In brief Business email compromise (BEC) continues to be a multibillion-dollar threat, but it’s evolving, with the FBI and other federal agencies warning that cybercriminals have started using spoofed emails to steal shipments of physical goods – in this case, food.
Along with the Food and Drug Administration’s Office of Criminal Investigations and the US Department of Agriculture, the FBI said several US food manufacturers have already fallen victim to scams, many of which involved fake orders for hundreds of thousands of dollars worth of a single item: powdered milk.
The FBI considers BEC attacks to be one of the most financially devastating online crimes, claiming it netted criminals nearly $2.4 billion in 2021 alone. The method involves a criminal compromising a legitimate account and, traditionally, using it to send fake invoices to trick a busy business into paying for a service that wasn’t provided.
“In recent incidents, criminal actors have targeted physical goods rather than wire transfers using BEC tactics. Companies in all sectors—both buyers and suppliers—should consider taking steps to protect their brand and reputation,” the federal agencies said in their joint advisory.
But why powdered milk?
It appears to go back to the Chinese baby formula scare of 2008, in which milk powder adulterated with melamine killed six children and hospitalized thousands more. Chinese parents are allegedly still wary of domestically-made milk powder, which has led to foreign brands commanding a premium inside China.
Rings of powdered milk smugglers have been broken up before – like the Australian ring disrupted in 2019 that was shoplifting powdered milk and reselling it overseas. The escalation from shoplifting to shipmentlifting is, if nothing else, black-market capitalism in action.
In the joint advisory, the FBI, FDA and USDA said one victim was left on the hook for $160,000 worth of stolen milk powder after responding to one fraudulent request, while another had several orders totaling nearly $600,000 picked up without any idea something was wrong until payment wasn’t received.
There’s nothing different about the guidance the agencies put out to avoid a BEC attack that steals physical goods instead of cash: Keep an eye out for typos and slight variances in spelling or business name, ensure hyperlinks in an email redirect to a legitimate URL and when in doubt contact the company directly to verify their request.
The Learning Channel hacked, nearly 1TB of data stolen
Cyber extortion group Karakurt has added The Learning Channel (TLC) to its list of alleged victims, and says it’s ready to leak 931 GB of the company’s “scripts, videos, internal documentation,” and employee information if the company doesn’t pay up by December 23rd.
Karakurt, which is believed to be affiliated with ransomware group Conti, has been on the FBI, CISA and US Treasury Department’s radar since at least this past June, when the agencies issued a joint advisory warning of the threat posed by the group.
The Karakurt gang are believed to gain access by, among other things, buying compromised account credentials. The group has reportedly resorted to harassing and bullying the employees and business partners of its victims in an effort to extort them into paying.
According to the agencies, Karakurt is indiscriminate in its targeting, and has demanded payments of between $25,000 and $13 million to not leak stolen data. Karakurt isn’t known to deal in ransomware, and instead is a pure extortion operation.
TLC is a subsidiary of Discovery, which also operates HGTV, Cinemax and other television networks. Karakurt’s claims to have infiltrated the network are unverified and its ransom demands are unknown. It doesn’t appear Discovery has acknowledged the breach as of writing, and we’ve reached out to learn more.
Cloudflare offers free zero-trust to small critical infrastructure firms
Content delivery network Cloudflare is launching an initiative to protect small businesses operating in critical infrastructure sectors that will provide its zero trust platform free of charge – if they qualify.
Dubbed “Project Safekeeping,” Cloudflare said the initiative is necessary because the volume of attacks faced by companies in critical infrastructure sectors, like healthcare and energy, are overwhelming for even the largest firms.
“Smaller organizations typically do not have the capacity to manage relentless cyber attacks,” Cloudflare said.
The products Cloudflare is prepared to offer will be free and will have no time limit, the company said, and will include real-time app user verification, traffic filtering, cloud application security, data loss prevention, email security and remote browser isolation. DDoS protection and Cloudflare’s web app firewall are also included.
Unfortunately, the list of what it takes to qualify is pretty restrictive.
Only companies located in Australia, Japan, Germany, Portugal and the United Kingdom can apply, and applicants also have to operate in a sector their government has deemed “critical infrastructure.”
Those meeting that pair of criteria will have to face a final filter: A headcount of no more than 50 people and/or an annual revenue/balance sheet total less than $10 million US dollars. There’s no word on whether growth would result in loss of access, but it’s safe to assume Cloudflare would want successful customers to start paying it at some point. ®