Robin's Newsletter #96

19 April 2020. Volume 3, Issue 16
Compliance risk and the German state of North Rhine-Westphalia’s loss of €30M-€100M #COVID19 aid because of poor identity verification. Plus DoD and measuring meaningful things. And jumping air-gaps with computer fans.

This week

Knowing your customer in the pandemic age

This week the German state of North Rhine-Westphalia is reported to have lost between €30M and €100M through fraudulent COVID-19 support claims before closing a state aid website.

Cyber-criminals used phishing campaigns to drive residents to complete applications at fake websites they had established. The personal information was then replayed against the official state aid website, but with the bank details changed to match the criminals' bank accounts.

All this was possible because the website did not conduct a sufficient level of identity checks before paying out. Crucially, all the identity information was correct, because it had been supplied by real, legitimate claimants.

The NRW government has now reinstated the website and will only pay out claims to bank details on record that have previously been used to pay taxes.

These ‘know your customer’ checks - which you have probably encountered when being asked to provide physical copies of passports and utility bills when opening new bank accounts, or by uploading digital copies and selfie videos to challenger banks - are commonplace across financial services.

Their purpose is to help identify fraud as well as crack down on individuals trying to avoid international sanctions. Organisations can face hefty fines from regulators for breaching these compliance requirements.

Almost 600 official complaints have been filed in relation to the scam while it’s believed that approximately 1% of the 380,000 claims for government support may have been fraudulent.

The FT picks up the compliance story in the UK, where anti-money laundering company SmartSearch has estimated that 30,000 retail financial services firms in the UK rely on manual identity checks.

As businesses adapt their business models to support remote working and more commerce moves online, that compliance risk increases where cyber security hygiene is poor.

Building identity and security checks into business services should be a priority. Hastily developed technology solutions may be open to replay attacks or not provide the same level of assurance as traditional approaches.

Strengthening identity checks is an obvious area of focus. Other preventative controls like CAPTCHA, or detective controls like fingerprinting and logging, can be used to help reduce fraudulent transactions.

Significant state aid packages are an obvious target, though other monetary transactions - such as government-backed loans - may increasingly be targeted by fraudsters as controls around grants are tightened.
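To make the two controls concrete, here is an added example (not code from the newsletter or from any state aid system) of how a payout pipeline can apply NRW's fix - only pay to a bank account previously used by that claimant to pay taxes - alongside a detective check that flags one account collecting claims from several different identities, which is the signature the replayed applications would have left. The tax records, claims and IBANs are constructed sample data, and the function and field names are this example's own.

```python
"""
Payout triage modelled on the NRW fraud pattern: real identity data,
swapped bank details. Added example with constructed sample data.
"""
from collections import defaultdict

# Constructed: bank accounts each tax ID has previously used to pay taxes.
TAX_ACCOUNTS_ON_RECORD = {
    "TAX-0001": {"DE00111111111111111111"},
    "TAX-0002": {"DE00222222222222222222"},
    "TAX-0003": {"DE00333333333333333333"},
}

# Constructed: incoming claims. C3 carries genuine identity data (TAX-0003)
# but a swapped IBAN, and that same IBAN also appears on C4 from another
# identity, which is how a single receiving account collects many claims.
CLAIMS = [
    {"id": "C1", "tax_id": "TAX-0001", "iban": "DE00111111111111111111"},
    {"id": "C2", "tax_id": "TAX-0002", "iban": "DE00222222222222222222"},
    {"id": "C3", "tax_id": "TAX-0003", "iban": "DE00999999999999999999"},
    {"id": "C4", "tax_id": "TAX-0004", "iban": "DE00999999999999999999"},
]


def normalise_iban(iban: str) -> str:
    """Strip spaces and upper-case so cosmetic differences cannot dodge the match."""
    return iban.replace(" ", "").upper()


def iban_on_record(tax_id: str, iban: str, records=TAX_ACCOUNTS_ON_RECORD) -> bool:
    """Preventative control: pay only to an account this claimant has used to pay taxes.
    A claimant with no tax history at all gets no automatic payout."""
    known = {normalise_iban(i) for i in records.get(tax_id, set())}
    return normalise_iban(iban) in known


def shared_payout_accounts(claims, threshold: int = 2):
    """Detective control: IBANs receiving claims from `threshold` or more distinct
    tax IDs. Returns {iban: sorted list of tax IDs} for the accounts that trip it."""
    by_iban = defaultdict(set)
    for claim in claims:
        by_iban[normalise_iban(claim["iban"])].add(claim["tax_id"])
    return {iban: sorted(ids) for iban, ids in by_iban.items() if len(ids) >= threshold}


def triage_claims(claims, records=TAX_ACCOUNTS_ON_RECORD):
    """Apply both controls. Returns (approved claim ids, {held claim id: reasons})."""
    suspicious = shared_payout_accounts(claims)
    approved, held = [], {}
    for claim in claims:
        reasons = []
        if not iban_on_record(claim["tax_id"], claim["iban"], records):
            reasons.append("iban_not_on_tax_record")
        if normalise_iban(claim["iban"]) in suspicious:
            reasons.append("iban_shared_across_claimants")
        if reasons:
            held[claim["id"]] = reasons  # route to manual review, log for investigators
        else:
            approved.append(claim["id"])
    return approved, held


if __name__ == "__main__":
    ok, held = triage_claims(CLAIMS)
    print("approved:", ok)
    for claim_id, why in held.items():
        print(f"hold {claim_id}: {', '.join(why)}")
```

The preventative check on its own would already have stopped C3 and C4 here; the shared-account check matters for the cases it does not cover, such as claimants with no tax history, and because a held claim that also shares its IBAN with other identities tells investigators which payouts to trace together.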

Interesting stats

862 victims have lost over £2.1M to coronavirus-related scams in the UK, according to figures from Action Fraud

3-4x increase in reports to the FBI's Internet Crime Complaint Centre (IC3)

79% of people admit to sharing their passwords with someone outside their home, and 39% admit to using the same password for every service, according to a survey of 1,500 Americans by Zebra Insurance

Other newsy bits

GAO report finds DoD has lost track of cyber security goals

A Government Accountability Office (GAO) report has found that the US Department of Defense has failed to keep track of dozens of cyber security goals it set to improve basic security hygiene.

The stand-out observation from the report for me was that the status of seven out of seventeen goals is completely unknown because "no one has kept track of the progress." As the old adage goes, 'that which is measured, improves.' If DoD weren't tracking it to begin with, it may not have even been a priority (though I'm sure the goals were all sensible).

‘Measure meaningful things’ is one of the mantras that Cydea (my company) focuses on and earlier this year we published seven principles that help create the right culture, based on insights from work with a private equity firm. Focus on the outcome was one of them.

Getting the basics right is hard and it starts with consistency and the culture created at the top. (Also, you might not want to consider 'military-grade' security software for your next purchase :-))

Digital risk intelligence services take a blow as Pastebin limits API access

So-called 'paste sites' provide a way to anonymously post snippets (or longer pieces) of code or other text. They're used by attackers to post manifestos and make announcements, control botnets and share lists of stolen passwords and personal data. Pastebin is one of the latest such sites, and going through (scraping) all the public pastes made on their site informs a lot of open-source and digital risk intelligence services.

This week those services took a blow when Pastebin, at short notice, removed access to their API and published new terms prohibiting scraping of data from their site. Such intelligence typically gives organisations information about key employees or credentials that may have been compromised, for example. Often researchers also alert the site to harmful and unauthorised content so that it may be taken down.

The backlash from the infosec community is that by limiting access Pastebin is protecting malware authors and cyber-criminals, while failing to tackle the harmful content they host themselves.

In brief

Attacks, incidents & breaches

Threat intel

  • US offers $5M bounty for information on North Korean hackers amid renewed warning to Financial Services sector
  • Fake Netflix, Disney+ pages being used to siphon personal data and scam users
  • FBI warns scientists working on Coronavirus are targets for cyber-espionage as nations seek intelligence on how other countries are responding
  • Patched that Pulse Secure VPN? You'd best change your domain passwords too
  • April's Patch Tuesday from Microsoft includes fixes for two critical vulnerabilities in font libraries that give remote code execution
  • Nemty ransomware-as-a-service group ‘goes private’ to focus on targeted attacks
  • In-the-wild attack against fibre-optic routers to gain remote access
  • (Thwarted) attacks on an airport and hospitals in the Czech Republic

Security engineering

  • Rapid7 launch ‘AttackerKB’ tool to crowd-source data on which vulnerabilities you should care about
  • ‘SkyWrapper’ tool helps to detect intrusions that are persisting by abusing AWS Security Token Service temporary tokens
  • Check if your Internet Service Provider 'is BGP safe yet' (spoiler: they're probably not) and help to prevent hijack attacks like those featured last week (vol. 3, iss. 15)
  • Clipboard hijacking malware found in 725 Ruby libraries on RubyGems
  • Dell releases SafeBIOS Events & Indicators of Attack tool to detect modifications
  • Riot Games' new anti-cheat is a case study on integrity and trustworthy computing

ICS & Internet of Things

  • 'Shakespearean' PoetRAT group targeting government and energy sectors in Azerbaijan, with an interest in SCADA and wind farms
  • ICEBUCKET Scammers are spoofing smart TVs to defraud advertisers


  • Google and Apple talk about the privacy features of their contact tracing solution, while…
  • NHS denies draft memo exploring ‘de-anonymisation’ of contact tracing if ministers “judge that to be proportionate at some stage”

And finally

AiR-ViBeR technique bridges air-gapped systems using computer fans

There have been some brilliant proof-of-concepts in the last year of how variations in screen brightness, ultrasonic waves and even lasers can be used to bridge air-gapped systems. This week it's the turn of the humble computer fan, whirring away to keep your computer from overheating, and now hypothetically leaking sensitive information, to boot.
