The busiest day of the week for email spam is Tuesday and spammers concentrate on sending messages during working hours, Monday to Friday, according to a 2017 spam study conducted by IBM X-Force.
The study was conducted over a 6-month period from December 2016 to June 2017. The study analyzed more than 20 million spam messages and 27 billion webpages and images a day. The researchers also incorporated data provided by several anti-spam organizations, making the 2017 spam study one of the largest ever conducted.
The 2017 spam study showed the majority of spam emails – 83% – were sent to arrive in inboxes during office hours with Tuesday, Wednesday, and Thursday the spammiest days. Spam volume was much lower on Mondays and Fridays.
While spam is sent 24/7, the busiest times are between 1am and 4pm ET. If an email arrives at an inbox when a worker is at his/her desk, it is more likely to be opened. Spammers therefore concentrate their messages during office hours.
Malicious spam messages increase around the holidays and during tax season when email scams are rife. The increase in numbers of individuals heading online to shop for goods means rich pickings for spammers. Spam volume also increases during sporting events such as the Olympics, the Super Bowl and the Football World Cup, with sports-themed spam messages capitalizing on interest in the events.
Malicious messages aim to get email recipients to reveal their banking credentials, logins and passwords and install malware. The researchers found 44% of spam emails contained malicious code, and out of those emails, 85% were used to spread ransomware.
While the majority of spam messages are automated, the IBM researchers point out that spammers work at their campaigns. There is also considerable manual work required to control botnets and spam mailers. The process is not entirely automated. Considerable work is put into malicious messages that spread ransomware and malware, with these campaigns requiring the highest level of manual control. These campaigns also involve extensive planning to maximize the number of victims.
Spam is sent from countries all around the world, although the biggest percentage hails from India, which sends 30% of all spam emails. South America and China also send a high percentage of global spam. Only 7% of spam emails are sent from the United States and Canada.
Companies are getting better at filtering out spam emails and preventing the messages from reaching inboxes. Spam filtering technology has improved enormously in recent years, meaning fewer messages are being delivered; however, spam is still the main method of distributing malware and phishing scams are rife. Spammers are also getting much better at masking their malicious messages and they frequently change delivery vehicles develop new methods of hiding malicious code to avoid detection.
The researchers say spam email volume has increased fourfold over the past 12 months and malicious messages are now being increasingly targeted at organizations and individuals, rather than being sent randomly in huge spamming campaigns. Targeting allows the attackers to send carefully crafted campaigns which are more likely to result in the recipients taking the desired action.
Two new Locky ransomware spam campaigns have been detected this month, each being used to spread a new variant of the cryptoransomware. The campaigns have been launched after a relatively quiet period for ransomware attacks, although the latest campaigns show that the threat of ransomware attacks in never far away.
Previously, Locky ransomware spam campaigns have been conducted using the Necurs botnet – one of the largest botnets currently in use. One of the campaigns, spreading the Locky variant Lukitus is being conducted via Necurs. The other campaign, which is spreading the Diablo Locky variant, is being sent via a new botnet consisting of more than 11,000 infected devices. Those devices are located in 133 countries according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.
The failure to backup files is likely to prove costly. The ransom demand issued by the attackers ranges between 0.5 and 1 Bitcoin per infected device – approximately $2,150 to $4,300 per machine. There is still no decryptor for Locky ransomware. Victims face file loss if they do not have a viable backup to restore files. Locky ransomware variants remove Shadow Volume Copies to hamper recovery without paying the ransom.
The Diablo Locky variant renames encrypted files with a unique 16-character file name and adds the diablo6 extension, while the Lukitus variant adds the .lukitus extension.
The two new Locky ransomware spam campaigns differ in their method of delivery of the ransomware, although both involve spam email. The Diablo campaign, which started on August 9, uses various attachments including pdf, doc, and docx files, although infection occurs via malicious macros.
Opening the infected documents will present the user with indecipherable data and a prompt to enable macros to view the content of the document. Enabling macro saves a binary to the device, runs it, and downloads the Locky payload.
The email subjects in this campaign are varied, although in many of the emails the attackers claim the attachment is a missed invoice or purchase order.
The Lukitus campaign was first detected on August 16 and has been mostly used in attacks in the United States, UK, and Austria, although there have also been successful attacks in Italy, Sweden, China, Russia, Botswana, Netherlands and Latvia.
As with all ransomware attacks via spam email, the best defense is an advanced spam filter to block the emails and prevent them from being delivered to end users. Employees should already have been trained on the threat from ransomware. Now would be a good time to issue a reminder via email to all employees of the current threat.
Recovery without paying the ransom depends on viable backup copies existing. Since Locky can encrypt backup files, backup devices should be disconnected after a backup has been made. Organizations should also ensure three copies of backups exist, on two different media, with one copy stored off site – the 3-2-1 approach to backing up.
The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.
Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.
Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.
While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve they defenses against attacks by third parties, although it is important not to forget that systems need to be protected from internal threats.
Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.
Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.
Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.
Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.
Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.
As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks were conducted remotely without any input from employees. Vulnerabilities in operating systems were exploited to download malware.
In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.
This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.
Several domain spoofing spam campaigns have been detected that are targeting customers of popular UK banks. The spam email campaigns include credible messages and realistic spoofed domains and pose a threat to consumers and businesses alike. The domain spoofing email campaigns are targeting customers of HSBC, Lloyds Bank, Nationwide, NatWest and Santander.
Domain spoofing is the use of a domain similar to that used by a legitimate entity with the aim of fooling email recipients into believing the email and domain is genuine. Domain spoofing is commonly used in phishing attacks, with email recipients fooled into divulging their login credentials or downloading malware. In addition to a similarly named domain, the malicious websites often include the targeted brand’s logos, layouts and color schemes.
According to a warning issued by the SANS Institute’s Internet Storm Center, the latest domain spoofing spam campaigns involve the name of the bank and one of the following additional words: docs; documents; secure; communication; securemessage.
Customers of a targeted back who receive an email and a link from the domain ‘securenatwest.co.uk’ or ‘santandersecuremessage.com’ could easily be fooled into thinking the email is genuine. Other domains being used are hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, and santanderdocs.co.uk. Further, many consumers still believe a website starting with HTTPS is secure. Yet all of these spoofed domains are all encrypted and have SSL certificates.
The domain spoofing spam campaigns involve messages claiming there is a new secure message from the bank along with an attached HTML file. That file downloads a malicious MS Office document containing macros. If those macros are enabled, the malicious payload is delivered. These campaigns are being used to distribute Trickbot malware – a banking Trojan used for man-in-the-middle attacks to steal banking credentials.
HTML documents are used as they download malicious MS documents via an HTTPS connection to reduce the risk of the documents being detected by antivirus software. SANS Institute researcher Brad Duncan pointed out that this method, while not new, can be effective. He also explained that “poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”
The domain spoofing spam campaigns were detected by My Online Security, which notes that “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.”
Businesses can reduce risk by employing a spam filtering solution to prevent the malicious messages from being delivered to end users, ensuring Windows hosts are correctly configured, and ensuring employees are alert to the threat. Macros should be disabled on all devices and employees instructed never to enable macros or enable content on emailed documents.
Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.
The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.
The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.
Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.
In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.
Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.
The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travellers.
The advice for travellers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.
FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.
The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.
Cyberattacks are continuing to rise, according to the latest threat report from NTT Security. Cyberattacks in Q2 2017 jumped considerably, while phishing emails are now being extensively used to spread malware. The majority of cyberattacks in Q2 2017 affected the manufacturing, finance and healthcare industries, which accounted for 72% of all detected attacks.
Cyberattacks in Q2 2017 Increased by Almost a Quarter
Cyberattacks in Q2 2017 were 24% higher than the previous quarter and the manufacturing industry is in hackers’ crosshairs. Manufacturing accounted for 34% of all malicious attacks last quarter, followed by finance with 25% of attacks and healthcare on 13%.
