Further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday:

Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. 

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. 

I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypothetical information risks and see where it leads.

Firstly, corporate identity theft may not be as well publicised as personal identity theft but it is a genuine risk, as demonstrated through incidents such as:
  • Scammers seizing control of DNS records to redirect traffic from corporate websites to their own;
  • Scammers using fraudulently obtained or fake digital certificates, or exploiting browser vulnerabilities, to undermine HTTPS controls;
  • Phishing where victims are socially engineered into believing they are interacting with the website of the organisation used as the lure;
  • Fake apps, spyware and bank Trojans designed to steal login credentials and other confidential information while maintaining the facade of normality;
  • Cybersquatters registering domains similar to legitimate corporate domains with different extensions, typos or lookalike characters, intending to mislead visitors;
  • Counterfeiting, where branding, logos, packaging etc. are used to dupe victims (consumers and sometimes also retailers and corporate customers) into buying fake and usually substandard products;
  • Various telephone, email and social media scams involving misrepresentation and other social engineering methods to mislead and defraud victims who mistakenly believe they are dealing with legitimate companies, authorities or other trusted bodies.
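Of the items in that list, lookalike domains are the one a mail gateway or link scanner can check mechanically. As an added example (not from the original post, nor anything Travelex runs), this Python classifier flags sender or link domains that mimic a brand through lookalike characters, punycode, typos, a wrong suffix, or the brand name embedded in an unrelated domain; the brand name, the allowlist, the confusables subset and the minimal public-suffix rule are all constructed assumptions for the example.

```python
import unicodedata

# Constructed for this example: the legitimate domains trusted for the brand.
ALLOWLIST = {"travelex.com", "travelex.co.uk"}
BRAND = "travelex"
# Small subset of the Unicode confusables table (assumption; real tooling uses the
# full table): Cyrillic а е о р с х і ѕ and two digits mapped to the letters they mimic.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0456": "i", "\u0455": "s", "0": "o", "1": "l"}

def skeleton(label: str) -> str:
    """Reduce a DNS label to an ASCII skeleton so lookalikes collide with the brand."""
    if label.startswith("xn--"):                      # punycode label -> Unicode
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label)      # split accents off base letters
    label = "".join(c for c in label if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> str:
    """Label a sender or link domain relative to the brand's allowlisted domains."""
    labels = domain.lower().rstrip(".").split(".")
    # Minimal public-suffix rule (assumption): treat e.g. "co.uk" as a single suffix.
    n = 3 if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net"} and len(labels[-1]) == 2 else 2
    name = labels[-n]                                 # registrable name, e.g. "travlex"
    if ".".join(labels[-n:]) in ALLOWLIST:
        return "legitimate"
    if skeleton(name) == BRAND:
        return "lookalike: homoglyph or wrong suffix"
    if edit_distance(skeleton(name), BRAND) <= 2:
        return "lookalike: typo"
    if any(BRAND in skeleton(l) for l in labels):
        return "lookalike: brand embedded or used as subdomain"
    return "unrelated"

if __name__ == "__main__":   # constructed samples, including a punycode homoglyph domain
    for d in ["travelex.co.uk", "travlex.com", "trave1ex.com", "travelex-refunds.com",
              "trav\u0435lex.com".encode("idna").decode("ascii"), "example.org"]:
        print(f"{d:32} {classify(d)}")
```

Anything other than "legitimate" is worth a closer look before the call-back number or link in the message is trusted.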

Secondly, the breadth and depth of network security compromise involved in major ransomware and other malware incidents suggest an even more sinister threat: the ransom demand is merely a dramatic, shocking point in the course of the incident, an incident that started at some prior point when the first corporate system was hacked or infected. Since then, possibly for days, weeks or months, the perpetrators would presumably have been surreptitiously roaming around the network 'behind enemy lines', exploring the topography and mapping out controls, installing and preparing to trigger the ransomware (perhaps also disabling the backups), stealing and exfiltrating corporate information to reinforce the ransom demands (perhaps selling or disclosing it for kicks, or stashing it away for a rainy day) and who knows what else.

It is feasible, then, for the cybercriminals to have taken command of Travelex's external relations, including the website, the current holding pages and Tweets. They could all be fakes, the hackers pressing home management's powerlessness. How would we tell? Even the Travelex CEO's talking-heads videoblog concerning the incident could be part of the scam. Like many of their retail customers, I have no idea whether the person we've seen in the video is really their CEO or an actor, an imposter, perhaps a deepfake video animation.

Even if you find that lurid scenario untenable, there are less extreme possibilities worth considering. The fact is it's no simple matter to lock down a complex global corporate network following such a compromise, shutting out the hackers while also releasing official information, patching and securing systems, recovering compromised data and services, resuming internal corporate comms and keeping various external stakeholders in touch with developments. Maybe the hackers still have partial access (e.g. through covert backdoors) and limited control, enough to observe and meddle with the recovery activities, discredit and disrupt comms and so restrict management's freedom of action.

As with the Sony incident 5 years ago, there's a lot we can learn from Travelex's misfortune, through a blend of observation, analysis and supposition. All it takes is some appreciation of the information risk and security aspects, a vivid imagination, and the ability to draw out general lessons from the specific case. For example, under crisis conditions, normal internal and external corporate communications may be disrupted and untrustworthy ... so what can be done now to prepare for that eventuality? Recovering from a major cyber incident takes rather more than just 'invoking the IT disaster recovery plan'! February's security awareness module will have a gripping story to tell, for sure!