateur Tooling

As we’ve reported in the past, the scripts, miners, and infrastructure surrounding the campaigns of 8220 Gang stem from the general reuse of known tools. “Script Kiddies” may be a more industry appropriate name. Analysis of the tools and vulnerabilities at a high level reveals a much wider set of illicit activity.

For example, GreyNoise data shows how common CVE-2019-2725 crawlers have been over the last 30 days. 8220 Gang and other attackers scan for and exploit similar n-day vulnerabilities with success. One theory is that these types of attackers seek out easy-to-compromise systems like these because they are unlikely to be remediated quickly, since they are not even meeting common updating practices. These attackers are operating with success regardless of the state of vulnerability management; one could consider such attacks the bottom feeders of targeting.

GreyNoise Trend of CVE-2019-2725 Crawlers

The loader script is also incredibly common to observe through publicly accessible hosts and honeypots running common cloud services. The script has evolved greatly even in a single year, with many variants, and it is no longer useful to track it under a single name (e.g., Carbine Loader). For example, searching VirusTotal for any shell scripts containing the go-to uninstall commands for common cloud security tools, plus unique variable names, leads to hundreds of recent results. 8220 Gang is only one of many abusing the same scripts to keep their botnets alive.

Conclusion

8220 Gang continues their botnet proliferation efforts, rotating to new infrastructure. The group continues to make use of the same mining proxy server, and defenders should investigate any continual traffic to that destination. Additionally, with the experimentation with PureCrypter MaaS, the group has clearly attempted to evolve their attack efforts. As cloud infrastructure and common publicly accessible services remain vulnerable, we expect 8220 Gang to continue growing into the future.

Indicators of Compromise

Communications
89.34.27.167 (From July into September 2022)
79.110.62.23 (Primary since September 2022)
51.79.175.139 (Miner Proxy)
198.23.214.117 (Miner Proxy)
work.onlypirate[.]top
a.oracleservice[.]top
b.oracleservice[.]top
pwn.oracleservice[.]top
c4k-ircd.pwndns[.]pw
jira.letmaker[.]top
https://cdn.discordapp[.]com/attachments/994652587494232125/1004395450058678432/miner_Nyrpcmbw[.]png

File Hashes SHA1
165f188b915b270d17f0c8b5614e8b289d2a36e2
528477d0a2cf55f6e4899f99151a39883721b722
557d729f8a7ba712a48885304280b564194406d3
58af7af0dbf079bafd8fae1a7b3a2230b2bcba31
740a1cdee7b7f4350eec53c1ca3022562ea83903
7477812278038e8d3606c433f1c4389b897012e2
75ea4b0b76a0b61bd0f8f4a491e5db918bc1df1c
7b128cd6cf092409fc9c71ddd27c66dd98002b1a
871f38fd4299b4d94731745d8b33ae303dcb9eaa (CVE-2019-2725 example)
9bc4db76ae77ea98fdcaa9000829840d33faba97
be53175a3b3e11c1e3ca7b87abb6851479453272
c1630af40f38f01e94eec2981c5f4f11481ba700
c22f9ae02601a52c9dca91c3b4cb3d2221f54b50
c537cf320e90a39e7f5e9846e118502802752780
c86349460658a994e517fede6773e650f8f3ac9b
d5138d1708d5d77ea86920a217c2033a2e94ad7e
ee6787636ea66f0ecea9fa2a88f800da806c3ea6
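The conclusion above asks defenders to investigate any continual traffic to the mining proxy. The following is an added example (not code from the report's authors) of matching the network indicators in the list above against connection and DNS logs; the log lines are constructed for the example and the log format, labels and threshold are assumptions, not something the report specifies.

```python
"""Match constructed connection/DNS log lines against the network IoCs listed above."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# IP indicators copied from the "Communications" list on this page, with the page's labels.
IOC_IPS: Dict[str, str] = {
    "89.34.27.167": "communications (July to September 2022)",
    "79.110.62.23": "communications (primary since September 2022)",
    "51.79.175.139": "miner proxy",
    "198.23.214.117": "miner proxy",
}

# Domain indicators copied from the same list, kept defanged exactly as published.
IOC_DOMAINS_DEFANGED: Dict[str, str] = {
    "work.onlypirate[.]top": "communications domain",
    "a.oracleservice[.]top": "communications domain",
    "b.oracleservice[.]top": "communications domain",
    "pwn.oracleservice[.]top": "communications domain",
    "c4k-ircd.pwndns[.]pw": "communications domain",
    "jira.letmaker[.]top": "communications domain",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]top') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS: Dict[str, str] = {refang(d): label for d, label in IOC_DOMAINS_DEFANGED.items()}

# Constructed sample telemetry (assumed format, not real logs):
#   "<ts> conn <src> -> <dst>:<port>"   and   "<ts> dns <src> <qname>"
SAMPLE_LOG = """\
2022-10-11T08:00:01Z conn 10.0.5.21 -> 51.79.175.139:3333
2022-10-11T08:00:31Z conn 10.0.5.21 -> 51.79.175.139:3333
2022-10-11T08:01:01Z conn 10.0.5.21 -> 51.79.175.139:3333
2022-10-11T08:01:05Z conn 10.0.5.21 -> 203.0.113.5:443
2022-10-11T08:02:00Z dns 10.0.5.21 jira.letmaker.top
2022-10-11T08:02:02Z conn 10.0.5.21 -> 79.110.62.23:80
2022-10-11T08:03:00Z dns 10.0.7.9 updates.example.com
"""

CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) (?P<qname>\S+)$")


def match_iocs(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per log line whose destination IP or queried name is a listed indicator."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = CONN_RE.match(line)
        if m and m["dst"] in IOC_IPS:
            hits.append({"line": lineno, "src": m["src"], "indicator": m["dst"],
                         "label": IOC_IPS[m["dst"]]})
            continue
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].rstrip(".").lower()
            if qname in IOC_DOMAINS:
                hits.append({"line": lineno, "src": m["src"], "indicator": qname,
                             "label": IOC_DOMAINS[qname]})
    return hits


def continual_traffic(hits: List[Dict[str, object]], min_hits: int = 3) -> Dict[Tuple[str, str], int]:
    """(source, indicator) pairs seen min_hits or more times: the repeated traffic the report says to investigate.
    The threshold of 3 is an assumption for the example."""
    counts = Counter((str(h["src"]), str(h["indicator"])) for h in hits)
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['src']} -> {h['indicator']} ({h['label']})")
    print("repeated:", continual_traffic(found))
```

Keeping the indicators defanged in the source and refanging at load time avoids a copy of the list becoming clickable by accident; the repeat count is what separates a one-off lookup from the ongoing miner-proxy traffic the report describes.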

Microsoft Patch Tuesday, October 2022 Edition

Microsoft today released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month’s Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in Microsoft Exchange Server.

The new zero-day flaw, CVE-2022-41033, is an “elevation of privilege” bug in the Windows COM+ event service, which provides system notifications when users log on or log off. Microsoft says the flaw is being actively exploited, and that it was reported by an anonymous individual.

“Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone’s list to quickly patch,” said Kevin Breen, director of cyber threat research at Immersive Labs. “This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimikatz and move laterally across the network.”

Indeed, Satnam Narang, senior staff research engineer at Tenable, notes that almost half of the security flaws Microsoft patched this week are elevation of privilege bugs.

Some privilege escalation bugs can be particularly scary. One example is CVE-2022-37968, which affects organizations running Kubernetes clusters on Azure and earned a CVSS score of 10.0 — the most severe score possible.

Microsoft says that to exploit this vulnerability an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that a number of free and commercial DNS discovery services now make it easy to find this information on potential targets.

Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. Paired together, the two flaws are known as “ProxyNotShell” and they can be chained to allow remote code execution on Exchange Server systems.

Microsoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable certain settings to mitigate the threat from the attacks. However, those mitigation steps were soon shown to be ineffective, and Microsoft has been adjusting them nearly every day since then.

The lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm Rapid7 said that as of early September 2022 the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.

“While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure,” said Caitlin Condon, senior manager of vulnerability research at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft’s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix.”

Adobe also released security updates to fix 29 vulnerabilities across a variety of products, including Acrobat and Reader, ColdFusion, Commerce and Magento. Adobe said it is not aware of active attacks against any of these flaws.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

S Ventures Invests in Laminar, a Cloud Data Security Pioneer

S Ventures is excited to showcase our investment in Laminar, a pioneer in the cloud data loss prevention (DLP) and data security posture management industry.

Cloud adoption has grown rapidly in recent years, and was further accelerated by the COVID-19 pandemic. Worldwide end-user spending on public cloud in 2023 is expected to reach $600 billion. On top of that, the amount of enterprise data continues to expand exponentially, having more than doubled from one petabyte to just over two petabytes between 2020 and 2022. More than 60% of this data is generated in the cloud.

As more organizations rely on the public cloud for their enterprise infrastructure and build their businesses to be cloud-native, it’s more important than ever before to mitigate data security and privacy risks accordingly.

The growing reliance on the cloud also breeds new cybersecurity and data challenges. Many companies embrace a multi-cloud environment, which requires additional controls to protect sensitive data. Different environments have different built-in security controls and tools, making visibility and consistent protection difficult to achieve. Properly identifying and mitigating data risk requires understanding data sensitivity, data security posture, and data exposure in one common view. That’s why Laminar is a meaningful addition to S Ventures’ portfolio of category-defining security and data companies.

Laminar’s plug-and-play platform spots data privacy and protection violations without any prior knowledge of the environment and without impacting performance. It autonomously and continuously discovers and classifies new datastores for complete visibility, prioritizes risk based on sensitivity and data risk posture, secures data by remediating weak controls, and actively monitors for egress and access anomalies. Laminar’s commitment to helping organizations securely modernize their businesses aligns with S Ventures’ goals and vision for a more secure future for all.

Since emerging from stealth in November 2021, Laminar has made its platform generally available (February 2022) and has significantly grown its platform capabilities:

  • Data Catalog for Cloud Security (DCCS): Autonomous discovery and classification for all data across AWS, Azure, GCP, and Snowflake;
  • Data Security Posture Management (DSPM): Detection and alerting on data-centric security policy violations, prioritization of issues for resolution, and actionable remediation recommendations;
  • Cloud Data Access Control (CDAC): Mapping of what data is accessible to an entity, which entities have access to sensitive data, and which entity is actually accessing which data;
  • Cloud Data Detection and Response (CDDR): Monitoring and detection of anomalous access patterns that may indicate a data leak or potential breach of sensitive data.

Our customers, as well as organizations around the world, are prioritizing the need to control and protect sensitive data in the public cloud. We see Laminar’s approach as complementary in helping our customers secure data across public clouds and are excited to support Laminar in building a cloud data security platform to discover, protect, secure, and monitor everything built and run in the cloud.

Please visit www.laminarsecurity.com and the S Ventures page to learn more.

CISO Wins | Reducing Risk Across Endpoint, Identity and Cloud Surfaces

2022 has, so far, shown us that data breaches, cyber threats, and privacy incidents are here to keep media outlets busy and news headlines stacked. The threat of cyberattack has permeated every layer of the global infrastructure from small businesses to large-scale enterprises. Even nation states have not been immune to cyber compromise.

Just this year, we saw the ransomware attack on the Costa Rican government that brought the country’s Ministry of Finance, public health services, and import and export sectors to a standstill. Data breaches were reported by two major international airlines in India and Turkey and, as the school year kicked off, a disproportionately high number of attacks plagued U.S. schools, even resulting in the identity theft of minors.

Enterprises experienced their share of cyber dilemmas as well. Networking giant Cisco was hit with an identity-based attack through Active Directory, and ransomware gangs have zeroed in on nearly every critical sector, including digital security firms, defense contractors, manufacturers, and information technology companies.

In all of these examples, there were security solutions in place. This blog post discusses the realities of the uphill battle enterprises are facing against cyber threats, their significance, and what actions they can take to better protect themselves.

Understanding Adversaries & Attack Surfaces

Today, businesses are asked to show they have reputable cybersecurity solutions in place before they can even get insurance coverage. As for threat actors, they have both evolved and expanded. Ransomware-as-a-Service (RaaS) business models have given non-technical criminals the ability to launch full-fledged campaigns. Double and triple extortion tactics are commonplace and ‘big game hunting’ targets high-value or high-profile organizations which have been identified as being able to pay large ransoms.

Not only have threat actors become more adept, attack surfaces are widening as businesses thrive in the age of more access, more connections, and more tools. The term ‘attack surface’ refers to the totality of vulnerabilities found in an environment. The term ‘attack vectors’ refers to ways that an unauthorized party can access the environment in question. Larger, more complex environments typically have a greater number of attack vectors and a larger attack surface to protect.

Observing the current threat landscape, three main attack surfaces come to the forefront: endpoints, cloud, and identity.

Attacks on Endpoints

The task of endpoint protection has grown more complex in recent years as more organizations adopt remote work and BYOD (bring-your-own-device) policies. Endpoint-delivered threats usually start with malware-carrying devices that are connected to the targeted network and spread infection, or with social engineering tactics that trick unsuspecting users into installing malware on their device.

Modern day work cultures allow endpoints to access sensitive data no matter where they are connected from, which increasingly puts the onus on the integrity of the endpoint itself. As endpoints are a critical part of every organization, their defense is a priority.

Attacks on Cloud

Security teams are starting to rethink their strategy as more businesses make the move from on-prem to hybrid and cloud environments. While cloud services offer an attractive boost in collaboration, scalability, and efficiency, they come with new risks that must be taken into account. Cloud computing requires businesses to secure virtual machines, containers, serverless workloads, and Kubernetes – all of which could be leveraged as potential attack vectors.

Cloud misconfigurations can easily expose businesses to cyberattack. Cloud environments are especially vulnerable to severe data loss, insider threats, supply chain attacks, and denial-of-service attacks.

Attacks on Identity

Identity-based attacks often involve the threat actor weaponizing legitimate tools and software used by the targeted victim. This year, Active Directory (AD) infrastructure continues to be an oft-exploited element in ransomware campaigns and post-compromise extortion efforts. For threat actors, targeting identity through sources such as compromised AD or access management is the quickest route to their objectives.

Since AD serves as a gateway to the rest of a company’s network, threat actors leverage the existing infrastructure to perform enumeration and move laterally through the rest of the network layers, escalating their privileges, obtaining access to sensitive files, and exfiltrating the data they are after.

Taking Care of Low Hanging Fruit

With low barrier entryways available and the possibility of generating high revenue, cyber adversaries will always look for easy ways into a targeted environment. It is crucial for businesses to identify and secure the attack vectors applicable to their network.

Not to be confused with attack surfaces, attack vectors are the means by which a threat actor gains unauthorized access to an environment. Common attack vectors include phishing and compromised credentials.

Existing infrastructure and solutions are also increasingly exploited by threat actors. Examples of these include:

  • Multi-Factor Authentication (MFA) – While enabling MFA is highly recommended, examples from this year showed attackers exploiting this essential protection layer. Adding rules and monitoring attempts can help enterprises prevent and detect abuse of MFA for malicious access.
  • Chrome & Browser Extensions – With the explosion of web applications, browser extensions have become essential for employees to perform their work. However, when an extension is compromised, threat actors can scrape data and observe user behavior within the browser. Only approved extensions should be installed on company devices.
  • Unpatched Software – Outdated software is one of the easiest ways threat actors gain unauthorized entry into a targeted network. Patch management keeps endpoints and networks up to date with bug fixes against known exploits as well as bolstering protection via new safety features.

The Long-Term Security Play | How SentinelOne Can Help

From a strategic standpoint, enterprise leaders need to take stock of the attacks happening on various surfaces as well as trending threats seen in the threat landscape. Enterprises that can keep their security strategies agile are the ones that stay ahead of cyberthreats.

Improving the organization’s security posture is a long-term play based on three major pillars: people, process, and technology. It requires understanding and a coordinated effort from all parts of a business, smart investment in effective technology, and a willingness to embed cybersecurity best practices on the day-to-day level of operations.

People: Build a Strong Security Strategy & Team

Enterprises are toughening up their teams in order to withstand and counter sophisticated cyber threats. Many companies are bringing in Chief Information Security Officers (CISOs) to assess, plan, and maintain the safety and digital growth of a business.

Based on the fluctuating threat landscape, CISOs are responsible for reevaluating their security strategies and adjusting how their business monitors and responds to potential attacks. Experienced CISOs stay ahead of developing cyber trends and attack patterns to build best practices that make sense for their team. A CISO’s cybersecurity strategy does not only safeguard people and processes but can also drive new opportunities, increase operational efficiency, and build up their business’s authority in their industry.

Process: Securing Operations & Workflows

Cyber attackers are the ultimate opportunists, always looking for the path of least resistance in the form of unprotected servers, vulnerable devices, or even third-party vendors that have weak security practices. Threat actors have been known to use relatively straightforward social engineering and phishing attacks to gain entry and then abuse the infrastructure itself, such as Active Directory, to spread quickly into an environment. Implementing identity protection is critical to stopping the misuse and exploitation of existing infrastructure and software and securing sensitive data held within it.

Enterprises globally trust SentinelOne’s industry knowledge and experience in fighting back privilege escalation and lateral movement. Get comprehensive identity security as part of Singularity™ XDR for autonomous protection, including:

  • Singularity™ Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity™ Identity defends Active Directory Domain & Azure AD Identities and domain-joined assets from adversaries aiming to gain privilege and move covertly.
  • Singularity™ Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
  • Singularity™ Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity™ Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.

Technology: Prepare to Invest In Tech

Security that stays relevant to developing cyber threats and also scales along with a business requires investment in the right technology. Today, many businesses are adding artificial intelligence (AI) and machine learning (ML) to their security arsenal to better identify and respond to advanced persistent threats. When it comes to staying ahead of threats, speed is the differentiating factor – AI and ML both allow enterprises to combat emerging attacks by detecting patterns in real time. Many threat campaigns, particularly ones using ransomware, only last a few hours, and actors are often already within a victim’s network just waiting to deploy. For context, major ransomware attacks from this year alone totaled over $236 million.

SentinelOne’s Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) seamlessly combine automation with both AI and ML to detect and remediate modern attacks in real time, at machine speed, and without extra intervention. This means that businesses can focus their resources on addressing operations-specific tasks. SentinelOne’s EPP solution also fully replaces legacy AV and AM solutions and can be scaled and tailored to fit a business’s specific requirements and processes.

Conclusion

While the headlines may make it seem like threat actors are winning in the ongoing cyber fight, enterprises can learn much from the attacks that have already happened and action them as lessons learned.

An adaptive and agile security strategy, team, and culture will take enterprises far in the uphill battle against growing cybercrime. Binding together people, process, and technology is key in taking a smarter, proactive approach to novel threats.

Enterprise businesses trust SentinelOne to help safeguard their critical attack surfaces by fusing together autonomous, AI-driven threat hunting and EDR capabilities. To learn more, request a demo or contact us for expert advice.

The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good

Former Canadian government employee Sebastian Vachon-Desjardins pleaded guilty this week to ransomware crimes that had earned him $21 million in Bitcoin and $500,000 in seized cash. For over 10 months, Vachon-Desjardins operated as an affiliate for Netwalker, a Russian-speaking ransomware gang that targeted organizations in more than 30 countries during the height of the COVID-19 pandemic.

Vachon-Desjardins has been sentenced to a 20-year prison term in the United States after admitting to four charges including conspiracy to commit wire fraud, conspiracy to commit computer fraud, intentional damage to a protected computer system, and sending a demand in relation to damaging a protected computer.

Vachon-Desjardins was one of Netwalker’s most prolific affiliates according to U.S. court filings. Netwalker’s targets included schools, hospitals, emergency services, law enforcement agencies, and businesses, all of which were on the receiving end of ransom demands in exchange for the return of their encrypted data. With as many as 400 entities affected and a collected total of $40 million in ransom payments, Vachon-Desjardins himself was found to have received a third of the proceeds.

The DOJ’s press release noted that Netwalker’s attacks specifically took advantage of the global pandemic crisis to extort victims. The U.S. District Judge who doled out the sentence went above the 12 to 15-year prison term suggested by federal guidelines with the intention of deterring cybercriminals on the whole. The Assistant Attorney General of the Justice Department explained, “Today’s sentence demonstrates that ransomware actors will face significant consequences for their crimes and exemplifies the Department’s steadfast commitment to pursuing actors who participate in ransomware schemes.”

The Bad

This week, the FBI warned of a rise in ‘pig butchering’, a scam focused on stealing increasing amounts of crypto from user accounts over an extended period of time. The FBI’s public service announcement aims to raise awareness amongst investors as more incidents are reported.

‘Pig butchering’ is still a relatively new scam but uses age-old social engineering tactics. The ‘pigs’ in this case are unsuspecting investors who are contacted by fraudsters through social media. Fraudsters then work to establish long-term relationships with these individuals either through fake friendships, the promise of romantic connections, or even going as far as impersonating a real acquaintance.

The victims are eventually convinced to invest in cryptocurrency on counterfeit platforms which are designed to show huge returns on funds. Spurred on, they’re encouraged to make more investments, thus ‘fattening up’ the size of the target. Only upon withdrawal do the investors realize they have been scammed as the fraudster ceases communication and shuts down the fake crypto exchange platform. The consequences of these scams are usually significant with the victim’s losses ranging from thousands to millions of dollars.

The FBI is warning investors to verify the validity of any unsolicited investment opportunity and to check that domain names in links point to legitimate financial institutions. Threat actors typically use a technique called typosquatting that relies on misspelled URLs with a slight deviation from a legitimate website address to trick victims into visiting malicious sites. Cyber criminals running ‘Get rich quick’ investment scams also commonly try to persuade victims to download malicious apps on the pretext of offering some tool needed for investing.

Caution is the first line of defense here, and as the old adage has it, if an opportunity sounds too good to be true, it most probably is.
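The FBI advice above, to check that domain names in links actually point to the legitimate institution, can be partly automated. The following is an added example (not from the FBI announcement or this post) that pulls hostnames out of a message and classifies each as legitimate, lookalike, or unrelated relative to a known-good domain list. The bank domain `examplebank.com`, the sample message and the confusable-character table are constructed for the example; the edit-distance threshold of 2 is an assumption.

```python
"""Flag typosquatted and brand-in-subdomain lookalike hosts in a message (constructed example)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed allowlist of domains the institution really uses (constructed for the example).
LEGIT_DOMAINS: List[str] = ["examplebank.com", "login.examplebank.com"]

# Characters and digraphs commonly swapped for look-alikes in typosquats (assumed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one-character typos in a brand name score 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold confusable characters so 'examp1ebank' compares equal to 'examplebank'."""
    out = label.lower()
    for bad, good in CONFUSABLES:
        out = out.replace(bad, good)
    return out


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' registrable domain; a public-suffix list would be used in production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str, legit: List[str] = LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower()
    legit_rds = {registrable_domain(d) for d in legit}
    brands = {rd.split(".")[0] for rd in legit_rds}          # e.g. {"examplebank"}
    rd = registrable_domain(host)
    if rd in legit_rds:
        return "legitimate"
    label = rd.split(".")[0]
    if normalize(label) in brands:                            # homoglyph swap or TLD swap
        return "lookalike"
    if any(levenshtein(label, b) <= max_distance for b in brands):   # small typo
        return "lookalike"
    if any(b in host for b in brands):                        # brand buried in a subdomain
        return "lookalike"
    return "unrelated"


def check_message(text: str, legit: List[str] = LEGIT_DOMAINS) -> Dict[str, str]:
    """Map every hostname linked in the message to its classification."""
    result: Dict[str, str] = {}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            result[host] = classify_host(host, legit)
    return result


# Constructed sample message in the style of an investment/bank lure (not a real message).
SAMPLE_MESSAGE = (
    "Verify your account at https://login.examp1ebank.com/verify today. "
    "Withdrawals move to https://examplebank.com.secure-update.net/ and "
    "https://examplebank.co/ this week. Help: https://examplebank.com/help "
    "Weather: https://weather.example.org/"
)

if __name__ == "__main__":
    for host, verdict in check_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:11} {host}")
```

The three lookalike checks cover the patterns the post describes: a misspelled or confusable-character brand label, a swapped top-level domain, and the real brand name placed in a subdomain of an unrelated registrable domain.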

The Ugly

Reports have emerged this week that men eligible for enlistment in Russia began leveraging cybercrime services soon after President Vladimir Putin called for a partial mobilization of troops to fight in Ukraine. Resorting to illegal online marketplaces, many men who have not fled are soliciting falsified exemptions while those who have are reportedly turning to identity-masking tools to protect themselves from discovery.

Since the invasion in February, opportunistic scammers have taken advantage of the sociopolitical climate to exploit people who are trying to survive the war. So far, some scammers have claimed to sell forged documents on the dark web that would allow Russian men to evade the draft while others have pledged to mask their buyers’ records in enlistment office databases – all in exchange for a fee as well as the buyer’s passport. After payment is made, the scammers stop communication and likely use the stolen money and identities to perpetuate their schemes.

Cyber intelligence firm KELA also reported on a number of cybercrime forums claiming to provide fake documents and medical reports, as well as connecting buyers to job opportunities that would result in a postponed draft.

The call for partial mobilization has created an environment where Russian citizens are seeking illegal means to avoid the order. Underground markets and darknets are prospering as new scams surge. Cybercrime has long played off of human emotions such as fear, uncertainty, and desperation and, as the conflict in Ukraine continues, it seems cybercrime forums will continue to exploit desperate individuals living in wartime.

Report: Big U.S. Banks Are Stiffing Account Takeover Victims

When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.

The findings came in a report released by Sen. Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud tied to Zelle, the “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.

Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, even if a great many customers still don’t know it’s there.

Sen. Warren said several of the EWS owner banks — including Capital One, JPMorgan and Wells Fargo — failed to provide all of the requested data. But Warren did get the requested information from PNC, Truist and U.S. Bank.

“Overall, the three banks that provided complete data sets reported 35,848 cases of scams, involving over $25.9 million of payments in 2021 and the first half of 2022,” the report summarized. “In the vast majority of these cases, the banks did not repay the customers that reported being scammed. Overall these three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.”

Importantly, the report distinguishes between cases that involve straight up bank account takeovers and unauthorized transfers (fraud), and those losses that stem from “fraudulently induced payments,” where the victim is tricked into authorizing the transfer of funds to scammers (scams).

A common example of the latter is the Zelle Fraud Scam, which uses an ever-shifting set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often employs text messages and phone calls spoofed to look like they came from your bank, and the scam usually relates to fooling the customer into thinking they’re sending money to themselves when they’re really sending it to the crooks.

Here’s the rub: When a customer issues a payment order to their bank, the bank is obligated to honor that order so long as it passes a two-stage test. The first question asks, Did the request actually come from an authorized owner or signer on the account? In the case of Zelle scams, the answer is yes.

Trace Fooshee, a strategic advisor in the anti money laundering practice at Aite-Novarica, said the second stage requires banks to give the customer’s transfer order a kind of “sniff test” using “commercially reasonable” fraud controls that generally are not designed to detect patterns involving social engineering.

Fooshee said the legal phrase “commercially reasonable” is the primary reason why no bank has much — if anything — in the way of controlling for scam detection.

“In order for them to deploy something that would detect a good chunk of fraud on something so hard to detect they would generate egregiously high rates of false positives which would also make consumers (and, then, regulators) very unhappy,” Fooshee said. “This would tank the business case for the service as a whole rendering it something that the bank can claim to NOT be commercially reasonable.”

Sen. Warren’s report makes clear that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments.

“In simple terms, Zelle indicated that it would provide redress for users in cases of unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer a payment,” the report continued. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently induced by a bad actor into making a payment on the platform.”

Still, the data suggest banks did repay at least some of the funds stolen from scam victims about 10 percent of the time. Fooshee said he’s surprised that number is so high.

“That banks are paying victims of authorized payment fraud scams anything at all is noteworthy,” he said. “That’s money that they’re paying for out of pocket almost entirely for goodwill. You could argue that repaying all victims is a sound strategy especially in the climate we’re in but to say that it should be what all banks do remains an opinion until Congress changes the law.”

UNAUTHORIZED FRAUD

However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received,” the report notes.

How did the banks behave individually? From the report:

- In 2021 and the first six months of 2022, PNC Bank indicated that its customers reported 10,683 cases of unauthorized payments totaling over $10.6 million, of which only 1,495 cases totaling $1.46 were refunded to consumers. PNC Bank left 86% of its customers that reported cases of fraud without recourse for fraudulent activity that occurred on Zelle.

- Over this same time period, U.S. Bank customers reported a total of 28,642 cases of unauthorized transactions totaling over $16.2 million, while only refunding 8,242 cases totaling less than $4.7 million.

- In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America refunded only $56.1 million in fraud claims – less than 45% of the overall dollar value of claims made in that time.

Truist indicated that the bank had a much better record of reimbursing defrauded customers over this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist claims were reimbursed over this period. Overall, however, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received.

Fooshee said there has long been a great deal of inconsistency in how banks reimburse unauthorized fraud claims — even after the Consumer Financial Protection Bureau (CFPB) came out with guidance on what qualifies as an unauthorized fraud claim.

“Many banks reported that they were still not living up to those standards,” he said. “As a result, I imagine that the CFPB will come down hard on those with fines and we’ll see a correction.”

Fooshee said many banks have recently adjusted their reimbursement policies to bring them more into line with the CFPB’s guidance from last year.

“So this is heading in the right direction but not with sufficient vigor and speed to satisfy critics,” he said.

Seth Ruden is a payments fraud expert who serves as director of global advisory for digital identity company BioCatch. Ruden said Zelle has recently made “significant changes to its fraud program oversight because of consumer influence.”

“It is clear to me that despite sensational headlines, progress has been made to improve outcomes,” Ruden said. “Presently, losses in the network on a volume-adjusted basis are lower than those typical of credit cards.”

But he said any failure to reimburse victims of fraud and account takeovers only adds to pressure on Congress to do more to help victims of those scammed into authorizing Zelle payments.

“The bottom line is that regulations have not kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment scam losses have outpaced credit card losses and a regulatory response is now on the table. Banks have the choice right now to take action and increase controls or await regulators to impose a new regulatory environment.”

Sen. Warren’s report is available here (PDF).

There are, of course, some versions of the Zelle fraud scam that may be confusing financial institutions as to what constitutes “authorized” payment instructions. For example, the variant I wrote about earlier this year began with a text message that spoofed the target’s bank and warned of a pending suspicious transfer.

Those who responded at all received a call from a number spoofed to make it look like the victim’s bank calling, and were asked to validate their identities by reading back a one-time password sent via SMS. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code sent via text by the bank’s site was the only thing the crooks needed to reset the target’s password and drain the account using Zelle.
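The scam above works because the password-reset code was the only control between the thieves and an outbound Zelle transfer. The following is an added example, not code from the article or from any bank, of the kind of risk rule a fraud team could put in front of P2P transfers to break that chain: a transfer requested shortly after a credential reset, from an unrecognised device or to a never-before-paid recipient, is held for review or pushed to a confirmation channel that the SMS code could not have leaked. The account fields, thresholds and scenario values are assumptions constructed for illustration.

```python
"""Added example (not from the article): a reset-aware transfer risk rule.

Assumption: the bank records when an account's password was last reset and
through which channel, whether the requesting device has been seen before,
and whether the recipient has been paid from this account before.  The
24-hour window and $500 threshold are illustrative policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESET_HOLD_WINDOW = timedelta(hours=24)  # assumed: how long a fresh reset stays "hot"
STEP_UP_THRESHOLD_USD = 500.0            # assumed: amount above which one signal triggers step-up


@dataclass
class AccountState:
    account_id: str
    last_password_reset: Optional[datetime]  # None if the password was never reset
    reset_channel: Optional[str]             # e.g. "web_forgot_password"
    known_device: bool                       # has this device transferred before?


@dataclass
class TransferRequest:
    account_id: str
    amount_usd: float
    requested_at: datetime
    recipient_known: bool                    # recipient previously paid from this account


def evaluate_transfer(state: AccountState, req: TransferRequest) -> dict:
    """Return {"action": "allow" | "step_up" | "hold", "reasons": [...]}.

    "hold"    = queue for human review / delay settlement.
    "step_up" = confirm out of band.  An SMS one-time code is NOT an acceptable
                step-up here: in the scam described above the victim already
                read such a code to the attacker.
    """
    reasons = []
    recent_reset = False

    if state.last_password_reset is not None:
        age = req.requested_at - state.last_password_reset
        if timedelta(0) <= age < RESET_HOLD_WINDOW:
            recent_reset = True
            reasons.append(f"password reset {age} ago via {state.reset_channel}")

    if not state.known_device:
        reasons.append("transfer from unrecognised device")
    if not req.recipient_known:
        reasons.append("first payment to this recipient")

    if recent_reset and len(reasons) >= 2:
        # The scam's exact shape: fresh reset plus a new device or new payee.
        action = "hold"
    elif reasons and req.amount_usd >= STEP_UP_THRESHOLD_USD:
        action = "step_up"
    elif recent_reset:
        action = "step_up"   # even a small transfer right after a reset deserves a check
    else:
        action = "allow"
    return {"action": action, "reasons": reasons}


# Constructed scenarios (not real accounts or transactions).
NOW = datetime(2022, 10, 3, 14, 30)


def scam_scenario() -> dict:
    """Reset 20 minutes ago from the 'forgot password' page, new device, new payee."""
    state = AccountState("acct-demo-1", NOW - timedelta(minutes=20),
                         "web_forgot_password", known_device=False)
    req = TransferRequest("acct-demo-1", 2400.0, NOW, recipient_known=False)
    return evaluate_transfer(state, req)


def routine_scenario() -> dict:
    """No recent reset, familiar device, recipient paid many times before."""
    state = AccountState("acct-demo-2", NOW - timedelta(days=90),
                         "web_settings", known_device=True)
    req = TransferRequest("acct-demo-2", 60.0, NOW, recipient_known=True)
    return evaluate_transfer(state, req)


if __name__ == "__main__":
    print("scam pattern   :", scam_scenario())
    print("routine payment:", routine_scenario())
```

The rule is deliberately coarse: it models the one control the described scam defeated (the reset code) as a time-limited risk signal rather than trying to score every transfer, and it treats the confirmation step as something other than the SMS channel the attacker already socially engineered.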

None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account getting drained, most banks will not reimburse that loss.

This is why I have always urged, and will continue to urge, small business owners to conduct their online banking affairs only from a dedicated, access-restricted and security-hardened device — and preferably a non-Windows machine.

For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.