Month: March 2020

In July 2019, Gulf News reported on an apparent multimillion-dollar fraud involving the disappearance of some 6,000 tons of rice that Indian exporters had shipped into Dubai.  According to Gulf News, the 6,000 tons of rice disappeared – as did the company in whose name the rice was ordered and its ostensible representatives, whose checks (at least some of which were postdated) for the rice purchases, the warehouse from which the rice disappeared, and airline tickets bounced due to insufficient funds — without a trace.  At that time, the Dubai Public Prosecutor ordered police in the Jebel Ali district of Dubai to investigate possible fraud by six men and two companies, including a Dubai money exchange, in the case.

On March 6, Dubai authorities reportedly made their first arrest in the case.  The individual, a 52-year-old Indian national, was released on bail two days later.  It is not clear whether the conditions of that individual’s bail prohibit him from leaving Dubai while the investigation proceeds.

Note:  This initial report may be heartening to the 20 or more Indian rice exporters who were victimized by the fraud.  It nonetheless underscores the need for exporters in general to pay attention to indicia of trading fraud schemes, which have plagued the United Arab Emirates for some time. As the Indian Consulate in Dubai tweeted after the arrest, “Indian traders especially those in rice should take due precautions specially on terms and mode of payment [Ed. – postdated checks] to avoid such situations.”

As the coronavirus pandemic intensifies its grip around the world, it may be difficult for people who constantly seek new information about it online to recognize that cyber-attackers have no compunctions about exploiting popular fear and uncertainty for their own benefit.  Two recent reports indicate that malicious actors are actively exploiting people’s concerns about coronavirus to infect computers with malicious code.

On March 5, software firm Check Point reported that since January 2020, there have been more than 4,000 coronavirus-related domains registered globally.  For example, according to CheckPoint data, weekly coronavirus-related domain registrations rose rapidly from approximately 100 as of January 13 to nearly 1,000 as of January 27 and nearly 1,000 as of February 10.  Check Point found that of those 4,000 registered domains, 3 percent were found to be malicious and an additional 5 percent are suspicious.  CheckPoint also concluded that coronavirus- related domains are 50 percent more likely to be malicious “than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s day.”

In addition, CheckPoint reported that “a widespread targeted coronavirus themed phishing campaign was recently spotted targeting Italian organizations.”  That campaign reached 10 percent of all organizations in Italy “with the aim of exploiting concerns over the growing cluster of infections in the country.”

On March  11, The Next Web reported that a security researcher at Reason Labs found that hackers are exploiting organizations that have created dashboards to track the spread of coronavirus “to inject malware into computers” and steal users’ information such as user names, passwords, credit card numbers that are stored in users’ browsers.  The researcher found that hackers are designing websites that “pose as genuine maps for tracking coronavirus, but have a different URL or different details from the original source.”

Note:  As more and more employees are working from home during the pandemic, they are likely to be using their computers for extended periods for both work and personal purposes.  For that reason, information-security officers in all types of organizations should bring these reports to the attention of all corporate employees, and provide the following directions:

• Do not use your work computers to search for information about coronavirus developments. Even a single point of entry for a cyber-attacker can potentially result in compromise of an entire network.
• When you use your personal computer to seek out coronavirus information, do not click on every site that purports to offer virus-tracking or -reporting information, as “lookalike” domains are highly likely to be malicious. Instead, use only dashboards that you have verified come from the actual organizations presenting those dashboards.
• Ignore any websites, emails, posts, or texts that promise information about coronavirus “cures” or vaccines – there are none, according to the Centers for Disease Control and Prevention.
• If you see purportedly coronavirus-related emails, websites, or domains that appear suspicious, do not click on any of those links, but report them to a designated email address in your organization for reporting spam and fraudulent emails.

On March 9, according to Gulf News, the Dubai Court of First Instance sentenced a Dubai manager at an unnamed government entity to five years’ imprisonment, a fine of Dh1.85 million (US $503,587), and repayment of that amount “for taking more than Dh1 million [US$ 272,209] in bribes to facilitate unauthorised payments and procedures.”

The Court of First Instance reportedly stated that the unnamed defendant “sought a Dh1 million bribe from a contracting company in return for facilitating a payment of Dh50 million [US$13.6 million] on a project the company had won with a government entity,” and “accepted Dh856,000 [US$233,000] in bribes from three other companies in return for helping them be listed as service providers with the government entity, between November 9, 2017 and July 5, 2018.”  Records showed that Emirati police received information about the manager’s bribe-taking, and authorities arrested him “after setting a trap for him.”

