The National Cyber Security Centre Finland’s weekly review – 42/2022

Topics covered in this week’s review

• This week’s themes have included scams, phishing and denial-of-service attacks
• Criminals phishing for banking credentials in the name of several Finnish banks
• Many organisations targeted with CEO fraud
• This week’s notable vulnerabilities

This week’s themes have included scams, phishing and denial-of-service attacks.

There have been large numbers of Finnish-language police impersonation scams going around during autumn 2022. Written in poor Finnish, the scam messages arrive by email and include a PDF attachment. The messages claim that the recipient has perpetrated a crime and must pay a fine.

Criminals have also been phishing for banking credentials in the name of nearly all Finnish banks throughout the year. These phishing attempts have included both text messages and emails written in Finnish.

Denial-of-service attacks were reported in higher-than-normal numbers this week. The attacks were short in duration and had no notable impact on the functioning of services.

Criminals phishing for banking credentials in the name of several Finnish banks

During the past week, the NCSC-FI once again received a rising number of reports of various types of bank phishing scams. Compared to the 2022 average, the number of reports was up by 30%. According to the reports, bank phishing messages have been sent out in the name of several banks operating in Finland. There have also been reports of scams phishing for the bank credentials of several different banks simultaneously instead of focusing on a single bank. In most of the recently reported phishing attempts, the victim received a text message that included a link to a phishing site. In addition to text messages, there have been individual reports of phishing attempts utilising other methods as well.

In addition to traditional bank phishing attempts, we have also received reports of fake invoice scams targeting financial sector operators, which are a more recent phenomenon. These involve criminals attempting to impersonate a company’s cooperation partner or service provider. These scams are often highly targeted. The ways in which criminals try to improve the chances of their fake invoices being accepted include building partial fake message chains, the purpose of which is to give the impression that the fake invoice has already been approved by management.

We would like to remind everyone that you should never log in to your online bank or access bank services via a link in a text message or email. If you have lost money as a result of a scam, please contact your bank immediately, file an online police report and also report the scam to the NCSC-FI.

Many organisations targeted with CEO fraud

CEO fraud typically involves criminals impersonating the CEO of an organisation in order to send messages to employees asking them to purchase gift cards or pay invoices. The scammers will often claim that the matter is extremely urgent, thus justifying the bypassing of normal processes. The scammers may also claim that the CEO is currently in a place where they cannot talk or attending a meeting. Reports indicate that these recent CEO fraud messages often originate from an address following the format ‘toimitusjohtajaXXX@gmail.com’, with XXX being a three-digit number.

Criminals can attempt many different types of scams by impersonating a CEO. In addition to CEOs, criminals may also impersonate financial, payroll or HR personnel. Based on reports submitted to the NCSC-FI, CEO fraud attempts are most prevalent in the months preceding the summer holiday season and in September.

In 2019, there was a wave of email scams similar to CEO fraud targeting payroll clerks in particular. At the time, the scam messages contained a request to alter the account information of an employee of the targeted organisation so that their pay would be diverted to a fraudulent account.

During this autumn, there have been reports of CEO fraud messages arriving via email, text messages and WhatsApp messages.

This week’s notable vulnerabilities

Since 2003, the second Tuesday of every month has been known as ‘Patch Tuesday’ on account of being the day on which Microsoft releases security updates for Windows, Office and other associated products. This regular update schedule facilitates forecasting and the planning of operations as companies can expect to receive updates on a specific day. The same update schedule has also been adopted by several other major operators, such as Adobe and Cisco, though some operators, such as Oracle, prefer to maintain a quarterly update release cycle instead. Oracle’s most recent quarterly update containing 370 security patches was released on 20 October, fixing several extremely critical vulnerabilities.

Critical vulnerability in Apache Commons Text component

CVE: CVE-2022-42889
CVSS: 9.8
What: A vulnerability in a component of the Apache Commons Text library that could allow a remote attacker to execute arbitrary code.

Arising from variable interpolation, the vulnerability (CVE-2022-42889) makes it possible for an attacker to execute code on a server without needing to log in. There is a source code example enabling the exploitation of the vulnerability available.

Product: Apache Commons Text software component
Fix: Update Apache Commons Text to version 1.10.0.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.