(In)Secure digest: “shadowy” Amazon, de-anonymization of Northern Ireland police officers and pseudo-hackers
31.08.2023

In our traditional (in)Secure digest we’ve gathered news on the recent leaks. Plenty of confidential data related incidents happened this month: in Australia, the data on a cybersecurity survey participants was inadvertently disclosed; in Northern Ireland data on police officers was exposed; in India an employee was caught leaking data (once again).

A school bus for a hacker

What happened: fraudsters stole more than $6 million from New Haven schools by impersonating the city school district’s official.

How it happened: like many classic BEC attacks, this story began with the compromise of a legitimate email account. The victim of the hack was the chief operating officer of the New Haven Public School system. The officer was the "perfect" victim for cybercriminals, as he was responsible for reconciling payments from the budget and sending them to the finance department at City Hall for final approval.

After gaining access to his email account, the attackers monitored correspondence with vendors providing various services to the school system. Up to the time of discovery, with the help of impersonation technique, malicious actors managed to successfully perform six different cyberattacks and stole approximately $6 million. 

The mayor's office placed a finance department employee on leave while a financial and information security review was in progress, and suspended all electronic payments to the school system except for payroll transfers. The latter helped prevent a seventh fraudulent transaction in early July.

 

Officers without cover

What happened: the personal data on all officers and civilian employees of the police service in Northern Ireland was accidentally published.

How it happened: A datasheet was mistakenly published in response to a request for information. It contained details of all current members of the Police Service of Northern Ireland (around 10,000 people), such as: 

  • Surname
  • Initial
  • Rank or grade
  • Location and department.

The police received a request from a citizen on 3 August to tell the number of officers at each rank and number of staff at each grade. 

However, inadvertently, instead of a numerical table the large Excel spreadsheet with confidential data was prepared and shared. The file was published online and remained publicly available for about 2.5 hours, lately it was deleted on the PSNI's request.

 

"It wasn't me, it was a hacker."

What happened: an administrator at a Canadian municipality tried to cover up the theft of more than $500,000 with a fictitious cyberattack and forged documents.

How it happened: Amber Fisher worked for the municipality of Gilbert Plains, Manitoba, since 2018. Between September 2020 and June 2021, she made 33 transfers from the municipality's bank account to her personal account. The overall sum of transfers exceeded $500,000 Canadian dollars. The incident was detected in the summer of 2021 after the credit union notified the municipality of a large transfer to Fisher’s account. The official was then suspended from her job.

However, Fisher said she was the victim of a cyberattack and claimed that an investigation was already in process. A week after she was suspended, she returned to her workplace. The municipality's auditors asked her for bank statements several times in late 2021, and in January decided to send a request directly to the credit union. Fisher didn’t provide the statements until March 2022, but it was later discovered that her versions of the documents differed from the originals, probably, they were forged.

She also provided a draft of the audit report, investigating the alleged fraud. It was stated in the document that the official wasn’t involved in illegal activities. But the auditors doubted the authorship of the document. When the auditors shared their suspicions with the municipality's management, the woman was suspended again.

A third-party accounting firm revealed that the employee had transferred $532,000 to her account and also paid herself $15,000 for working extra hours. Gilbert-Plains didn't file a lawsuit against Fisher until a year later, according to which she had only reimbursed $17,000 and owed another $515,000.

 

"Your opinion is very important to us (and not only for us)"

What happened: the Australian government accidentally disclosed the personal data on participants of a cybersecurity related topic survey.

How it happened: The background of the incident is related to the Cyber Warden programme, an initiative, aimed at enhancing of the small companies employees’ competencies in information security related issues. It was initiated by the Council of Small Business Organisations of Australia (COSBOA). At the preparatory phase, a survey by the 89 Degrees East was requested. Between November and December 2022, 2,100 people, both owners and employees of small companies, took part in the online survey.

But the unintentional disclosure of some survey participants’ data happened only six months later. In May, the Australian government awarded the Cyberstrategy programme with a 23 million Australian dollar grant. The budget was allocated without competition, so the government needed to report back to various enquiries about the programme those were sent to the country's Prime Minister.

The government sent documents on Cyberstrategy in response to the requests. Only after the materials were published on the parliamentary website, it was discovered that they also included a report, containing the personal data of more than 50 survey participants:

  • Names
  • Company names
  • Contact details.

 

Renting a car without a driver

What happened: the perpetrators stole 19 cars, by renting them with the help of the stolen data.

How it happened: Tyrell Oliver, 38, and seven accomplices figured out how to defraud a car rental service and not get caught. Firstly, they obtained Americans' credit card data and personal information. Oliver then rented cars using the illegally obtained personal data. His accomplices flew to airports on the US East Coast and in the Midwest and, using fake driver's licences and fake credit cards, took the cars. With the help of this scheme they managed to steal at least 19 vehicles, including BMW X7, GMC Yukon, and Chevrolet Suburban SUVs, the overall price of the cars stolen exceeded $1 million.

In July, charges of wire fraud and identity theft were filed against the group.

 

Printed exam

What happened: A regional Indian official has been caught leaking civil service entrance examination questions for the second time within a 10 years term.

How it happened: on 16 July, the Odisha Staff Selection Commission’s was planning to conduct a junior engineer exam.

Hours before the beginning of the examination, police officers arrested nine people at a hotel in the neighbouring state of West Bengal for leaking the exam questions, and the examination was postponed until early September. Eight more accomplices including the alleged mastermind of the scheme were arrested in late July. It turned out, that the mastermind of the scheme was an official working in the Accountant General’s office in Patna. The fraud scheme was as follows: the group would get a printed copy of the examination questions, deliver it to clients - candidates for the positions for which the test was conducted. If the questions on the exam matched the ones provided by the fraudsters, the examinees had to pay half the cost of the service immediately and half after the results were announced.

The police have also arrested the culprit behind the leak, an employee of the printing office where the exam material was printed. He had been communicating with the group leader over the phone for two months and confirmed five days before the exam that he would be able to provide fraudsters with the exam questions. 

It turned out, that it was the second time that the mastermind behind the scheme participated in fraud schemes with exam questions. He had earlier been caught in a similar incident, leaking examination papers for police entry exams.

 

"Breaking through" Amazon

What happened: a channel for selling insider services on Amazon's platform was detected in Telegram.

How it happened: journalists from CNBC figured out how the black market of intermediary services for sellers on Amazon works on the example of the Telegram channel Amazon Magic. Owners of third-party shops could bypass official procedures to solve problems related to work on the marketplace via this channel and some other groups in social networks and messengers.

For 200-400 dollars, users could order such services as quick restoration of a shop account, temporarily disabled for violations; removal of negative reviews; obtaining information about competitors. For example, according to the price list, for the sum of $180 the owner could get a screenshot of his shop's profile from Paragon, Amazon's internal system, and, having learnt the reasons for the temporary shutdown, make an appeal.

Intermediary services are in demand because the formal account recovery process can take months, what is unacceptably long for a business. According to the investigation, the services are not provided by Amazon employees themselves, but by intermediaries who seek insiders through LinkedIn.

Amazon representatives claim they are aware of the fraud schemes and are working with Telegram and other services to remove intermediary groups, however, the problem has been existing for several years yet.

Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.