More stories

  • 'Serial' romance fraudster jailed for trying to scam 670 people in the UK

    A romance scammer in the United Kingdom has been jailed after trying to con 670 people. 

    According to the UK’s National Crime Agency (NCA), Osagie Aigbonohan, originally from Lagos, Nigeria, used a range of fake names, dating apps, and social media networks to find and connect with potential victims who were looking for a relationship. The 41-year-old’s aliases included “Tony Eden.” While masquerading as Tony, Aigbonohan targeted a woman and built up a relationship over a period of ten months before begging her for money to help him with an incident relating to an overseas business.  The woman was told that a machinery accident at work – and the subsequent need to pay for worker funerals – had rinsed his bank account, and he needed to hire drill equipment to resume operations. This led to fraudulent transfers of £9,500 ($13,000) to various accounts held under fake identities, which eventually made their way into Aigbonohan’s personal account.  In another case, a woman who was terminally ill became a victim. “Aigbonohan continued to pursue her even after she had passed away,” the NCA says.  The crime agency estimates that at least 670 people were targeted by the romance scammer, at least eight people sent him money, and in total, approximately £20,000 ($27,200) was fraudulently obtained. 

    Following an NCA investigation, Aigbonohan was arrested in July last year and was charged with fraud and money laundering. It was also discovered that Aigbonohan had overstayed his visa, was staying in the UK illegally, and was using a counterfeit driver’s license. Southwark Crown Court has now sentenced Aigbonohan to 28 months behind bars. “Romance fraud is a particularly callous offense, involving exploitation of an individual’s emotional needs and caring qualities, to extract money from them,” commented James Lewis of the Crown Prosecution Service (CPS). “People should be particularly vigilant over the coming month as we head towards Valentine’s Day and more people seek a partner.” UK Finance estimates that between January and November 2021, UK residents lost £18.5 million ($25.2 million) to romance scams, an increase of 12% year-over-year. In the same year, the FBI estimates that $133 million has been fraudulently taken from victims in the United States. In other NCA news, a 32-year-old man from Nottingham was jailed earlier this month after admitting to the use of Remote Access Trojans (RATs) to spy on both children and adults. Sensitive and explicit material was also stolen from handsets infected by the malware.

  • Singapore police warn of ad scams targeting Google search users

    Singapore has warned of a new scam tactic targeting users of Google’s search platform, some of whom have unwittingly assumed advertisements containing fake bank hotlines to be legitimate. Victims of these scams have already lost more than S$495,000 ($367,775) since December 2021. Singapore Police Force (SPF) said these phishing ads would pop up on Google when users searched for a bank’s contact number with the intention of seeking advice for various reasons. These ads would show up amongst the first few search results and contain fake contact details for the bank, the police said in its advisory note released Wednesday. Unwitting victims who called these numbers would speak with someone impersonating a bank employee, who would then proceed to alert them of issues with their bank account, credit or debit cards, or loans. Victims would be instructed to temporarily transfer funds to bank accounts provided by the impersonator, in order to resolve the issue or make payments for outstanding loans.

    Some victims would receive SMS messages with headers spoofing the bank’s Sender ID, so these would appear as legitimate communications from the bank. The messages would either contain instructions to reset the victim’s bank account as part of Singapore’s efforts to combat scams, or state that the victim had to transfer money for early loan settlement. “Victims would only realise that they had been scammed when they contacted the bank via the authentic hotline to verify the new bank account number or when the bank contacted them to verify the reason for the large sum of money transferred,” SPF said. Since last month, at least 15 victims had lost more than S$495,000 ($367,775) to these scams, according to the police. Its latest advisory follows a spate of phishing SMS scams that affected at least 469 customers of OCBC Bank and resulted in losses of more than S$8.5 million. Some S$2.7 million alone was lost over the recent three-day Christmas weekend, and several victims reportedly lost their life savings. The bank has since promised to make full restitution of losses to all victims of the scams.

    Industry regulator Monetary Authority of Singapore (MAS) on Wednesday also introduced additional security measures that banks would have to implement, in light of the OCBC scams. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens. Banks also would have to set up dedicated and “well-resourced” customer assistance teams to deal with customer feedback on potential fraud cases. MAS said the new measures, which should be deployed within two weeks, aimed to strengthen the security of digital banking. “MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” it said.

  • Fortune favours the breached: Crypto.com admits 400 users hit in hack

    Crypto.com CEO Kris Marszalek told Bloomberg on Wednesday that the attack earlier this week hit 400 users. For what Marszalek said was a period of 13 to 14 hours, Crypto.com paused its users’ ability to withdraw funds, and subsequently required users to sign back into their accounts and reset their two-factor authentication. Marszalek said Crypto.com’s 200 security professionals had created a “very robust” infrastructure and stated it had defence-in-depth. “There are multiple layers, and in this particular incident, some of these layers were breached,” he said. “Which resulted in about 400 accounts having unauthorised transactions.” Marszalek added the impacted users had their funds fully reimbursed on the same day, and while he would not be drawn to put a figure on the amount of funds taken, he said the company was working on a postmortem that would appear on its blog in the next few days.

    “In any case, one has to remember that given the scale of the business, these numbers are not particularly material.” While Marszalek did not put a number on it, PeckShield did, claiming around $15 million was being washed through a coin tumbler. The CEO also said in other sections of the interview that he expected increasing use cases, such as blockchain gaming, to increase the number of cryptocurrency users to over one billion this year. He added the company was looking at potentially purchasing blockchain gaming companies.

  • Singapore must clamp down on security inertia before digital banking era can take off

    Where cybersecurity is concerned, governments and businesses often tout the importance of “shared responsibility”, with consumers urged to also practise good cyber hygiene to help stave off attacks and protect their own assets. A recent spate of online scams in Singapore, however, reveals that blame will be placed on individuals when possible and demonstrates that regulations sometimes are the only way to shake organisations out of complacency. People, process, and technology. How often has this trinity been preached as the three fundamentals of any successful digital adoption and the holistic approach to ensure good security posture? Which of the three, though, bears greater weight? Does technology play the biggest role in cybersecurity? Or are processes the most critical component of this equation? When it comes to blame, it appears that significant onus is placed on consumers to safeguard their personal data and bear the consequences should they fall for online scams. A recent series of online scams involving at least 469 customers of OCBC Bank resulted in losses of more than S$8.5 million ($6.32 million), with S$2.7 million scammed over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive who had her account emptied of S$68,000.

    In these cases, which first surfaced December 1 last year, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate. In its statement released December 30, OCBC made clear that customers were “the first line of defence” against such scams and that once funds were moved from their account, the possibility of recovery was “very low”. The bank said it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.

    Upset over how the breach was handled, affected OCBC customers expressed frustration over the lengthy time they were put on hold in their efforts to contact the bank’s hotline and have their accounts locked to stem the leaks. Several noted a lack of urgency amongst OCBC’s customer agents when told about the security breach. In his interview with local media platform Mothership, the 43-year-old male victim added that the bank staff he corresponded with did not even appear to be aware of the ongoing scams. Noting that his account was breached on December 20, he questioned whether OCBC had done enough to alert its own staff and customers of the growing security risks when the attacks had been escalating since early December. Inundated with the bad press that followed, OCBC on Wednesday said all customers affected by the scams would receive “full goodwill payouts” comprising the amount they lost. This came after its previous statement on Monday that it had begun to make “goodwill payouts” since January 8, but did not specify if this applied to all customers or whether they would receive the entire amount they lost. OCBC probably sees this $8.5 million write-off as a necessary cost in crisis management, but it will likely take much more before the bank is able to regain the trust of its customers and its brand reputation. It also faces possible repercussions from industry regulator Monetary Authority of Singapore (MAS), which said it would “consider appropriate supervisory actions” after the bank conducted a “thorough” investigation to identify and plug deficiencies in its processes.

    Meanwhile, MAS on Wednesday introduced several measures that banks would have to implement as a result of the phishing scams. These include the removal of hyperlinks from email or SMS messages sent to consumers, a 12-hour delay in activating mobile software tokens, and setting up a dedicated and “well-resourced” customer assistance team to deal with customer feedback on potential fraud cases. Noting that these new measures aimed to strengthen the security of digital banking in Singapore, MAS added that financial institutions should implement further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer’s contact details. More permanent solutions also are in the works to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders, MAS said.

    Stronger regulatory hand needed for businesses to take security seriously

    These steps, in my view, are a long time coming. Too many organisations, including banks, for far too long have adopted bad business practices that put customers at risk of security attacks. They also have been increasingly heavy-handed in the amount of personal data they demand from customers in return for access to services, including critical services. More importantly, as the number of cyber attacks and breaches continues to grow, businesses still lack a proper plan to help them more quickly respond to security incidents and stem any potential data leak. OCBC clearly did not have a cybersecurity incident framework in place. If it did, it would have been able to better handle calls from frantic customers alerting it to the scams and more swiftly block affected accounts to stop further fraudulent transactions from taking place. There are further questions about why the bank’s SMS header was so easily spoofed and whether it took any prior measures to prevent, or even to investigate, the phishing scams when these first surfaced. Local law enforcement had published multiple advisory notes, including one as early as last April and another in November, about fake SMS messages with spoofed SMS headers of banks. Did OCBC heed these alerts? Or did the bank deem it okay to ignore them since the advisory notes served as a warning for consumers to take the necessary measures and be “the first line of defence”?

    Shouldn’t OCBC have been the very first line of defence instead in this case? In a January 17 reply to reports on the SMS phishing scams, IMDA’s director of communications and marketing Foo Wen Dee said a pilot was launched last August to enable organisations to register SMS Sender ID headers they wished to safeguard. Doing so with the SMS Sender ID protection registry would help ensure messages sent via unauthorised use of the protected SMS Sender ID would be blocked. Foo wrote: “The success of this measure, however, requires organisations such as banks to participate in the pilot, which would include registering the SMS Sender IDs they wish to protect and choosing the approved SMS aggregators that are allowed to send SMSes on the banks’ behalf. When the registry was initiated, some banks signed up for the registry. Other organisations such as Lazada and SingPost also signed up. We urge more businesses that use SMS Sender IDs to do so,” she said. She added that IMDA was working with telcos in Singapore to roll out other measures, including blocking commonly spoofed numbers. It’s interesting that Foo chose not to list examples of banks that participated in the pilot, when she did for organisations in other sectors. So, did OCBC put its SMS Sender ID in the registry? And if it did, did it do so before or only after the phishing scams surfaced in December? And why was it the only bank hit, and hit so severely, by the onslaught of attacks? These are questions that cannot afford to go unanswered, especially as Singapore is about to push its digital banking regime into full gear. The four successful bidders of the country’s digital bank licences are expected to begin operations from early 2022. Scarred by the numerous reports of life savings wiped clean from bank accounts, with blame put on the victims, how many will rush to sign up for services offered by digital banks?

    If scammers are able to find holes in the systems and processes of established traditional banks such as OCBC, what more can they do with banks that run entirely on online infrastructures? Furthermore, several victims of the OCBC scams were not from vulnerable groups that were less tech-savvy and more susceptible to cyber scams. They were young, presumably already familiar with consuming online services, and professionals from both the financial and IT industries. If even they were fooled by the cyber scammers, what hope is there for others less accustomed to digital banking services? Consumer trust plays a key role in driving adoption and, if left unaddressed following the latest series of events, may throw a spanner in the works of Singapore’s hopes of a thriving digital banking era. On the flip side, it could actually result in a new competitive advantage for new digital players, now that the trusted relationship between incumbent banks and customers may have somewhat eroded. While it remains to be seen how the industry will recover from the OCBC saga, what has become clear is the need for stronger regulations to shake companies out of inertia. For one, MAS’ inclusion of incident response among the measures banks must adopt is a positive step forward. A ZDNet report I published last week discussed the importance of cybersecurity incident response in bolstering cyber resilience and network availability. As mentioned previously, a robust incident response plan could have helped OCBC stem funds from leaking further and saved its customers, as well as the bank, from losing S$8.5 million. There should be clear guidelines, and mandates if necessary, that ensure businesses and banks respond within a stipulated time when customers call their hotline about a potential security breach. Failure to meet this should result in financial penalties or prevent breached organisations from renouncing liability.

    Companies also should be required to release an incident report, following their investigation into the service breach, that highlights the cause of the breach and the remediation steps taken to plug the security holes, if any. Where necessary, this report should include additional measures customers may need to take to better protect their personal data with the organisation. For instance, it has been two months since DBS suffered its most serious service disruption last November, during which its customers could not log into or access the bank’s online and mobile services for the bulk of two days. Few details were offered about the cause then. Does it plan to release a report detailing its review of the incident soon? Has it at least submitted its findings to MAS? If not, how then will DBS customers be certain the bank’s processes and systems did not trigger the service disruption, and that their data and accounts are adequately secured? In addition, the implementation of security measures deemed critical to combat growing threats, such as registering and protecting SMS Sender IDs, should be mandated and enforced, rather than left as optional. If MAS can release guidelines disallowing the marketing of crypto services to safeguard consumers against trading “on impulse”, then surely it can do the same to mandate the adoption of steps critical to protect people’s life savings? While concerns that over-regulating can stifle innovation are valid, laws and rules are necessary when there is blatant failure, on the part of businesses, to do what is required in their customers’ interest. Yes, cybersecurity is a shared responsibility, but it doesn’t mean companies get to throw their arms up at the first chance and say, “we told you so”, when customers make a mistake and fall for what breached organisations commonly describe as “increasingly sophisticated” online scams. Equal efforts also should be made to immediately address and contain the impact of security incidents, regardless of how the breach happened. An assume-breach posture does not mean businesses get to skip due diligence. And the next time someone mentions the tradeoff between convenience and security, remind them about the bank accounts that were drained of life savings over one link in an SMS message.

  • Biden threatens 'cyber' response after Ukraine says computers wiped during attack

    US President Joe Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems Wednesday afternoon, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine’s digital infrastructure.  “The question is if it’s something significantly short of an…invasion or major military forces coming across,” Biden said in response to a question about how the US would respond to a Russian invasion of Ukraine. “For example, it’s one thing to determine that if they continue to use cyber efforts, well, we can respond the same way, with cyber.”


    The Daily Beast later asked White House Press Secretary Jen Psaki and she confirmed that if Russia continued to launch cyberattacks, they would be answered with a “decisive, reciprocal, and united response.” Biden’s comments come after Ukrainian officials told journalist Kim Zetter that dozens of systems within at least two government agencies were wiped during a cyberattack last week. Microsoft released a detailed blog about wiping malware, named “WhisperGate,” and said it was first discovered on January 13. In a follow-up examination of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.” “However, the WhisperGate bootloader has no decryption or data-recovery mechanism, and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained.

    “The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.” Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, told The Washington Post that one of the agencies affected by the wiper was the Motor Vehicle Insurance Bureau. The wipers were launched days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. While it was initially unclear whether the website defacements and the wiper attacks were coordinated, Ukrainian officials confirmed this week that they occurred at the same time. Kitsoft, the company that built about 50 of the government websites, told Zetter that it too discovered WhisperGate malware on its systems. Ukraine’s State Service for Special Communications and Protection confirmed Zetter’s reporting in a statement. Ukrainian officials floated several theories for how hackers got into their systems, theorizing that a CMS vulnerability may have been the cause. The Cyberpolice Department of the National Police of Ukraine also said hackers may have gotten in using the Log4J vulnerability or through compromised employee accounts. According to The Washington Post, Russia has brought more than 100,000 troops to its border with Ukraine. The Associated Press reported this week that Poland was also raising its nationwide cybersecurity terror threat level in response to the attacks on Ukraine.

  • ProtonMail to block tracking pixels, hide IP addresses

    ProtonMail announced on Wednesday that it will be blocking tracking pixels and hiding IP addresses as part of a new “enhanced tracking protection” feature. ProtonMail’s Lydia Pang explained in a blog post that the company believes “reading emails should be as private as our end-to-end encryption makes sending them.” “Today, we’re happy to introduce enhanced tracking protection, a feature that will provide an additional layer of privacy to your inbox. Now you can read your emails without letting advertisers watch you, build a profile on you, or serve you ads based on your mail activity,” Pang said. “By default, ProtonMail on the web now protects your privacy by:

      • Blocking tracking pixels commonly found in newsletters and promotional emails, preventing senders from spying on your mail.
      • Hiding your IP address from third parties so your location remains private.

    With enhanced tracking protection, you can continue to use your ProtonMail address to subscribe to newsletters and register for online accounts everywhere while enjoying a better, more private email-reading experience.”
    The company said about 40% of emails sent and received daily are tracked and that email tracking has increased in recent years. Companies are able to track emails by embedding pixels in the emails sent to you. The pixels log details about your activity and ProtonMail said every time you open an email with spy pixels in them, it collects information like when you opened it, how many times you opened it, your location and IP address. “The gathered data is sent to the email sender, all without your consent. Email trackers can sometimes even expose your information to third parties, allowing them to track you across the web and connect your online activity to your email address, further shaping your invisible online profile,” Pang explained. 

    “The feature is enabled by default on our web app, so you can enjoy peace of mind knowing that your emails are always protected.” ProtonMail has become well-known as one of the most privacy-focused email services available but faced backlash in September after it revealed it can be “forced to collect information on accounts belonging to users under Swiss criminal investigation.”
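    The two protections described above, pixel blocking and IP hiding, as an added Python illustration that is not ProtonMail’s code: it parses an HTML mail body, removes images that look like tracking pixels, and rewrites the remaining remote image URLs through an image proxy so the sender’s host sees the proxy rather than the reader. The pixel heuristics, the proxy URL (IMAGE_PROXY) and the sample newsletter are assumptions constructed for the example.

```python
"""Drop tracking pixels and proxy remote images in an HTML e-mail body.
Added illustration, not ProtonMail's code: the pixel heuristics, the proxy URL
and the sample newsletter are assumptions constructed for this example."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Assumed: the client fetches surviving remote images through its own proxy, so
# the image host sees the proxy's address rather than the reader's IP address.
IMAGE_PROXY = "https://img-proxy.example.invalid/fetch?url="
# Query-string keys that typically carry a per-recipient identifier (assumed).
TRACKING_KEYS = {"uid", "rid", "cid", "email", "recipient", "subscriber"}


def _dimension(value):
    """'1', '1px', ' 0 ' -> int; None when the attribute is absent or not numeric."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def is_tracking_pixel(attrs):
    """A remote image that is at most 1x1, hidden by inline style, or whose URL
    carries a per-recipient id (which reports the open even at full size)."""
    a = dict(attrs)
    parsed = urlparse(a.get("src") or "")
    if parsed.scheme not in ("http", "https"):
        return False  # cid:/data: images never contact a remote host
    w, h = _dimension(a.get("width")), _dimension(a.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = (a.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return bool({k.lower() for k in parse_qs(parsed.query)} & TRACKING_KEYS)


class MailSanitizer(HTMLParser):
    """Re-emits the document, dropping pixels and rewriting remote <img src>."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked, self.proxied = [], [], []

    def _emit_img(self, attrs, self_closing):
        src = dict(attrs).get("src") or ""
        if is_tracking_pixel(attrs):
            self.blocked.append(src)
            return  # tag removed entirely, so nothing is ever fetched
        if urlparse(src).scheme in ("http", "https"):
            self.proxied.append(src)
            attrs = [(k, IMAGE_PROXY + quote(src, safe="") if k == "src" else v)
                     for k, v in attrs]
        parts = ["img"] + [k if v is None else f'{k}="{escape(v, quote=True)}"'
                           for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def _start(self, tag, attrs, self_closing):
        if tag == "img":
            self._emit_img(attrs, self_closing)
        else:
            self.out.append(self.get_starttag_text())  # other tags pass through

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(html_body):
    """Return (clean_html, blocked_image_urls, proxied_image_urls)."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked, parser.proxied


# Constructed sample: a logo, a 1x1 pixel, a full-size image with a recipient
# id in its URL, and an inline (cid:) attachment that never leaves the mail.
SAMPLE_MAIL = (
    "<html><body><p>Welcome to our newsletter!</p>"
    '<img src="https://cdn.example.invalid/logo.png" width="200" height="50">'
    '<img src="https://track.example.invalid/o.gif?uid=abc123" width="1" height="1" />'
    '<img src="https://cdn.example.invalid/hero.jpg?rid=abc123" width="600" height="300">'
    '<img src="cid:inline-part-1" width="1" height="1">'
    "</body></html>"
)
```

    Running `sanitize(SAMPLE_MAIL)` removes the two tracking images, proxies the logo, and leaves the inline attachment untouched.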

  • Google announces Scorecard V4 in partnership with GitHub and OpenSSF

    The Open Source Security Foundation (OpenSSF), GitHub, and Google announced on Wednesday the launch of Scorecards V4, which includes larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation. OpenSSF launched the Scorecards in November 2020, creating an automated security tool that produces a “risk score” for open source projects and helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Since Google and OpenSSF’s July 2021 announcement of Scorecards V2, the Scorecards project has grown steadily to over 40 unique contributors and 18 implemented security checks.


    The Scorecards Action, released in partnership with GitHub, automates the process of judging whether changes to a project affected its security. Previously, tasks like this had to be done manually. The Action is available from GitHub’s Marketplace and is free to use. It can be installed on any public repository by following these directions. “Since our July announcement of Scorecards V2, the Scorecards project—an automated security tool to flag risky supply chain practices in open source projects—has grown steadily to over 40 unique contributors and 18 implemented security checks. Today we are proud to announce the V4 release of Scorecards, with larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation,” said Google Open Source Security Team members Laurent Simon and Azeem Shaikh. “The Scorecards Action is released in partnership with GitHub and is available from GitHub’s Marketplace. The Action makes using Scorecards easier than ever: it runs automatically on repository changes to alert developers about risky supply-chain practices. Maintainers can view the alerts on GitHub’s code scanning dashboard, which is available for free to public repositories on GitHub.com and via GitHub Advanced Security for private repositories.”

    The two added that they have scaled their weekly Scorecards scans to over one million GitHub repositories and partnered with the Open Source Insights website for easy user access to the data.
    The Open Source Security Foundation explained in a blog post that although the world runs on open-source software, many open source projects engage in at least one risky behavior, such as not enabling branch protection, not pinning dependencies, or not enabling automatic dependency updates. “Scorecards makes it simple to evaluate a package before consuming it: a scan run with a single line of code returns individual scores from 0 to 10 rating each individual security practice (“checks”) for the project and an aggregate score for the project’s overall security. Today’s release of a Scorecards GitHub Action makes it easier than ever for developers to stay on top of their security posture,” the organization said. “The new Scorecards GitHub Action automates this process: once installed, the Action runs a Scorecards scan after any repository change. Maintainers can view security alerts in GitHub’s scanning dashboard and remediate any risky supply-chain practices introduced by the change.” All of the alerts will now include the severity of the risk, the file and line where the problem occurs, and the remediation steps to fix the issue. The latest release also adds the License check, which detects the presence of a project license, and the Dangerous-Workflow check, which detects dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows. A number of open-source projects have already adopted the Scorecards Action, including Envoy, distroless, cosign, rekor, and kaniko. “Scorecards provides us the ability to rapidly litmus test new dependencies in the Envoy project,” said Envoy’s Harvey Tuch. “We have found this a valuable step in vetting new dependencies for well-known attributes and we have integrated Scorecards into our dependency acceptance criteria. Machine checkable properties are an essential part of a sound security process.”
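    As an added example (not Scorecards’ own code) of what the Dangerous-Workflow check described above looks for, the following Python scanner flags a pull_request_target job that checks out the pull request head and any run: step that expands untrusted event fields, reporting severity, line and remediation in the way the article says the new alerts do. The list of untrusted contexts, the severity labels and the two sample workflows (the risky job and its corrected form) are assumptions constructed for this example.

```python
"""Minimal stand-in for the Dangerous-Workflow check described above.
Added example, not Scorecards' own code: it flags pull_request_target combined
with a checkout of the PR head, and untrusted event data expanded inside a
run: step. Context list, severity labels and sample workflows are assumptions."""
import re

# Expression contexts whose content is chosen by whoever opened the PR, issue or
# comment (subset assumed for this example; the real check covers more).
UNTRUSTED_CONTEXTS = {
    "github.event.issue.title", "github.event.issue.body", "github.head_ref",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.comment.body",
    "github.event.review.body", "github.event.head_commit.message",
}
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
PR_HEAD_REF = re.compile(
    r"\bref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _injection_findings(shell_text, line_no):
    """One finding per untrusted expression expanded into shell text."""
    return [{
        "check": "Dangerous-Workflow/script-injection",
        "severity": "critical",
        "line": line_no,
        "detail": f"{expr} is expanded inside a run: step",
        "remediation": "Pass the value in via env: and reference it in the "
                       "script as a quoted \"$VAR\" instead of expanding it inline.",
    } for expr in EXPRESSION.findall(shell_text) if expr in UNTRUSTED_CONTEXTS]


def scan_workflow(text):
    """Return findings, sorted by line, for one workflow file's YAML text."""
    findings, uses_prt, head_checkout_line = [], False, None
    run_key_indent = None  # set while inside a `run: |` or `run: >` block scalar
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if run_key_indent is not None and stripped and _indent(line) <= run_key_indent:
            run_key_indent = None  # the block scalar has ended
        if re.search(r"\bpull_request_target\b", stripped):
            uses_prt = True
        if PR_HEAD_REF.search(stripped):
            head_checkout_line = no
        m = RUN_KEY.match(line)
        if m:
            if m.group(3).startswith(("|", ">")):
                run_key_indent = len(m.group(1)) + len(m.group(2) or "")
            else:
                findings += _injection_findings(m.group(3), no)
        elif run_key_indent is not None:
            findings += _injection_findings(line, no)
    if uses_prt and head_checkout_line is not None:
        findings.append({
            "check": "Dangerous-Workflow/untrusted-checkout",
            "severity": "critical",
            "line": head_checkout_line,
            "detail": "pull_request_target job checks out the PR head, so code "
                      "from the fork may run with the base repository's secrets",
            "remediation": "Trigger on pull_request instead, or never check out "
                           "or execute PR head content under pull_request_target.",
        })
    return sorted(findings, key=lambda f: f["line"])


# Constructed samples: the risky job and the corrected form of the same job.
VULNERABLE_WORKFLOW = """\
name: pr-triage
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Thanks for ${{ github.event.pull_request.title }}"
      - run: echo "${{ github.head_ref }}"
"""
SAFE_WORKFLOW = """\
name: pr-triage
on:
  pull_request:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Thanks for $PR_TITLE"
"""
```

    `scan_workflow(VULNERABLE_WORKFLOW)` reports the checkout at line 10 and the two injections at lines 12 and 13, while the corrected workflow yields no findings.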

  • 1Password raises $620 million in latest funding round

    Password manager 1Password said it closed its latest funding round on Wednesday, raising $620 million and boosting its valuation to $6.8 billion.

    The Series C funding round included the participation of ICONIQ Growth, Tiger Global, Lightspeed Venture Partners, Backbone Angels, and Accel, which led the Canadian company’s series A and B rounds. Celebrities like Ryan Reynolds, Scarlett Johansson, Robert Downey Jr., Matthew McConaughey, Chris Evans, Rita Wilson, Ashton Kutcher, Trevor Noah, Justin Timberlake, and Pharrell Williams also participated in the series C round. Executives like Robert Iger and LinkedIn’s Jeff Weiner invested in the company as well. “Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password. We create products and solutions that improve upon and easily layer into a company’s existing security infrastructure, nurturing better habits for employees while strengthening a company’s security posture from within,” said Jeff Shiner, CEO of 1Password. “That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner continued. 1Password told ZDNet it would use the money to scale the platform and expand its offerings. Over the last year, the company increased its B2B business footprint, adding more than 100,000 companies as customers over the last 24 months. The company has also grown to 570 employees and launched several new products, including a password sharing tool and more.

    Will Griffith, a founding partner at ICONIQ Growth, said more than one hundred CISOs, CIOs, CTOs, developers, and IT leaders were impressed by “1Password’s ability to balance strict security standards with a profound understanding of how humans behave.” “By making safe online behavior second nature, 1Password is not only protecting individuals but also the enterprises where they work,” Griffith said.
