It's a Fake. (Or Is It?)

In This Issue:

  • This fake invoice scam is next-level
  • Unfixable iOS vulnerability? Meh.
  • Is the Zendesk breach a big deal?

This Fake Invoice Scam Is Next Level

We've all seen e-mail scams with fake invoices. As a general rule, these have been easy to spot for experienced internet users. For a certain (younger) segment of the population, they've never known a time where these sorts of email scams didn't occur. These scams are so common we almost don't notice them anymore. But what if we didn't, in fact, notice them? What if the fake invoice scam emails were so good, we actually thought they were legitimate?

This is the case with a new generation of fake email scam. These stories have the details: 

One of the most important quotes is: "They also gain access to all of the attachments and links used in the email correspondence, allowing them to create a fake invoice that looks entirely legitimate – because it will be almost an exact copy of template the compromised vendor uses to issue payment requests for legitimate services.

So legitimate is the request, and the timing of the attack so precise, that the customer will be expecting an invoice from the vendor – and the only difference in the invoice is the bank details, which mean that instead of the payment being made to the vendor, the money will be redirected to the bank account of the cyber criminals."

Who Is Reading Your CEO's Email? And How to Stop it has strategies for preventing Business Email Compromise (BEC) attacks, though we here at The Countermeasure humbly submit that such measures are only scratching the surface of what's needed to defend today's mailboxes.



We're well past the point that any one company can defend themselves entirely with internal resources. The bad guys learn from one another. Defenders must as well. Defending modern networks, and especially email, requires products in which any attack against any of the users of that product is learned from in order to defend all users. 

These are typically cloud-based Unified Threat Management (UTM) and/or Advanced Threat Protection (ATP) products backed by a vendor with a threat research team. Scale matters. The more samples that pass through the system, the better the chance that the vendor's AIs and research staff will spot it. Right now, this is our best defense. If, for some reason, you can’t engage with a large vendor who has an active threat lab, investigate whether or not something like this is available in your area: How the City of Angels Is Tackling Cyber Devilry

Read More >

Unfixable iOS Vulnerability? Meh.

There's an unfixable vulnerability affecting iPhones and iPads! Panic! Disaster! Doom! ...ish.

The vulnerability in question requires physical access to the device. To make it work, attackers will have to connect to the device via USB: What can you do about the 'unfixable' exploit affecting almost every iPhone and iPad? While this is certainly a major vulnerability, it does place the issue square into the category of "how much you should panic really depends on your threat model."

If your threat model includes governments or law enforcement agencies, which can require you to physically turn over your phone to them, then it's probably time to pay serious attention to this vulnerability. If your only real concern is someone gaining access to the data on a device after stealing the device, then you can probably mitigate the risk with a more aggressive remote device wiping policy for affected models. 

This isn't to underplay the severity of the vulnerability, however: Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer. But it is worth bearing in mind that when physical device access is required to trigger a vulnerability, there are steps that can be taken short of bulk replacing entire fleets of devices.


The standard advice for these situations is to keep your phone with you at all times, instead of leaving it unattended for random people to rifle through. We hope that most readers would do that anyway; however, we're all human, and we all make mistakes.

Planning for how to deal with mistakes is the job of infosec types, so this vulnerability is an excellent excuse to review device wiping policies.

How hard it is for you to wipe devices remotely? How hard is it for an employee to request a device wipe, or to trigger one themselves?

That said, this vulnerability also means it’s time to carefully reconsider your mobile threat model, and make hard choices about whether or not a fleet refresh is now required.

Read More >

Zendesk Breach a Big Deal? Too Soon to Tell.

Way back in 2016 (remember that fun year?) there was a data breach. No, not that one. Or that one. Or that other was Zendesk discloses 2016 data breach. Compared to other data breaches of the day, it wasn't that large: Zendesk clocks 10,000 accounts accessed by miscreants before November 2016. Despite this, it's generally not a good thing when malefactors get access to your ticketing system. Those ticketing systems tend to contain detailed lists of all the ways in which your IT apparatus is vulnerable.


If you’re a Zendesk user, and there's even a chance that you fall into the scope of the affected users, then it's time to review any outstanding tickets from 2016 or earlier, and start solving any and every remaining vulnerability—with alacrity.

Read More >

Breach Response Report Card

A+ for ANU: ANU incident report on massive data breach is a must-read 

Room for improvement: DoorDash hack spills loads of data for 4.9 million people. Doordash hashed and salted passwords. Huzzah! But we don't know which algorithm was used for hashing, and this could make those passwords vulnerable, if an outdated algorithm was used.

Failing grade: Dunkin do-nots: Deep-fried cake maker did not warn its sugar addicts that crooks raided web accounts, says NY AG. To quote the article: "The Attorney General is now filing suit against the donut chain in hopes of getting back some of the money lost to the thieves, claiming the chain has violated the state's data breach notification statute as well as consumer protection laws that require companies to accurately disclose the measures they take to protect customer accounts."

IoT Gloom and Doom

Podcast of the Week

Smashing Security #148: Billboard boobs, face forensics, and Alexa gets way too personal – Carol Theriault and Graham Cluley, Smashing Security.

Resource of the Week

'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities.  While aimed at municipal governments, this guide contains useful advice for anyone concerned about ransomware.

Provocation of the Week

No matter how many times you change DevOps to DevSecOps, everyone knows you're not really doing the security part... – Jake Williams - @MalwareJake.

Quick Links

Get Your Copy.