USN-6736-1: klibc vulnerabilities

It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)

Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)

USN-6735-1: Node.js vulnerabilities

It was discovered that Node.js incorrectly handled the use of invalid public
keys while creating an x509 certificate. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service. This issue only affected
Ubuntu 23.10. (CVE-2023-30588)

It was discovered that Node.js incorrectly handled the use of CRLF sequences to
delimit HTTP requests. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain unauthorised access. This issue only affected
Ubuntu 23.10. (CVE-2023-30589)

It was discovered that Node.js incorrectly described the generateKeys()
function in the documentation. This inconsistency could possibly lead to
security issues in applications that use these APIs.
(CVE-2023-30590)

Who Stole 3.6M Tax Records from South Carolina?

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond.

On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and Social Security number (SSN) to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

X.com Automatically Changing Link Text but Not URLs

Brian Krebs reported that X (formerly known as Twitter) started automatically changing twitter.com links to x.com links. The problem is: (1) it changed any domain name that ended with “twitter.com,” and (2) it only changed the link’s appearance (anchor text), not the underlying URL. So if you were a clever phisher and registered fedetwitter.com, people would see the link as fedex.com, but it would send people to fedetwitter.com.

Thankfully, the problem has been fixed.
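The flaw described above, reproduced as an added example (not X's code) beside a corrected rewrite that checks the parsed hostname and keeps the visible text tied to the real href; the sample link and the function names are constructed for illustration.

```javascript
// Added example, not X's code: reproduces the link-rewriting flaw described
// above next to a corrected version. A link is modelled as {href, text}.

// Constructed sample: a look-alike domain that merely ends in "twitter.com".
const SAMPLE_LINK = { href: "https://fedetwitter.com/track", text: "fedetwitter.com/track" };

// Buggy rewrite: substring replacement on the display text only. Any host
// ending in "twitter.com" is altered and the href is left untouched, so the
// visible text and the real destination diverge.
function rewriteLinkBuggy(link) {
  return { href: link.href, text: link.text.replace("twitter.com", "x.com") };
}

// Hostname check: exactly twitter.com or a subdomain of it, never a suffix match.
function isTwitterHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "twitter.com" || h.endsWith(".twitter.com");
}

// Corrected rewrite: parse the URL, act only on genuine twitter.com hosts,
// and derive the display text from the rewritten href so they cannot differ.
function rewriteLinkSafe(link) {
  let url;
  try {
    url = new URL(link.href);
  } catch {
    return link; // not an absolute URL; leave it alone
  }
  if (!isTwitterHost(url.hostname)) return link;
  url.hostname = url.hostname.replace(/twitter\.com$/, "x.com");
  const href = url.toString();
  return { href, text: href };
}

// Consistency check a renderer can run before showing a link: the hostname
// named in the visible text must equal the hostname of the href.
function textMatchesHref(link) {
  try {
    const hrefHost = new URL(link.href).hostname.toLowerCase();
    const shown = link.text.includes("://") ? link.text : "https://" + link.text;
    return hrefHost === new URL(shown).hostname.toLowerCase();
  } catch {
    return false;
  }
}

// Usage: the buggy path shows "fedex.com/track" over a fedetwitter.com href;
// the safe path leaves the look-alike link untouched.
console.log(rewriteLinkBuggy(SAMPLE_LINK), textMatchesHref(rewriteLinkBuggy(SAMPLE_LINK)));
console.log(rewriteLinkSafe(SAMPLE_LINK), textMatchesHref(rewriteLinkSafe(SAMPLE_LINK)));
```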

Cybersecurity’s Human Factor: Merging Tech with People-Centric Strategies

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In a digital era marked by rapidly evolving threats, the complexity of cybersecurity challenges has surged, pressing organizations to evolve beyond traditional, tech-only defense strategies. As the cyber landscape grows more intricate, there’s a pivotal shift towards embracing methods that are not just robust from a technical standpoint but are also deeply human-centric. At the same time, a significant percentage of employees, driven by the high demands of operational pressures, may engage in risky cybersecurity behaviors.

This reality illuminates the urgent need for a more nuanced approach to cybersecurity, one that not only fortifies defenses but also resonates with and supports the people behind the screens. Integrating human-centric design with continuous threat management emerges as a forward-thinking strategy, promising a balanced blend of technical excellence and user empathy to navigate the complex cybersecurity challenges of today and tomorrow.

Embracing the Human Element in Cybersecurity

Diving into the realm of human-centric security design and culture, it’s clear that the future of cybersecurity isn’t just about the latest technology—it’s equally about the human touch. This approach puts the spotlight firmly on enhancing the employee experience, ensuring that cybersecurity measures don’t become an unbearable burden that drives people to take shortcuts. By designing systems that people can use easily and effectively, the friction often caused by stringent security protocols can be significantly reduced.

Gartner’s insights throw a compelling light on this shift, predicting that by 2027, half of all Chief Information Security Officers (CISOs) will have formally embraced human-centric security practices. This isn’t just a hopeful guess but a recognition of the tangible benefits these practices bring to the table—reducing operational friction and bolstering the adoption of essential controls. This strategic pivot also acknowledges a fundamental truth. When security becomes a seamless part of the workflow, its effectiveness skyrockets. It’s a win-win, improving both the user experience and the overall security posture.

CTEM: Your Cybersecurity Compass in Stormy Seas

Imagine that your organization’s cybersecurity landscape isn’t just a static battleground. Instead, it’s more like the open sea, with waves of threats coming and going, each with the potential to breach your defenses. That’s where Continuous Threat Exposure Management (CTEM) sails in, serving as your trusted compass, guiding you through these treacherous waters.

CTEM isn’t your average, run-of-the-mill security tactic. It’s about being proactive, scanning the horizon with a spyglass, looking for potential vulnerabilities before they even become a blip on a hacker’s radar. Think of it as your cybersecurity early-warning system, constantly on the lookout for trouble, ensuring you’re not just reacting to threats but actively preventing them.

Again, Gartner’s insights into the future of cybersecurity reveal that by 2026, those organizations that strategically direct their security budgets towards CTEM will likely see a downturn in the number of breaches they suffer. This prediction stems from the efficiency CTEM brings into the security strategy, allowing organizations to prioritize and address the most critical vulnerabilities with precision. Rather than spreading their efforts thinly across all possible threats, firms can concentrate on fortifying their defenses where it counts the most. This focused approach transforms cybersecurity measures from a broad, somewhat random guard into a finely tuned, strategic defense system.

So, one could claim that embracing CTEM isn’t just about adopting new technology at this point. It’s a mindset shift. It’s accepting and recognizing the fact that in the vast ocean of the internet, being proactive isn’t just smart—it’s essential. With CTEM, you’re not just charting a safer course for your organization; you’re setting sail toward a future where cybersecurity is woven into the very fabric of your operations, a testament to your commitment to safeguarding your digital realm.

Fortifying Defenses with Identity Fabric Immunity

As we navigate further into the realm of sophisticated cybersecurity strategies, the concept of Identity Fabric Immunity stands out as a monumental innovation. This approach is designed to weave a comprehensive net of identity verification and management across an organization’s entire digital landscape. By 2027, the ambition is clear: drastically minimize the potential for attacks and significantly reduce the financial fallout from any breaches that do occur.

Integrating Identity Fabric Immunity with human-centric design principles presents a unique opportunity to bolster our cybersecurity defenses. This blend ensures that our security measures are not only technologically advanced but also intuitively aligned with the natural behaviors and needs of our users. It’s about creating a security infrastructure that is both invisible and effective, reducing friction for legitimate users while seamlessly guarding against unauthorized access.

This strategic fusion aims to prevent rather than just react to threats, marking a shift towards a more proactive and user-friendly cybersecurity stance. By prioritizing the user experience in the context of robust security measures, we can create an environment where safety and usability coexist harmoniously, setting a new standard for what it means to be secure in the digital age.

Imagining Tomorrow’s Success Stories

Exploring how organizations might integrate human-centric security design, Continuous Threat Exposure Management (CTEM), and Identity Fabric Immunity reveals promising futures. This visionary blend not only aims to strengthen defenses against cyber threats but also to smooth out the user experience by mixing advanced security protocols with a deep understanding of human behavior.

Imagine a healthcare provider, HealthSecure, facing the critical job of protecting patient data while keeping healthcare access fluid. By focusing on designs that marry security with user-friendliness, HealthSecure could redefine patient care standards and position itself as a patient care leader. This approach underscores the power of merging technology with an understanding of human needs. Delving into resources like SaaS Security would undeniably offer rich insights for establishing such cybersecurity benchmarks, ensuring digital environments are both secure and accessible.

The combination of Identity Fabric Immunity and CTEM within HealthSecure’s framework highlights the immense value of this integrated strategy. It promises to bolster the company’s defenses and diminish the financial and reputational damage from potential breaches. This strategy doesn’t just protect patient information; it improves user experiences, setting the stage for a cybersecurity model that’s strong, intuitive, and deeply resonant with human elements.

A New Era Begins Soon?

The future beckons with the promise of more resilient digital defenses, yet the journey there is fraught with hurdles. The need for organizations to continually adapt to new threats and technologies can be daunting. Resistance to change, a natural human tendency, poses another significant barrier, especially in established organizations with deep-rooted processes.

However, the fact remains that the cybersecurity landscape is evolving, and with it, our approaches must also transform. The integration of human-centric design alongside advanced frameworks like CTEM and Identity Fabric Immunity isn’t just beneficial; it’s becoming essential. These strategies promise a more adaptable, resilient cybersecurity posture, finely tuned to the complexities of human behavior and the cunning of cyber threats. Organizations are encouraged to embrace these forward-thinking strategies, laying the groundwork for a secure digital future that values both technological robustness and the human experience.
