Weekly podcast: $100 million phishing scam, Yahoo (again), LastPass vulnerabilities, and ICO GDPR report

This week, we discuss the arrest of a Lithuanian man over a $100 million phishing scam, an indictment against the alleged perpetrators of the Yahoo breach that compromised half a billion accounts, a number of vulnerabilities affecting LastPass’s browser extensions, and the ICO’s warning to local councils to prepare for the GDPR.

Hello and welcome to the IT Governance podcast for Friday, 24 March 2017. Here are this week’s stories.

A Lithuanian man has been arrested for orchestrating a $100 million phishing scam. According to court documents, 48-year-old Evaldas Rimasauskas from Vilnius registered a company in Latvia with the same name as an Asian computer hardware manufacturer, and opened various bank accounts in its name in Latvia and Cyprus. He then sent phishing emails, masquerading as legitimate emails from the hardware manufacturer, to employees at two unnamed US-based Internet companies – a multinational technology company and a social media company – to induce them to wire him a total of $100 million, which he then immediately transferred to accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

Assistant Director-in-Charge of the New York Office of the FBI William F Sweeney Jr commented: “Criminals continue to commit a wide variety of crimes online, and significant cyber data breaches have had a negative impact across a variety of industries. The FBI will continue to work with our domestic and international partners to pursue criminals who engage in this type of activity, wherever they may be hiding.”

Acting US Attorney for the Southern District of New York Joon H Kim said: “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

Talking of phishing, the Yahoo breach that compromised half a billion accounts (yup, that again) apparently started when an employee succumbed to a phishing attack in early 2014. Malcolm Palmore, the special agent in charge of the FBI’s Silicon Valley office, told Ars Technica that ‘the initial breach […] likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives [and that] social engineering or spear phishing “was the likely avenue of infiltration” used to gain the credentials of an “unsuspecting employee”’.

An indictment against two FSB agents, Dmitry Dokuchaev and Igor Sushchin, and two criminal hackers, Alexsey Belan and Karim Baratov, provides more information, stating that the conspirators used spear phishing emails to “trick unwilling recipients into giving [them] access to their computers and accounts.” Once they had access to Yahoo’s internal networks, they allegedly located Yahoo’s User Database and Account Management Tool, which let them alter targeted accounts, and discovered a tool that let them create forged cookies, which gave them access to others.

Tavis Ormandy of Google’s Project Zero has discovered a number of vulnerabilities affecting LastPass’s browser extensions, which could have allowed attackers to retrieve login credentials from its password manager. Its Android and iOS mobile apps were unaffected.

In an incident report issued on Wednesday, LastPass said that “To exploit the reported vulnerabilities, an attacker would first lure a user to a malicious website. Once on a malicious website, Tavis demonstrated how an attacker could make calls into LastPass APIs, or in some cases run arbitrary code, while appearing as a trusted party. Doing so would allow the attacker to potentially retrieve and expose information from the LastPass account, such as user’s [sic] login credentials.”

LastPass has confirmed that fixes were “being pushed to all users and most should be updated automatically.” If you want to check your version numbers, you should now be using version 4.1.43.82 with Chrome, 4.1.30 with Edge, 4.1.36 with Firefox, and 4.1.28 with Opera.
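For anyone checking a fleet rather than a single browser, here is an added example (not code from the podcast or from LastPass) that compares installed extension versions against the fixed versions quoted above. The fixed version numbers come from the episode; the host names, inventory format and sample inventory are constructed for illustration. The one thing worth showing is that version strings must be compared segment by segment as integers, because a plain string comparison ranks "4.1.9" above "4.1.43.82".

```python
from typing import Iterable, List, Tuple

# Minimum fixed LastPass extension versions as stated in the episode (24 March 2017).
FIXED_VERSIONS = {
    "chrome": "4.1.43.82",
    "edge": "4.1.30",
    "firefox": "4.1.36",
    "opera": "4.1.28",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Numeric segments make comparisons correct (4.1.43 > 4.1.9); comparing the raw
    strings would put "4.1.43" before "4.1.9" because '4' sorts before '9'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ta, tb = parse_version(a), parse_version(b)
    # Pad the shorter tuple with zeros so that 4.1.30 and 4.1.30.0 compare equal.
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_patched(browser: str, installed: str) -> bool:
    """True if the installed extension version is at or above the fixed version."""
    key = browser.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for browser {browser!r}")
    return compare_versions(installed, FIXED_VERSIONS[key]) >= 0


def audit(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, browser, installed, required) for every entry still below the fix.

    `inventory` is an iterable of (host, browser, installed_version) rows; the row
    layout is an assumption of this example, not a LastPass or vendor format.
    """
    findings = []
    for host, browser, installed in inventory:
        if not is_patched(browser, installed):
            findings.append((host, browser, installed, FIXED_VERSIONS[browser.strip().lower()]))
    return findings


# Constructed sample inventory (host names and versions invented for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "Chrome", "4.1.43.82"),   # exactly the fixed version
    ("ws-02", "Chrome", "4.1.9"),       # string-sorts above 4.1.43.82 but is older
    ("ws-03", "Firefox", "4.1.36"),
    ("ws-04", "Edge", "4.1.29"),        # one release below the fix
    ("ws-05", "Opera", "4.1.28.1"),     # a point release above the fix
]

if __name__ == "__main__":
    for host, browser, installed, required in audit(SAMPLE_INVENTORY):
        print(f"{host}: {browser} extension {installed} is below fixed version {required}")
```

Run against the sample inventory, only ws-02 and ws-04 are reported; ws-02 is the case a naive string comparison would miss.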

Finally, the Information Commissioner’s Office (ICO) – the body that enforces data protection law in the UK – has published the results of an information governance survey of local councils that it conducted at the end of 2016.

According to the survey, a quarter of councils are yet to appoint a data protection officer. (Under the new General Data Protection Regulation (GDPR) public authorities – and others – must have one.) More than 15% of councils don’t conduct data protection training for employees that process personal data. (The GDPR requires personnel that have permanent or regular access to personal data to be appropriately trained.) And a third of councils don’t perform privacy impact assessments. (Under the GDPR, data protection impact assessments – essentially the same as privacy impact assessments – are mandatory in certain circumstances.)

All organisations that process personal data – not just councils – must abide by the GDPR from 25 May 2018 or face potential fines of up to 4% of annual global turnover or €20 million – whichever is higher. For more information, visit itgovernance.co.uk/gdpr.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s March book of the month is Once more unto the breach – Managing information security in an uncertain world, by Andrea C Simmons. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.