Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management
ISMG Editors: Growing Fallout From the Snowflake Breach
Also: Tackling Online Fraud; Highlights From ISMG's Midwest Summit Anna Delaney (annamadeline) • June 28, 2024In the latest weekly update, Information Security Media Group editors discussed the fallout from the recent Snowflake breach and its impact on 165 companies and their users, the ongoing challenges in combating online fraud, and takeaways from ISMG's cybersecurity summit in Chicago.
See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor, ISMG Asia - discussed:
- Highlights from ISMG's North America Midwest Summit, which featured an exclusive keynote address by U.S. Rep. Bill Foster of Illinois, covering technology, governance and artificial intelligence;
- How social media platforms, particularly Meta, face criticism for their inadequate reporting mechanisms and lack of accountability in addressing scams, which persist despite numerous user complaints and regulatory efforts worldwide;
- The latest victim of the Snowflake breach, Neiman Marcus, which reported that nearly 65,000 customers' personal information was exposed as part of a larger campaign affecting about 165 Snowflake customer accounts.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 14 edition on whether AI will survive the data drought and the June 21 edition on how Medibank's lack of MFA caused a data breach.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this week, we'll discuss the recent Snowflake breach and its impact on yet another victim, the ongoing challenges in combating online fraud, and takeaways from the ISMG Cybersecurity Summit held in Chicago last week. The gang today includes Tom Field, senior vice president of editorial, Suparna Goswami, associate editor at ISMG Asia, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Excellent to see you all.
Tom Field: Thanks for having us over to the cookout.
Suparna Goswami: Welcome back!
Delaney: Tom, on last week's Editors' Panel, you told us that you were looking forward to the ISMG Cybersecurity Summit in Chicago. So how did it go and what are the takeaways we need to know?
Field: It did not disappoint. It was our Midwest Chicago event. We've been doing Chicago events for over a decade now. Good attendance, good speakers and excellent engagement throughout the day in terms of the sessions we had, the exercises and the roundtables I hosted. Also the video studio that our friend Michael was hosting throughout the day. No surprise - AI remains the hot topic in a couple different ways. We had panels on how AI is being used in cybersecurity defenses. We talked about the threat landscape. So if you divide it down to the threat landscape and defenses on the threat landscape, a lot more talk about deepfakes, particularly with financial institutions, and they're concerned about those with account takeover and even starting new accounts - impersonations - same thing leads to a lot of fraud. And then you hear consistently about the relentless phishing attempts. Not just the sophistication of the emails that are being used, or whatever is being used to socially engineer the prospective victims, but just the relentlessness - the scale of it. Those are things that people are talking about. In terms of defenses, a lot more talk about using generative AI to enhance the work of SOC analysts to bring information together and help separate some of the false negatives and positives. More on malware analysis, which has been called the killer app of gen AI by some CISOs. Interestingly, more CISOs are now talking less about what they're doing internally with gen AI but are asking the question, what are my vendors doing? And asking a lot more about how their key partners are using gen AI and to what benefit. In addition to the AI topics, certainly we discuss supply chain security, software and business supply chain, as well as the staffing and skills crisis and what organizations are doing to try to make cybersecurity positions more attractive to increasingly whoever is curious. It's not that they're looking for specific certifications or experiences, but curious people who want to come in and learn, and we can work with them. In addition to that, we had our solutions room, which you've run, where we bring in a deepfake incident and do a tabletop exercise with the entire room, aided by our own CyberEdBoard members, as well as in this case, the Secret Service and Mandiant, which is a part of Google Cloud. Terrific event. People love that so much - the exercise. And we bring people up on stage and talk about it. This deepfake topic resonates. To summarize the exercises, on a weekend, the CFO hears from the CEO with a video message saying, there's an imperative to wire $5 million immediately for a business transaction. Don't tell anybody else about this. We don't want word to get out. Do it now, and the CFO does it. It's fraudulent. What happens? So the topic certainly resonates, and a lot of our attendees are taking these exercises, bringing them back to their organizations, following up and using them to see discussions with their own leadership and even with the board. So, I have a lot of fun with this, and I'm glad that it's getting such traction. So in summary, that's what we did in Chicago last week.
Delaney: Excellent. Did anything surprising come up in the deepfake scenario session?
