A Review of the Best News of the Week on Identity Management & Web Fraud

15B credentials available on dark web; average price below $16 (SC Media, Jul 08 2020)
There are more than 15 billion stolen account credentials being sold or even shared for free on the dark web, with individual entries selling for an average of $15.43, a new research report states. Roughly one-third of the credentials, or about 5 billion, are unique, according to Digital Shadows…

E-Verify’s “SSN Lock” is Nothing of the Sort (Krebs on Security, Jul 04 2020)
“One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.”

The Fed shares insight on how to combat synthetic identity fraud (WeLiveSecurity, Jul 06 2020)
The Federal Reserve looks at ways to counter what is thought to be the fastest-growing type of financial crime in the country.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Anatomy of a Long-Con Phish (Dark Reading, Jul 02 2020)
A fraudster on LinkedIn used my online profile in an apparent attempt to pull off a wide-ranging scam business venture.

Treasury Releases Fraud and Money Mule ID Tips (Dark Reading, Jul 07 2020)
A new advisory from FinCEN helps financial institutions spot illicit activities and actors.

Russian Cyber Gang ‘Cosmic Lynx’ Focuses on Email Fraud (Dark Reading, Jul 07 2020)
Cosmic Lynx takes a sophisticated approach to business email compromise and represents a shift in tactics for Russian cybercriminals.

How to use G Suite as an external identity provider for AWS SSO (AWS Security Blog, Jul 06 2020)
“Do you want to control access to your Amazon Web Services (AWS) accounts with G Suite? In this post, we show you how to set up G Suite as an external identity provider in AWS Single Sign-On (SSO). We also show you how to configure permissions for your users, and how they can access different accounts.”

Considerations for Seamless CCPA Compliance (Dark Reading, Jul 02 2020)
Three steps to better serve consumers, ensure maximum security, and achieve compliance with the California Consumer Privacy Act.

Fresh Options for Fighting Fraud in Financial Services (Dark Reading, Jul 08 2020)
Fraud prevention requires a consumer-centric, data sharing approach.

Introducing ‘Secure Access Service Edge’ (Dark Reading, Jul 03 2020)
The industry’s latest buzzword is largely a repackaging exercise that bundles a collection of capabilities together and offers them as a cloud-delivered service.

New technique keeps your online photos safe from facial recognition algorithms (Help Net Security, Jul 02 2020)
In one second, the human eye can only scan through a few photographs. Computers, on the other hand, are capable of performing billions of calculations in the same amount of time. With the explosion of social media, images have become the new social currency on the internet.

CCPA enforcement to put pressure on financial organizations’ IT resources (Help Net Security, Jul 02 2020)
Enforcement of the California Consumer Privacy Act (CCPA), which begins on July 1, 2020, is going to put additional pressure on already overstretched IT resources and budgets, Netwrix reveals. Increase in DSARs: According to the survey, 32% of financial organizations have already seen an increase in data subject access rights requests (DSARs) since the CCPA came into force on January 1, 2020.

Nigerian Man Charged With Cyber Fraud Against US Companies (SecurityWeek, Jul 06 2020)
A Nigerian national appeared in federal court in Chicago Friday accused of orchestrating an international cyber fraud scheme that federal prosecutors say defrauded U.S. businesses in six states out of tens of millions of dollars.

BEC Busts Take Down Multimillion-Dollar Operations (Dark Reading, Jul 06 2020)
The two extraditions of business email compromise attackers indicate a step forward for international law enforcement collaboration.

IT pros indicted after arranging credit card payments for weed startup (Ars Technica, Jul 08 2020)
The marijuana industry is in a legal twilight zone that makes payments difficult.

Does First Amendment let ISPs sell Web-browsing data? Judge is skeptical (Ars Technica, Jul 07 2020)
Maine privacy law survives initial ruling on free-speech and preemption claims.

Federal Judge Upholds Maine’s Strict Internet Privacy Law (SecurityWeek, Jul 08 2020)
A federal judge on Tuesday rejected a challenge by internet service providers and upheld Maine’s “opt-in” web privacy law, one of the strictest in the nation.

New Fraud Ring “Bargain Bear” Brings Sophistication to Online Crime (Dark Reading, Jul 08 2020)
The ring tests the validity of stolen credentials to be used in fraud through an online marketplace.

Fraudsters Conducting Malvertising Campaign Via Inactive Domains (Infosecurity Magazine, Jul 09 2020)
Many of the second-hand pages download the Shlayer Trojan.

Russian Fraudsters Test Stolen Credit Cards Using Ecommerce Sites (Infosecurity Magazine, Jul 08 2020)
Fake product listings demonstrate link between content and payment fraud.