Cyberattacks on manufacturing firms are not limited geographically. Manufacturing was the most attacked industry in five out of the six geographical regions tracked by NTT Security. The attacks have involved ransomware, industrial espionage, sabotage and data theft. Even though cyberattacks on manufacturing firms have increased sharply, 37% of firms in the sector have yet to develop an incident response plan.
Flash Continues to Cause Security Headaches for Businesses
Unpatched vulnerabilities continue to cause headaches for businesses, with Adobe Flash the main culprit. Adobe will finally retire Flash in 2020, but until then, it remains something of a liability. 98% of vulnerabilities corrected by Adobe were in Flash, and in Q2, an Adobe Flash vulnerability was the most commonly exploited. The Adobe Flash remote code execution vulnerability CVE-2016-4116 was exploited in 57% of vulnerability exploitation attacks.
The message to businesses is clear. If Adobe Flash is not essential it should be disabled or uninstalled. If it is necessary, it is essential that patches are applied as soon as humanly possible. NTT Security notes that attacks increase exponentially once proof-of-concept code is published.
Increase in Use of Phishing Emails for Malware Delivery
The NTT Security report shows 67% of malware attacks on organizations were the result of phishing emails. The NTT Security report ties in with the findings of a recent threat report issued by Symantec, which showed that malware emails were at now at the highest levels seen this year.
The use of phishing emails to deliver malware is understandable. The emails target employees – a weak link in most organizations’ defenses. Phishing emails take just a few minutes to craft and can be sent in large volumes quickly and easily. The phishing scams are also highly effective, taking advantages of flaws in human nature.
Many organizations are still only providing annual security awareness training, rather than regular refresher training sessions, ongoing CBT courses and monthly bulletins detailing the new threats. Ineffective spam filtering also results in more messages reaching end users’ inboxes, increasing the chance of one of those emails being opened and malware being downloaded.
Improving defenses against phishing is now critical, yet many organizations are failing to appreciate how serious the threat from phishing really is. The volume of malware infections now occurring via phishing emails should be a wakeup call for organizations.
Technical solutions such as advanced spam filters, link blocking technology such as web filters and employee security awareness training should all now feature in organizations’ cybersecurity defenses.
Global spam email levels have been rising, with spam volume in July soaring to levels not seen since March 2015.
The figures come from the Symantec monthly threat report, which uses data from the Global Intelligence Network (GIN). Last month, global spam email levels increased by 0.6 percentage points to 54.9% of total email volume. The industry that received the most spam emails was the mining sector, with 59.1% of emails categorized as spam.
Spam emails include unsolicited marketing emails, offers of cut price medications and notices about women who have been trawling the internet for a man like you. While many of these emails are simply junk, the volume of malicious messages has been rising. In particular, spam messages containing malware.
Symantec reports that email malware has increased to levels not seen since December 2016. Last month, one in every 359 spam emails was used to deliver malware. The previous month, one in every 451 emails contained malware. The industry that received the most email malware levels was the agriculture, forestry and fishing sector, with one in every 152 emails containing malware.
Malware and Phishing Emails at The Highest Level Seen This Year
Malicious emails are being sent in campaigns targeting medium sized businesses, which registered the highest percentage of malware emails. Businesses with between 251 and 500 employees had the highest volume of malware in their inboxes, according to Symantec’s analysis. Large businesses – organizations with between 1,001 and 1,500 employees – had the highest rate of spam delivery as a whole.
While malware emails increased, the number of malware variants used in those emails dropped to 58.7 million variants from 66.3 million the previous month. Symantec notes that several malware families have now started being spread via email, which has contributed to the malware email volume.
In the past month, malware variants have been detected that are capable of generating their own spam emails from the infected device and sending malware copies to the victims’ entire address books. The Emotet banking Trojan now has this functionality and Reyptson malware also, with the latter sending itself to Thunderbird contacts.
This month, Microsoft has discovered a new tech support scam that is being distributed via spam email. Spam emails spoofing brands are being sent in large campaigns with links to websites that generate popups warning of suspicious activity and malware infections.
Symantec notes the volume of phishing emails has also increased with levels now at a 12-month high. One in 1,968 emails are used for phishing. Phishing attacks on the mining industry sector were the most common with one in 1,263 emails used for phishing, indicating targeted attacks are occurring.
Increase in Global Spam Email Levels Highlights Need for Effective Spam Filtering
The rise in global spam email levels highlights the need for an advanced email spam filter. Spam is a major drain on productivity and malware and phishing attacks are costly to mitigate. Employee security awareness programs are effective at preventing employees from falling for phishing scams, although a technological solution should be implemented to prevent spam emails from reaching inboxes. SpamTitan blocks more than 99.9% of spam and dual antivirus engines prevent the delivery of known malware.
If you want to protect your business, boost productivity and improve your malware defenses, contact the TitanHQ team today.
Trickbot malware is a banking Trojan that has been around for a few years now, although its authors have recently developed a WannaCry ransomware-style worm module that allows it to spread much more rapidly.
The recent NotPetya attacks also included a similar module enabling the malware to be used in devastating attacks that wiped out entire systems.
This new method of speeding up the spread of malware takes advantage of a vulnerability in Windows Server Message Block, which is used to identify all vulnerable computers on a network that connect via the Lightweight Directory Access Protocol (LDAP).
Since the exploit is readily available, cybercriminals can use it in conjunction with malware to spread infections more effectively and quickly. Worms were once popular, although their use has died out. The use of worm-like elements with the WannaCry and NotPetya attacks has shown just how effective they can be, and also served as a reminder of why they were popular in the first place.
Far from isolated malware variants, we could be about to see a rise in the use of worm-like modules. Fortunately, for the time being at least, the worm module in Trickbot malware does not appear to be fully operational. That said, the malware is constantly being redeveloped so it is probable the flaws will be fixed soon.
The malware can gain access to online banking accounts enabling the attackers to empty bank accounts. It is fast becoming one of the most prevalent banking Trojans, according to IBM X-Force. It is currently being used in targeted attacks on organizations in the financial sector around the world, with recent campaigns targeting banks in the UK and United States. The ability to spread throughout a network rapidly will make it much more dangerous.
Aside from the new worm-like module another change has been detected. PhishMe reports that it has identified a change to how the Trojan is distributed. Attacks have occurred via malvertising campaigns this year that redirect web users to sites hosting the Rig exploit kit, although Trickbot is primarily distributed via spam email sent via the Necurs botnet.
The latest change to the Trickbot malware campaign is helping the threat actors to evade anti-virus solutions. Previously, the Trojan has been installed via macro scripts in specially crafted office documents. The latest campaign update sees the attackers use a Windows Script Component (WSC) containing XML-format scripts. The same delivery mechanism has also been used to deliver GlobeImposter ransomware.
Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.
A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.
1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.
Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.
22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack
The survey also showed the devastating impact of ransomware attacks on small businesses. More than one fifth of small businesses were forced to cease operations immediately after an attack. 22% of businesses were forced to close their businesses.
Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.
Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own security key. Those keys must be used carefully. A mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.
Multiple-device attacks are becoming more common. WannaCry-style ransomware attacks that incorporate a worm component see infections spread rapidly across a network. However, many ransomware variants can scan neworks and self-replicate. One third of companies that experienced attack, said it spread to other devices and 2% said all devices had been encrypted.
Can Ransomware Attacks on Small Businesses be Prevented?
Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.
Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.
A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.
Improving Defenses Against Ransomware
Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.
Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.
While ransomware can arrive as an attachment, it is usually downloaded via scripts of when users visit malicious websites. By blocking links and preventing end users from visiting malicious sites, ransomware downloads can be blocked. A web filtering solution can be used to block malicious links and sites.
Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.
As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.
A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.
Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.
Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.
Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees. However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.
In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.
Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.
Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.
Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.
Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.
- As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
- Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
- It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
- If a message containing a hyperlink is received, do not click on the link. Delete the message.
- Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
- If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
- If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.
A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.
CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.
This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.
IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.
Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.
Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.
More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.
Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.
The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats. Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.
Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.
There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.
Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.
New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.
The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.
The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.
Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.
Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.
However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.
Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.
One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.
Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.
The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.
The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.
The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme. The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.
Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Receipents of the email were told to submit the information within 12 days or the case would proceed in their absence.
As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be aware of typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.
The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.
The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.
If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.
In the most part, any serious matter such as a subpoena or important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.
A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.
The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.
The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.
Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.
DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.
The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.
The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments
Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.
Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.
Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies. DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.
The Ovidiy Stealer is a password stealing malware that will record login credentials and transmit the information to the attacker’s C2 server. As with many other password stealers, information is recorded as it is entered into websites such as banking sites, web-based email accounts, social media accounts and other online accounts.
The good news is that even if infected, the Ovidiy Stealer will not record information entered via Internet Explorer or Safari. The malware is also not persistent. If the computer is rebooted, the malware will stop running.
The bad news is, if you use Chrome or Opera, your confidential information is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, since the malware is being constantly updated it is likely other browsers will be supported soon.
Ovidiy Stealer is a new malware, first detected only a month ago. It is primarily being used in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will spread to other regions.
Researchers at Proofpoint – who first detected the password stealing malware – believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also suggests that rather than email attachments, links to download pages are also being used. Samples have been detected bundled with LiteBitcoin installers and the malware is also being distributed through file-sharing websites, in particular via Keygen software cracking programs.
New password stealers are constantly being released, but what sets the Ovidiy Stealer aside and makes it particularly dangerous is it is being sold online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery via a spam email campaign. Due to the low price there are likely to be many malicious actors conducting campaigns to spread the malware, hence the variety of attack vectors.
Would be attackers willing to part with $13 are able to view the number of infections via a web control panel complete with login. Via the control panel they can manage their account, see the number of infections, build more stubs and view the logs generated by the malware.
Protecting against malware such as Ovidiy Stealer requires caution as it takes time before new malware are detected by AV solutions. Some AV solutions are already detecting the malware, but not all. As always, when receiving an email from an unknown sender, do not open attachments or click on hyperlinks.
Organizations can greatly reduce risk from this password-stealer and other malware spread via spam email by implementing an advanced spam filtering solution such as SpamTitan to prevent malicious emails from reaching end users’ inboxes. SpamTitan uses dual AV engines to maximize detections and blocks over 99.9% of spam email.
You’ve secured the network perimeter, installed a spam filter, trained your employees to recognize phishing emails and have an intrusion detection system in place, but are you deprovisioning former employees to prevent data theft? According to a new report from OneLogin, 58% of companies are lax when it comes to blocking network access when employees leave the company.
For the study, 600 IT professionals with responsibility or partial responsibility for security decisions about hardware, software or cloud services were interviewed. When asked about the time delay between employees leaving the company and their accounts being deactivated, 58% said that it takes more than a day for that to happen and a quarter said it takes more than a week. 28% of respondents said deprovisioning former employees takes a month or longer.
48% of respondents said they were aware that former employees still had access to applications after they had left the company and 44% said they were not confident that deprovisioning former employees had actually occurred.
Even though there is a significant time delay involved in blocking access for former employees, only four out of ten organizations are using a security information and event management solution (SIEM). A SIEM would allow them to monitor app usage by former employees and would alert them if systems were still being accessed, yet only 45% of respondents said they used such a solution.
Organizations are taking a big risk by not ensuring accounts are deactivated before employees walk through the door for the final time. The study revealed that the risk is considerable. When asked if they had suffered data breaches due to former employees, 24% said they had.
Deprovisioning employees is time consuming, especially when they have been employed for a long time and have access to many business applications and networks. 92% of respondents said it takes up to an hour to deprovision employees and many must complete the process manually. Time may be pressed, but failing to block access promptly is a data breach waiting to happen.
Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.
The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.
Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.
The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings. The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”
Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.
The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.
Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.
The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.
Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.
Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.
Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.
IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The IRS recommends several measures to reduce risk:
- Educate all employees on the risk from spear phishing and phishing in general
- Ensure strong passwords are used
- Always question emails – Never take them at face value
- Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
- Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
- Use security software to block phishing emails and malware and ensure the software is updated automatically
- Use the security settings in tax preparation software
- Report suspicious emails to the IRS
Trump Hotels has announced that guests at some of its hotels have been impacted by the Sabre Hospitality Solutions data breach and have had their credit/debit card details stolen. Sabre Hospitality Solutions provides the hotel reservation system used at certain Trump Hotels, and it was this system that was compromised not the systems used at Trump Hotels. Sabre’s system is used by more than 32,000 hotels and lodging establishments around the world.
Attackers gained access to the Sabre SynXis Central Reservations system (CRS) which is used by hotels and travel agencies to make hotel bookings. Sabre discovered the breach on June 5, 2017, with the attacker understood to have obtained account credentials that enabled access to the CRS and the payment card data processed through the system.
The data breach affected 13 Trump Hotels (Central Park, Chicago, Doonbeg, Doral, Las Vegas, Panama, Soho, Toronto, Turnberry, Vancouver, Waikiki, DC, Rio de Janeiro) and the Albemarle Estate. Each hotel was affected at a different time and for a different duration, with the first instance occurring on August 10, 2016. The last data access was on March 9, 2017. The hotel reservation system was compromised at most of the affected hotels for a few days up to three weeks in November 2016, with the exception of Trump Las Vegas, Trump Panama, and Trump DC, which saw systems compromised for around four months.
When the Sabre Hospitality Solutions data breach was detected, the company contracted cybersecurity firm Mandiant to conduct a forensic analysis to determine how the breach occurred, which hotels were affected and to ensure that access to its systems was blocked. Sabre reports that after March 9, 2017, no further unauthorized access to its system has occurred.
During the time that access to data was possible, the attackers were able to obtain the names of card holders, card numbers, expiration dates and in some cases, CVV codes. Other information potentially accessed includes guests’ names, addresses, phone numbers and potentially other information, although not Social Security numbers or driver’s licenses.
The Sabre Hospitality Solutions data breach affected many organizations, with Google recently announcing that some of its employees have had information exposed. In the case of Google, it was a travel agency – Carlson Wagonlit Travel (CWT) – that was affected. CWT was one of the companies used by Google to book hotels for its staff.
The hospitality industry has been hit with numerous POS system breaches over the past few years. The industry is an attractive target for cybercriminals. Most hotel bookings are made with credit and debit cards, cybersecurity protections are often poor and once access is gained to the systems it can be months before a data breach is detected.
A variety of attack vectors are used, although login credentials are commonly stolen in phishing attacks. Phishing emails are sent to company employees and social engineering tricks are used to convince those employees to disclose their login credentials or open malicious email attachments that install malware.
Email security solutions that prevent spam emails from being delivered to end users’ inboxes offer protection against phishing attacks. As an additional precaution, security awareness training should be provided to all hotel employees who have access to corporate email accounts.
With SpamTitan installed, hotel chains are well protected from phishing attacks. SpamTitan blocks more than 99.9% of spam emails, adding an important layer of protection for hotels to prevent data breaches.
Phishing and social engineering attacks are the biggest cyber risks faced by organizations. Not only are attacks on the rise, they are becoming more sophisticated. The increase in attacks and cost of mitigating cyber incidents is having a major negative impact on businesses.
Organizations can tackle the problem of phishing and social engineering by implementing technologies that preventing phishing emails from reaching end users’ inboxes and ensuring employees know how to identify threats and response when a malicious email arrives in their inbox.
One of the most effective ways of blocking these phishing and social engineering attacks is implementing an advanced spam filtering solution. SpamTitan blocks more than 99.9% of email spam and uses two antivirus engines to identify and block emails with malicious attachments.
