Today is my favorite day of the year: my firm's birthday, marking 12 years since I poured my heart, my soul and my savings into my dream, this company. It's an incredibly proud and emotional day for me, as I have spent my whole career building this business. It's a small firm, but the key to my success lies in my networking skills, and I digitally store a comprehensive list of all my network contacts' and clients' details on a secure computer. Through this, I can tailor my service to each individual client without having to re-ask for information I already know.
My nephew Matt is a good kid, he helps me out with my firm’s IT environment and set up all my networking stuff, including the firewalls which protect web traffic. He will often visit and check my systems whilst he has a coffee and chat, but lately, he has been pretty busy with his studies, so my IT environment has taken a back seat for the meantime.
I vaguely remember my nephew mentioning something about a new Microsoft patch released to fix a vulnerability, but I'm too busy at the moment. Besides, last time I installed a patch my computer restarted, and I don't have the time to go through and save all my working documents; I’ll install it tomorrow.
Little did I know that today is also Elliot's favorite day: Microsoft's "Patch Tuesday", the day that Microsoft releases patches for Windows users to protect their machines. Elliot is a skilled hacker and is able to analyse the details of a patch and work out what vulnerabilities it is trying to fix. This means that on "Exploit Wednesday", Elliot and his team can deliver code to exploit systems that haven't installed the patch, and he has just selected me as his victim.
I'm sitting at my desk tending to my daily emails when my mouse cursor starts moving across the screen without me touching it. At first, I think it's my brain playing tricks on me, last night was a big night out celebrating with my colleagues after all, so maybe I’m just tired, but no! There - it moved again!
Confused, I take my mouse and bang it against the desk - but that doesn’t help. I look up and see my cursor opening and closing my client’s files with all their personal information. I frown. I don’t have time for technology to be breaking, especially when I'm so busy. I send a frustrated message to Matt asking him to order me a new mouse.
As I leave the office my receptionist calls out to me, she sounds worried. She tells me that her mouse has been doing strange things lately, even when she disconnects it from her PC. To my dismay, I see her cursor darting around the screen like it did on mine, opening and closing files.
I start to feel concerned - two mouse devices can’t possibly break on the same day! I call Matt again and ask him to come in first thing tomorrow.
As I leave the office Elliot continues his work, he is able to control my screen through his own, a vulnerability that the latest patch would have fixed. Elliot is especially interested in the numerous files I have of client information and is able to seamlessly access and copy them. Elliot loves people who don’t install their patches, it almost makes his job too easy!
Matt inspects my computer and I stand behind him, anxiously shifting my weight from foot to foot. Eventually, he leans back in the chair and closes his eyes: "Did you install the Microsoft patch on Tuesday?"
I stammer, admitting that I hadn't. But surely that wouldn't explain the issue with my mouse? Matt goes on to tell me that both my computer and the receptionist's had been remotely accessed and controlled by a third party via remote desktop, and because of this the hacker was able to access all our sensitive information, including my clients'.
Before I can begin to panic, a notification pops up on my computer. Matt stops mid-sentence and opens the email, but it's an email from me, to me. How could that have happened?
I have accessed all your client’s information including photo identification, names, email, addresses and bank information. I have posted them for sale on the dark web. If you transfer 0.72 bitcoin* to XXX XXX XXX I will remove them immediately.
You have until 3pm.
*Approximately $8,803 AUD
I look to Matt, waiting for him to tell me this is a joke, but he sits there quietly staring into the distance. Upon further investigation, we see that each computer has been sending my client information to a strange email account, but there is nothing we can do; it's too late now. And how can I trust that this so-called Elliot will pull the information down from the dark web if I pay him?
I'm filled with despair and guilt: if my clients' information is purchased, criminals could commit identity theft and significantly impact their lives, and I would be the one responsible for it! I'm filled with shame; how am I ever going to sleep knowing this was my fault?
Gosh, Why me?
The next day
The next few weeks are spent cleaning up the mess Elliot made. I have emailed all my clients and informed them that their sensitive information has been obtained, and of the possible effects of this. In addition, I have reported the incident to the Privacy Commissioner, just to be safe.
The patch that Peter didn't install fixed CVE-2019-0708, a vulnerability in the Remote Desktop Protocol (RDP) service that allowed it to be abused remotely. Because Peter did not install the patch, the highly skilled and trained Elliot was able to remotely use Peter's desktop, access his files and send information to himself.
Software patches usually fix identified vulnerabilities within your system that could be exploited by hackers. Most operating systems, by default, are configured to automatically apply patches when a system is restarted. If yours does not do this, speak with your IT professional to “enable automatic updates”.
Often, people avoid installing patches because they see them as an inconvenience. Usually, your PC must fully shut down for the patch to be installed. However, in Peter's case, he could have saved his clients' sensitive information and his business by taking a few minutes to install the patch. Read more information on patching here.
Imagine it’s 3 weeks till Christmas
You’ve got (e)mail! ( ✉ )
The email says that you are due to receive a parcel delivery from FedEx. You weren’t expecting anything, but then, it’s close to Christmas. It could be something special – who could it be from? Excitedly, you quickly fill in the required details and send the email. You and your team at your conveyancing firm have been receiving an unusually high number of emails lately. It must be that time of the year, when old contacts try to connect, and banks ask you to validate information. A couple of them have clearly been phishing emails – thank goodness they were identified.
Unbeknownst to you, you’ve missed some.
Meanwhile at the other end of these phishing emails, Elliot is slowly gathering information about you and your firm. Through his multiple phishing emails, he’s managed to obtain quite a bit of information about you, your assistant and some of your colleagues. It was relatively easy to follow you from the coffee shop’s free Wi-Fi. As the ‘man in the middle’ (MITM), he’s managed to have continuous conversations with you and your client Grace. Now he’s just waiting for you to take the bait.
Finally, success! Elliot's managed to install malware into your system through one of the links you clicked on. This spyware hides in the background and watches what you're doing online. It records your online activities and data such as your passwords, credit card details and the websites you regularly visit. All this happens while you remain unaware that your personal data is being compromised.
By the way, did you know that Elliot isn't really just Elliot? He is an individual in an organised group comprising six to seven other perpetrators that exists for the purpose of theft. Not wanting to put all their eggs in one basket, the team may be running multiple online schemes targeting many organisations at any given time. They have spent weeks planning this one, fooling different people and collecting information.
In order to steal the funds from you and your client, Grace, they have also been spending time cultivating people who can execute the transfer of the stolen funds. Abigail King looks like a promising money mule.
A couple of days before Christmas
The group has been busy. They’ve managed to set it up – pretending to be Grace they’ve instructed you to transfer the proceeds from the sale of her house to Abigail King. Once the settlement has completed, $250,000 is moved immediately to Abigail’s bank account. Soon after, she will transfer the money, just under $10,000 at a time, to the group’s overseas account; until she gets caught that is.
Back at your conveyancing firm the property transaction was settled several days ago, but you’ve only just realised what’s happened. The funds have gone to the account you’ve told it to go to, but that’s not the right one! You call the bank. They say that they’ll look into it.
Uncertain what to do next, you ring PEXA and inform them that your email account was possibly compromised. PEXA contacts the bank who holds Abigail’s account, ensuring no further funds can be transferred out. However, approximately $30,000 has already been transferred to an overseas account.
The bank works with its counterparts to retrieve the money. They manage to recover close to $20,000; the remaining $10,000 has already been physically withdrawn. Just under $240,000 is returned to Grace in total; it's not everything.
It's been a few days since the incident. Because it was a phishing scam, you contacted your PI insurer; they should be able to cover the money that Grace lost through your cyber security policy. As a precaution, you arrange a full review of your firm's IT security system, change your passwords, and suggest that Grace does the same. You make a mental note that in future you will be diligent in verbally confirming bank details, only using private, secure Wi-Fi networks and being wary of phishing email scams. It may also be a good idea to install a firewall to protect your systems from malware. The biggest deterrent to a cybercriminal is a robust cyber security system that takes real effort to break through. They will generally go for an easier target because they are financially motivated to get in and out quickly.
Cybercrime in Australia
Email is a common technique used by cyber criminals, and according to the Cyber Security Review, led by the Department of the Prime Minister and Cabinet, cybercrime costs the Australian economy approximately AUD 1B per annum.
The Australian Criminal Intelligence Commission (ACIC) states that Australia is an attractive target for serious and organised crime syndicates, and because of the lucrative financial gains, cybercrime is a serious threat. According to some experts, the majority of hackers are affiliated in one way or another to organised groups. They operate like a legitimate business with people who have a range of skills working towards a common goal.
Some organised groups receive direction and support from nation states; these groups exist with the purpose of stealing data, disrupting operations or destroying infrastructure. The state sponsors a coordinated attack with the intention of acquiring intellectual property or government data, and many of these groups are part of a collective 'army'.
In this fictional story, Elliot does not belong to a nation state. He is a member of an organised group that exists for the purpose of theft. It is highly likely that this group does not reside in Australia and, like most others, lives a lucrative lifestyle off the stolen proceeds. The reality of this story is that it can happen to you, and that being aware and putting the right cyber security controls in place can stop you from becoming another cybercrime statistic.
Malware is malicious software, written with the intent of doing harm to data, devices or people.
Since it is known that phone calls are insecure, what if a PEXA VOIP phone was misappropriated?
When will PEXA Users be able to establish a secure (trusted) connection with support staff?
Now there is more support staff - Thankfully!
However, we no longer easily get to know all the support staff by name, or by voice recognition, anymore. :(
Suggest maybe a simple reverse 'codeword', could be chosen or a 'phrase' (perhaps on the Secret Notes section of user profile) or ask 'what is my current PingID number', to ask the PEXA support staff person (as the call center ask user secret Q&A) to establish trust in talking with a legit PEXA support staff in both directions?
Increase the functionality of the Help or Feedback to have or request a support call/conversation within the workspace...
Recently, it was reported that a Victorian hospital fell victim to a cybercrime syndicate that held 15,000 medical files to ransom. This attack, probably the result of a phishing email inadvertently opened by a staff member, resulted in criminals hacking into the hospital's server to plant ransomware that scrambled and encrypted data, locking medical staff out of their files.
Ransomware can take different forms. For hospitals, holding their data to ransom not only creates reputational damage but could seriously affect their patients. Another method is to attack a company's IT infrastructure by disabling employee access to laptops or servers. The company is then held to ransom, with payment typically demanded in bitcoin or another cryptocurrency. Cryptocurrency is prevalent in the cyber fraud community because it can be transferred with relative anonymity.
In 2017, two companies had their Amazon Web Services accounts compromised by hackers who used the victims' bandwidth and computing power to mine bitcoin, an energy intensive but potentially lucrative exercise.
Data ransom and bitcoin mining may seem simple and straightforward when compared to more sophisticated attacks such as the one that occurred in 2017. The attack, called WannaCry, infected up to 200,000 computers in 150 countries, locking up users' data and demanding a ransom to release it. WannaCry was so damaging because the cyber criminals managed to exploit vulnerabilities in older, unpatched versions of Windows when newer, more secure versions were available.
In Australia, conservative estimates show that cybercrime costs the economy in excess of AUD 1B each year. More than 500,000 small Australian businesses fell victim to cybercrime in 2017, and it is estimated that the majority paid an average of AUD 4,677 in ransom to decrypt their data. Small businesses often fall victim because, in some cases, keeping IT software up to date is not their highest priority.
Source: Smart Company, From millions to malware: Cyber attacks in Australia by the numbers, July 2018
The cybercrime landscape is ever evolving, and it is therefore imperative for our industry to continually develop and advance a robust security framework. As an industry, we must uphold the highest standards when it comes to cyber security and maintaining the latest in secure software versions. This is non-negotiable when dealing with someone’s most important and emotionally significant investment – their home.
At PEXA, we are determined to ensure that the cyber security practices we have in place continue to protect our members and their customers. Our IT systems are annually audited by external professionals and we continually explore new ways to bolster the security posture of our network. This is achieved by investing, maintaining and constantly improving security controls as well as running a Security Operations Centre to monitor, detect, and respond to cyber-attacks.
What your firm can do
To ensure your practice is protected from similar events, it is important to be aware of how these criminals operate. Hackers like this look for weaknesses in a security framework and will exploit vulnerabilities in older versions of software, as they did in the WannaCry ransomware attack. As a preventative measure, we recommend staying up to date with patching.
Patching reduces the risk of hackers exploiting vulnerabilities that have already been remediated by software companies. It updates, fixes, or improves the program or data and mends security vulnerabilities and other bugs.
Firewalls are another layer of protection that acts as a barrier between your computer and the Internet, helping safeguard your computer and information. By having a firewall, you reduce the risk of an attacker compromising your computer. There are also a number of anti-virus providers that meet the requirements in PEXA's Subscriber Security Policy, for example Symantec, McAfee and TrendMicro. The Policy also provides guidance on all the security controls that PEXA Subscribers should be leveraging to maximise their security posture.
You’ll notice that in the Victorian Hospital’s ransomware attack, an unwitting staff member fell victim to a phishing e-mail. Training your staff to recognise potential cyber-fraud is the first step to preventing this from happening to you.
Additionally, your business should decide early how it would respond to a ransomware incident, however unlikely. Making this decision in advance will help you avoid 'heat of the moment' reactions that could have detrimental effects on your business.
Taking the necessary steps to ensure your data is backed up removes the need to pay a ransom, and the risks involved in doing so. There are two main options for backing up your organisation's data:
perform your own back-ups to a storage device (USB or external hard drive); or
back up to an online (cloud) service.
Businesses that decide to pay a ransom need to be aware of the risks, including the likelihood that, even if the ransom is paid, they may not get their information back, and that paying may leave them open to further attacks. We recommend you speak with your legal advisor beforehand to ensure you are making the correct decision for your firm.
There is a lot of information available to help your firm plan for this scenario. Visit staysmartonline.gov.au for more information on ransomware and PEXA’s online Community forum to learn about measures PEXA takes to bolster security.
Bitcoin miners pool together different computers to perform complex computations; success generates a set number of valuable new bitcoins.
It’s more than just an Internet romance...
The lover’s tale
Abigail thinks she's in love. It must be love. She's been looking for love for a while and Elliot seems like the perfect guy. Many of her friends have warned her about internet romances, but Elliot's different. He has never asked her for money. Never asked her for anything. She thinks he might be quite wealthy, in fact. He is always moving money around. He's been struggling lately, though. So, she's been helping him transfer money to his accounts. For some reason, he's having issues sending money to his overseas account. Abigail doesn't really know the reasons why, nor does she question it. It all seems too complicated, and as long as it's not her money she's transferring over, it must be okay… besides, he's committed to the relationship. He said they will be together soon.
Over the past couple of weeks Abigail’s been transferring money for Elliot’s family and friends. They are all preparing for a big holiday and need the money ready to meet them. It’s not much – a couple of hundred here and there. Now he’s asked for her help to transfer funds from the sale of his property in Australia.
Just a few days ago, Abigail received $250,000 to her account. She’s not meant to transfer everything over to him though. Elliot told her that while he was excited to have sold his house, he needs to move the money in parts to avoid government taxes. He’s asked her to transfer just under $10,000 at a time, over several days, because that way it doesn’t trigger any alerts. Abigail doesn’t completely understand the reasoning, but Elliot is good to her. He said they will meet face-to-face now that he has sold his house, and she is excited to finally put a face to her love.
For the third day in a row she has made the transfer. Something strange has happened, though: all her accounts have now been frozen, and her bank keeps leaving messages asking her to call them back.
The practitioner’s tale
Meanwhile your client, Grace, is frantic. She hasn’t received her house’s sale proceeds yet. It’s been a couple of days; how has this happened? You arranged the transfer of the money according to her instructions which you received just before finalising the payment. You look back at the details and see the account name Abigail King and a different BSB – not your client’s.
Wait. What’s happening?
Going back through the email trail you realise that there’s something funny about the email address. The instruction did not come from Grace. Blood drains from your face… you call the bank immediately to try and stop the funds from disappearing. Hopefully it’s not too late.
The Hacker’s tale
Meanwhile, Elliot is busy moving money around several of his accounts across the world and connecting with different people online. While he’s looking for a way to gain access to steal the funds, he has also been cultivating internet romances with men and women to transfer the funds outside of Australia. He loves living in the internet era where crimes can be performed anonymously, and no-one ever has to see his face. On the internet you can pretend to be whoever you want, and a lot of people believe you.
Unfortunately, the above scenario is all too common. Cyber criminals often use middlemen to transfer stolen money to their accounts. These middlemen are real people with real accounts, and they don't have unusual bank account activity. Known as money mules, they are sometimes recruited or deceived into helping cyber criminals, like our fictitious character Elliot, carry out these crimes.
These criminals have been known to recruit money mules via romance scams or employment scams. In a romance scam, the ‘money mule’ is emotionally invested and could also be considered a victim. Employment scams often offer potential money mules a job that requires minimal effort with lucrative returns – for instance, a small commission for receiving and transferring money.
According to the Australian Federal Police, it is a crime to transact in the movement of stolen funds, even if you are unaware that you are acting as a money mule. Money mules are caught because they are not trying to hide their activities, and when caught they can have their entire bank accounts, including their own funds, suspended and potentially face criminal prosecution.
How can I protect myself?
Be wary of advertisements for a guaranteed income or job with lucrative returns and very little effort
Don’t transfer money on behalf of someone else, especially when you have never met them
Never give your bank details to anyone
Protect your personal information and be suspicious if anyone asks you for those details
Be cautious of people seeking financial assistance or asking you for financial details – money sent via wire transfer is rarely recoverable
As a business operator, when receiving instructions to transfer money, confirm that the instructions you’ve received have come from your client - verbally confirm details or changes with your client
Be cautious of situations where the name on the account differs from that of your customer
I think I am a victim, what can I do?
Anyone who has disclosed their bank account details, received funds into their account or suspects that they are the victim of a mule scam should contact their bank or financial institution immediately.
For more information on this and more, please refer to Scam Watch.
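One way a firm could put the checks in the list above into practice (sender address, Reply-To, account name and changed BSB or account number) before any settlement funds are released. This is an added example, not PEXA's code or anything from the original post; the client record and the two emails are constructed samples and the domain names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the client record the firm holds on file (hypothetical values).
CLIENT_ON_FILE = {
    "name": "Grace Example",
    "email": "grace@example-client.com",
    "bsb": "062-000",
    "account": "12345678",
}

# Constructed sample of a payment-redirection email in the style of the story:
# lookalike sender domain, free-mail Reply-To, and a third party's bank details.
SUSPICIOUS_EMAIL = """From: Grace Example <grace@example-cllent.com>
Reply-To: grace.example@webmail.example
Subject: Updated settlement account

Hi, please send the sale proceeds to my new account instead.
Account name: Abigail King
BSB: 013-999
Account: 87654321
"""

# Constructed sample of a genuine instruction that matches the record on file.
CLEAN_EMAIL = """From: Grace Example <grace@example-client.com>
Subject: Settlement account

Please pay the proceeds to my usual account.
Account name: Grace Example
BSB: 062-000
Account: 12345678
"""


def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payment_instruction(raw_email, client):
    """Return the reasons this instruction must be verbally confirmed (empty = no flags)."""
    msg = message_from_string(raw_email)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = client["email"].lower()
    if sender != expected:
        sender_domain, expected_domain = sender.rsplit("@", 1)[-1], expected.rsplit("@", 1)[-1]
        if edit_distance(sender_domain, expected_domain) <= 2:
            findings.append(f"sender domain {sender_domain} is a lookalike of {expected_domain}")
        else:
            findings.append(f"sender {sender} is not the client's address on file")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To {reply_to} differs from the From address")

    body = msg.get_payload()
    name = re.search(r"^Account name:\s*(.+)$", body, re.M)
    bsb = re.search(r"^BSB:\s*([\d-]+)$", body, re.M)
    account = re.search(r"^Account:\s*(\d+)$", body, re.M)
    if name and name.group(1).strip().lower() != client["name"].lower():
        findings.append("account name differs from the client's name")
    if (bsb and bsb.group(1) != client["bsb"]) or (account and account.group(1) != client["account"]):
        findings.append("BSB or account number differs from the details on file")
    return findings


def needs_verbal_confirmation(raw_email, client):
    """Hold the payment and phone the client on a known number if anything was flagged."""
    return bool(check_payment_instruction(raw_email, client))


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", check_payment_instruction(raw, CLIENT_ON_FILE) or "no flags")
```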
Just got back from an awesome vacation, and yes, my cape is always on…
To address your questions, firstly, phone cloning is about having access to the phone and duplicating the SIM card. The likelihood of this happening, although possible, is considered relatively low. Because MFA is something you know and have, you would still need to know other information besides that gained from the cloned SIM card.
Also, offering practitioners the ability to choose their own PEXA name is part of our technology roadmap.
Today, what we have is MFA at login. Our teams are actively working on additional security validations that will be rolled out in the future. For example, cyber security, as we know it today, relates to three elements: something you know, for example your password, something you have, for instance, your phone, and something you are, biometrics. Our goal is to drive towards a seamless experience, and very much like Microsoft and Google, only ask for your validation when the three elements don’t match up.
On our secure digital communication… that’s a great question. However, I’m unable to provide more details here – you’ll have to wait for the announcement and I have a feeling that you’ll be excited at what’s to come. I’m looking forward to answering your questions then!