In addition to the manager, four other unnamed defendants, all Indian nationals, were convicted and sentenced in the case.  One of those defendants, who “was convicted of mediating between the Emirati defendant and the bribing companies,” was sentenced to five years’ imprisonment, a Dh100,000 (US$27,220), and deportation.  The three other defendants, “who worked at the companies which paid the bribes,” were convicted of offering bribes and were each sentenced to three years’ imprisonment and deportation.  In addition, each of those three defendants were fined and ordered to repay the same amount as their respective fines to the government entity: one was fined Dh250,000 (US$68,052), a second Dh100,000 (US$27,220), and the third Dh500,000 (US$136,105).

Note: These prosecutions are the latest in a series of criminal sentences since November 2019 that Dubai courts have imposed on managerial-level staff (both Emirati and foreign nationals) for bribery and other corruption-related conduct.  While reports of aggregate prosecution statistics are always instructive, reports about specific criminal prosecutions, particularly for financial crimes such as bribery and corruption, are even more useful in demonstrating the capacity and willingness of prosecutors to pursue complex criminal cases and of courts to impose appropriate sentences for such cases.

On March 7, Reuters reported that United Kingdom Chancellor of the Exchequer Rishi Sunak is expected to announce next week that the United Kingdom Government will impose an Economic Crime Levy “on banks and other firms regulated for anti-money laundering to raise up to 100 million pounds ($130 million)” for anti-money laundering (AML) measures.

The new Levy – expected to be included in the Chancellor’s first budget on March 11 – would be used “to generate cash for new technology for law enforcement and to hire more financial investigators.”  The United Kingdom Treasury is expected to do a public consultation this spring about which financial institutions would be asked to contribute to the new Levy.  That Levy reportedly would come into force in 2022-23.

Note: The Government’s Economic Crime Plan for 2019-2022 estimated that the scale of money laundering affecting the United Kingdom annually “is likely to be tens of billions of pounds.”  Measures such as the Joint Money Laundering Intelligence Taskforce (JMLIT), which has provided an important vehicle for public-private sector information-sharing, and use of Unexplained Wealth Orders and Account Freezing Orders have improved the Government’s capacity to combat money laundering effectively.

After years of severe funding cutbacks under the Conservatives’ “austerity” budgets, however, law enforcement has needed an infusion of fiscal resources for proper staffing and technological support to deal with, among other issues, the adaptability and sophistication of money laundering organizations.  While the planned levy for that purpose would be welcome, the timeframe for effecting it is far too extended.   As money launderers will not wait another two to three years to refine their methods and techniques, neither should the Government wait to provide critical resources to combat the threat they pose.

On February 24, the APWG (formerly the Anti-Phishing Working Group) released its report for the 4^th quarter of 2019 on phishing activity trends.  Key points in the report include:

• Number of Phishing Sites: The number of unique phishing sites fluctuated substantially during 4Q2019, from 76,804 in October to 39,580 in November to 45,771 in December. (3)
• Number of Brands Targeted: The number of brands targeted by phishing attacks remained highly consistent, averaging 333 per month. (3)
• Phishing Targets: Software-as-a-service (SaaS) and webmail sites remained the most frequent targets of phishing, accounting for 30.8 percent of targeted sectors. “Phishers continue to harvest credentials to those kinds of sites, using them to perpetrate business e-mail compromises (BEC) and to penetrate corporate SaaS accounts.” The next most-targeted sectors were payment (19.8 percent) and financial institutions (19.4 percent). Attacks against the cryptocurrency, logistics/shipping, gaming, insurance, energy, government, and healthcare sectors were negligible during the quarter, as each accounted for less than 1 percent of all phishing attacks detected. (5)
• Business Email Compromise: In business email compromise (BEC) schemes, criminals used gift cards most frequently (62 percent) to cash out, perpetrating Business Email Compromise (BEC) attacks used gift cards to cash out during the holiday shopping season. The report indicated that cybercriminals may have been seeking to launder money by using the cards to buy physical goods that they can then sell.  (6-7)
• SSL Protection: 74 percent of all phishing sites use Transport Layer Security (TLS) or Secure Socket Layer (SSL) protection. This percentage – the highest recorded since the start of 2015 – provides yet another indication that users cannot rely on SSL alone to determine whether a site is safe or not. (11)
• Brazilian Trends: In Brazil, the number of phishing incidents in Brazil increased dramatically, from 3,230 in 1Q2019 to 8,872 in 4Q2019. (9-10)

Note:  This Report, like the other APWG phishing trends reports, demonstrates the ubiquity and adaptability of sophisticated cybercriminals.  Information security officers should disseminate the Report to their teams, and share it with their financial-crimes compliance teams as well.