Many organizations provide security training to their employees and teach them to be more security aware, although a new report from the Business Continuity Institute calls for businesses to do more in this regard. In order to tackle phishing and improve resilience to attacks BCI says user education needs to improve.
A one-off training program as part of an employee’s induction is no longer sufficient. Training should be an ongoing process with regular refresher training sessions provided throughout the year. Phishing simulation exercises are also highly beneficial for reinforcing training and gauging how effective training has been.
However, the study suggests only 52% of companies conduct awareness-raising seminars and just 55% conduct regular exercises on likely cybersecurity scenarios. Only 46% run desktop exercises such as attack simulations.
The BCI study confirmed just how often phishing and social engineering attacks result in cyber incidents. The report shows that 57% of cyber incidents involve phishing or social engineering emails. Malware is responsible for 41% of cyber disruptions, with spear phishing emails accounting for 30% of attacks. Ransomware has grown into a major issue in recent months and is behind 19% of cyber disruptions.
The survey was conducted on 734 individuals from 69 countries. Two thirds of respondents had experienced a cybersecurity incident in the past 12 months with 15% saying they had experienced 10 or more disruptions in the past year. 5% said they experienced between 11 and 20 incidents in the past 12 months, a further 5% experienced between 21 and 50 incidents and 5% said they experienced 51 or more incidents. Responding to these incidents takes up valuable time. 67% of attacks take more than an hour to resolve with 16% taking more than four hours.
These incidents are costing businesses dearly. 33% of organizations said the cost of those attacks exceeded €50,000, while 13% of respondents said they had spent over €250,000 remediating attacks. It should be noted that 40% of respondents that took part in the survey were from SMEs with an annual turnover of less than €1 million.
Cybercriminals are only likely to increase their efforts and conduct more phishing and social engineering attacks. It is therefore essential for businesses to have a high commitment to cyber resilience and to do more to improve cybersecurity defenses. The survey suggests only 60% of senior management are committed to improving their defenses, so there is still plenty of room for improvement.
NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.
At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.
Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.
The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.
However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.
In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.
Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.
However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.
The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents. As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.
Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.
Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.
Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.
Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.
The WannaCry ransomware attacks may have attracted a lot of press, but Locky ransomware poses a bigger threat to organizations with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and rapidly became the biggest ransomware threat. In recent months, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.
The actors behind Locky ransomware are constantly changing tactics to fool end users into downloading the malware and encrypting their files.
The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been developed for that ransomware variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting approximately 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.
The new Locky ransomware campaign uses a new variant of the ransomware which does not encrypt files on Windows operating systems later than XP. This appears to be an error, with new, updated version of the ransomware is expected to be launched soon. As with past campaigns, the latest batch of emails uses fake invoices to fool end users into installing the ransomware.
Fake invoices are commonly used to spread ransomware because they are highly effective. Even though these campaigns often include scant information in the email body, many end users open the attachments and enable macros. Doing so results in Locky being downloaded. There is still no free decryptor available to unlock Locky-encrypted files. Infections can only be resolved by paying a sizeable ransom payment or restoring files from backups.
Training end users to be more security aware will help organizations to reduce susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is to use an advanced spam filtering solution to prevent the messages from reaching end users’ inboxes. If emails are blocked, there is no chance of end users opening malicious attachments and installing the ransomware.
SpamTitan is an email security solution that can block these ransomware emails. SpamTitan blocks more than 99.9% of spam messages and dual anti-virus engines ensure malicious emails do not reach inboxes. While some anti-spam solutions have a high false positive rate and block genuine emails, SpamTitan’s false positive rate is extremely low at just 0.003%.
SpamTitan requires no additional hardware purchases, no staff training and the solution can be installed in a matter of minutes.
If you are unhappy with your current anti-spam solution or have yet to start protecting your inboxes from malicious messages, contact the TitanHQ team today for further information on how SpamTitan can benefit your business. TitanHQ also offers SpamTitan on a 30-day no-obligation free trial to allow you to see the benefits of the solution for yourself before committing to a purchase.
A new Facebook phishing scam has been detected that attempts to fools end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.
As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.
URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.
What follows that apparent domain is a series of hyphens: m.facebook.com————-. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com————- is actually a subdomain of the site they are visiting.
The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.
The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.
One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.
Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims’ contacts. PhishLabs, which discovered the new scam, says the attackers are currently using this phishing scam for the latter and are using the account access to spam end users’ contacts and conduct further phishing campaigns.
While the scam has been detected, it is currently unclear how links to the phishing website are being distributed. While it is possible that they are arriving via spam email, Phishlabs suggests SMS messages or messenger services are being used.
A $1 million ransom payment has been made to cybercriminals who used Erebus ransomware to attack the South Korean web hosting firm Nayana.
Erebus ransomware was first detected in September last year and was downloaded via websites hosting the Rig exploit kit. Traffic was directed to the malicious website hosting the Rig EK via malvertising campaigns. Vulnerable computers then had Erebus ransomware downloaded. This Erebus ransomware attack is unlikely to have occurred the same way. Trend Micro suggests the attackers leveraged vulnerabilities on the comapny’s Linux servers, used a local exploit or both.
The infection spread to all 153 Linux servers used by Nayana. Those servers hosted the websites of 3,400 businesses. All of the firm’s customers appear to have been affected, with website files and databases encrypted.
Nayana was attacked on June 10, 2017 in the early hours. The hosting company responded rapidly. Law enforcement was contacted and it was initially hoped that it would be possible to crack the ransomware and decrypt files without paying the ransom. It soon became clear that was not an option.
Companies can avoid paying ransom payments following ransomware attacks by ensuring backups are made of all data. Having multiple backups increases the likelihood of files being recoverable. In this case, Nayana had an internal and external backup; however, both of those backups were also encrypted in the attack. Nayana therefore had no alternative but to negotiate with the attackers.
While ransom payments for businesses are often in the $10,000 to $25,000 price bracket, the gang behind this attack demanded an astonishing 550 Bitcoin for the keys to unlock the encryption – Approximately $1.62 million. On June 14, Nayana reported that it had negotiated a ransom payment of 397.6 Bitcoin – Approximately $1.01 million, making this the largest ransomware ransom payment reported to date.
That payment is being made in three instalments, with keys supplied to restore files on the servers in batches. When one batch of servers was successfully recovered, the second ransom payment was made. Nayana said that the recovery process would take approximately 2 weeks for each of the three batches of servers, resulting in considerable downtime for the company’s business customers. Nayana experienced some problems restoring databases but says it is now paying the final payment.
This incident shows how costly ransomware resolution can be and highlights how important it is to ensure that operating systems and software are updated regularly. Patches should be applied promptly to address vulnerabilities before they can be exploited by cybercriminals.
Simply having a backup is no guarantee that files can be recovered. If the backup device is connected to a networked machine when a ransomware attack occurs, backup files can also be encrypted. This is why it is essential for organizations to ensure one backup is always offline. It is also wise to segment networks to limit the damage caused by a ransomware attack. If ransomware is installed, only part of the network will be affected.
A recent Southern Oregon University phishing attack has clearly demonstrated why so many cybercriminals have chosen phishing as their main source of income.
Hacking an organization takes considerable planning and effort, typically requiring many hours of hard work and a considerable amount of skill. Phishing on the other hand is easy by comparison, requiring little work. Furthermore, the potential profits from phishing can be considerable.
The Southern Oregon University Phishing Attack Required a Single Email
The Southern Oregon University phishing attack involved a single phishing email. The attackers impersonated a construction company – Andersen Construction – that was building a pavilion and student recreation center at the University.
The attackers spoofed the email address of the construction firm and requested all future payments be directed to a different bank account. The university then wired the next payment to the new account in April. The payment was for $1.9 million.
