Phishing Archives - TechInformed
https://techinformed.com/tag/phishing/
The frontier of tech news. Feed last updated Wed, 18 Dec 2024 18:38:41 +0000

Getting SOCs for Christmas: Poundland’s cybersecurity journey and lessons learned
https://techinformed.com/poundland-socs-cybersecurity-journey-2024/
Wed, 18 Dec 2024 18:38:41 +0000

The post Getting SOCs for Christmas: Poundland’s cybersecurity journey and lessons learned appeared first on TechInformed.

It’s one of the busiest times of year for Jeremy McCourt, the IT security officer at UK value retailer Poundland. But it will all be OK because he just learned he’s getting SOCs for Christmas.

We must add that it is not the bargain variety you might find on the discount store’s own shelves, or the branded variety that cyber security vendors dispense at trade shows — although he does admit to liking these — but an external Security Operations Centre that can monitor and respond to security incidents around the clock.

“I’m finally getting my SOC! It was approved last week, so I’m happy to be getting a team for 24/7 coverage from a firm already very knowledgeable about our environment,” he says.

McCourt adds that having “eyes on the glass” 24/7 all year round will ensure that alerts are promptly addressed overnight and that triage is handled.

“It’s about having that staff augmentation and those extra capabilities and 24/7 coverage that I’m excited about. Especially leading up to Christmas when staff are off for a period. I want to take time off, too.”

For McCourt, the SOC means he might also have time to reflect on what has been an eventful year for his organisation.

Parent company Pepco acquired rival retailer Poundshop last year and inherited an e-commerce platform, creating new security challenges.

Jeremy McCourt, IT security officer, Poundland

 

Last month, the retailer also introduced an online web and mobile loyalty programme, Poundland Perks, which has given the team additional GDPR, data protection, and data security issues to manage.

“These developments mean that we have taken a new step in terms of what we’ve had to manage and maintain, and it’s really putting the focus on the digital side of our business,” he says.

“It’s made us look at where we have visibility from in terms of a basic GDPR perspective and whether we have the processes and procedures in place to accommodate these protections.

“It’s also introduced a lot of new challenges not only from a capability perspective but from a capacity perspective,” he adds.

 

Structure

 

Given the organisation’s size, McCourt says he manages a relatively small security team. The London-based Pepco Group encompasses 850 Poundland stores in the UK, along with Dealz stores in Ireland and Poland.

The Pepco brand also has 4,500 value stores in 20+ European countries. Another part of the business is China-based PGS, which helps with supply chain management and product acquisition.

“My role is specifically at Poundland and Dealz, and I have counterparts that work independently at Pepco and PGS. We all help support our parent company,” McCourt explains.

“Compared to other categories of business, we have a relatively small IT team for what we manage and maintain. So really, it’s a prioritisation of products and projects as well as ensuring that we dedicate time to increase the resiliency of our internal processes,” he says.

“It all boils down to that security triad of ‘confidentiality, integrity and availability’ into the digital estate,” he adds.

 

Hungarian phishing attack

 

According to McCourt, cyber awareness training has always been central to Poundland’s security posture — even before Pepco disclosed that a phishing attack earlier this year caused one of its European branches to lose €15.5 million (roughly $16.8 million).

Initial reports suggested it was a BEC (Business Email Compromise) attack, while others described it as a sophisticated phishing attack, in which scammers impersonated trusted entities to trick people into revealing sensitive information.

Because the incident is still being investigated by the Hungarian police, Interpol, and other law enforcement agencies, McCourt says he can’t provide details.

“I can’t comment on what happened, but I can say what it wasn’t; it wasn’t a BEC attack. But ultimately, there were elements of phishing and communication through nonstandard company protocols, which resulted in quite a loss overall,” he says.

 

Poundland’s store managers will also receive cyber awareness training

 

In terms of lessons learned, McCourt says the group has added more processes and procedures around how transactions occur.

The key message he wants to convey to staff is that if something doesn’t feel right, they should try and verify it “because, in this case, as well as the issues caused by the attackers, there was also some breakdown in the process,” he adds.

Verification may even involve picking up one of those old-fashioned devices called ‘telephones’ and checking with a line manager or CFO before making large or unusual transactions.

Poundland has been working for about a year with KnowBe4, a security awareness training platform that runs regular security exercises such as simulated phishing campaigns.

Initially, McCourt used the platform for small-scale phishing exercises, but the programme recently expanded to 1,600 users.

The intention now, he adds, is to roll these regular training exercises out at a group level and add the training to its physical retail store environment, bringing the total number of Pepco users to 10,000.


According to Javvad Malik, KnowBe4’s lead security awareness advocate, most exercises can be reduced to empowering staff to say no to something and ensuring they verify requests.

“That is probably your biggest defence. And if the phone isn’t the norm, it should be the norm.

“Or, some other process needs to be put in place because while it’s true that AI and deepfakes are on the rise, ultimately, they still target human emotion and trigger someone into doing something within a short time while trying to establish some authority.”

 

Thinking fast, thinking slow

 

Malik says that nearly every work-based social engineering attack has three core components. The first is the attacker asserting an authoritative identity. “They will either try to claim to be your boss, a partner, or someone important.”

Then, he says, there is ‘the ask’: “This is often strange or not business as usual, like ‘we’ve just swapped banks’ or something that is not a regular occurrence.”

The third aspect is time pressure: “The tone usually is ‘I’m the CEO, and we need to make this payment to a new partner, and we need this to happen within the next two hours, or we’re going to lose the deal.’”

Javvad Malik, security advocate, KnowBe4

 

Malik says the only way to avoid falling for such scams — whether it’s an apparent physical likeness of a CEO on a video conference call or an urgent email sent from an official-looking address — is “to slow down, take a deep breath, and reevaluate.”

The security expert cites a book by Nobel Prize-winning psychologist Daniel Kahneman, Thinking, Fast and Slow, which categorises thinking and decision-making into two systems.

“System 1 is your reactive brain, which is saying, ‘I’m pressured, I’m angry, I’m depressed, so I must react quickly,’ and that’s where most mistakes happen,” Malik explains.

System 2 results from slower, more rational thinking, which tends to occur when one takes a step back or consults with someone else.

“So, when you get an email or a video call asking for something unusual, take a moment, or better still, pass it on to someone else to have another pair of eyes on it. Or validate it, and your perspective becomes much more rational,” says Malik.

“For instance, if you get a letter through the door from HMRC informing you that you owe tax and need to pay immediately, your heart rate will immediately start to increase.

“But if your neighbour comes around and takes a look, they will be much calmer and can say, ‘Oh, look, this is a scam because of this, this, and this.’ It’s easier if you have someone else to bounce off.”

According to McCourt, Poundland is sending out phishing simulations once every few weeks.

“Sometimes the response is ‘You almost caught me with that one!’ but that’s not what this exercise is about. It’s about understanding the red flags and knowing what to do with them,” he says.

“The chances are the scam is going to more than one staff member, so if they know how to use that phishing alert button or to report it to IT Security, then that puts us in a good position to get those alarm bells going,” he adds.

When asked if Poundland has become a target since a store within its group fell prey to an attack, McCourt said: “We’ve had a couple of similar attacks that we could identify rather quickly, which all had the same M.O.

“We identified them very quickly and nipped them in the bud.”

Regarding other preventive measures Poundland takes, McCourt adds that the company continues to rely on Microsoft and other third-party tools to identify malicious emails.

Brands sharing cyber threat info would be the greatest Christmas gift, Poundland security leader says

 

Both Poundland and KnowBe4 (which itself was almost infiltrated by a fake employee/North Korean hacker earlier this year) have been publicly open about the security incidents they have experienced.

Do they think there needs to be more openness and information exchange about such attacks between companies rather than a secretive approach that might stem from concerns over reputational damage or loss of consumer or client trust?

McCourt says it would make his Christmas if firms shared a little more. “I think it’s important, especially for those CIOs and CFOs who do horizon scanning. It’s those individuals who start asking questions that I get involved with and start to answer.

“If there were more details in those reports that said, ‘These were the failings, and this is where people need to enhance their security footprint’, I’d be up for that.

“We all want to learn from each other. I don’t care if I’m talking to B&M or my other competitors because it’s all about keeping people safe. As soon as we lose trust in people, the threat field becomes more valuable for other criminals to get involved.”

Cryptocurrency market faces surge in scams amid investment boom
https://techinformed.com/navigating-surge-crypto-scams-2024-threat-landscape-cyjax/
Thu, 09 May 2024 20:51:57 +0000

The post Cryptocurrency market faces surge in scams amid investment boom appeared first on TechInformed.

According to a report from threat intelligence provider Cyjax, the recent resurgence of interest in crypto has been matched by a rise in sophisticated phishing scams and other malicious activities targeting the sector.

The crypto market had faced significant challenges in 2022 and ’23, including the collapse of major exchange FTX, but Bitcoin’s meteoric rise from $42k in January to a mid-March peak of $73k — before stabilising around $65k — has reinvigorated the crypto space and attracted a new wave of investors.

This influx, however, has been matched by a rise in malicious activities, ranging from romance scams to complex phishing operations and exit scams, underscoring the need for heightened vigilance among investors, according to Cyjax.

“At the end of 2022, the cryptocurrency market was seemingly eating itself alive, but 2024 has bounced back, and threat actors are cashing in on the opportunities it brings,” said Joe Wrieden, intelligence analyst at Cyjax.

The Cryptocurrency Threat Landscape Report – Q1 2024 – published last month – details the trending ways attacks have been carried out in 2024.

Romance scams or ‘pig butchering’

 

The resurgence of romance scams, also known as “pig butchering” scams — a term derived from the Chinese “shāzhūpán”, which describes fattening pigs before slaughter — has been particularly notable.

A romance scam, put simply, is when criminals create fake online identities to foster relationships and eventually defraud their victims.

Recent action by the U.S. Department of Justice to recover $2.3 million in cryptocurrency stolen through scams has brought attention to the severity of these fraudulent activities.

These scams are simple yet lucrative and are often connected to organised crime. They utilise inexpensive or forced labour to expand their operations, which has resulted in the theft of over $100 million in funds.

A significant operation was uncovered in Myanmar, where a “fraud factory” forced workers to execute scams, amassing $100 million in cryptocurrency from July 2022 to February 2024.

Sophisticated phishing attacks

 

Attackers have also become adept at exploiting vulnerabilities and social engineering tactics to impersonate legitimate cryptocurrency firms, tricking users into connecting their wallets to malware-infested sites.

The first quarter of 2024 saw a rise in phishing, including a sophisticated attack that resulted in over $700k in thefts on the MailerLite marketing platform.

Experts first attributed it to a ‘dangling DNS’ vulnerability, a type of security hole that attackers can exploit to redirect users to malicious websites. It later emerged, however, that the attackers had gained access to the admin panel by phishing a customer support employee.

The breach enabled the distribution of phishing emails masquerading as reputable cryptocurrency firms. These emails offered fake airdrops to lure victims into connecting their wallets to malware known as ‘wallet drainers’.

Unlike traditional scams, which require victims to transfer funds, wallet drainers simply require the victim to connect their wallet to the malicious code, significantly lowering suspicion.


‘Zero-value transfer’ attacks represent another sophisticated phishing technique to deceive cryptocurrency users into mistakenly sending funds to a fraudster’s address.

These attacks use addresses that closely mimic a legitimate recipient’s, often differing only in capitalisation. The attacker sends a transfer of zero tokens from the look-alike address to the victim’s address; because nothing of value moves, the transfer needs no approval from the victim, yet it still appears in their transaction history.

The objective is to make the victim believe they have previously interacted with this address, leading them to confuse it with a genuine address during transactions.

This method capitalises on users’ difficulty distinguishing between similar-looking addresses, allowing attackers to target multiple wallets simultaneously and wait for victims to fall into the trap.
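The defensive counterpart to the technique described above is a wallet-side check over transaction history. The following is an added example, not code from the Cyjax report or from any wallet project: it flags incoming zero-value transfers whose sender merely resembles an address the user has previously sent real value to, and it checks a destination address before a send. The addresses, the `Tx` record layout and the `SAMPLE_HISTORY` list are all constructed for illustration. It generalises slightly beyond the text: besides the capitalisation-only case, it also treats two addresses as look-alikes when they share the leading and trailing characters that a truncated wallet display shows, which is an assumption about how such displays abbreviate addresses.

```python
"""Address-poisoning ('zero-value transfer') detection over a wallet's
transaction history. Added example: the Tx record layout, the addresses and
SAMPLE_HISTORY are constructed for illustration and are not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    direction: str      # "out" (we sent) or "in" (we received)
    counterparty: str   # the other party's address, as the wallet displays it
    value: int          # token amount in smallest unit; 0 for a zero-value transfer


def looks_alike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when a and b are different strings a human would likely confuse:
    identical ignoring case, or identical in the leading `prefix` and trailing
    `suffix` characters (the parts a truncated display like '0x1234...Ef99' shows)."""
    if a == b:
        return False
    a_l, b_l = a.lower(), b.lower()
    if a_l == b_l:
        return True
    return a_l[:prefix] == b_l[:prefix] and a_l[-suffix:] == b_l[-suffix:]


def trusted_addresses(history):
    """Addresses the user has deliberately sent real value to."""
    return {tx.counterparty for tx in history
            if tx.direction == "out" and tx.value > 0}


def poisoning_candidates(history):
    """Incoming zero-value transfers whose sender resembles, but is not
    byte-identical to, a trusted address. Returns {lookalike: trusted}."""
    trusted = trusted_addresses(history)
    found = {}
    for tx in history:
        if tx.direction != "in" or tx.value != 0:
            continue
        for good in trusted:
            if looks_alike(tx.counterparty, good):
                found[tx.counterparty] = good
    return found


def check_destination(dest, history):
    """Pre-send check: 'ok' for an exact trusted address, 'lookalike' when dest
    only approximately matches a trusted address, otherwise 'unknown'."""
    trusted = trusted_addresses(history)
    if dest in trusted:
        return "ok"
    if any(looks_alike(dest, good) for good in trusted):
        return "lookalike"
    return "unknown"


# Constructed sample addresses (not real accounts).
GOOD = "0x1234aBcD1111111111111111111111111111Ef99"          # genuine counterparty
POISON_MIDDLE = "0x1234aBcD2222222222222222222222222222Ef99"  # same ends, different middle
POISON_CASE = "0x1234abcd1111111111111111111111111111ef99"    # same characters, lowercased
UNRELATED = "0x9999999999999999999999999999999999999999"      # zero-value, but no resemblance

# Constructed history: one real payment out, then three zero-value transfers in.
SAMPLE_HISTORY = [
    Tx("out", GOOD, 500),
    Tx("in", POISON_MIDDLE, 0),
    Tx("in", POISON_CASE, 0),
    Tx("in", UNRELATED, 0),
    Tx("in", GOOD, 100),
]

if __name__ == "__main__":
    for bad, good in poisoning_candidates(SAMPLE_HISTORY).items():
        print(f"suspicious zero-value transfer from {bad} (resembles {good})")
    for dest in (GOOD, POISON_MIDDLE, UNRELATED):
        print(dest, "->", check_destination(dest, SAMPLE_HISTORY))
```

Two design points: only outgoing transfers with non-zero value populate the trusted set, so a poisoning transfer can never make its own sender "trusted"; and `check_destination` reports `lookalike` rather than blocking outright, leaving the user a chance to paste the full address from a known-good source rather than from their transaction list.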

Exit Scams 

 

The report claims that exit scams, or “rug pulls,” have seen a disturbing rise, with attackers creating fake projects to siphon off investor funds.

Rug pulls typically involve creating a seemingly promising project to attract investment, only for the orchestrators to vanish with the pooled funds, leaving investors with worthless assets.

The process often relies on building trust through endorsements from influencers or reputable figures in the crypto world. Once the project is abandoned, confusion is created, community response is delayed, and theft is maximised.

A key tactic in these scams is ‘wash trading’, an illegal practice of buying and selling assets to feign high market activity and lure more investors.

According to the Cyjax report, the sophistication of these operations suggests a deep understanding of market dynamics and investor psychology.

Social media

 

Social media platform X — formerly known as Twitter — has also shaped the crypto scam landscape since Tesla boss Elon Musk bought it.

While malicious activity had occurred on Twitter before it became X, the report claims that the decision to transition X’s verification system to a paid-for model has inadvertently facilitated the proliferation of fake and impersonated accounts, leading to increased fraud.

Leveraging the perceived legitimacy previously conferred by the Twitter verification badge, fraudsters require minimal effort to execute highly lucrative scams.

Scam investigation firm ScamSniffer identified 1,517 accounts mimicking reputable companies like zkSync, Inscribe, and Optimism.

Cyjax warns that the ease and effectiveness of these tactics highlight a growing challenge in the digital trust landscape, necessitating increased vigilance from users and platform operators alike.

Account takeovers and malicious advertising have further compounded the issue, with notable incidents including the compromise of the SEC’s X account and the exploitation of the late ‘Friends’ actor Matthew Perry’s profile.

Last year, the social media app witnessed a significant exodus of advertisers, which the Cyjax report partly attributes to a surge in cryptocurrency-related scams facilitated through malicious advertising on the platform.

In December 2023, a notable scam operation exploited Google and X’s advertising systems to disseminate drainer malware, successfully pocketing $58 million.

What’s next?

 

The report concludes that the shift towards targeting individuals rather than systems represents a significant evolution in the threat landscape.

With an estimated $173 million stolen in Q1 alone, the trend of sophisticated scams, which leverage social media platforms and exploit the bullish market sentiment, is expected to continue.

“As we head into Q2, we expect to see scammers targeting newcomers more on social media platforms. As X begins to clamp down further on malicious attacks, threat actors may start to abuse other platforms such as TikTok and Instagram through short-form content,” added Wrieden.

Cyjax urges investors to exercise caution and scepticism as the crypto market continues its upward trajectory, particularly when engaging with social media platforms and seemingly attractive investment opportunities.

For tech leaders and investors navigating the volatile crypto market, staying informed and adopting robust security measures are essential to safeguarding investments against the ever-evolving threat landscape.

Wrieden concluded: “Crypto is continuing to rise, and the opportunities seem endless, but investors should be careful who they can trust because they’re not the only ones that see profits…”
