
Cyber Brief for CFOs: December 2023

Shanna Hall

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.

Eftsure’s 2023 recap

Two major trendlines stood out to us over the last 12 months: the massive increase in the number of fraud attempts, as well as the growing complexity of tactics involved in those attempts. This year saw a nearly three-fold increase in the average number of fraud attempts detected per week, compared to 2022. And, perhaps unsurprisingly, that activity spiked toward the end of the financial year, from April to June. 

In previous months, we touched on the growing complexity and sophistication of some fraud attempts. Most concerning, malicious actors have started infiltrating both the target organisation and its supplier, creating intricate threads of emails and communications that make the fraud attempt appear even more convincing.

We’ve also seen some organisations targeted multiple times, with various invoices totalling millions of dollars per attempt. However, that doesn’t mean fraudsters are only targeting large organisations or going after large sums of money. Prevented fraud attempts ranged from only a few hundred dollars to millions.

The takeaway for 2024? Organisations of all sizes are fair game in the eyes of scammers, and we expect to see more sophisticated tactics unfolding amid a larger volume of attempts.

‘BIN attacks’ use small businesses as testing grounds for fraud

Cybercriminals are increasingly exploiting small business websites for BIN attacks, a method involving the use of stolen credit card numbers for fraudulent transactions. These attacks start by using a card’s Bank Identification Number (BIN) to guess valid card details, followed by testing the card’s validity through minor online purchases. Then, the validated card numbers are either sold or used for larger fraudulent activities. 

Preventing these attacks is challenging, so be on the lookout for small, suspicious transactions. According to figures from the Australian Payments Network, payment card transaction fraud totalled $577 million in 2022, a 16.5% increase compared to the previous year.
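Because card-testing bursts look like many tiny authorisation attempts spread over freshly guessed card numbers that share one BIN, the pattern is visible in a merchant's own transaction log. The script below is an added illustration written for this brief, not an Eftsure product or anything from the Australian Payments Network: it groups small-value attempts by BIN, slides a time window over them, and raises an alert when one BIN produces many attempts across many distinct cards. The sample log, the dollar threshold, the window length and the attempt counts are all constructed assumptions that a finance or fraud team would tune to its own volumes.

```python
"""Flag card-testing ('BIN attack') patterns in a payment authorisation log.

Added example for illustration. Sample data and thresholds are constructed,
not drawn from any real merchant or payment network. The BIN is taken as the
first six digits of the card number; masked PANs keep the last four so that
distinct cards under one BIN remain distinguishable.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMALL_AMOUNT = 5.00                 # assumed: test purchases are a few dollars
WINDOW = timedelta(minutes=10)      # assumed: a testing burst fits in 10 minutes
MIN_ATTEMPTS = 5                    # assumed: 5+ small attempts from one BIN
MIN_DISTINCT_CARDS = 3              # assumed: guessing yields many different PANs

# Constructed authorisation log: (timestamp, masked PAN, amount in AUD, result).
# The 411111 burst is the pattern to catch; the other rows are ordinary trade.
SAMPLE_LOG = [
    ("2023-12-01T09:00:05", "411111******0001", 1.00, "declined"),
    ("2023-12-01T09:00:09", "411111******0002", 1.00, "declined"),
    ("2023-12-01T09:00:14", "411111******0003", 1.00, "approved"),
    ("2023-12-01T09:00:20", "411111******0004", 1.50, "declined"),
    ("2023-12-01T09:00:27", "411111******0005", 1.00, "declined"),
    ("2023-12-01T09:00:33", "411111******0006", 2.00, "approved"),
    ("2023-12-01T09:15:00", "522222******7788", 149.95, "approved"),
    ("2023-12-01T10:30:00", "522222******7788", 3.50, "approved"),
    ("2023-12-01T11:00:00", "601100******4321", 2.00, "approved"),
]


def bin_of(masked_pan: str) -> str:
    """Bank Identification Number: the leading six digits of the card number."""
    return masked_pan[:6]


def detect_card_testing(log, small_amount=SMALL_AMOUNT, window=WINDOW,
                        min_attempts=MIN_ATTEMPTS, min_cards=MIN_DISTINCT_CARDS):
    """Return one alert per BIN whose densest window of small-value attempts
    meets both the attempt-count and distinct-card thresholds."""
    by_bin = defaultdict(list)
    for ts, pan, amount, result in log:
        if amount <= small_amount:          # only low-value attempts matter here
            by_bin[bin_of(pan)].append((datetime.fromisoformat(ts), pan, result))

    alerts = []
    for bin_prefix, events in by_bin.items():
        events.sort()                       # chronological; tuples sort by time first
        best, start = [], 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]

        cards = {pan for _, pan, _ in best}
        if len(best) >= min_attempts and len(cards) >= min_cards:
            declined = sum(1 for _, _, r in best if r == "declined")
            alerts.append({
                "bin": bin_prefix,
                "attempts": len(best),
                "distinct_cards": len(cards),
                "decline_rate": round(declined / len(best), 2),
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG):
        print(alert)
```

A high decline rate alongside many distinct cards is the distinguishing mark: a legitimate customer retrying a single card produces one PAN, while a batch of guessed numbers produces many, most of which the issuer rejects. The approved rows inside the burst are the ones to pass to the acquirer, since those are the card numbers that have just been validated for resale or larger fraud.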

Vulnerability found in LastPass and other password managers

Security researchers have identified a significant vulnerability, dubbed AutoSpill, in six popular password managers used on Android devices: Dashlane, 1Password, LastPass, Enpass, Keeper, and Keepass2Android.

The flaw compromises the Android autofill function, allowing hackers to circumvent the security of the autofill feature and potentially expose user credentials. The vulnerability occurs when an Android app uses WebView, a Google component for displaying web content, to request a login page. Instead of solely filling in the credentials on the intended login field, the flaw enables these details to be accessed by the host app. 

This issue is particularly concerning in common scenarios like opening hyperlinks in apps such as Skype or Gmail, or using ‘Login with Apple/Facebook/Google’ buttons within third-party mobile apps.

Government releases 2023-2030 Australian Cyber Security Strategy

Australia’s long-awaited national cybersecurity strategy landed last month. As we’ve reported previously, the $586 million strategy establishes six ‘shields’ in a bid to create multi-layered defences and a collaborative, cross-sector approach. 

The 2023-2030 Cyber Security Strategy focuses on safeguarding government, businesses and individuals from cyber threats. Key initiatives include a ransomware playbook for businesses, cyber awareness programs and a mandatory reporting scheme for businesses. The strategy also contemplates a single portal for reporting cyber incidents and a voluntary scheme to evaluate the cybersecurity of smart devices. 

The strategy also includes $26 million to establish ‘rapid assistance’ cyber expert teams to support Pacific Island nations against escalating online threats from criminal groups and hostile states. 

Major Gmail security update aims to reduce spam 

Google has introduced a significant security upgrade for Gmail, an email app with 1.8 billion users. Powered by artificial intelligence (AI), the update is centred around the Resilient & Efficient Text Vectorizer (RETVec). RETVec enhances Gmail’s ability to identify and flag harmful content in emails, such as phishing attempts, by improving text classification models.

These models previously struggled against adversarial text manipulations used by malicious actors. Google claims that RETVec not only boosts spam detection by 38% and reduces false positives by 19.4%, but it also cuts down computational costs by 83%, making it a major advancement in Gmail’s defences.

Watchdog says super fund had ‘significant cyber deficiencies’

The Australian Prudential Regulation Authority (APRA) has directed NGS Super to engage external advisors for a cybersecurity review and to remediate any impacted customers. This action follows a hack earlier this year that compromised significant customer data. 

NGS Super manages $14 billion for 114,000 customers. Finding substantial weaknesses in its cyber controls, APRA has imposed additional conditions on its financial services licence and demanded improvements. This comes after APRA’s deputy chairwoman, Margaret Cole, warned super funds of the need for a drastic increase in cybersecurity measures, urging them to be “bold and brave” in making necessary changes to protect customers from cyber threats and fraud.
