DPP Admin Team

Three New Cyber Threats - September Edition

1. Callback Phishing

New tactic for getting WMs to download malware

Callback phishing is the latest email scam designed to get wealth managers to infect their systems with malware. It begins with an innocuous email inquiry from a prospective client who is looking for a wealth manager and asks that someone at the firm call them. The caller is greeted by an articulate person who offers to send over information about themselves to see if they might be a good fit with the advisory firm. However, the email attachment they send includes malware. If the employee clicks on the attached file, it will infect the firm’s systems.

Wealth management firm employees must do their homework before responding to such inquiries, much less before opening a file sent by them. Only rarely does anyone call in asking to provide information to see if they might be a good client. Preventing this kind of breach requires educating all employees about this new, widely used scam.

 

2. Synthetic Identity Fraud

Using unprotected client personally identifiable information (PII) to fraudulently borrow money

Cyber criminals regularly look for unprotected client PII so they can apply for online loans and credit cards using someone else’s identity. The criminals most often target auto loans, followed by bank credit cards, retail credit cards, and unsecured personal loans.

Unfortunately, wealth managers have immense amounts of client PII. Per Regulation S-ID, they are liable if it is stolen, be it online or by vendors (such as cleaning staff) from their offices. All WM employees need to be educated on never leaving such information out or unsecured.

 

3. Password Spraying

Weak passwords threaten wealth manager networks

Cybercriminals are now conducting “brute force attacks” that attempt to log in to administrative accounts by using a limited number of commonly used passwords. Although employees are regularly told to use unique, random passwords, inevitably one person will instead use something easy to remember, and studies have shown that there are about one hundred such types of passwords that are commonly used. Once in, the cybercriminals quickly change the privileges associated with the breached user and then move laterally within the network and steal key data or client assets.

Strong password standards are essential to preventing this from happening.  Wealth managers need to regularly review what passwords employees are using and whether they are strong enough to prevent brute force attacks.
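
An added example (not part of the original newsletter) of spotting this pattern in login records: it flags a source that fails against many different accounts with only a few tries each, and lists any account that source then logged in to. The event format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded)
EVENTS = [
    ("2023-09-04T02:00:05", "203.0.113.7", "admin", False),
    ("2023-09-04T02:00:09", "203.0.113.7", "jsmith", False),
    ("2023-09-04T02:00:14", "203.0.113.7", "mlee", False),
    ("2023-09-04T02:00:18", "203.0.113.7", "rpatel", False),
    ("2023-09-04T02:00:23", "203.0.113.7", "kwong", True),
    # One user mistyping their own password: many tries, one account.
    ("2023-09-04T09:12:40", "198.51.100.20", "jsmith", False),
    ("2023-09-04T09:12:52", "198.51.100.20", "jsmith", False),
    ("2023-09-04T09:13:10", "198.51.100.20", "jsmith", True),
]

def detect_spraying(events, window=timedelta(minutes=10), min_accounts=4, max_tries=2):
    """Return one finding per source that fails against many accounts, few tries each."""
    by_source = defaultdict(list)
    for ts, src, user, ok in events:
        by_source[src].append((datetime.fromisoformat(ts), user, ok))
    findings = []
    for src, rows in sorted(by_source.items()):
        rows.sort()
        # Slide a time window forward from each event of this source.
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            fails = defaultdict(int)
            for _, user, ok in in_window:
                if not ok:
                    fails[user] += 1
            # Spraying: wide across accounts, shallow per account.
            if len(fails) >= min_accounts and max(fails.values()) <= max_tries:
                hits = sorted({u for _, u, ok in in_window if ok})
                findings.append({
                    "source": src,
                    "accounts_tried": sorted(fails),
                    "successful_logins": hits,  # accounts to reset and review
                })
                break
    return findings

if __name__ == "__main__":
    for finding in detect_spraying(EVENTS):
        print(finding)
```

Any account listed under `successful_logins` is the one to lock and review first, since the text above notes that privileges are changed quickly after a successful login.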

DPP Admin Team

Three New Cyber Threats - July Edition

1. Double Cyber Extortion Threats


Cybercriminals use malware both to take control of systems and to threaten to publish client info

A recently completed study has found that cybercriminals have expanded their attacks on institutions with client data.  Previously they had used malware to take control of a company’s systems, blocking the organization from functioning until they were paid ransom. However, over the last twelve months, double threats have become common.  The cybercriminals not only block companies from functioning.  They also threaten to publish stolen client data should the company find a way around their malware and not pay ransom.

For wealth managers, the risk of having stolen client data published is exceptionally problematic.  The organization and its management may be sued by the affected clients.  It is also at risk of an enforcement action under Regulation S-ID as well as under the SEC’s new cyber regulations likely to be approved in October or November.


2. New Bluetooth device can steal passwords from devices

Compromising firm online accounts with stolen passwords

A new, inexpensive device will connect with devices such as iPhones, iPads and Android phones and capture their passwords.   The device costs only $70 to build and can connect with any Bluetooth enabled device within 50 feet.

A cybercriminal trying to breach a wealth manager can use the device to steal their passwords and access company systems. Employees need to be educated on the importance of going into their device settings and turning off Bluetooth whenever they are not using it.

3. NSO Group’s Pegasus spyware & Apple lockdown mode

Preventing cameras and microphones from being turned on without their user’s permission 

There have been multiple reports on new spyware that allows outsiders to turn on device cameras and microphones without their user’s knowledge or permission.  It has been used to spy on journalists and activists by police and intelligence organizations.  However, it could also be used to steal confidential client information from wealth management firms. 

Apple has become so concerned about this new type of spyware that it has created a new lockdown mode as an optional setting in its new operating software. Although it blocks this type of malware, the device becomes much more cumbersome to use: lockdown mode blocks message attachments, some Web browsing, and the functioning of FaceTime.

DPP Admin Team

Three New Cyber Threats - June Edition

1. Voice & imaging replication for deepfake Zoom calls.

AI software can now be used to stage fake Zoom calls with individuals. In a recent attack, cyber criminals were able to accurately replicate the image and voice of the CEO of a company and use it as part of a twenty-minute call with investors without the executive’s knowledge.

This attack creates yet another set of cyber risks for wealth managers. For example, cybercriminals can pose as the wealth manager, schedule a Zoom call, and then use it to collect immense amounts of client personal information.  Similarly, they can pose as the client and use a Zoom call to direct fraudulent transactions.

2. ChatGPT makes phishing emails more realistic.

Largely unnoticed in the excitement involving ChatGPT is that it creates a host of new cyberthreats. The most common cyberattacks involve phishing: emails with attachments that contain malware, which is malicious software designed to get behind cyber defenses, export information and take control of systems. Until recently it had been relatively easy to spot many phishing emails because they often had spelling, grammatical or verb tense errors. With ChatGPT, cybercriminals can write in a manner that masks their lack of understanding of English.

Wealth managers need to educate their employees about this new threat.  A single successful phishing attack can compromise the firm’s systems and lead to the potential theft of client information and assets.


3. Insider threats to businesses are rising.

A recent study found a 44% increase in the number of insider cyberattacks on businesses. They typically occur when employees first start, leave or give notice.

Such attacks on wealth managers are both potentially lucrative and problematic.  They are lucrative because the personal information for just one client can be sold for as much as $1,000.  They are problematic because under Regulation S-ID, wealth managers are obligated to protect client personal information and, should it be stolen, the wealth manager could be subject to an enforcement action.

DPP Admin Team

Three New Cyber Threats - May Edition

1. Bypassing fingerprint authentication on devices


Compromising devices with access to firm systems

A new, inexpensive technique will allow cybercriminals to break into devices protected by fingerprint authentication. Some smartphones allow users to access them using their fingerprints rather than a passcode. As noted in last month’s alert on new threats to wealth management firms, the FBI has reported that criminals are increasingly targeting individuals to steal their devices and then use them to access the employee’s work email and other online accounts.

The prior alert focused on phones with passwords. Criminals will conduct “over-the-shoulder” attacks by memorizing a passcode as a targeted individual enters it into the device.  They later distract the individual and steal the device. The new technique – called “BrutePrint” – enables criminals to target phones which use fingerprints instead of passcodes and takes advantage of two vulnerabilities in the devices’ authentication technologies as well as the fingerprint sensors.

2. Android app with malware has been downloaded 421 million times from Google Play

Theft of passwords

A new malware virus called SpinOk was installed on 101 different legitimate apps offered on Google Play.  The software had been used by other developers because it was advertised as helping increase user interest in the underlying app. However, the same software also steals other information from devices with the app.

That this malware is so widespread creates a serious threat to any wealth managers who have employees that use Android devices to access company systems. The malware will automatically export to a remote server any passwords to sites accessed by the device, allowing cybercriminals to breach company systems.

3. Zero-click hacking of iOS devices


Ability to compromise Apple devices without the user having to click on a link

A widely publicized “zero-day” attack was alleged by Russian intelligence, which claimed that the NSA and Apple colluded to create a means of hacking an Apple device just by sending it a text message. Normally the user is required to click on a link in the text for the device to be breached.

Although Apple has denied any involvement, a similar-type vulnerability in the iOS operating system was previously identified by a Google engineer. After informing Apple so that the vulnerability could be identified and repaired, the engineer detailed what he had found at a major conference.

Apple smartphones are considered by many security experts to have the most secure operating system. That it can, on occasion, be so easily breached is yet another reason why wealth managers may ultimately have to shift to closed systems that can only be accessed by tightly controlled and managed company-owned laptop devices.
