Malaise for the Malays

We have seen some fairly major breaches recently, most notably the total on-going clusterf**ks at Equifax, an organisation that are still finding it difficult not to repeatedly shoot themselves in what must be now, very sore feet.

It turns out, in the continuing unfolding corporate PR disaster area, that Equifax failed to inform the FCA about the breach – the FCA heard about it, like we did, on the radio. They have also decided to notify breached customers via good old Postman Pat rather than electronically to restrict the potential for crooks to use any emails as a phishing vector, which we know they are already doing. So if you get an email from Equifax, be careful what you click on.

You would have thought that you could put big money on Equifax being the ‘Breach Of The Year’, but you would have thought wrong. Step forward the country of Malaysia where it was revealed this week that personal details of almost the entire country’s population have been leaked and are available for sale on The Dark Web (mwahahaha).

That’s right, the whole country has been PWNED.

According to the Malaysian rag The Star, presumably a more reliable source of news than our own Daily Star (which wouldn’t after all be very hard), the details of 46.2 million phone subscribers have been syphoned from various telcos together with 80,000 odd sets of medical details from the Malaysian Medical Council.

Not bad for a country with a population of 32 million! This figure clearly includes the people with more than one phone (presumably not drug dealers in Malaysia) and temporary numbers used by tourists.

The opportunities for identity theft are enormous, so if you get an email from a Malaysian asking you about your credit rating, be extra cautious! Seriously though, if you deal with Malaysians, make sure they are who they say they are.

As they often say in Malaysia: Hoverkraf saya penuh dengan belut.

Also in Malaysia, as well as Russia and Armenia, Kaspersky has disclosed via its SecureList that a new crew of cyber bank robbers are doing the rounds. Dubbed the Silence it seems that this outfit is operating like Carbanak, in fact the very same master criminals probably staff it.

It will come as absolutely no surprise that the attack vector for these attacks on banks is Phishing (probably of the Spear variety) followed by very patient data gathering and lateral infection via emails sent from the initially infected machine, which obviously appear to be totally bona fide.

In discussions with customers this week we have been discussing the volume of Phishing attacks and every one of them say the same thing, they are on the rise. They will continue to grow and become more sneaky and devious.

It is imperative that in addition to technological controls you train your staff, run awareness programmes and test yourselves with some ‘dummy’ phishing campaigns. It is probably a good idea to continue to preach to your families and friends too because their breach could become your business all too quickly.

ITC can support you in developing awareness campaigns, arrange test phishing activity and recommend technologies to minimise the risk of a Phishing campaign doing for you. If you would like to talk to us, click here or alternatively email us at [email protected] or call 0207 517 3900.