MoveIt Hack: What Businesses Should Know and Individuals Should Do

Dozens of global businesses may have been impacted by the MoveIt hack, a cyber attack on a third-party data-transfer provider that has potentially exposed the sensitive personal information of millions of people in the United States alone. Here is what businesses and individuals should know about the hack and how they should respond.

The MoveIt Hack Explained

MoveIt is a data-transfer tool developed by Progress Software that allows businesses to send large volumes of data across the Internet. In a typical MoveIt transfer, data are sent from one user’s account to a web server, then downloaded to another user’s account, completing the transfer.

A Russian hacker group known as Cl0p claims to have used a vulnerability in MoveIt to access the servers that stored the data, exfiltrating millions of records. Data were stolen from a broad range of organizations, including banks, broadcasters, the U.S. Department of Energy and the Oregon DMV, which alone reported approximately 3.5 million records exposed.

Cl0p has posted a growing list of potential targets on the Dark Web and is threatening to publish the data unless the impacted organizations pay a ransom.

It is important to understand what this attack is not and what it is. Though it has been reported as a ransomware attack by some media outlets, it is not a traditional ransomware attack where hackers lock up an organization’s systems and demand a payment to release them. Instead, Cl0p is holding the data it stole hostage and threatening to publish or sell it if impacted organizations do not pay. The MoveIt attack itself was limited to MoveIt servers, and the hackers did not gain direct access to other online systems of their victims. However, the data stolen in the attack may contain information that criminals could use in the future to carry out phishing or pretexting attacks, as well as login credentials or personal information that can be used for identity theft.

The exact nature of what was stolen will vary from organization to organization. In some cases, information about employees was compromised. In others, individual customer records, potentially including Social Security numbers, were stolen. What any organization lost depends on what they sent via MoveIt and what Cl0p was able to access. In remarks to reporters on June 15, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said, “As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred.”

It is possible that Cl0p is overstating the data it actually has. Those who sent data via MoveIt should still have their data, as Cl0p was only able to steal the copies sitting on MoveIt servers.

How Should Businesses React to the MoveIt Attack?

If you use MoveIt, patch the software immediately. Only download the software directly from the Progress Software site. Be alert for additional updates on vulnerabilities and patches from Progress Software. Unpatched software may still be vulnerable to the exploits used by Cl0p.

Assess the potential damage from the MoveIt hack. The start date for the hack is unknown, but it is believed to have begun in late winter or early spring 2023. Examine the records for all MoveIt transfers since January 1, 2023, and the data that were transferred. Assume that these data have been stolen and could be sold to other hackers or published on the Dark Web. Do not assume that paying a ransom will protect your data. Criminals may take your money and sell the data anyway. You must assume that any sensitive information sent via MoveIt after January 1 has been compromised.

Change login credentials. All logins must be updated. This is a good time to consider adding two-factor authentication or a password manager if you do not currently have them.

Alert any potentially impacted clients or customers. Failure to disclose knowledge of a data breach can lead to lawsuits, government fines and possible sanctions on the organization or its senior leaders. If there is any doubt about data theft, assume the data were stolen and notify everyone who was potentially impacted. It is better to over-respond in this situation than to discover that you failed to notify victims.

Discuss phishing and pretexting risks with employees and reinforce protocols. Data stolen in this breach could include both business and personal emails for employees, which could provide fuel for pretexting attacks for the next 12 months. Cyber security employee training can help employees identify and respond to risks, but when the threat of an attack rises, organizations must instill extra vigilance through additional communications. Explain to employees what happened, how the stolen data can be used to commit acts of fraud or theft and how to respond if they receive an unusual or unexpected request from a co-worker or organizational leader.

Step up monitoring. IT and Accounting personnel should be on the lookout for new or unusual behavior. Pay particular attention to an increased number of login attempts, new remote login attempts or very small charges hitting bank accounts or debit/credit cards. These are all possible signs of criminals attempting to validate stolen credentials ahead of a larger attack.

How Should Individuals React to the MoveIt Hack?

Assume your personal data have been stolen. The MoveIt breach is just one of many ongoing data breaches. Most people should assume that their personal information, including passwords, phone number, email and address, has been stolen and is available on the Dark Web. You will take a much more active and stronger approach to online security if you believe your personal information has been compromised than if you assume that it has not.

Freeze your credit. Unless you are applying for credit cards, a mortgage or a loan, freezing your credit is one of the best ways to prevent identity theft. You will need to reach out to each of the three credit-reporting agencies to do this, and to unfreeze your credit if you decide to apply for a loan in the future.

Use two-factor authentication on all sensitive logins. If two-factor authentication is available, you should take advantage of it and ensure that codes are sent to your smartphone rather than an email address that a criminal could compromise. If the sites you commonly use do not require two-factor authentication, consider using a password manager to gain an extra bit of security. The benefit of two-factor authentication is simple: Even if criminals steal your password, they cannot access your accounts without the two-factor authentication code.

Monitor your financial statements closely. Be on the lookout for very small charges, from one penny to just over one dollar, originating from unknown sources, as well as small charges that are quickly refunded to your account. Criminals use these small charges to validate stolen credit and debit cards before they carry out significant attacks. Some legitimate businesses that require access to your bank account will also use this method. When in doubt, contact your bank and ask about the transaction.
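The two monitoring signals described above for IT and accounting staff (bursts of login attempts and logins from previously unseen sources) and for individuals (micro-charges and charge-then-refund pairs) are simple enough to check automatically. The following Python script is an added example and is not code from the original article or from Protect Now; it runs over a constructed, hypothetical login log and a constructed list of card transactions, and the thresholds (a 10-minute window, four attempts, $1.25 as the upper bound of a micro-charge, a three-day refund window) are assumptions to be tuned to your own environment.

```python
"""Added example: flag credential-validation and card-validation signals.

Two detectors:
  1. find_login_anomalies  - a burst of login attempts for one user inside a
     short window, and attempts from addresses never seen for that user.
  2. find_card_validation_charges - micro-charges (one cent to just over a
     dollar) and small charges refunded by the same merchant shortly after.
All sample data below is constructed; users, addresses and merchants are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (hypothetical users and RFC 5737 test addresses).
LOGIN_LOG = """\
2023-06-20T08:01:10 user=jdoe ip=203.0.113.10 result=success
2023-06-20T08:05:42 user=asmith ip=198.51.100.7 result=success
2023-06-20T22:10:01 user=jdoe ip=192.0.2.44 result=failure
2023-06-20T22:10:09 user=jdoe ip=192.0.2.44 result=failure
2023-06-20T22:10:15 user=jdoe ip=192.0.2.45 result=failure
2023-06-20T22:10:22 user=jdoe ip=192.0.2.45 result=failure
2023-06-20T22:10:30 user=jdoe ip=192.0.2.46 result=success
2023-06-21T09:00:00 user=asmith ip=198.51.100.7 result=success
"""

# Hypothetical baseline: addresses each user has logged in from before.
KNOWN_IPS = {"jdoe": {"203.0.113.10"}, "asmith": {"198.51.100.7"}}

# Constructed statement lines: (timestamp, merchant, amount). Negative = refund.
TRANSACTIONS = [
    ("2023-06-18T10:00:00", "Grocery Mart", 54.12),
    ("2023-06-19T03:14:00", "XYZ Digital", 0.01),
    ("2023-06-19T03:20:00", "XYZ Digital", 2.50),
    ("2023-06-19T03:25:00", "XYZ Digital", -2.50),
    ("2023-06-19T12:00:00", "Coffee Shop", 4.75),
    ("2023-06-20T15:30:00", "Utility Co", 120.00),
]


def parse_login_line(line):
    """Turn '2023-06-20T08:01:10 user=x ip=y result=z' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_login_anomalies(log_text, known_ips, window=timedelta(minutes=10), threshold=4):
    """Return {user: details} for users with >= threshold attempts inside one
    sliding window, or with any attempt from an address outside their baseline."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_login_line(line)
            by_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        burst, start = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        new_ips = sorted({r["ip"] for r in recs} - known_ips.get(user, set()))
        if burst >= threshold or new_ips:
            findings[user] = {"max_attempts_in_window": burst, "new_ips": new_ips}
    return findings


def find_card_validation_charges(transactions, micro_max=1.25, refund_window=timedelta(days=3)):
    """Return (merchant, amount, reason) for micro-charges and for charges that the
    same merchant refunds in full within refund_window."""
    parsed = [(datetime.fromisoformat(t), m, a) for t, m, a in transactions]
    flagged = []
    for i, (ts, merchant, amount) in enumerate(parsed):
        if 0 < amount <= micro_max:
            flagged.append((merchant, amount, "micro-charge"))
            continue
        if amount > 0:
            for ts2, m2, a2 in parsed[i + 1:]:
                if m2 == merchant and abs(a2 + amount) < 0.005 and ts2 - ts <= refund_window:
                    flagged.append((merchant, amount, "charged then refunded"))
                    break
    return flagged


if __name__ == "__main__":
    for user, info in find_login_anomalies(LOGIN_LOG, KNOWN_IPS).items():
        print(f"LOGIN  {user}: {info}")
    for merchant, amount, reason in find_card_validation_charges(TRANSACTIONS):
        print(f"CARD   {merchant}: ${amount:.2f} ({reason})")
```

On the constructed data, the login detector flags only `jdoe` (five attempts in under a minute from three addresses not in that user's baseline), and the card detector flags the one-cent charge and the $2.50 charge that was refunded eleven minutes later. Both lists are worth a human look rather than an automatic block: a legitimate new device or a genuine merchant verification charge produces the same pattern, which is why the article says to call the bank when in doubt.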

Be wary of emails about the MoveIt hack. Nearly every high-profile data breach is accompanied by a second wave of phishing attacks attempting to capitalize on it. You may receive official-looking emails from banks or service providers informing you of the breach and asking you to log in to verify your account or update your information. Never click on links in emails or text messages, even if you believe they are legitimate. Open a web browser, go to the verified website for the business and log in there.

Expect a wave of phishing and spam attacks. Any time a major data breach occurs, a rise in phishing and spam attacks follows as recently stolen email addresses and phone numbers get added to criminals’ databases. Be particularly mindful of attacks that spoof popular shopping sites or delivery services, such as Amazon, eBay or UPS. Follow the same rule for emails and texts about the MoveIt attack: do not click on links in emails or texts and log in directly to websites to verify any potential issues. Block any spam messages that you receive and block numbers that send spam or phishing texts.

Maintaining vigilance after a significant data breach can be challenging. Many people and organizations will be alert for a week or two, then assume that things are back to normal if no attacks occur. While there are no hard and fast data on the lag between when data are stolen and when criminals launch attacks, know that a fresh set of stolen data can circulate for up to two years online. High-value data, such as login credentials, may be used by criminals within a few hours to try and compromise additional systems.

Preventing fraud and theft online requires a consistent approach amid evolving threats. Protect Now offers in-depth seminars and online cyber security employee training that raises vigilance and empowers employees to recognize and stop cyber threats. To learn more, contact us online or call us at 1-800-658-8311.

AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France-Presse via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France-Presse involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that the caller claiming to be the CEO will sound like a machine, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Businesses should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies and protocols that mandate a second set of eyes on unusual coworker or client requests are the best ways to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Pretexting Attacks Nearly Double in 2023: What Business Owners Need to Know

Pretexting attacks, many launched through Business Email Compromise (BEC), have nearly doubled in 2023 according to the Verizon 2023 Data Breach Investigations Report. First, the costs: Based on 16,312 data security investigations that found 5,199 confirmed breaches in the past year, Verizon determined that 74% of all breaches involved human actions, and 97% of breaches were financially motivated. Business Email Compromise attacks accounted for more than half of the attacks Verizon documented, with a median of $50,000 stolen per attack.

For more intrusive system compromise attacks, more than 95% of attacks resulted in business losses between $1 and $2.25 million. Training employees to recognize and thwart these attacks is far less expensive than the remediation and recovery that may be needed after a successful attack. Employees need to know what pretexting is, how it works and how to respond to it.

What Is Pretexting?

Pretexting is a form of phishing where the criminal gains the trust of an employee by pretending to be a vendor, business partner or coworker. Some examples of pretexting include the following:

  1. An IT team member contacts an employee and asks them to download software to perform system maintenance.
  2. A senior leader or executive contacts an employee and asks them to buy gift cards for a client or a company promotion, then asks for the gift card codes so they can be distributed immediately.
  3. A client asks for a regular delivery to be routed to a new address.
  4. A vendor asks for credit card information to resolve a payment problem.
  5. A bank employee asks for account access to resolve a problem.
  6. A coworker sends a text that reads, “Let me know if you get this text.”

All of these are real-world examples of pretexting scams. The criminal creates a pretext, a scenario that asks the targeted employee to take action personally. This can include downloading malware or programs that allow remote access to devices, providing logins or providing two-factor authentication codes.

Criminals who use pretexting scams have varying degrees of sophistication. Text-based scams tend to be the most common and least sophisticated. Pretexting scams that involve email may include convincing duplicates of company, client or business email templates or websites, as well as return addresses that are virtually indistinguishable from legitimate emails. The criminal attempts to gain trust, relying on the employee’s desire to be helpful or resolve a business problem.

These attacks are rising in frequency because they are successful. Most employees have been trained to ignore requests from strangers and to go directly to websites instead of clicking on links in emails. What these employees often are not prepared for is a criminal who wants to communicate with them directly. The pretext catches them off guard. A criminal would never call and pretend to be a client, or text and pretend to be a CEO, would they?

How to Stop Pretexting Attacks

Businesses of every size must include pretexting awareness as part of cyber security employee training. Employees with access to company finances, customer and employee data or system credentials should be the top priority for this training, but it must extend to every member of the workforce to be effective. If criminals believe they can steal thousands of dollars from your company, they will probe every possible weakness to try and get a foothold in your organization.

It is equally critical to train remote and hybrid employees who spend only part of their time in the office. This has emerged as a significant training gap in many organizations, and it is a ripe target for pretexting. At a minimum, you must continually remind employees that you will never text them asking for a response or to purchase anything. Establish protocols for times when IT must work with employees remotely. Make sure employees know who the IT staff are and provide a mechanism to verify that they are speaking with a coworker rather than a criminal. Provide an email address for a staff member who is always available in case an employee needs to verify an IT request.

Be wary of what you share online about your company and its people. Criminals will mine your About and Staff pages for names, emails and titles that they can use for pretexting. They will read your press releases to learn about your vendors and clients. Unprotected digital assets, including site code and images, can be used to create spoofed versions of your website or company emails to trick employees.

As with other social engineering scams, a skeptical employee can be the best defense. Employees should be continually reminded to stop and think if an interaction seems strange and to verify any unusual requests with a trusted co-worker by voice or in person.

Protect Now will help you stop pretexting, phishing and other social engineering attacks with our CSI Protection Certification program, designed for the specific needs of small- and mid-sized businesses and available via in-person seminars, virtual seminars or eLearning. Contact us online to learn more, or call us at 1-800-658-8311.