Cybercrime—A Primer
9/8/2020
Frederick Scholl
MS Cybersecurity Program Director
How do we prevent cybercrime?
• Lies, damn lies and statistics
• Sometimes cyber crime statistics can be overwhelming
• Cyber crime research through stories
• Research done by using court transcripts
• Breaches caused by people lapse + technology lapse
Five Perspectives of Cybercrime
• Loss of privacy
• Trade secret theft
• Business Email Compromise
• PII breaches (Personally Identifiable Information)
• Ransomware
Cybercrime is Here to Stay
• Cell phone subscriptions = 7.5 B
• Internet access = 3.9 B people
• GDP per capita per year
  • Qatar = $138,910
  • Central African Republic = $700
• Population of sub-Saharan Africa = 2 X China by 2099
Protecting Your Privacy
• US v. AK 2016-17: Maryland district
• JK gets romantically involved with AK; they break up 5/2016
• AK took over the following accounts: Facebook, Yahoo, Instagram, Nelnet, Apple, TurboTax
• Sent spoofed threatening messages from JK to himself
• Had JK’s clients discontinue their insurance
• Had JK arrested and jailed 6 times; filed protective order against her
Protecting Your Privacy
• Monitor privacy settings on all social media platforms
• Use a password manager (LastPass, Dashlane, etc.)
• Use Multi Factor Authentication
• Protect even accounts without financial impact
• Jumbo Privacy (www.jumboprivacy.com)
Google Authenticator for MFA
• One Time Password
• Send time token protected by
  • Secret Key (QR code)
Trade Secret Theft: Robbing Children
• Internal and External
• US and China agree to not “conduct or knowingly support cyber-enabled theft of intellectual property” for commercial gain! (2015)
• Nationwide Children’s Hospital, Columbus Ohio
• YZ and LC worked at NCH from 2007-2017 doing exosome research and…
• Started Chinese company offering exosome research and services in 2015
• Started US company offering exosome research and services in 2016
• Worked for the Chinese State Administration of Foreign Expert Affairs Agency
• Sent NCH trade secrets to Chinese and personal email accounts
Solutions: Trade Secret (Insider) Theft
• Attack went on for years
• Technology: Data Loss Prevention (DLP)
• Middle management requirements
  • More training on how to manage risk
  • Supervision of employees
• Privileged Access Management Systems
• DLP
BEC (Business Email Compromise)
• Use of email to steal funds from corporate accounting
• The $15m “emergency” that needed to be addressed
Diagram: Hackers; Chuck Elsea; Controller: Kevin McMurtry; Outside attorney; Hackers’ Bank
#1: Email to Controller
• Sender: hacker
• From address: ft-809@outlook.com
• Spoofed sender: Chuck Elsea, CEO
• To address: kmcmurtry@scuolar.com
• Body: “I have assigned you to manage file FT 809. This is a strictly confidential operation to which takes priority over other tasks”. Regards, Chuck Elsea
Red flags: Non-standard address; Bad English
#2: Second Email to Controller
• Sender: hacker
• From address: ft-809@outlook.com
• Spoofed sender: Chuck Elsea, CEO
• To address: kmcmurtry@scuolar.com
• Body: “For the last months, we have been working on acquiring a Chinese company. Please reach out to attorney Rodney Lawrence for information on where the funds need to be deposited Rodney.Lawrence@kpmg-office.com”
Red flags: Non-standard addresses (sender and attorney); Bad English
#3: Third Email to Controller
• Sender: hacker
• From address: Rodney.Lawrence@kpmg-office.com
• Spoofed sender: Chuck Elsea, CEO
• To address: kmcmurtry@scuolar.com
• Body: “Please see here the below wire details. Shanghai Pudong Development Bank, Amount USD $780,000. Regards, Rodney Lawrence, KPMG”
Red flags: Non-standard address; Started small
#4: Fourth Email to Controller
• Sender: hacker
• From address: ft-809@outlook.com
• Spoofed sender: Chuck Elsea, CEO
• To address: kmcmurtry@scuolar.com
• Body: “SEC require us to close the deal by Monday. In order to avoid any penalties, we will execute the wire immediately. Balance to pay: $7,020,000. Please proceed asap with the wire. Chuck”
Red flags: Non-standard address; Bad English
Lessons Learned
• Check email addresses and content!
• Don’t publicize your back office staff
• Management authorizations and signature level
• Office 365 has “Advanced Threat Protection” but it doesn’t stop account takeovers
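"Check email addresses and content" can be turned into mechanical checks that a mail gateway rule or a SOC triage script applies to the four emails above. The code below is an added example, not the company's or any product's logic: the executive list, free-mail list, partner-brand list and urgency phrases are constructed assumptions; the addresses and message text come from the slides.

```python
from email.utils import parseaddr

CORP_DOMAIN = "scuolar.com"                    # controller's domain on the slides
EXECUTIVES = {"chuck elsea": CORP_DOMAIN}       # display name -> legitimate domain (assumed)
FREEMAIL = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}
PARTNER_BRANDS = {"kpmg": "kpmg.com"}           # counterparty brand -> real domain (assumed)
URGENCY = ("immediately", "asap", "strictly confidential", "priority", "penalties")

def check_from(header: str) -> list:
    """Flag display-name spoofing, free-mail senders and partner lookalike domains."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display-name spoof: '{name}' sent from {domain}, expected {expected}")
    if domain in FREEMAIL:
        findings.append(f"free-mail sender: {domain}")
    for brand, real in PARTNER_BRANDS.items():
        if brand in domain and domain != real and not domain.endswith("." + real):
            findings.append(f"lookalike domain: {domain} resembles {real}")
    return findings

def check_body(body: str) -> list:
    """Flag pressure language and wire instructions that should force out-of-band verification."""
    low = body.lower()
    findings = [f"urgency cue: '{w}'" for w in URGENCY if w in low]
    if "wire" in low and "$" in body:
        findings.append("wire instructions with amount: confirm by phone on a known number")
    return findings

def score(header: str, body: str) -> int:
    """Total number of red flags; a payments workflow can hold any message scoring > 0."""
    return len(check_from(header)) + len(check_body(body))

# Constructed messages mirroring emails #1 and #4 from the slides
EMAIL_1 = ('"Chuck Elsea" <ft-809@outlook.com>',
           "I have assigned you to manage file FT 809. This is a strictly "
           "confidential operation to which takes priority over other tasks.")
EMAIL_4 = ('"Chuck Elsea" <ft-809@outlook.com>',
           "SEC require us to close the deal by Monday. In order to avoid any "
           "penalties, we will execute the wire immediately. Balance to pay: "
           "$7,020,000. Please proceed asap with the wire.")
```

The "started small" pattern in email #3 is the reason the amount check is tied to the wire keyword rather than to a threshold: a payment process that only escalates large wires would have cleared the first $780,000.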
PII* Breaches: Fixing Technical Vulnerabilities
• Started in Woolford, MD as credit reporting service
• Equifax—145 million records breached 2017
• US charges PLA members with the crime (2/2020)
Dispute Resolution System: ACIS, running on “Apache” software
* PII = Personally Identifiable Information
What Happened?
• On March 8, US DHS publishes a bulletin about a critical vulnerability (fix within 48 hours) in Apache software
• The process of fixing software vulnerabilities is “patching”
• March 9: Equifax security team notifies CIO (GP) that the ACIS system needs “patching”; CIO missed the email
• July 29: suspicious activity noted on ACIS from China
• Breach made public on September 19, 2017
PII Breaches: Fixing Technical Vulnerabilities
• First American Title—850 million documents exposed 2017-2019
• Started in Orange County, CA 1889
• Any user could see any other user’s information (SSN, finances, etc.)
FAST: online title document repository
What Happened: First American
• Vulnerability was created in 2014
• Discovered in December 2018 by FA’s Cyber Defense Team
• Report sent to application team management
• No action taken
• Misclassified security risk as low
• Didn’t fix within the required 90 days
• Journalist published this information in May 2019
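"Any user could see any other user's information" describes a missing object-level authorization check on a document lookup. The following is an added illustration, not First American's code or data: a constructed document store with the defective lookup beside a hardened one that checks ownership, returns one indistinguishable error for "missing" and "not yours", and records refusals so a defense team can spot sequential id probing.

```python
from dataclasses import dataclass

@dataclass
class Document:
    doc_id: int
    owner: str
    contents: str   # in the real case: SSNs, bank details, closing documents

# Constructed sample repository (not real records)
DOCS = {
    1001: Document(1001, "alice", "Alice's closing statement"),
    1002: Document(1002, "bob", "Bob's wire instructions"),
}
DENIALS = []   # constructed audit log of refused reads

class Forbidden(Exception):
    pass

def vulnerable_get(doc_id: int, requester: str) -> str:
    """The defect the slide describes: lookup by id only, the requester is never checked."""
    return DOCS[doc_id].contents

def hardened_get(doc_id: int, requester: str) -> str:
    """Object-level authorization: a document is returned only to its owner."""
    doc = DOCS.get(doc_id)
    # one error for 'missing' and 'not yours', so responses do not reveal which ids exist
    if doc is None or doc.owner != requester:
        DENIALS.append(f"user={requester} doc={doc_id}")
        raise Forbidden("document not found")
    return doc.contents

def safe_read(doc_id: int, requester: str):
    """Convenience wrapper: contents on success, None when access is refused."""
    try:
        return hardened_get(doc_id, requester)
    except Forbidden:
        return None

def denials_for(user: str) -> int:
    """Detection hook: a burst of refusals from one account is the signal for id probing."""
    return sum(1 for entry in DENIALS if entry.startswith(f"user={user} "))
```

The 90-day remediation clock on the previous slide starts when the Cyber Defense Team files the report; a risk rating of "low" for a flaw that exposes every customer's SSN is the misclassification the lessons slide warns about.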
Lessons Learned Fixing Vulnerabilities
• Fix your remediation process first, not your vulnerability
• Educate boards and senior management
• Keep track of risks, not just vulnerabilities
Controlled Unclassified Information: if you want to do business with the Federal government
Ransomware Breach: Atlanta
• A type of extortion
• SamSam Ransomware
• Atlanta spent $2.6 million to recover
• Mansouri and Savandi indicted Nov 2018 (Iran)
Attack Paths (diagram): Back Office Data; Phishing; Web Portal; Remote Access; Managed Service Providers
Ransomware Trends
• MAZE
• REvil
• Nemty
• DoppelPaymer
Diagram: Affiliates; Target; Bitcoin Payment; GandCrab founder arrested August in Belarus
Ransomware: Lessons Learned
• Not a special animal; attacks the same as other threats
• Use the same prevention methods
• Recovery: use the tried and true 3-2-1 backup method
  • Three copies of data
  • Two media types
  • One copy offsite (not connected)
Information Security: A Team Sport
• People are partly responsible for security breaches, but also need to be the best defense
• Executives: Culture, Strategy, Policy
• Middle Management: Execution, Tactics, Supervision, Controls
• Line workers: Follow Process, Procedures, Standards
• Technology matters, but is not “all important”
Trends: The Near Future
• More COVID related attacks; don’t rely exclusively on technology to protect
• Election related scams will exponentially increase
• Biggest risk is disinformation
Thank You
