Weekly podcast: criminal and legal rewards for hacking, and malvertising

In this week’s podcast, we discuss cyber criminals’ poor spelling, Google’s bug bounty programme and a malvertising spike.


Hello and welcome to the IT Governance podcast. Here are this week’s stories…

First, spelling. Reuters reports that a spelling mistake cost cyber criminals nearly $1 billion in February when they attempted to scam Bangladesh’s central bank – but misspelled the name of the NGO they were impersonating. According to Reuters, the criminals “breached Bangladesh Bank’s systems and stole its credentials for payment transfers” before bombarding the Federal Reserve Bank of New York with “requests to move money from the Bangladesh Bank’s account there to entities in the Philippines and Sri Lanka”.

Four requests, totalling about $81 million, were successful, but a fifth, for $20 million, was stopped when the Deutsche Bank officials who were routing the transfer noticed that the word ‘foundation’ was misspelled ‘fandation’. According to the BBC, the head of the bank, Atiur Rahman, failed to tell the government about the incident, apparently leaving the finance minister, AMA Muhith, to learn of the incident via press reports. Mr Rahman has now resigned.

A note to the criminals: you can buy a lot of dictionaries with $81 million.

Legal hacking offers its rewards too. Google has announced that it’s expanded its bug bounty programme, doubling the top reward “for the persistent compromise of a Chromebook in guest mode” to $100,000, and adding a ‘Download Protection Bypass’ bounty to reward hackers who identify “methods that bypass Chrome’s Safe Browsing protection features.” $100,000 is a few pennies shy of $81 million, true, but “Last year, Google paid security researchers more than $2,000,000” as part of its Security Reward Program. Don’t be evil.

Bug bounty programmes like this can only be a good thing – encouraging security researchers to find vulnerabilities, which can then be addressed, is an essential part of best-practice security, as encouraged by many laws, standards and frameworks. On a smaller scale, if you want to identify the weaknesses in your applications or networks, a penetration test will find them for you so that you can plug your security gaps – and is considerably cheaper than dealing with the aftermath of a breach.

Security researchers at Trustwave, Trend Micro and Malwarebytes have all reported a huge spike in malicious activity last weekend, when a malvertising campaign related to the Angler exploit kit affected several major websites – including msn.com, nytimes.com, bbc.com, aol.com and newsweek.com – by utilising an expired domain that until recently belonged to a legitimate advertising company.

The Angler EK is known to exploit vulnerabilities in Adobe Flash, Java and Microsoft Silverlight, among others, infecting unsuspecting users’ machines with the TeslaCrypt ransomware and the Bedep trojan, which gives attackers remote access. If you’re concerned about the threat of malvertising, make sure that your software is up to date and that all appropriate security patches have been applied.

And that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.
