Newsletter

open source and cybersecurity news

August 7, 2023

- CYBERSECURITY HEADLINES TODAY -

Tax Refund Scams costing Australian Tax Office
Over Half a Billion Dollars
Close that IDOR!
FraudGPT
Building Social Resilience

In this Episode:

Edwin Kwan: Cyber criminals have scammed the Australian Tax Office of more than half a billion dollars. They have done so by exploiting a weakness in the identification system used by the myGov online portal. The weakness allows them to redirect other people’s tax refund to their own bank accounts.

Julie Chatman: Do you remember a major breach from 2019 involving 800 million financial files, including bank account statements and mortgage payment documents? It happened due to a specific security flaw known as Insecure Direct Object References, or IDORs.

Katy Craig: Recently spotted in various dark web marketplaces and Telegram channels, FraudGPT is not to be taken lightly. If the experts are right, this AI-powered bot is exclusively designed for offensive purposes. Think spear phishing emails, stealthy malware creation, carding, and more.

Hillary Coover: Amidst the rise of AI-powered disinformation and deep fakes, the world’s upcoming elections in the US, UK, and India present a high-stakes battleground, where the fate of information integrity hangs in the balance.

From Sourced Network Productions in Washington, DC, it’s 5:05. I’m Hillary Coover. Today is Monday, August 7th, 2023. Here’s the full story behind today’s cybersecurity and open source headlines.


Edwin Kwan: Tax Refund Scams costing Australian Tax Office Over Half a Billion Dollars

This is Edwin Kwan from Sydney, Australia.

Cyber criminals have scammed the Australian Tax Office of more than half a billion dollars. They have done so by exploiting a weakness in the identification system used by the myGov online portal. The weakness allows them to redirect other people’s tax refund to their own bank accounts.

Setting up a myGov account requires 100 points of identification. This is usually either a passport and driver’s license or a driver’s license, a Medicare card or bank statement. Linking the myGov account to your tax records requires any two of the following documents: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a Super Account.

Unfortunately, that is exactly the kind of information that was impacted by the three largest Australian breaches in the past year: the Optus breach, the Medibank breach, and the more recent Latitude Financial breach. Once the cyber criminals have enough information to link your tax records, they can then change the bank account details to have any tax rebate paid to their account. It is sadly a simple scam, and as most payments made were of small amounts, they were not flagged by the tax office’s own monitoring system.

The only way to stay safe is to make sure you don’t share your ID documents without good reason. And if you were impacted by the recent breach, make sure to get your ID replaced and to also check that the Australian Tax Office only has your bank account number on file.
Resources
ATO pays $500m to cyber criminals | Information Age | ACS


Julie Chatman: Close that IDOR!

I’m Julie Chatman in Washington, DC.

Do you remember a major breach from 2019 involving 800 million financial files, including bank account statements and mortgage payment documents? It happened due to a specific security flaw known as Insecure Direct Object References, or IDORs.

IDORs are still relevant today and they happen because of implementation mistakes that allow access controls to be circumvented, and a user is able to directly access objects based on input that they provide.

One example of an IDOR is URL Tampering. URL tampering is the easiest way to exploit an IDOR vulnerability. It works by changing the value of a parameter in the web browser’s address bar, creating access to information or files that should not be available without authorization.

Cookie ID manipulation is another example. Generally, cookies are used to store and exchange data between the client and server, and they can be used to identify specific users. An IDOR vulnerability makes it possible to change the cookie ID and see information that belongs to other users.

The National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Australian Signals Directorate’s Australian Cyber Security Centre released a joint cybersecurity advisory to warn web application vendors, designers, developers, and organizations using web applications about IDOR vulnerabilities.

The advisory contains details for technical mitigations such as implementing secure-by-design and secure-by-default principles to ensure authentication and authorization checks for every request that modifies, deletes, or accesses sensitive data. Best practices include using automated tools for code review to identify and remediate IDOR and other vulnerabilities and indirect reference maps to make sure IDs, names, and keys are not exposed in URLs.

If you are a cyber defender in a SaaS organization, be cautious when selecting web applications. Supply chain risk management and dealing with reputable vendors are both important here. For cyber defenders in organizations with on-prem software, infrastructure-as-a-service or private cloud, proactive vulnerability scanning, and pen testing to check internet-facing web applications and network boundaries are a must.

Visit 505updates.com for a transcript of this recording and a link to the advisory.
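The two exploitation patterns described in this segment (URL tampering and cookie ID manipulation) and the two mitigations the advisory recommends (an authorization check on every request, and an indirect reference map so real IDs never appear in URLs) can be shown side by side in a few lines. The following is an added editorial example written for this newsletter; it is not code from the advisory or from any of the breached systems, and the record IDs, user names and document names are constructed sample data.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed sample data: documents keyed by their real (direct) database id.
RECORDS = {
    101: {"owner": "alice", "doc": "alice-bank-statement.pdf"},
    102: {"owner": "bob", "doc": "bob-mortgage-2019.pdf"},
}


class Forbidden(Exception):
    """Raised when a request fails the authorization check."""


def doc_id_from_url(url):
    """Extract the ?id= parameter exactly as a browser would send it."""
    return int(parse_qs(urlparse(url).query)["id"][0])


def vulnerable_get_document(session_user, url):
    """Before: trusts the client-supplied id and never checks who owns it.
    Changing ?id=101 to ?id=102 in the address bar returns another user's file (the IDOR)."""
    return RECORDS[doc_id_from_url(url)]["doc"]


def hardened_get_document(session_user, doc_id):
    """After: every request is authorized against the authenticated session user,
    and a missing record and a foreign record are indistinguishable to the caller."""
    record = RECORDS.get(doc_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("document not accessible for this user")
    return record["doc"]


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to real ids. The client only ever sees
    the token, so there is no sequential id to tamper with and nothing to guess."""

    def __init__(self):
        self._token_to_id = {}

    def issue(self, real_id):
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = real_id
        return token

    def resolve(self, token):
        real_id = self._token_to_id.get(token)
        if real_id is None:
            raise Forbidden("unknown reference")
        return real_id


def get_document_via_map(session_user, ref_map, token):
    """Defence in depth: resolve the opaque token, then still run the ownership check."""
    return hardened_get_document(session_user, ref_map.resolve(token))


def is_forbidden(fn, *args):
    """Helper so callers can check that a request was rejected."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Alice tampers with the URL: the vulnerable handler leaks Bob's file,
    # the hardened handler refuses, and the token map leaves nothing to tamper with.
    print(vulnerable_get_document("alice", "/documents?id=102"))
    print(is_forbidden(hardened_get_document, "alice", 102))
    m = IndirectReferenceMap()
    tok = m.issue(101)
    print(get_document_via_map("alice", m, tok))
    print(is_forbidden(get_document_via_map, "bob", m, tok))
```

The same `hardened_get_document` check is the mitigation for cookie ID manipulation as well: the user identity comes from the server-side session, never from a client-editable cookie or parameter, so altering the cookie changes nothing the authorization decision depends on.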


Katy Craig: FraudGPT

Recently spotted in various dark web marketplaces and Telegram channels, FraudGPT is not to be taken lightly. If the experts are right, this AI-powered bot is exclusively designed for offensive purposes. Think spear phishing emails, stealthy malware creation, carding, and more.

This is Katy Craig in San Diego, California.

The menacing malware has been making the rounds since at least July 22nd, and its availability is as alarming as its capabilities. Cyber criminals can get their hands on this wicked tool by subscribing for $200 a month, $1,000 for six months, or $1,700 for a full year. There have already been over 3,000 confirmed sales and reviews, a clear indicator of its nefarious popularity.

This insidious, AI-powered threat takes the concept of phishing-as-a-service (PhaaS) to dangerous new heights, causing concerns among cybersecurity experts. But here’s the kicker. While ethical safeguards can be employed by organizations, the potential for misuse remains high. Cyber criminals can easily bypass those safeguards, posing an even greater risk to our digital world.

Protect yourself by exercising caution when granting permissions to suspicious apps and webpages. Avoid installing apps from unofficial sources unless you absolutely trust the developer.

This is Katy Craig, stay safe out there.

Resources
FraudGPT AI malware is made for sophisticated attacks
New AI Tool ‘FraudGPT’ Emerges, Tailored for Sophisticated Attacks


Hillary Coover: Building Social Resilience

Amidst the rise of AI-powered disinformation and deep fakes, the world’s upcoming elections in the US, UK, and India present a high-stakes battleground, where the fate of information integrity hangs in the balance.

Hi, this is Hillary Coover reporting from Washington, DC.

In the upcoming elections in the US, UK, and India, the world faces a critical test in dealing with AI-powered disinformation and deep fakes.

Governments are working on regulations, tagging systems, and watermarking technologies to combat fake content, but these measures alone are not sufficient. Building social resilience and public education are crucial to managing AI’s misuse effectively. A public education campaign is necessary to help people recognize manipulative disinformation.

Now, I know disinformation campaigns are nothing new, but AI exacerbates the problem, as it allows for more sophisticated and targeted campaigns. Russia, China, and Iran have been using cyber influence operations to sway public opinion and disrupt elections, and AI will amplify their capabilities.

The focus is, and has been, on regulating the technology. The Biden administration recently reached an agreement with seven AI companies, including Microsoft, to implement voluntary guardrails for AI use, including a watermarking system to identify AI-generated content. However, this is just one element of a broader strategy needed to tackle the issue.

In the face of escalating AI-powered disinformation and deepfakes threatening elections worldwide, public education stands as the critical tool to empower individuals in identifying and countering manipulative content.
By fostering social resilience through knowledge, we can safeguard the integrity of information and protect the foundations of democracy.

Resources
Pro Take: Tech Executives Call for Critical Thinking to Counter Deepfakes, Disinformation – WSJ


Hillary Coover

That’s our update for today, August 7th, 2023. I’m Hillary Coover. We’ll be back tomorrow… at 5:05.
