Hacker electronically steals several hundred thousand dollars in town funds in Franklin
Franklin Matters posts a copy of an alert from Town Administrator Jamie Hellen that a town employee provided what should have been secure login information that enabled a hacker to drain $522,000 from town accounts.
Hellen says the hacker used "spear phishing," a form of "social hacking" in which a hacker learns enough about somebody to convince them through e-mail to provide login information. In this case, that meant providing access to the town funds.
Hellen did not provide further details, but said Franklin Police are now working with state and federal authorities to learn what happened and who's to blame, and that the town has hired an outside lawyer for a separate investigation.
Comments
Who's their IT guy?
Egbert Sousé?
Seriously, it's 2020 and if a simple login/password can access over half a million of a town's treasury without at least one person receiving any notification, then it was only a matter of time. They should also consider themselves lucky it wasn't emptied completely.
The thing is that now in America, crime pays. It's the new de facto law of Trümplandia. Top to Bottom, laws are for "suckers" and "losers", just like our Servicemen and women who die in combat.
So go for yours and grab anything that isn't nailed down. Because our govt is actively emptying the Treasury into Lobbyists' bank accounts and Senators are gaming the stock market, so us little people need to find our bootstraps and fend for ourselves.
Take it all, folks. As much as you can.
Because Justice and Liberty are out the window.
And we're all on our own.
Happy Friday!
So nothing has changed
from how it has always been.
Nothing
Nothing except for having a career criminal as president. If you really don't think Trump is different from past presidents, I'm afraid you're deluded.
high tech vs old school
You can implement as many pieces of software as you like to protect data, but the weakness is always the users.
https://xkcd.com/538/
Easy enough
No need to pick a lock when you can easily get a helpful person to hold the door open for you.
This is the same town that misplaced lots of mail-in ballots
resulting in a delayed count and result for the Congressional primary. Perhaps they need to replace their town government.
The City Clerk resigned
One would imagine that whoever did this is going to have a few trips to the HR department ahead of them.
Also, as I put it, they have recently instituted a new form of government. They are no longer the Town of Franklin. They are the (city of) the Town of Franklin.
Small-town government
Typically, the only people who take on the aggravation of serving in government in small towns are people who have some vested interest in its decisions: realtors, builders, lawyers for realtors and builders, and persons who see an opportunity in acting as an agent for those people. There are exceptions, but the ones who keep doing it year after year seem to be those vested interests. Actual competence at running governments is not their priority. See also: Republican Party.
Super-common tactic: much easier to get some guileless
schlub to let you in the back door than to try to knock down the portcullis. Chances are they'll never find the perp, and if they do, he'll be operating from a country that doesn't extradite to the US.
I've seen people who should know better fall for this and get canned. Every organization, public or private, needs to train employees to spot social engineering attacks. This is a big, profitable, global criminal enterprise, with state actors helping in many cases. Kim Jong-un practically funds his regime with ransomware. It's only going to get more prevalent.
It's not just guileless schlubs...
I used to have up-to-date knowledge about phishing and online fraud; I've been out of that space for a while, but my understanding is that a well-constructed spear-phishing attack against a sophisticated target (e.g., bank employees who are trained in cybersecurity) still gets a pretty high response rate.
Agreed: I mentioned one former colleague
with similar training (he was C-suite), still got phished (a convincing-looking email from his boss), resulted in expensive consequences, lost his job.
The targeting is getting more sophisticated and aiming for higher-value targets (it's called whale-phishing), because people higher up the org chart have more authority to wire big sums of money, broader access to sensitive data, higher tech admin privileges, etc.
But there's still value in compromising littler fish. Con an employee out of their credentials and you can more convincingly impersonate them to work your way up the chain. And too many organizations don't manage admin privileges effectively, baseline computer and network and data transfer activity in order to be able to detect anomalous behaviors, enforce good password discipline, use two-factor authentication on sensitive accounts, require two-person authorization for big financial transactions, have a programmatic process to install security patches and similar updates in a timely fashion, etc. Lots of vulnerabilities to exploit.
Email
I used to work for a small company where this ALMOST happened. The emails were very realistic. After that the rule was no money transfers without picking up the phone and talking to the person.
It gets worse. The bad guys
are using AI to iterate and refine emails to zero in on what works. It’s an arms race, and the attackers always have the first-mover advantage over the defenders.