Most Canadians want both AI + Human Support in Customer Service Experiences: ServiceNow

Posted in Commentary on April 10, 2024 by itnerd

With ongoing debate about whether people want more AI or human interaction, new data from ServiceNow reveals a key insight: Canadians want both. The report reveals 61% of Canadian consumers prioritize seeking assistance from a human to resolve complex issues, whereas nearly half (44%) are open to AI-powered services like chatbots or intelligent search engines.

The study underlines why businesses must strike a balance in meeting consumer preferences—with 74% of Canadians saying they are less loyal to brands than they were two years ago, embracing AI tools becomes essential to stay competitive in today’s market.

The recent ServiceNow Consumer Voice Report 2024 surveyed 1,000 Canadians and found:

  • What shoppers think of AI chatbots: Having a good chatbot service is deemed important by 55% of Canadians, with this number increasing to 70% for those ages 18-34. Some (7%) even prefer to use chatbots for all their customer service needs.
  • Humans are best suited to solve complex problems: When looking to solve a complex issue or troubleshoot, 61% of Canadians will prioritize turning to customer service agents, whether by phone, chat, or in-person. However, 44% would choose to use AI-powered services such as a chatbot or intelligent search engine.
  • Preserving the human connection. Nearly half (49%) would never want to see 100% autonomous, AI-driven customer service. Additionally, 36% of Canadians hold back from engaging with AI for customer service because they do not like the lack of personalization, further underscoring the need for a balanced approach. While 73% of those ages 55+ want to see a return to human-based customer service by 2025, less than half (47%) of those ages 18-34 say the same. 

You can also find the full survey results here.

70% Increase in Attacks Against Automotive Industry via Email Compromise

Posted in Commentary on April 10, 2024 by itnerd

Abnormal Security today revealed a concerning trend: the automotive industry has experienced a shocking 70% surge in business email compromise (BEC) attacks. 

Even more alarming, 63% of organizations in the automotive sector face at least one vendor email compromise (VEC) attack every week. 

The research blog is now live at https://abnormalsecurity.com/blog/automotive-industry-bec-vec-attacks

Automattic Acquires Beeper…. Uh.. Okay.

Posted in Commentary on April 9, 2024 by itnerd

Well, I didn’t have this on my BINGO card.

Automattic, who owns WordPress (fun fact, this blog is hosted on WordPress) and Tumblr, has acquired Beeper, who you might recall got into one hell of a fight with Apple last year when they tried and failed to bring iMessage to Android phones:

Messaging today is a mess. We have endless chat apps on our phones, each with different contacts and notification settings, making it all too easy to accidentally ghost family and friends. 

That’s why we’re excited to announce today that Automattic has acquired Beeper, a universal messaging app that combines 14 different chat networks in one inbox. We began investing in messaging last year when we acquired Texts.com. Now, two of the most exciting teams in tech will work together to push the boundaries of messaging, giving us one app that will improve our focus and the way we communicate. 

So why would they do this? Well, Automattic wants to create its own messaging app. Thus this fits in with that ambition. And given Apple’s current issues with the US Justice Department, I guess they felt that the time was right to jump into this market as it might get a lot more competitive shortly. Well, I wish them luck with that because if that doesn’t happen, Automattic has spent a lot of money for no appreciable gain.

Tis The Season For Canada Revenue Agency Related Email #Scams

Posted in Commentary on April 9, 2024 by itnerd

It’s tax time here in Canada. And much like spring flowers, Canada Revenue Agency scams are popping up everywhere. Here’s today’s example. This arrived via email late yesterday:

Now right off the top I knew that it was a scam for the following reasons:

  1. If you have set up direct deposit, your tax refund is sent to your bank account automatically. You do not have to lift a finger to get it.
  2. The day that I received this was yesterday which was April the 8th. But this email claims that the refund will expire on April the 7th. Thus this threat actor isn’t all that smart as they clearly can’t pay attention to the details.

There’s also a third thing that identified this as a scam:

That’s the email address that the email was sent from, which is not a Canada Revenue Agency address, as those typically end in cra-arc.gc.ca. So if you see this email, and you’ve identified all of this, this is the point where you should delete this email. But I’m going down the rabbit hole to expose their endgame. Which is of course a scam to capture your banking credentials. So after clicking on “Deposit your refund” which by the way you should never do, you get taken to this web page:

Now you’ll notice the address of the web page. Here’s a closer look:

That’s not the Canada Revenue Agency as their website is https://www.canada.ca/en/revenue-agency.html. But the threat actors are hoping that you won’t notice. Clicking on the CAPTCHA (which works by the way) takes you here:

Then from there, the threat actors have spent some time trying to replicate each bank’s web page to fool you into entering your banking credentials so that they can swipe your hard earned money. Take CIBC for example:

Other than the two missing pictures at the bottom of the page, this is a pretty good replication of the actual CIBC website. While the threat actors didn’t get that detail right, what they did get right was the fact that there’s code to check the validity of the card number that you have to enter. That way the threat actors aren’t wasting time going through bogus data to find the bank accounts that they can actually steal money from. That shows how crafty these scammers have become. It also shows why you need to always watch out for them as they are clearly evolving to better execute their scams. Thus as always, delete this email the second it arrives in your inbox and move on with your day.
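The three tells this post checks by eye (sender domain, link destination, and a deadline that had already passed when the email arrived) can be written as a small triage script. This is an added Python example, not part of the original post; the sample message, its `.example` hosts and the function names are constructed for illustration.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Domains the post names as legitimate for the Canada Revenue Agency.
CRA_MAIL_DOMAIN = "cra-arc.gc.ca"
CRA_WEB_DOMAIN = "canada.ca"

# Constructed sample (not the real scam email). Both hosts embed a genuine
# domain as a prefix, which a naive substring check would accept.
SAMPLE = """\
From: "Canada Revenue Agency" <refunds@cra-arc.gc.ca.mailer.example>
To: taxpayer@mail.example
Subject: Your tax refund is ready
Date: Mon, 08 Apr 2024 21:14:00 -0400
Content-Type: text/html; charset="utf-8"

<p>Your refund will expire on April 7, 2024.</p>
<p><a href="https://canada.ca.refund-portal.example/deposit">Deposit your refund</a></p>
"""


def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return a list of findings for one raw, single-part email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    # Tell 1: the sender address is not under the CRA mail domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not in_domain(sender_host, CRA_MAIL_DOMAIN):
        findings.append(f"sender: {sender_host} is not under {CRA_MAIL_DOMAIN}")

    # Tell 2: a link points somewhere other than the CRA web domain.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlsplit(url).hostname
        if not in_domain(host, CRA_WEB_DOMAIN):
            findings.append(f"link: {host} is not under {CRA_WEB_DOMAIN}")

    # Tell 3: the stated deadline is earlier than the message's own date.
    sent = parsedate_to_datetime(msg["Date"]).date()
    for m in re.finditer(r"expire on ([A-Z][a-z]+ \d{1,2}, \d{4})", body):
        deadline = datetime.strptime(m.group(1), "%B %d, %Y").date()
        if deadline < sent:
            findings.append(f"deadline: {deadline} is before send date {sent}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A clean result only means these three tells are absent: the From header can be forged, so this does not replace SPF, DKIM and DMARC evaluation at the mail gateway.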

Cranium Launches the Connect Reseller Program 

Posted in Commentary on April 9, 2024 by itnerd

Cranium today announced the launch of its new innovative partner program – the Cranium Connect Reseller Program. Designed to provide new opportunities for organizations to discover the benefits of enhancing AI security and governance, the Cranium Connect Reseller Program actively fosters a community of value-added partners, security and risk-focused service providers, and alliance partners.

Representing a significant milestone for expanding the reach of AI security across diverse industries, this initiative focuses on channels for resale, services, and support to enhance profitability and predictability for partners. Those joining the Cranium Connect Program will benefit from competitive margins, access to advanced services, and a surge in customer demand, all driven by Cranium’s strategic marketing efforts.

The program has distinct tiers, each offering escalating benefits and support. This tiered approach ensures a customizable experience for each partner, fostering growth alongside their business development.

Additional benefits include access to dedicated partner testing environments, certification training, promotional opportunities, comprehensive support via the Partner Portal, a hub for sales and marketing resources, and deal registration management.

As the foremost enterprise AI security and trust software firm, Cranium empowers organizations to ensure the security and compliance of their AI and GenAI systems. The Cranium Enterprise software platform offers comprehensive solutions for driving visibility, security, and governance across all AI and GenAI environments. Secure your enterprise’s AI today with Cranium.AI.

Google Rolls Out Find My Device Network

Posted in Commentary on April 9, 2024 by itnerd

Google has introduced the Find My Device network for Android. Which as the name suggests is just like the Find My network that Apple rolled out a while ago. This network will allow you to do five things:

  • Keep track of your Android devices as well as find them.
  • Keep track of everyday items such as keys using Bluetooth trackers. Google specifically calls out Chipolo and Pebblebee. But also says that support for eufy, Jio, Motorola and other trackers is coming. One has to wonder if the O.G. of Bluetooth trackers which is Tile will be included? In any case, you can also find “unwanted” trackers which apparently includes AirTags.
  • You can leverage Nest devices to find items in your home and share items with your family.

This is live in the US and Canada and works on phones running Android 9 or higher. The one thing that I think is a win here is that this will further discourage the use of AirTags and other Bluetooth trackers by criminals as any of these trackers are now more likely to be found by “Joe Average.”

Smishing Attack Takes NYC Payroll Website Offline And Threatens Up To 300K With Identity Theft

Posted in Commentary on April 9, 2024 by itnerd

New York City is the latest victim forced to take a city payroll website offline and remove it from public access for almost a week now after dealing with a smishing incident.

The website was partially taken offline following the smishing campaign that allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.

It wasn’t till after being contacted by POLITICO, who first reported the incident last week, that the city warned the roughly 300,000 full time workers of the phishing campaign, but they did not mention that access to the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) website (including essential tax forms) would be limited.

That action also came after the city’s largest agency, the Department of Education, sent an email to its employees on March 23rd, warning about “a new smishing” or SMS phishing campaign “targeting users of NYCAPS/ESS.”

“This (is) a user education issue to not fall prey to these scams, but the real site is antique & easily cloned,” said Naveed Hasan, a technology consultant and member of the city’s Panel for Education Policy.

Dave Ratner, CEO, HYAS had this to say:

   “Smishing campaigns are becoming more commonplace, in part because of our increasing reliance and familiarity with automated systems that generate text messages, and in part because the rise of AI makes it so much easier to generate accurate-looking fakes. This trend will unfortunately continue and there are only two good ways to address it. The first involves increased training, education, and communication; the second involves the use of highly accurate Protective DNS systems which are capable of separating malicious from legitimate sites on the Internet and ensuring that individuals are not accidentally fooled.”

I have long argued for the use of either multi-factor authentication, or better yet passwordless authentication to stop this sort of thing from happening. But either has to be combined with user education and better checks to ensure “smishing” isn’t a successful attack vector.

American Privacy Rights Act Unveiled

Posted in Commentary on April 9, 2024 by itnerd

The newly unveiled American Privacy Rights Act (APRA) represents a significant step toward establishing a federal data privacy standard in the U.S., offering a bipartisan solution to longstanding legislative challenges.  This legislative effort underscores a unified approach to enhance online privacy protections, aiming to reconcile differences over state preemptions and legal remedies for privacy breaches.

Antonio Sanchez, principal evangelist at cybersecurity company Fortra says:

“Today, about half of the states have some sort of legislation, but it’s varied. Ideally, this legislation would be a baseline of privacy at the federal level which provides consumers with more control over their personal data.  Each state would then decide on passing something more stringent than the baseline.

This would be a great win for consumers as this would be a big step towards reducing misinformation, disinformation, and AI generated content which are used to sway the public’s mindset on a particular issue.  For big tech this would represent a big hit to their bottom line since big tech monetizes personal data by mining, using, and selling it.  The ones that use it deliver content (real and AI generated) to targeted audiences to either position a product or gain support on a social issue.

I like the idea, but we will see if this continues to move forward or if it slowly fades away and nothing happens.”

This is a piece of legislation that is long overdue. If the people on Capitol Hill are smart they would do everything possible to move this bill forward and get it passed into law. But given the tenor of politics in the US at the moment, one has to wonder if that will happen.

UPDATE: Madison Horn, Congressional Candidate (OK-5) and cybersecurity expert adds these comments regarding the American Privacy Rights Act:

The American Privacy Rights Act is a significant first-step towards setting up national consumer centric data privacy standards. While the American Privacy Rights Act aims to define the type of data that companies can collect, there is ambiguity and concern in a number of areas that will be left vague. In the typical process for introducing new regulation, there is either over or under calibration, or it is not specific enough. Regulators must define what data is considered necessary, determine how data collection needs should be managed across applications, determine whether data storage will be centralized or segmented, and establish clear limitations on the types of data companies can collect.

I have concerns that regulators will over-calibrate these new data privacy regulations and inadvertently introduce vulnerabilities in company systems, potentially making it easier for bad actors to exploit them. While giving consumers control over their data is a positive step, it’s crucial that identity and access-management are securely designed, otherwise bad-actors could easily steal personal data. Giving consumers the right to access, correct, delete, and export their personal data is a great step forward, but brings significant security concerns. There’s a technical challenge in setting up and managing identities to ensure that people can’t access or edit someone else’s data. Despite the good intentions, opening these doors will inadvertently increase security concerns. The real task lies in minimizing these incidents as much as possible. It’s all achievable, but requires careful planning and execution.

To get this crucial data privacy law right, it’s important that everyone involved – lawmakers, regulators, and the private sector – all meet at the table together. If lawmakers try to force this law through like dictators, there will be endless pushback from lobbyists – something entirely counterproductive to effective regulation – and will only hurt small businesses and innovation. With many of the few qualified individuals in Congress left retiring or being pushed out of office by partisan politics, it’s up to the American people to elect qualified leaders with experience that matches the problems of today. Leaders that understand the nuances and pitfalls of drafting, right sizing and passing acts that adequately protect Americans while not hindering innovation and economic growth. 

IntelBroker Strikes Again By Pwning Home Depot

Posted in Commentary on April 9, 2024 by itnerd

Home Depot experienced a data breach by one of its SaaS vendors that inadvertently exposed employees’ data. The announcement came after increasingly notorious threat actor IntelBroker leaked the data of approximately 10,000 employees on BreachForums last Thursday. The data, exposed while the third-party vendor was testing their systems, includes names, work email addresses and User IDs.

“Today, I have uploaded the Homedepot.com database for you to download, thanks for reading and enjoy!” wrote IntelBroker on BreachForums.

Recently, IntelBroker has gained notoriety by breaching large organizations and government agencies such as DC Health Link, PandaBuy, Acuity, Hewlett Packard Enterprise and the Weee! grocery service, as well as an alleged breach of General Electric Aviation.

Stephen Gates, Principal Security SME, Horizon3.ai offered this comment:

   “It’s clear that traditional cybersecurity measures and approaches used in some third-party environments can fall short in identifying and mitigating exploitable risks effectively. Often, implementing and enforcing security best practices takes a back seat in smaller companies with smaller IT footprints. This is primarily due to not having dedicated security-focused personnel on staff, inadequate security budget, and leaders not fully understanding their risks.

   “Often, the mantra is, “We’re just a small software supplier. Why would anyone attack us?” These sorts of supply chain events are only going to grow, and today, supplier security posture management is becoming key to ensuring someone else’s risk does not transfer upstream to you.”

Dave Ratner, CEO, HYAS followed with this:

   “People need to realize that increasingly, the breach happens not because of lack of security in your organization but due to a breach in a SaaS application, third-party, or vendor in the supply chain.  It highlights the critical need for cyber resiliency approaches that not only assume breaches occur but have the visibility, capability, and controls to detect them early in the kill chain and stop them before data is leaked or damage occurs.”

Craig Harber, Security Evangelist: Open Systems had this comment:

   “The Home Depot data breach highlights the importance of companies implementing third-party risk management. To protect their customers, companies must implement consistent security standards across their entire business ecosystem to help mitigate cyber-attacks originating through partner and supplier systems.

   “Most modern businesses depend on third-party partners. Unfortunately, these partnerships introduce inherent risks because the resulting interconnected IT/business systems do not deliver the critical trust relationship to prevent supply chain attacks, data breaches, and reputation damage.

   “In this case, a SaaS vendor accidentally leaked the personally identifiable information (PII) of 10,000 employees. This information was exposed by a well-known threat actor, IntelBroker, on their data leak site. The attackers are likely to exploit this data for targeted phishing campaigns to gain credentials and infect Home Depot’s corporate network with ransomware.

   “To prevent further occurrences, security teams must implement consistent security standards across the entire business ecosystem, including all its subsidiaries’ IT/business systems. Consistent security practices include requiring prompt and regular patching of system vulnerabilities and implementing multi-factor authentication to prevent exploitation.”

Supply chain attacks are real and likely happen more often than you think. Thus you have to force the companies that you work with to be on the same page as you when it comes to security. Otherwise, pwnage through no fault of your own is never far away.

UPDATE: Paul Valente, CEO and Co-founder, VISO TRUST:

   “For many companies, third party risk is just a compliance checkbox.  Home Depot got lucky this time, but the incident highlights how companies need to do more to elevate third party risk management.  While some breaches are inevitable, using the latest AI-assisted TPRM approaches companies can avoid these types of breaches.”

The Canada 100 Report Has Been Released With TD Bank Group On Top

Posted in Commentary on April 9, 2024 by itnerd

TD Bank Group (TD) is the most valuable brand in Canada for the second consecutive year, according to the latest Canada 100 report by Brand Finance, the world’s leading brand valuation consultancy.

With a brand value of CAD25.8 billion, TD edges out RBC, which holds the second position with a brand value of CAD22.4 billion. TD has shown robust performance in Brand Finance’s latest consumer research findings. Across Canada, Familiarity has increased from 71% to 84%, and 31% of individuals currently report using TD’s services. 

WSP Global brand value soars 72%

WSP Global is the fastest-growing brand in Canada this year, with a notable 72% surge in brand value, now standing at CAD1.6 billion. This growth is primarily attributed to strategic acquisitions and market expansion efforts. The integration of Golder in 2021 and the subsequent rebranding in 2023 notably bolstered market share, driving significant growth. WSP continues its expansion journey with the acquisition of John Wood Group in 2022, aimed at enhancing its environmental leadership and, more recently, Communica Public Affairs, strengthening its indigenous and stakeholder engagement services in Canada.

TELUS dials up success, overtaking Bell to become Canada’s most valuable telecoms brand

TELUS has recorded a solid 13% brand value growth to CAD11.7 billion, positioning it as the leading telecoms brand in Canada this year, surpassing Bell (brand value down 2% to CAD10.8 billion). TELUS has reported robust financial performance, driven by expanding its subscriber base – which now surpasses 10 million mobile phone users – after celebrating the strongest fourth-quarter customer growth on record. This notable achievement underscores the efficacy of its advanced broadband networks and customer-centric ethos.

Moreover, TELUS’s Brand Strength Index score has increased by 4.2 points to 80.3 out of 100. This growth primarily stems from enhanced reputation scores and improved perceptions regarding its environmental initiatives. TELUS is actively pursuing its objective of transitioning to 100% renewable or low-emission electricity within the next two years and a commitment to be carbon neutral by 2030 or sooner.

A&W is Canada’s strongest brand 

In addition to calculating brand value, Brand Finance also determines the relative strength of brands through a balanced scorecard of metrics evaluating marketing investment, stakeholder equity, and business performance. Compliant with ISO 20671, Brand Finance’s assessment of stakeholder equity incorporates original market research data from over 150,000 respondents in 41 countries and across 31 sectors.

This year, A&W has claimed the title of Canada’s strongest brand with a Brand Strength Index (BSI) score of 85.3 out of 100. With over 1,000 restaurants across Canada, A&W has consistently maintained a strong level of awareness and familiarity among Canadian consumers. Brand Finance’s latest research underscores this, revealing familiarity and consideration scores of 85% and 93%, respectively, across Canada. 

Despite its continued success as the strongest Canadian brand for the second consecutive year, A&W has experienced a slight decline in overall strength this year, primarily attributed to lower ESG scores. However, in a significant stride towards sustainability, A&W Canada became the first QSR brand to launch a nationwide exchangeable cup program, ‘A&W One Cup,’ to combat single-use cup waste. This initiative could bolster positive perceptions across ESG dimensions in the upcoming year.

TD has the highest Sustainability Perceptions Value at CAD1.76 billion

As part of its analysis, Brand Finance assesses the role of specific brand attributes in driving overall brand value. One such attribute that is growing rapidly in significance is sustainability.  A brand’s perceived sustainability on environmental, social, and governance is represented by Sustainability Perceptions Scores. The proportion of brand value attributable to sustainability perceptions, or ‘Sustainability Perceptions Value’, is then calculated for each brand.

In addition to being the most valuable Canadian brand, TD has the highest Sustainability Perceptions Value of Canadian brands, at CAD1.76 billion. TD’s position at the top of the Sustainability Perceptions Value table does not assess its overall sustainability performance but rather indicates how much brand value is tied to its sustainability perceptions.

TD’s dedication to sustainability has received recognition in Brand Finance’s research. Amongst brands with high familiarity, TD is the highest-perceived banking brand by Canadian respondents for the environmental dimension and second for social and governance. TD recently unveiled its ambitious three-year, USD 20 billion Community Impact Plan, aimed at empowering diverse and underserved communities across the United States. 

Additionally, through the 2023 TD Ready Challenge, TD also awarded $10 million in grants toward innovative solutions that address barriers to affordable housing. Under TD’s Climate Action Plan, which serves as the Bank’s Transition Plan, TD continues to advance on the Bank’s sustainability goals and role as a corporate citizen.