Field: No, I wouldn't say anything surprising came up there. But I also moderated two different roundtables. One was on continuous exposure management and just trying to get a better handle on visibility into all the devices and networks and when the telemetry that's coming from them. But equally interesting and engaging was talking about the evolving threat landscape. We had a gentleman there from Mandiant sharing highlights of their latest threat report looking at the top threat actors and actions, as well as the reduction of dwell time. What stuck out to me talking to the CISOs in the room was the one who felt that he had his identity pretty well nailed down through the ubiquitous use of YubiKeys and he wasn't concerned about ransomware. He felt he could take care of that. He wasn't concerned about the software supply chain. Felt he had a good handle on that. But what he said is that the AI guy is the one that's going to bring me down, and that ceded a lot of thought to me and gave me something to bring back to our team that this is something we want to explore more with our audience, to find out what their concerns are and how some of those concerns might be addressed. But the AI guy is the one who's going to bring me down. That's a line that resonates.
Mathew Schwartz: Yeah, topical stuff Tom. With the elections happening, there's one in the U.S. later this year, but there's definitely one happening here in Britain on July 4, of all possible dates in the year. And there's been a lot of concern about deepfakes being used there. The malicious use cases are bad for financial stuff. There's been a lot of research showing that for elections, people tend to spot when stuff is junk, so that part at least is good, because there was a lot of concern about that 6-12 months ago, which I don't think is coming to fruition. So there are some good notes on the malicious AI front.
Field: Yeah, I'm not so sure we're as good at spotting junk in the U.S. as perhaps in the U.K. But that aside, I missed to mention that we did have an Illinois congressman, Bill Foster, who sat with me for our keynote discussion, and we had to talk about the upcoming election because we're going to be electing a president in November. It could be the president we have now. It could be the president we had before. But what that says is cybersecurity priorities are subject to change, and if they do, what are the ramifications of that? And I wish somebody had an answer, but nobody does. They're all big. This one's big.
Delaney: An excellent event, rich education. Thanks for sharing Tom. Suparna, you have written that a major barrier to combating online fraud is the difficulty of reporting scams on Facebook due to inadequate reporting options and responses. Just how bad is the problem?
Goswami: Oh yes, it was a topic that I found to be interesting, and that's why I happened to write a blog that Facebook does nothing to stop scams on its platform. So look at the kind of crimes committed on Facebook. You can get the best of phones and cars using stolen identities. You can open bank accounts and credit union accounts. The people on Facebook openly ask if you want to make quick money, and if you have accounts in certain banks, can you carry out these fraudulent activities? There is a group on Facebook called 'FRAUD UNIVERSITY', which has more than 7,000 members, and they teach you the various ways to commit fraud. And this is one of the several groups I'm mentioning here. This is not the only group, and what amazes me is how openly they write about it and talk about it. But if you try to report any of the scam content to Meta, which is Facebook's parent company, you won't find a scam or a fraud reporting option. So I'll give you an example. One of my contacts on LinkedIn also posted this on LinkedIn. He tried to report it to Meta. So first, as I mentioned, he did not find any reporting option. There was no scam or fraud option that was given. So what he did, he selected the next best, obvious choice, which was unauthorized sales. After reporting to the group, he waited for a week or so for a response to come. There was no immediate response. Now you think that Facebook would delete a group called FRAUD UNIVERSITY after it was being reported, but no. Facebook investigators did not think the group violated any of its guidelines. Even worse, after having reported the group to Meta, the scammers got together and reported him for harassment, and Meta subsequently took down his profile. So they did not take down the FRAUD UNIVERSITY group, but they took down his profile because he was harassing the group. I reported this because scams have a huge impact on banks as well. It is a known fact that a large percentage of scams originate on social media. Now, a report by the Federal Trade Commission says that one in four people who have removed reported losing money since 2021. They said that the scam started either on WhatsApp or on social media. A U.K. finance analysis of nearly 7000 authorized push payment fraud cases also found that 70% of the scams originated on online platforms like Facebook. But the reaction of Facebook is every now and then we will hear them that they are trying to work out ways to fight against the tools used by scammers. But even today, most of us have a difficult time getting the internet platforms to take down the scam sites. The problem is that Meta and other social media platforms have very little accountability or regulatory oversight. So I'll give you an example. Section 230 of the Communications Decency Act in the U.S. says that Congress explicitly protects social media platforms from liability for the content that users post on sites. Now, this act was back in 1996 and unfortunately, social media now is used for various scams like pig butchering, money mulling, crypto scams, disinformation, hate speech and others. Last month, two house representatives introduced a bill to kill Section 230 in an effort to force Congress to reform the law. But again, all the big tech companies rallied together to oppose it, and nothing has been done. Even in other countries, there has not been much of an effort. In the U.K., a few months back, they were rallying to get both telcos and those tech companies together. But again, there is no law as such. Australia will have a law in a few months, where both telcos and tech companies will be liable for scams, and not only financial institutions. So let's see what happens here.