The university discovered the construction firm had not received the funds three days later. The FBI was contacted as soon as the fraud was discovered and efforts are continuing to recover the funds. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable chunk is missing. Joe Mosley, a spokesperson for SOU said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
In order to pull off a scam such as this, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find and universities often have construction projects taking place.
These attacks are known as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not clear whether the vendors email account had been hacked, but that step may not be required to pull off a phishing attack such as this.
Rise in BEC Attacks Prompts FBI Warning to Universities
In this case, the payment was substantial but it is far from an isolated incident. Last month, the FBI released a public service announcement warning universities of attacks such as this.
The FBI warned that access to a construction firm’s email account is not necessary. All that is required is for the scammer to purchase a similar domain to the one used by the firm. Accounts department employees may check the email address and not notice that there is a letter different.
By the time the university discovered a payment has not been received, the funds have already been cleared from the scammer’s account and cannot be recovered. Payments are commonly of the order of several hundred thousand dollars.
The FBI informed SOU that there have been 78 such attacks in the past year, some of which have been conducted on universities. However, all organizations are at risk from these BEC scams.
The Southern Oregon University phishing attack shows just how easy it can be for scammers to pull off a BEC attack. Protecting against this time of scam requires employees to be vigilant and to exercise extreme caution when requests are made to change bank accounts. Such a request should always be verified by a means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was made.
Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.
The phishing attacks are used to install fileless malware – malware that remains in the memory and does not involve any files being written to the hard drive. Consequently, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.
While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.
The latest fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7; a group that has close associations with the Carbanak group.
The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to open the attached RTF file. RTF files have been discovered that are restaurant themed, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant chains.
One intercepted phishing email claimed to be a catering order, with the attachment containing a list of the items required. In the email, brief instructions explaining when the order is needed and how to view the list of ordered items. The email was brief, but it was particularly convincing. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before detection.
FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.
Further, the researchers checked the RTF file against VirusTotal and discovered none of the 56 AV vendors are currently detecting the file as malicious.
Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.
Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.
The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.
A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.
The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.
Business email compromise attacks are also on the rise. Proofpoint’s annual Human Factor report showed BEC email attacks rose from 1% of message volume to 42% of message volume relative to emails bearing Trojans. Those attacks have cost businesses $5 billion worldwide.
These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.
SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.
If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.
Microsoft took the decision to issue emergency Windows XP updates to prevent exploitation of the Windows Server Message Block (SMB) vulnerability used to infect worldwide computers with ransomware on May 12, 2017.
The move came as a surprise since the operating system is no longer supported. Extended support came to an end on April 8, 2014. Yesterday, saw further Microsoft Windows XP updates released. The patches prevent further flaws in the operating system from being exploited by cybercriminals in WannaCry ransomware-style attacks.
Microsoft’s Cyber Defense Operations Center head, Adrienne Hall, said “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”
In total, nearly 100 vulnerabilities were patched this Patch Tuesday, including 18 critical flaws that can be remotely exploited by cybercriminals to take full control of vulnerable systems. In some cases, as was the case with the WannaCry ransomware attacks, no user interaction is required for the flaws to be exploited.
One of the flaws – tracked as CVE-2017-8543 – similarly affects the Windows Server Message Block service. Microsoft says CVE-2017-8543 is being actively exploited in the wild, with Windows Server 2008, 2012, and 2016 all affected as well as more recent versions of Windows – v7, 8.1 and Windows 10. It is this flaw that has been patched for Windows Server 2003 and Windows XP. As was the case on May 12, once the attackers infect one device, they can search for other vulnerable devices. Infection can spread incredibly quickly to many other networked devices.
Some security experts have criticized Microsoft for issuing yet more Windows XP updates, arguing that this sends a message to users of outdated operating systems that it is OK not to upgrade the OS. Windows XP has many unpatched flaws, but the recent Windows XP updates suggest that if a particularly serious vulnerability is discovered that is being actively exploited, patches will be issued.
While Microsoft Windows XP updates have been released, this should not be taken as signaling a change in Microsoft’s standard servicing policies. Further patches may not be released for unsupported Windows versions, so organizations should not delay upgrading their OS. Microsoft’s general manager of its Security Response Center, Eric Doerr, said “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
In total, there were 95 updates issued this patch Tuesday. Like CVE-2017-8543, a LNK remote code execution vulnerability (CVE-2017-8464) is also being exploited in the wild.
The latest round of updates also includes a patch for a serious flaw in Microsoft Outlook (CVE-2017-8507). Typically, in order to exploit vulnerabilities an end user would be required to open a specially crafted email attachment. However, if an attacker were to send a specially crafted message to an Outlook user, simply viewing the message would allow the attacker to take full control of the machine.
Adobe has also issued a slew of updates to address 21 vulnerabilities spread across four products (Flash, Shockwave Player, Captivate and Adobe Digital editions). 15 of those vulnerabilities have been marked as critical and would allow remote code execution.
As the WannaCry ransomware attacks clearly showed, the failure to apply patches promptly leaves the door wide open to cybercriminals. These updates should therefore not be delayed, especially since two of the flaws are being actively exploited.
Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, although it is capable of encrypting files.
MacRansom is being offered under a ransomware-as-a-service (RaaS) model with the RaaS advertised to cybercriminals on a Tor network portal. In contrast to many RaaS offerings that require payment to be made before the RaaS can be used, the threat actors behind MacRansom are offering the RaaS free of charge.
Any would-be cybercriminal looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail email address and a version of MacRansom will be created according to the user’s specifications.
The authors of MacRansom claim they are professional engineers and security researchers with extensive experience in software development and a thorough understanding of the MacOS. They claim they have previously worked at Yahoo and Facebook.
The authors claim that MacRansom can be installed and will remain invisible to the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware variant uses a 128-bit industrial standard encryption algorithm that cannot be beaten unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be scheduled to run at a specific time set by the user. It can even be triggered when an individual plugs in an external drive into an infected machine to maximize the number of files that are encrypted. However, the ransomware is only capable of encrypting a maximum of 128 files.
The Ransomware is capable of checking if it is in a virtual environment, whether it is being debugged or if it has been installed in a non-Mac environment, in which case it will exit.
Security researchers at Fortinet – Rommel Joven and Wayne Chin Low – signed up for the RaaS and obtained a sample, but noted that under some circumstances it may not be possible to decrypt encrypted files even if the ransom is paid. They said, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom payment of 0.25 Bitcoin – around $700.
Fortunately, infection requires the victim to run a file with an unidentified developer. They will therefore need to confirm they wish to do that before the file is run. This warning should be sufficient to prevent many end users from proceeding.
A University of Alaska phishing attack has potentially resulted in attackers gaining access to the sensitive information of 25,000 staff, students and faculty staff.
The University of Alaska phishing attack occurred in December last year, although affected individuals have only just been notified. The phishing emails were sent to university employees. One or more individuals responded and were fooled into following the threat actors’ instructions.
Details of the exact nature of the phishing emails were not disclosed; however, as with other phishing scams, the emails appeared genuine and looked professional. By responding to the emails, the employees accidentally disclosed their usernames and passwords to the attackers. The attack resulted in ‘several’ email accounts being compromised.
The emails in the compromised accounts contained a range of sensitive information including names and Social Security numbers. In total, around 25,000 staff, students and faculty members had their information exposed.
The investigation into the University of Alaska phishing attack could not confirm whether any of the emails in the accounts were accessed or if information was copied by the attackers, although it remains a distinct possibility.
Due to the sensitive nature of data in the accounts, the University of Alaska had to inform all affected individuals by mail and offer credit monitoring and identity theft protection services. Victims will also be protected by a $1 million identity theft insurance policy.
A forensic analysis had to be conducted to determine the exact nature of the attack and which individuals had been affected – A process that took around 5 months. Staff had to be provided with additional training to improve awareness of credential phishing scams and were retrained correct handling of sensitive information. The notifications and mitigations came at a considerable cost.
