Security Experts Respond to a New Wave of Recent Incidents

Cybersecurity experts weigh in on some recent cybersecurity incidents — including an Italian bank, a retail breach, video game money, voicemail messages and domain registry — and reveal dangers within the digital ecosphere.

UniCredit, an Italian global banking and financial services company, reported a compromised file, generated in 2015, is the source of the latest breach of emails and phone numbers of three million of its domestic clients. This is the third security incident at Italy’s top bank in recent years. Unicredit said it has spent 2.4 billion euros since 2016 to upgrade its IT systems and improve its cybersecurity.

Jelle Wieringa, technical evangelist at KnowBe4, said, “Spending money in itself isn’t enough. Organizations need to spend it where it will matter most, where they get the best bang for the buck (or Euro). Around 91% of all successful data breaches happen through the use of social engineering. Bad actors manipulate users to gain entry to whatever assets they want, which makes securing the human factor of the organization a priority. The most efficient way to safeguard the human factor is by helping employees to make smarter security decisions through ongoing security awareness training.”

James Carder, chief information security officer and vice president, LogRhythm Labs, warned, “This data breach unveils how inadequately cybersecurity tools are implemented and utilized, and proof that you cannot just throw a bunch of money at the problem.” Carder added, “In today’s modern, data-centric landscape, customers’ personally identifiable information) is more vulnerable to attack than ever before. There is no doubt that there are thousands of financial institutions with sensitive data stored that have similarly been compromised and have yet to find the threat.”

Vinay Sridhara, CTO of Balbix, maintained any organization entrusted with customer information must ensure the integrity of that data, especially financial institutions. “Even though the exposed information did not include any financial information, or the credentials required to access client accounts, the simplicity of this attack showcased how vulnerable banks and other financial corporations are to threat actors.” He noted, “It is imperative that UniCredit and other financial institutions’ security teams adopt a proactive cybersecurity strategy in order to safeguard consumer data and comply with regulations including EU’s GDPR and California’s CCPA.”

Bed, Bath and Beyond announced in an SEC filing it discovered a third party acquired e-mail and password information from a source outside of the company’s systems. It reported the incident affected less than 1% of the company’s online customer accounts and did not affect any payment cards.

Javvad Malik, security awareness advocate, KnowBe4, suggested, “It should serve as a reminder to all companies that employee training is important, so that they do not put the company at risk through actions outside of work. In addition, technical controls such as two-factor authentication, and monitoring controls could have detected and prevented the attack.”

Players can no longer resell container keys, purchased with real money and used to unlock the loot boxes of the video game “Counter-Strike: Global Offensive” because of their use to launder money. “In the past, most key trades we observed were between legitimate customers,” the company wrote on the Counter-Strike blog. “However, worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains.” The blog said at this point they believe nearly all key purchases traded or sold on the marketplace to be fraud-sourced. “As a result, we have decided that newly purchased keys will not be tradeable or marketable.”

Kevin Gosschalk, CEO of Arkose Labs, said, “The gaming industry is booming and is expected to reach $174 billion by 2021. The growth the industry is experiencing makes it an attractive and lucrative target for fraudsters. Gaming merchants are, by design, a high transaction digital good providing service. Because you cannot delay a digital gaming transaction for several days like you can on a physical goods purchased online, the window for a gaming company to screen transactions is very limited — which enables more fraud to slip through.”

Gosschalk noted because the keys now connect to the purchasing account to avoid further fraudulent activity this only opens up doors for hackers to commit different types of fraud. “Like account takeovers, which are the result of high-profile data breaches that make credentials and customer data readily available for purchase on the dark web.”

McAfee researchers reported an uptick in phishing scams using audio voicemail messages targeting Microsoft Office 365. McAfee researchers stated. “At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies targeted.”

Colin Bastable, CEO of security awareness and training company Lucy Security, noted brands build trust and credibility at immense cost to, so it makes sense for hackers to misuse brands. “we see these attacks every day, and our job is to expose and educate our customers’ employees to real-world experiences. That requires a wide range of simulated attacks, from the vanilla email hyperlink phish to elaborate attacks disguised as messages from real brands.”

Brian Krebs in his Krebs on Security blog reported domain registry firm Web.com, which operates a portfolio of brands also including Network Solutions and Register.com, said in a written statement that a third-party gained unauthorized access to a limited number of files, but no credit cards, in late August 2019. The Jacksonville, Fla.-based firm said the information exposed included contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder.

Alexander García-Tobar, CEO and co-founder of Valimail. Commented, “Network Solutions’ data breach exposed accountholders’ contact and service information, which is all that cybercriminals need to execute highly tailored, convincing phishing attacks and impersonation attempts. Phishing campaigns often follow hot on the heels of breaches like this, targeting the victims with fake security warnings that look like they came from the breached company. If successful, these attacks can lead to account takeover, identity theft and other scams.”