Delaney: What do you think is needed to ensure better accountability and regulation on these platforms? Is it possible?
Goswami: Monetary penalties are the only effective incentive. The banks and the financial institutions, I keep talking to them. They do a lot to tackle fraud. Of course, they are not perfect, but they are doing a lot on their end to tackle fraud and everything, but their efforts alone will not solve the problem. Tech companies have to be made equally liable or equally involved, if not liable, but equally involved in tackling the scam. Without their involvement, the public will remain at high risk of online scams. Consumers need more protection, and it's not the big tech companies who need protection, but it's the consumers who need a bit more protection. Like I said, some countries are doing this. But still, a lot needs to be done. Like I said, even in the United Kingdom - they signed an online fraud charter last year, November 2023. But after that, very little action has been taken on that. So because it's huge money, the big tech companies don't have that incentive, and it's not a top priority for them because it's a bad thing. Everybody agrees, but it's just not a top priority for them because there is no financial liability that is involved. So why would they focus on this?
Schwartz: You are seeing some better defenses in the forms of banks here in the U.K. I have put a lot more checks in place when you go to pay for something, trying to get you to think twice about why am I doing this? Has someone told me it has to happen right away, which is a red flag. We had a lot of trouble with fraud and this sort of thing. Back in the days of print newspapers, you had people listing scams, running scams and stuff like that. There's no way newspapers could police that. Online criminals have taken those skills or that approach, and it's almost the equivalent of malicious classified advertising, and it's very difficult, if not impossible, I would say for social media firms to block this. So I don't know if holding them or trying to hold them liable is the right step.
Goswami: See, it would be difficult, no doubt about it. And like you said, the U.K. happens to be one of the few countries that have put a lot of liability on the banks. But like I said, it's not the banks who will alone be responsible. You gave a good example of newspapers, but in tech companies, if there is somebody who's reporting a scam on a group called FRAUD UNIVERSITY, at least you should have the reporting option for fraud or scam.
Schwartz: Definitely.
Goswami: But they have just been blind, and it's not that it's been told to them today. It has been there for years, at least post-Covid, but they have taken little action on that. So why have they not taken action? Maybe monetary liability is the way forward. Let's see.
Field: You make a good point so far. There needs to be a way to report this.
Delaney: Excellent points around. Time will tell. I'm not sure how much luck we get without Meta, but it's a serious issue. Mat, onto you. Another victim of the Snowflake breach has surfaced with Neiman Marcus reporting that nearly 65,000 customers' personal information was exposed as part of a larger campaign affecting about 165 Snowflake customer accounts. Just tell us about this latest development.