The University of Alaska phishing attack was just one of many phishing attacks that have taken place in the United States over the past few months. The phishing attacks all have a common denominator. Employees were targeted, phishing emails reached inboxes, and end users followed the instructions in the emails.
Training staff to be aware of the threat of phishing can reduce susceptibility, although training did not prevent the University of Alaska phishing attack.
Even after receiving security awareness training, employees can make mistakes. A technology solution should therefore be implemented to stop phishing emails from being delivered to end users’ inboxes.
SpamTitan from TitanHQ offers excellent protection against phishing attacks, blocking more than 99.9% of spam, phishing emails and other malicious messages. SpamTitan is quick and easy to install, cost effective to implement and easy to maintain.
With SpamTitan installed, organizations can protect themselves against phishing attacks and avoid the considerable cost of data breaches.
For more information on SpamTitan and other TitanHQ security products, contact the sales team today and take the first step toward improving your defences against phishing attacks.
The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.
Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.
Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.
A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.
That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.
Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.
The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.
Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.
To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.
Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.
A critical Samba flaw has been discovered that has potential to be exploited and used for network worm attacks similar to those that resulted in more than 300,000 global WannaCry ransomware infections.
Samba is used to provide Windows-like file and print services on Unix and Linux servers and is based on the Windows Server Message Block (SMB) protocol that was exploited in the recent WannaCry ransomware attacks. The wormable remote code execution vulnerability has been identified in versions 3.5.0 an above.
The Samba flaw – tracked as CVE-2017-7494 – has existed for around 7 years, although no known attacks are understood to have occurred. That may not remain the case for long.
Samba is commonly installed on enterprise Linux servers, with around 104,000 machines believed to be vulnerable, per a recent search conducted by Rapid7 researchers. The Samba flaw can be exploited easily, requiring just a single line of code.
The Samba vulnerability has been rated as critical, although the good news is Samba has already issued an update that addresses the vulnerability. The patch can be applied to versions 4.4 and above. Any organization that is using an unsupported version of Samba, or is unable to apply the patch, can use a workaround to address the Samba vulnerability and secure their Linux and Unix servers.
The workaround is straightforward, requiring the addition of the following parameter to the [global] section of your smb.conf
nt pipe support = no
After the parameter has been added, the smbd daemon must be restarted. This will prevent clients from accessing any named pipe endpoints.
US-CERT has advised all organizations to apply the patch or use the workaround as soon as possible to prevent the vulnerability from being exploited.
If a threat actor were to exploit the Samba flaw, it would allow them to “upload a shared library to a writable share, and then cause the server to load and execute it.” A malicious file could be remotely uploaded on any vulnerable device. That could be ransomware, a network worm, or any other malicious file. That file could then be executed with root access privileges.
NAS devices also use Samba and may also be vulnerable to attack. Malicious actors could target NAS devices and access or encrypt stored data. Many organizations use NAS devices to store backups. An attack on those devices, using ransomware for instance, could be devastating. Bob Rudis, chief data scientist at Rapid7, said “A direct attack or worm would render those backups almost useless. Organizations would have little choice but to pay the ransom demand.
A proof-of-concept exploit for the Samba vulnerability is available to the public. It is therefore only a matter of time before the vulnerability is exploited. The patch or workaround should therefore be applied ASAP to mitigate risk.
TitanHQ announced a new partnership with Purple, the intelligent spaces company, which is now using the WebTitan WiFi filtering solution to control the content that can be accessed through its WiFi networks.
Businesses are now realizing they can attract more customers by providing free WiFi access, with Purple allowing businesses to get something back from providing free WiFi access to customers.
Purple provides WiFi analytics and marketing solutions allowing businesses to get more out of their WiFi networks. Those services have proven incredibly popular, with Purple rapidly expanding its business to serve clients in more than 70 countries.
Businesses are facing increasing pressure not only to provide Internet access to customers, but also to ensure that the Internet can be accessed safely and securely. The recent WannaCry ransomware attacks have highlighted just how important Internet security has now become. An Internet content filtering solution is therefore necessary to ensure inappropriate website content can be filtered out and malicious websites are blocked.
TitanHQ’s website content filtering solution – WebTitan – is the global leading content filtering solution for WiFi networks. Each day, WebTitan detects and blocks more than 60,000 different types of malware and ransomware, preventing users from infecting their devices. The solution is managed from a web-based control panel and can instantly be applied to any number of global WiFi access points.
The solution can be easily configured, has no latency, and allows precise control over the types of content that can be accessed through WiFi networks.
Following the rollout of WebTitan, which took just a few days, Purple customers have started benefitting from the industry-leading WiFi filtering solution.
James Wood, Head of Integration at Purple, communicated Purple’s unique requirements to TitanHQ which was able to provide a solution that exactly matched the company’s needs. Wood said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
The solution was ideal for Purple. Woods explained that “Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
More and more companies are realizing that it is no longer sufficient to just offer free WiFi access to customers. Customers now want to be reassured that they can access the Internet securely. TitanHQ CEO Ronan Kavanagh said “Content filtering for Wi-Fi will be a given in service terms over the next few years. Purple again is leading the way with their focus on this area.”
In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information.
A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails.
Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.
There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal.
Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.
When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.
In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers.
A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients.
The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account.
Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.
So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR?
The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.
A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered.
Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.
Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.
An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.
The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.
The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.
Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.
Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.
Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.
The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine. It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.
On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.
The cost of ransomware attacks cannot be totaled by the amounts illegally earned by cybercriminals through ransom payments. In fact, the ransom payments are just a tiny fraction of the costs experienced by businesses that have been attacked with ransomware.
Take the recent WannaCry ransomware attacks as an example. The individuals behind that campaign were charging $300 per infected device to supply the keys to decrypt data. The amount gathered by those individuals was a little over $100,000 on Monday this week, even though the attacks involved data being encrypted on approximately 300,000 devices.
However, the cost of ransomware attacks is far higher. The biggest cost of ransomware attacks for most businesses is downtime while the infection is dealt with. Even if the ransom is paid, businesses often lose a week or more while the infection is removed and systems are brought back online. One Providence law firm suffered 3 months of downtime while systems remained locked!
Then there is the continued disruption while businesses catch up from the loss of productivity in the aftermath following the attack. The NHS was still experiencing disruption more than a week after the attacks on Friday 12, May.
Ransomware attacks can also involve loss of data and damage a company’s reputation. Typically, following a ransomware attack, a forensic analysis of IT systems must be conducted to ensure all traces of malware have been removed. Checks also must be performed to look for backdoors that may have been installed. Many businesses do not have the staff to perform those tasks. Cybersecurity experts must therefore be brought in. Additional cybersecurity solutions must also be purchased to ensure further attacks are prevented. The cost of ransomware attacks is therefore considerable.
The WannaCry ransomware attacks have been estimated to have cost businesses more than $1 billion. KnowB4 CEO Stu Sjouwerman said “The estimated damage caused by WannaCry in just the initial 4 days would exceed a billion dollars, looking at the massive downtime caused for large organizations worldwide.”
The cost of ransomware attacks in 2015 was an estimated $325 million, although figures from the FBI suggest that total was reached in the first quarter of the year. The final cost of ransomware attacks in the year was estimated to have reached $1 billion. Recently, Cybersecurity Ventures predicted the cost of ransomware attacks in 2017 will reach an incredible $5 billion. Given the expected costs of the recent WannaCry ransomware attacks, that could turn out to be an incredibly conservative estimate.
Cybercriminals are not concerned about the damage caused by the attacks, only the amount they can extort from businesses. The returns may be relatively low, but they are sufficiently high to make the attacks profitable. More and more individuals are also getting in on the act by using ransomware-as-a-service. Not only are ransomware attacks likely to continue, major cybercriminal gangs are likely to increase the scale of the attacks.
