Infosec In Brief New York State is suing bank-owned peer-to-peer payment app Zelle, claiming that the banks behind it knew fraud was rampant on the platform but allowed scammers to conduct business with impunity.

New York Attorney General Letitia James’ office last week announced that it had sued Early Warning Services, LLC (EWS), the company behind Zelle, accusing it of fraud and seeking an unspecified amount of monetary restitution from the company on behalf of New York residents who were victims of fraud on the platform between 2017 and 2023.

EWS’ member banks include JPMorgan Chase, Bank of America, and Wells Fargo, which tasked the company with creating a bank-owned alternative to P2P platforms like Venmo, PayPal and Cash App. Zelle, which launched in 2017, was the answer EWS developed, and James’ office said it was a mess from the start.

EWS designed Zelle without critical safety features, allowing scammers to easily target users

“EWS designed Zelle without critical safety features, allowing scammers to easily target users and steal over $1 billion,” the NYAG’s office said. Zelle allegedly lacked important verification steps during registration that allowed users to sign up with accounts that closely mimicked known brands. Then the scammers used those legit-sounding accounts in schemes that used deceptive tactics like convincing users to send a delinquent bill payment through Zelle.

Because Zelle was designed to facilitate rapid payments, fraud victims were left with little in the way of restitution. James’ office claimed banks would typically tell victims that there was no way to retrieve stolen funds.

“When Zelle launched, EWS did not require participating banks to report scams,” the AG’s office continued, adding that even when the company received fraud reports it rarely removed fraudsters’ accounts with any timeliness. Even when the company developed safeguards, it ultimately “failed to adopt them,” James’ office noted.

Elected officials have complained about rampant fraud on Zelle, and the feds even launched an investigation during the Biden administration. James’ office noted that the matter was shuttered as the Biden Justice Department wound down, leading to this latest lawsuit.

“I look forward to getting justice for the New Yorkers who suffered because of Zelle’s security failures,” James said in a statement.

Netflix isn’t emailing you a job offer, sorry

The team at antivirus software vendor Malwarebytes received an email that claimed to be from Netflix seeking “a visionary marketing leader” for a VP position at the company – an obvious scam that was definitely sent to the wrong person.

Malwarebytes reported that clicking on the link to schedule an interview with “Netflix” immediately produced up a website block noting that the site was a phishing domain. Bypassing that led to a webpage that was a “mix of content copied from the actual Netflix site and of the phishing campaign,” which ultimately tries to hijack Facebook credentials. Even clicking on “Continue with Email” on the fake signup page redirects to Facebook, per Malwarebytes.

If you don’t have endpoint protection that blocks webpages (from Malwarebytes or anyone else, for that matter), then catching this campaign relies on looking at URLs (all of them are phishy looking, with missing letters and other suspicious signs).

Canadian Parliament hacked

An unknown malicious actor last week breached the Canadian House of Commons, CBC News reported last Thursday.

Parliament hasn’t revealed many details of the attack, but Canada’s Communications Security Establishment (CSE) confirmed the incident and investigation to public broadcaster the Canadian Broadcasting Corporation. According to an internal email acquired by the news agency, the stolen data included employee names, job titles, office locations, email addresses and information about their government-managed hardware.

While Canadian officials have yet to determine who was behind the attack, discovered on Friday, August 7, a recent bulletin from the CSE warned that China, Iran and Russia are all increasingly targeting Canadian systems for various reasons.

China, the CSE claimed, often wants to break into Canadian systems to access intellectual property, while Iran spies on its foes. Russia, while not the top threat (that’s China, the CSE noted), is targeting Canada due to its role in NATO and support for Ukraine.

Adding insult to injury: Crypto scam victims being targeted by fake lawyers

Scammers are posing as lawyers and offering to recover funds stolen from victims of cryptocurrency scams.

The FBI last week warned: “This scheme combines a number of exploitation tactics including targeting vulnerable populations, particularly the elderly; exploiting victims’ emotional state and financial need to recover funds from a previous scam; and giving victims the sense of safety and security by impersonating or falsely affiliating themselves with multiple government entities.”

Signs of these scams are not hard to detect, as the fake lawyers won’t provide credentials, ask victims to send payment to a third party, or seek payment in crypto or gift cards.

Kryptos solution for sale

Erected in 1990 by US sculptor Jim Sanborn at CIA headquarters, the sculpture Kryptos contains an encrypted message that nobody has completely solved for nearly 30 years. In November, the 30th anniversary of its installation, the secret could be revealed.

Sanborn’s original drafts and proof-of-concept prototype will hit the auction block in November, when RR Auctions expects it to fetch between $300,000 and $500,000. The original plaintext of the message, scale models of the sculpture, and coding charts used to encrypt the message are all included in the lot.

Crypto-crackers have already deciphered three of the four panels on Kryptos, revealing a series of cryptic messages that, according to Sanborn, just might point to a fifth, as yet undiscovered riddle to tackle.

Whoever wins the auction is under no obligation to reveal the sculpture’s secrets.

“One bidder will acquire what Sanborn alone has possessed since 1990: the complete solution to Kryptos,” RR Auctions said in its description of the event. “While the copper sculpture will remain forever at Langley, its greatest secret passes to a new guardian.” ®