Tis the season to be jolly… Jolly cautious that is. I’ve been ‘Spoofed’ and had my data stolen

Tis the season to be jolly… Jolly cautious that is.

For those of you who know me and my almost evangelical pursuit of cyber security, this may come as a surprise. For those who don’t – I am the national lead for KPMG Forensic Technology which includes our Cyber Incident Response services. Within the last few weeks I have been the victim of spoofing and been advised that my data was part of the ‘Starwood’ attack.

Given normal spiking of these types of attacks at this time of year, I thought it timely to share the experience.

The Starwood attack: Starwood is the flagship points program for the Marriott chain and includes a raft of hotel chains around the world including Sheraton, Westin, and W.  If, like me, you travel regularly for work, you are also likely a Starwood member with your precious ‘free nights’ accommodation points, credit card details and other personal information stored within their system.

In what the chain is calling the “Starwood Guest Reservation Database Security Incident”, they advise that in Sept 2018 they detected an unauthorised attempt to access the guest reservation system. Further, it seems that there had been unauthorised access going back to 2014 and the data of over 500 million people was accessed, with over 320 million including details such as credit card and passport details. I am in there somewhere.

Marriott has responded appropriately with identity monitoring and credit checks for a year whilst it investigates, which is entirely appropriate – but my data remains exposed nonetheless. So what do I do?

Of course, I changed my password, but this would not have prevented the attack. If you have a Starwood account, I would also consider a secondary question – do you use the same password elsewhere?  If so wrap yourself on the knuckles and don’t do it again!  I know, I know – sooo many passwords to remember you almost can’t help but do that, but there are alternatives. Encrypted password safes and the like are becoming a fact of life and security organisations are starting to look beyond UserID and password as the gateway to all thing sensitive. There is just too much at risk.

Other than that, taking up the offer of identity monitoring and conducting my own monitoring of my points account and credit card transactions is all I really can do.  It is quite disempowering.

Spoofing: This one is a little more personal and targeted directly at me.  This is more disconcerting and my first thought was that the baddies obviously didn’t do their research in targeting me. In another non KPMG role I have, the finance team received an email from my address requesting assistance in regards to a change of payment processing details. The exact wording was:

“Hi Helen (name changed),

We have recently opened a new bank account on our company y name in Poland. I want you to prepare a direct deposit payment to update the account.

I need your prompt assistance on this matter.

Kind Regards (my real email signature with images etc.)”

Note that there are no links to click or actual details provided – yet.  This is just setting the scene to establish trust and a ‘relationship’ had Helen responded.  Helen is a cyber confident lady and contacted me directly to check on this.  My initial though was that my account had been breached and I immediately changed the password yes – yet another unique one to add to the ever-growing list), however my team confirmed that the email address was indeed mine but that it had been spoofed (faked) and the message had come through the Netherlands and the UK with the address registered via “Go Daddy”.  Given the accuracy of the signature block, an actual email of mine has found its way to their possession at some point. More interestingly, they addressed it to Helen, someone whom I have never previously dealt with, but is in the right place to process transactions, which begs the question where did that information come from?

I’m tempted to respond to the fake me and show you how this plays out to its ultimate goal of extraction of funds… perhaps a topic for another article.

This is not as uncommon as you might think.  Our colleague Gary Gill, a Sydney Forensic Partner who has led some of Australia’s most complex fraud investigations was recently targeted by the ATO scam threatening imminent arrest if an outstanding tax bill wasn’t paid immediately.  Needless to say the ATO does not contact you by phone with a pre-warning that the Police are on their way. They were never going to get that past Gary, but it is indicative that the scattergun approach is alive and well – for the baddies this isn’t always personal but rather ‘throw the net as wide as you can and see what you catch’.

What about you?

Whether you are heading yonder or staying home for Christmas, you will no doubt have your favourite connected device close by taking pics, booking trips, committing memorable moments to social media channels or staying in touch with family and friends. Meanwhile the kids, both big and small, will be all over the latest whiz bang internet connected must have thingy.

When people are winding down and enjoying the festive spirit, cyber security is not front of mind. It is front of mind for those seeking to take advantage. Christmas is a season of increased online scams and fraudulent activity, both at home and at work. We need to remain vigilant to be cyber confident.

Whilst this may seem like common sense, you would be surprised.  Our Forensic Technology team is constantly called to respond to cyber incidents where the first foothold was gained by simplest of measures. This is often followed with the team identifying a raft of personally identifiable or confidential information located in places that it shouldn’t be and accessible to the perpetrator.

You know phishing but what about pharming? Or vishing?  It is a constant learning curve and if it can happen in Australia’s largest protected organisations, do you really think it cannot happen to you? I’m often asked “Why would they target me?” You are a potential gateway.

So what are the most common attacks we are currently seeing and what are the lessons for us all?

Phishing: in all its forms is still the single most effective means of penetration. We are seeing an evolution with background social media research, phone calls and communications before the attack is launched when trust is established. Both at home and at work phishing can open the door to your most sensitive information and it doesn’t matter whether we are talking about an ASX listed entity or your personal data and bank accounts. We are the Human Firewall and a critical part of security strategy so take the time to think about that email.

Not so free WiFi: The exorbitant costs of data roaming when travelling often leads us to access “Free WiFi” wherever possible whilst travelling internationally, particularly airports and hotels.  Is “Airline Lounge WiFi” the same as “Airline_Lounge WiFi”? It is most certainly not – be sure you know which is real.

Man in the Middle:  increasingly common in work environments and in some cases indicative of a broader ‘Business Email Compromise’ breach. Often linked to phishing or Free WiFi whereby the attacker has gained access and is able to search and modify invoices from legitimate vendors and send them from legitimate email accounts, which assist it to look authentic whilst filtering out responses to prevent the victims seeing them. If a communication, request or change is unexpected, you should question and validate it.

Internet of Things: The seemingly never ending race to develop the latest must have gadgets often means associated connectivity security is relegated to an afterthought.  Have you ever wondered why the new device App seeks access to your contacts, pics, location etc or worse makes suggestions to you based on your information prior to asking – meaning that it had already done so? I love tech gadgets, I’m just wary of what I give them access to.  Access at home can be a doorway to access at work, particularly if you connect work devices at home too. Take a little time to understand how these latest gadgets work and what they have access to.

It’s not all doom and gloom however, a level of awareness and a healthy curiosity can be an incredibly effective weapon against these attacks – and with a little effort it will become second nature.

Be Cyber Confident. Keep the cyber Grinch at bay so you can relax and enjoy the festive spirit and all that it entails.

Have a very Merry Christmas and a fabulous New Year.  I’ll be busy getting to know ‘me’ and I’ll let you know how that goes…



Add a comment