Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label money theft. Show all posts

Flutterwave Hit by Unknow Hackers Lost Millions of Dollars

Flutterwave, Africa's largest startup, suffered a cyberattack resulting in the disappearance of over ₦2.9 billion (~$4.2 million) from its accounts last month. According to the reports, the missing funds were transferred across 28 accounts in 63 transactions in early February by unknown threat actors.
 
Flutterwave is currently investigating the attack with law enforcement agencies to freeze accounts across 27 financial institutions that were involved in the transactions. Following the news about the case, several tweets surfaced regarding the alleged hack, some providing information while others complained about frozen accounts possibly linked to the incident. 

Meanwhile, Flutterwave has denied hacking by saying that “at Flutterwave, we understand that our customer’s personal and financial information is of the utmost importance. We take this responsibility seriously and understand that any potential security breach can cause anxiety and concern among our customers. We want to reassure you that Flutterwave has not been hacked”. 

Following the investigation, a legal request has been made to freeze 107 accounts, including the fifth beneficiary of those accounts, which has been placed on lien/Post-No-Debit (PND) to prevent the account owners from withdrawing any funds. 

These measures have been taken to ensure that the money remains in those accounts until the investigation into the hack is completed and the issue is resolved. The term "fifth beneficiaries" refers to the individuals who received the funds from those 107 accounts. 

“As a financial institution, we monitor transactions through our transaction monitoring systems and 24-hour fraud desk and review any suspicious activity. We collaborate with other financial institutions and law enforcement agencies to keep our ecosystem safe and secure...” 

“…During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible", Flutterwave further added to the statement. 

However, as of now, it is unclear how the threat actors were able to carry out the attack, but some people online are suggesting that the hackers might have tricked the merchants into giving away their security keys. This could have given the threat actors access to the money in the merchants' Flutterwave accounts.

Financial Service API and Web Application Attacks are up by 257%

 



Various cyber security networks are publishing reports and providing data on various ongoing issues and every day there is a new addition of cyber threat and consequently to the security arsenal. However, managing the attack surface (vulnerabilities, attack vectors, etc) is the biggest challenge that modern society is witnessing. 

In today’s hybrid and multi-cloud environments, apps and APIs are potential targets that cyberhackers can and will exploit. Recently, CDN provider Akamai Technologies, Inc., has released new research in which they have disclosed that year-over-year 257% growth has been seen in web application and API attacks on financial service institutions. 

The report indicates a growing risk to the financial services sector and a shift to more advanced and sophisticated cyberattacks. The report also revealed that DDoS attacks on financial services institutions have grown by 22%. 

Furthermore, the study shows that cybercriminals are using techniques in their phishing campaigns to bypass two-factor authentication solutions. 

It is alarming that various institutions are collecting data on recent cybercrime, as we mentioned in the beginning. In this regard, Enemy at the Gates, published a report that revealed that roughly 80 percent of threat attackers aim their efforts at customers of financial services in an attempt to find paths of least resistance for monetary gain. 

“Companies have moved key infrastructure over to APIs, so the criminals are following the revenue. But on top of that, APIs are newer and, in many cases, don’t have the same level of maturity in security processes and controls, so are more vulnerable,” Steve Winterfeld, advisory CISO at Akamai said. 

Along with this, the company recommended a number of steps that enterprises can take to prevent API-driven threats. 
  • Institutions should invest in technologies to automatically discover, validate and catalog APIs, at the same time developing a security strategy that incorporates API security testing and API access control. 
  • Increasing transparency over what internal and third-party APIs are used for as it ensures that enterprises are in a position to start mitigating potential threats across the attack surface. 
  • Updating phishing defenses to counter the latest MFA attacks with FIDO2-compliant capabilities should be the priority for the institutions. 
“Finally, they are easier to automate attacks against as they are designed for automation. These factors combine to make APIs a smart place for attackers to focus. This is also why CISOs need to focus on them,” Winterfeld added.