Schwartz: Those of you into luxury retail might know the name Neiman Marcus. It's a chain of about three dozen Neiman Marcus physical stores, also a couple of Bergdorf Goodman stores, another high-end luxury name there, and then a handful of things called Last Call, which I learned this week are their outlet stores, but these physical shops, as well as the online presence of what is now known as the Neiman Marcus Group, is notifying nearly 65,000 shoppers that their personal information has gone walkabout and may be getting used by criminals. So in terms of what was the breach, customer names, contact details, like email address, birth date, gift card numbers for any gift cards they may have purchased, although the PIN codes weren't stolen, so shoppers can rest assured that their gift cards are still intact. All this aside, this is yet another breach to come to light via an attack on Snowflake. As you mentioned, what is Snowflake? So hard to keep track of all of these upstart tech firms with these random names. This one has been around, as I again learned in the last couple of weeks, for a long time. It started as a data warehousing platform provider, and it's used by lots of companies so they can throw their data in there and do analytics with it. Other Snowflake users include Ticketmaster, owned by Live Nation Entertainment; Santander Bank; automotive parts supplier Advanced Auto Parts; and the Los Angeles Unified School District. What do these things have in common? They're not just Snowflake customers, they are also breach victims - thanks to their Snowflake account having been hacked. How did this happen? Now this is an interesting wrinkle. Snowflake gave customers the ability to enable multi-factor authentication - not in a great way. It had a single-enterprise-managed instance of Duo. Not that Duo gets bad reviews. But instead of offering a plethora of ways for customers to enable MFA, they had to opt into this one way. So because of that, or because of poor uptake or whatever, lots of Snowflake customers didn't have MFA enabled. The current count is about 155 customers who didn't have MFA enabled got hit by this Snowflake-customer-targeting campaign. The attackers wrote themselves a little tool that could use credentials they had obtained in other breaches. So for example, if you are user.com and your password is 'puppy' and you use that in Amazon, and they grab that from a breach or wherever, eBay, Amazon, whoever gets breached, they will try that on a range of other sites. They tried it on Snowflake, and they had an automated tool for logging them in using these credentials via Snowflake's web user interface, or there's also a command line tool they were hitting. They've come up with a lot of victims, and these victims have started to come to light because a Breach Forums' user - Breach Forums is a data leak market - a little like FRAUD UNIVERSITY - it does what it says in the tin. Breach Forums started to list a lot of stolen credentials that had a tag with the name of the utility that the attackers were using. So researchers have traced that back to an increasing number of known public victims of this campaign. Neiman Marcus - the most recent victim. But there are lots of other breach victim pools of data that they're advertising as well. For example, considering the Los Angeles Unified School District, a lot of students' and employees' data past and present got stolen and are being listed for sale. After it was listed for sale and nobody paid for it, apparently the attacker just dumped the data, as ransomware groups are wanted to do, because it gets headlines. So we're seeing that cycle as we've seen it before play out again with these Snowflake victims. I presume we're going to see a lot more come to light. The person who is part of the group that's leaking data said that some of the victims have already paid a ransom. You could expect them to try to cash in on the ones that haven't paid a ransom by making a big noise about the fact that this victim was breached and then probably leaking the data for free again, because it gets headlines, makes the group look bigger and better than it probably is.
Field: Mat, not that anyone's counted. But this is the fourth time Neiman Marcus has made it in the headlines for a significant breach. I'm thinking back in 2013, maybe 10 years ago in 2015 and then 2020.
Schwartz: That's correct. Their first big breach happened around the time of the Target breach.
Field: Right after.
Schwartz: And Neiman Marcus, following so quickly after Target, helped lead to things like the Payment Card Industry Data Security Standard that we now know to secure payment card data, because that had gone missing way back then. Neiman Marcus just settled. It was either that breach or a subsequent breach with a bunch of states in the last few years. So these things tick on very slowly. That was all with payment card data that got siphoned off by malware installed on point-of-sale systems. Thankfully, in this case, only the last four digits of payment cards allegedly got stolen. So they seem to have gotten better with their handling of payment card data, but retailers are still amongst the targets.
Delaney: I'm sensing a bit of sympathy in your voice when it comes to these victims who didn't implement MFA just because of the difficulty with the Duo account. Is that right?
Schwartz: Definitely. MFA everywhere is a great slogan, and especially with CISA in the U.S., the cybersecurity agency recommending that I've been putting this question to a lot of CISOs in recent months and also vendors who offer MFA or who tie into MFA, and what I'm hearing is, yes, enable it everywhere you can. Legacy systems can be a challenge. Cloud-based environments can be a challenge. Sometimes you have to pay more for your cloud environment to give you all the MFA options that you might want. So this should be much easier than it is, and just as the Neiman Marcus breach more than a decade ago helped usher in a new era of payment card data security, hopefully these breaches now are focusing attention on why wasn't MFA enabled, and what can we do or what should vendors be doing to make it easier? I hope we see a lot more pressure on organizations like Snowflake. After the breach, they've now detailed a bunch of new ways in which you can access MFA, including via open security standards, and they are pledging to provide a way to make it a default for an organization's users. So by default, everyone will have to do MFA, unless maybe they opt out. But that's then on them. That's what we should be seeing. Unfortunately, it's taken a breach to make Snowflake rethink it. Hopefully, this will be a lesson now.
Field: Invoking the spirit of our friend Jeremy Grant - not all MFA is created equally.
Delaney: Positive progress. Thank you, Mat! That was great. Educational as always. Thank you so much everybody.
Goswami: Thank you.
Schwartz: Thanks Anna!
Delaney: Thanks so much for watching. Until next time.