Businesses should be aware of the huge cost of ransomware attacks and take appropriate action to prevent those attacks from occurring. Having a backup of data may ensure that a ransom payment does not need to be made, but it will do little to prevent huge losses from being suffered if ransomware is installed.
Preventing ransomware attacks requires security awareness training for employees, advanced spam filters to stop ransomware from being delivered to end users’ inboxes, web filters to block individuals from accessing malicious URLs, endpoint protection systems to detect and block ransomware downloads, advanced firewalls and antivirus and antimalware solutions.
Fortunately, with appropriate defenses in place, it is possible to block ransomware attacks. Those solutions do come at a cost, but considering the losses from a successful ransomware attack, they are a small price to pay.
A recent wave of DocuSign phishing emails has been linked to a data breach at the digital signature technology provider. A hacker gained access to a ‘non-core’ system that was used to send communications to users via email and stole users’ email addresses.
DocuSign reports that the peripheral system was compromised and only email addresses were accessed and stolen. No other data has been compromised as a result of the cyberattack. The data breach only affected DocuSign account holders, not registered users of eSignature.
It is currently unclear exactly how many email addresses were stolen, although the DocuSign website indicates the firm has more than 200 million users.
The attacker used customers’ email addresses to send specially crafted DocuSign phishing emails. The emails containing links to documents requiring a signature. The purpose of the emails was to fool recipients into downloading a document containing a malicious macro designed to infect computers with malware.
As is typical in phishing attacks, the DocuSign phishing emails appeared official with official branding in the headers and email body. The subject lines of the email were also typical of recent phishing campaigns, referring to invoices and wire transfer instructions.
The san Francisco based firm has been tracking the phishing emails and reports there are two main variations with the subject lines: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature,” or “Completed *company name* – Accounting Invoice *number* Document Ready for Signature.”
The emails have been sent from a domain not linked to DocuSign – a sign that the emails are not genuine. However, due to the realism of the emails, many end users may end up clicking the link, downloading the document and infecting their computers.
Recipients are more likely to click on links and open infected email attachments if they relate to a service that the recipient uses. Since DocuSign is used by many business users, there is a significant threat of a network compromise if end users open the emails and follow the instructions provided by the threat actors.
Businesses can reduce the risk of malicious emails reaching end users inboxes by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam emails and 100% of known malware using dual antivirus engines for maximum protection.
To find out more about SpamTitan and other antimalware controls to protect your business, contact the TitanHQ team today.
A new encryptor – Jaff ransomware – could be heading your way via email. Jaff ransomware is being distributed by the individuals responsible for distributing the Dridex banking Trojan and Locky ransomware. The gang has also previously used Bart ransomware to encrypt files in an attempt to extort money from businesses.
In contrast to Locky and many other ransomware variants, the individuals behind Jaff ransomware are seeking a huge ransom payment to unlock files, suggesting the new variant will be used to target businesses rather than individuals. The ransom demand per infected machine is 1.79 Bitcoin – around $3,300. The WannaCry ransomware variant only required a payment of $300 per infected machine.
The distributors have used exploit kits in the past to spread infections, although spam email is used for the latest campaign. Whether that will remain the only distribution mechanism remains to be seen. Millions of spam email messages have already sent via the Necurs botnet, according to Proofpoint researchers who identified the new encryptor.
The emails have a PDF file attachment rather than a Word document. Those PDF files contain embedded Word documents with macros that will download the malicious payload. This method of distribution has been seen with Locky ransomware in recent weeks.
The change in file attachment is believed to be an attempt to get users to open the attachments. There has been a lot of publicity about malicious Word documents attached to emails from unknown senders. The change could see more end users open the attachments and infect their devices.
Opening the PDF file will present the user with a screen advising them that the contents of the document are protected. They are prompted to ‘enable editing’ by ignoring the security warning and enabling macros. Enabling macros will result in infection. Jaff ransomware will then search for and encrypt a wide range of file types including images and multimedia files, databases, office documents and backups.
There is no known decryptor for Jaff ransomware. Recovery will depend on a viable backup existing that has not been encrypted by the ransomware. The alternatives are to pay the sizable ransom payment or permanently lose files.
To protect against the threat, an advanced spam filtering solution should be implemented to prevent the emails from reaching end users’ inboxes. As a failsafe, employees should be warned about the threat of ransomware and instructed not to open any file attachments from unknown senders. They should also be alerted to the threat from PDF files containing embedded word documents.
Who Conducted the WannaCry Ransomware Attacks?
The WannaCry ransomware attacks that started on Friday May 12 rapidly spread to more than 150 countries. While the attacks have been halted, IT security professionals are still scrambling to secure their systems and the search is now on for the perpetrators.
Malware researchers are analyzing the ransomware code and attack method to try to find clues that will reveal who conducted the WannaCry ransomware attacks.
At this stage in the investigation, no concrete evidence has been uncovered that links the attacks to any individual or hacking group, although a Google security researcher, Neel Mehta, has found a possible link to the Lazarus Group; a hacking organization believed to be based in China with links to North Korea.
The Lazarus Group is thought to be behind the attack on Sony Pictures in 2014 and the major heist on the Bangladesh central bank in February this year. While the link between the Lazarus Group and North Korea has not been comprehensively proven, the U.S. government is sure the group has been backed by North Korea in the past.
WannaCry Ransomware Code has been Reused
Mehta discovered parts of the ransomware code from the latest attacks were the same as code in a 2015 backdoor used by the Lazarus Group, suggesting the WannaCry ransomware attacks were conducted either by the Lazarus Group or by someone who has access to the same code.
Mehta also compared the code from the latest WannaCry ransomware variant and the backdoor to an earlier version of WannaCry ransomware from February and found code had been shared between all three. Symantec’s researchers have confirmed the code similarities.
Whether the Lazarus Group conducted the attacks is far from proven, and there is no evidence to suggest that were that to be the case, that the group had any backing from North Korea. The group could have been acting independently.
While some have called this link ‘strong evidence’, it should be explained that comparing code between malware samples does not confirm origin. Code is often reused and it is possible that the actors behind this campaign may have put in a false flag to divert attention from themselves onto the Lazarus Group and North Korea.
While the false flag idea is possible and plausible, Kaspersky Lab believes it is improbable and that the similarities in the source code point the finger of blame at the Lazarus Group.
Many Questions Remain Unanswered
The link with the Lazarus Group/North Korea is now being investigated further, but there are currently many questions unanswered.
The ransomware included a self-replicating function making it act like a worm, allowing it to rapidly spread to all vulnerable computers on a network. The sophistication of the attack suggests it was the work of a highly capable organization rather than an individual. However, the kill switch in the ransomware that was discovered by UK researcher ‘Malware Tech,’ allowed the infections to be halted. Such an ‘easily found’ kill switch would be atypical of such a sophisticated hacking group.
Previous attacks linked with the Lazarus Group have also been highly targeted. The WannaCry ransomware attacks over the weekend were purposely conducted in multiple countries, including China and Russia. The widespread nature of the attacks would be a departure from the typical attack methods used by Lazarus.
There are doubts as to whether North Korea would back an attack on its neighbours and allies, and while financially motivated attacks cannot be ruled out, past state-sponsored attacks have had a political purpose.
At this stage, it is not possible to tell who conducted the WannaCry ransomware attacks, but the latest discovery is an important clue as to who may be responsible.
On Friday May 12, a massive WannaCry ransomware campaign was launched, with the UK’s National Health Service (NHS) one of the early victims. The ransomware attack resulted in scores of NHS Trusts having data encrypted, with the infection rapidly spreading to networked devices. Those attacks continued, with 61 NHS Trusts now known to have been affected. Operations were cancelled and doctors were forced to resort to pen and paper while IT teams worked around the clock to bring their systems back online.
