Showing posts with label crime spam phishing. Show all posts

Consequential Loss After Hacking Decision from the USA

An interesting decision from the United States (11th Circuit appeals court) in Silverpop Systems -- decision here.

There is an interesting discussion of consequential loss that starts at the heading "LMT's Counterclaim for Breach of Contract".

Facts were these:

· Supplier (Silverpop) provided an email marketing service. Customers loaded up email addresses and Supplier would send out mass emails in a form specified by the customer to addresses on the list.
· Hackers got into the Supplier’s system and got access to several customers’ marketing lists, including LMT’s list.
· The contract between Silverpop and LMT had a confidentiality clause (obligation to protect the list against unauthorised disclosure to third parties) and an exclusion of consequential loss.
· Amongst the claims and counterclaims was a claim from LMT that Silverpop had breached the confidentiality obligation and that the damage suffered by LMT was the sale value of the marketing list, which they said was now worthless.

This is what the court decided – assuming it was correct that the value of the marketing list was now zero, that was a consequential loss.  The court discussed the difference between general damages and consequential damages (which is remarkably similar to the old English decision of Hadley v Baxendale).  The direct loss which would have been recoverable by LMT if there had been a breach of the confidentiality obligation was the loss of the value of the service (but that is not what LMT claimed).

Employees Violating Computer Misuse Policy

In July, the Fourth Circuit weighed in on the scope of the Computer Fraud and Abuse Act (CFAA) in WEC Carolina Energy Solutions, LLC v. Miller and found that the CFAA is not broad enough to impose liability on an employee who has lawful access to his employer's electronic information but later misuses that information - such as by stealing the employer's electronic trade secrets. In taking this narrow approach to the CFAA and siding with the Second and Ninth Circuits, the Fourth Circuit has widened the circuit split over whether the CFAA applies to disloyal employees who violate the computer use policies of their employer. In this Legal Alert, Audra Dial and John Moye discuss the Fourth Circuit's recent ruling and its impact for employers drafting computer use policies as well as companies pursuing trade secret claims through the CFAA.

See kilpatrickstockton.com

New Cyber Data Laws

See Cyber Data Law story.

"NEW laws will allow authorities to collect and monitor Australians' internet records, including their web-browsing history, social media activity and emails. But the laws, which will specifically target suspected cyber criminals, do not go as far as separate proposed laws designed to retain every Australian internet user's internet history for two years in the name of national security. Under the laws passed yesterday, Australian state and federal police will have the power to compel telcos and internet service providers to retain the internet records of people suspected of cyber-based crimes, including fraud and child pornography. Only those records made after the request will be retained, but law enforcement agencies will be prevented from seeing the information until they have secured a warrant."

Class 4 - Spam, crime and phishing

Next week we will be looking at spam, crime and phishing.

Please look at the relevant chapters of the textbook (chapter 11 and part of chapter 3) as well as the following materials.


Spam

Australian law - Spam Act 2003 (Cth)
US law - CAN-SPAM Act
EU directive - Directive on privacy and electronic communications (Article 13)
Australian Communications and Media Authority (ACMA)
Internet industry Spam Code of Practice

How effective are these laws?

Crime
Australian law - Criminal Code 1995 (Cth), Criminal Code 1899 (Qld)
Scale of cybercrime - Symantec report
Australian Federal Police
Lulzsec
Cost - here and here

Is cybercrime underreported? Australian Institute of Criminology

Phishing
Australian government - Scamwatch
Anti Phishing Working Group
Domain-based Message Authentication, Reporting & Conformance

What is the best way to respond to phishing - raising awareness, enacting legislation or cutting off scam emails before they arrive?

JotForm Shut Down by US Secret Service

The strange case of the US Secret Service having a website taken down, by having the domain name registrar (GoDaddy) block the use of the domain name.
See here and Wired and eWeek.
Maybe a good reason to use a non-U.S. domain name registrar?

Hilton Hacked

From an email from Hilton Hotels:

Dear Customer:

We were notified by our database marketing vendor, Epsilon, that we are among a group of companies affected by a data breach. How will this affect you? The company was advised by Epsilon that the files accessed did not include any customer financial information, and Epsilon has stressed that the only information accessed was names and e-mail addresses. The most likely impact, if any, would be receipt of unwanted e-mails. We are not aware at this time of any unsolicited e-mails (spam) that are related, but as a precaution, we want to remind you of a couple of tips that should always be followed:

• Do not open e-mails from senders you do not know

• Do not share personal information via e-mail

Spam Crime and Phishing (Week 5)

For this lecture we will be discussing:

Spam
Australian legislation - Spam Act 2003
How many prosecutions have been brought in Australia? Is the Spam Act an effective deterrent?
ACMA
IIA Spam Code
US (CAN SPAM Act) and recent court action by Microsoft
What other jurisdictions have enacted Spam legislation?
Spam Laws

Crime
AFP - e-crime
Lack of reporting?
Hacking examples

Phishing
Phishing attacks - Westpac, ATO, Canada CRA
Top 10 countries for phishing
Anti-phishing website

TripAdvisor and Crime

"To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident. The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously. I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list. We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community. Steve Kaufer
Co-founder and CEO More information"
Week 5 will cover the three related issues of SPAM, CRIME and PHISHING

You should review the following for some background understanding (as well as the material referred to in the study guide):

Spam

Spam Act

ACMA
IIA Code

Crime

Australian Federal Police

Costs - UK
On the rise - US
Recent case

Phishing

Anti-Phishing

Westpac
SARS

Is legislation or technology/awareness the solution? Which countries have attempted to combat phishing by legislation?

Cyber-criminals getting smarter

According to a report by Symantec, cyber-criminals are focusing less on destroying data and increasingly on attacks designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence.

Read a summary of the report here. And this is how The Australian reported the story.

New Phishing Law Used

America Online has filed three lawsuits under Virginia's anti-phishing law. Read more here.

Do we need such new specialised legislation to combat phishing, or can existing laws be used?

How reliable is AI in criminal evidence

A good article about how an AI system produces evidence used by police.  But humans changed the output of the AI algorithm, calling the evid...