Just a few hours after the first reports of the WannaCry ransomware attacks emerged, the scale of the problem became apparent. The WannaCry ransomware campaign was claiming tens of thousands of victims around the world. By Saturday morning, Avast issued a statement confirming there had been more than 57,000 attacks reported in 100 countries. Now the total has increased to more than 200,000 attacks in 150 countries. While the attacks appear to now be slowing, security experts are concerned that further attacks will take place this week.
So far, in addition to the NHS, victims include the Spanish Telecoms operator Telefonica, Germany’s rail network Deutsche Bahn, the Russian Interior ministry, Renault in France, U.S. logistics firm FedEx, Nissan and Hitachi in Japan and multiple universities in China.
The WannaCry ransomware campaign is the largest ever ransomware attack conducted, although it does not appear that many ransoms have been paid yet. The BBC reports that the WannaCry ransomware campaign has already resulted in $38,000 in ransom payments being generated. That total is certain to rise over the next few days. WannaCry ransomware decryption costs $300 per infected device with no free decryptor available. The ransom amount is set to double in 3 days if payment is not made. The attackers threaten to delete the decryption keys if payment is not made within 7 days of infection.
Ransomware attacks usually involve malware downloaders sent via spam email. If emails make it past anti-spam solutions and are opened by end users, the ransomware is downloaded and starts encrypting files. WannaCry ransomware has been spread in this fashion, with emails containing links to malicious Dropbox URLs. However, the latest WannaCry ransomware campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1). The exploit for the vulnerability – known as ETERNALBLUE – has been packaged with a self-replicating payload which can spread rapidly to all networked devices. The vulnerability is not a new zero day however. In fact, Microsoft patched the vulnerability in its MS17-010 security bulletin almost two months ago. The problem is many organizations have not installed the update and are vulnerable to attack.
The ETERNALBLUE exploit was reportedly stolen from the National Security Agency by Shadow Brokers, a cybercriminal gang with links to Russia. ETERNALBLUE was allegedly developed as a hacking weapon to gain access to Windows computers used by enemy states and terrorists. Shadow Brokers managed to steal the tool and published the exploit online in mid-April. While it is not known whether Shadows Brokers is behind the attack, the publication of the exploit allowed the attacks to take place.
The exploit allows the attackers to drop files on a vulnerable system, with that file then executed as a service. The dropped file then downloads WannaCry ransomware, which searches for other available networked devices. The infection spreads before files are encrypted. Any unpatched device with port 445 open is vulnerable.
The WannaCry ransomware campaign would have resulted in far more infections had it not been for the actions of a security researcher in the UK. The researcher –@MalwareTechBlog – found a kill switch to prevent encryption. The ransomware attempts to communicate with a specific domain. If communication is possible, the ransomware does not proceed with encryption. If the domain cannot be contacted, files are encrypted.
@MalwareTechBlog discovered the reference to the nonsense domain, saw that it was unregistered and bought it. By doing so, the ransomware attack was thwarted. The domain checking mechanism was presumably added to prevent the ransomware from running in a sandbox environment.
However, a new version of the ransomware without the kill switch has reportedly already been released, which could see the victim count increase substantially over the next few days. Organizations that have not applied Microsoft’s patch are advised to do so as a priority to block the attack.
The massive ransomware attack should serve as reminder to all organizations of the importance of applying patches promptly. That will be a particularly painful reminder for many organizations that fell victim to this preventable ransomware attack.
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
A Sabre Corporation data breach has potentially resulted in the theft of credit card details and PII from the SynXis Hospitality Solutions reservation system. The Sabre Corporation data breach was acknowledged in Sabre Corp’s Q2 10-Q filing with the Securities and Exchange Commission. Few details about the security incident have been released as the incident is currently under investigation.
What is known is the incident affects SynXis, a cloud-based SaaS used by more than 36,000 independent hotels and global hotel chains. The system allows employees to check room availability, pricing and process bookings.
Sabre Corporation recently discovered an unauthorized third party gained access to the system and potentially viewed the data of a subset of Sabre Corp’s hotel clients. Information potentially compromised as a result of the Sabre Corporation data breach includes the personally identifiable information and payment card information of hotel guests.
At this stage, Sabre Corporation is still investigating the breach and has not disclosed how the individual gained access to the payment system or when access was first gained. Sabre Corp is currently trying to determine exactly how many individuals have been affected, although affected companies have now been notified of the incident.
Sabre Corp has confirmed that the security breach only affected its SynXis Central Reservations system and unauthorized access has now been blocked. Law enforcement has been alerted to the incident and cybersecurity firm Mandiant contracted to conduct a full forensic investigation of its systems.
The Sabre Corporation data breach is the latest in a string of cyberattacks on hotel chains. Hyatt Hotels Corp, Kimpton Hotels and Restaurants, Omni Hotels & Resorts, Trump Hotels, Starwood Hotels & Resorts, Hilton Hotels, HEI Hotels & Resorts and InterContinental Hotels Group have all experienced data breaches in recent months that have resulted in the attackers gaining access to their card payment systems.
While the method used to gain access to Sabre’s system is not yet known, similar cyberattacks on hotel reservation and payment systems have involved malware and compromised login credentials.
If malware is installed on systems it can be used to monitor keystrokes and record login credentials. The sharing of login credentials and poor choices of passwords can also allow attackers to gain access to login credentials.
To protect against cyberattacks, hotels and their contracted SaaS providers should use layered defences including multiple systems to prevent the downloading of malware and multi-factor authentication to reduce the risk from compromised login credentials being used to gain access to POS systems.
Web filters should be used to control employees’ Internet access and downloads, an antispam solution used to prevent malicious emails from reaching end users’ inboxes and anti-virus and anti-malware solutions should be kept up to date and set to scan networks regularly.
Organizations in the hospitality sector must also ensure they have the basics correct, such as changing default passwords, using strong passwords and employing good patch management policies.
The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.
The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.
In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.
Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.
The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.
Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.
Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.
Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.
IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.
Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.
The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.
IC3 lists the five most common types of business email compromise scams as:
- Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
- An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
- A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
- The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
- A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.
There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.
- Using a domain-based email account rather than a web-based account for business email accounts
- Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
- Implement a two-step verification process to validate all transfer requests
- Use two-factor authentication for corporate email accounts
- Never respond to an email using the reply option. Always use forward and type in the address manually
- Register all domains that are similar to the main domain used by the company
- Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
- Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers
A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.
In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.
The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’
This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.
Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.
The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.
Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.
If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.
The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.
Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.
Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.
Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.
Employees Still Lack Security Awareness
Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.
A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.
Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.
When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.
How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.
The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.
20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.
How to Improve Defenses Against Email Attacks
Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.
Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.
Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.
A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.
The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that comes into force next year, but does GDPR apply to American companies? As many U.S. companies have recently discovered, not only does GDPR apply to American companies, doing business within the EU is likely to be extremely costly for companies that do not comply with GDPR.
Any organization or individual that does business within any of the 28 EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Romania, Slovakia, Spain, Sweden and the United Kingdom) must comply with GDPR or face heavy penalties.
The penalty for non-compliance with GDPR for enterprises is up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is the greatest. An enterprise found not to have complied with GDPR will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are updated and the firm continues to comply with GDPR.
So, what is the regulation and how does GDPR apply to American companies? What do U.S firms need to do to comply with GDPR?
How Does GDPR Apply to American Companies?
The main purpose of GDPR is to give EU citizens greater control over how their personal data is collected, protected and used. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. That includes any online business that owns a website that is accessible by EU citizens if that website collects user data.
Since the definition of personal information includes online identifiers such as cookies, GDPR has implications for huge numbers of U.S businesses. GDPR applies to all companies that do business with persons based in EU member states, with the exception of law enforcement agencies or when data are collected for national security activities.
To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies.
The EU classes personal data as “Any information relating to an identified or identifiable natural person,” which includes a wide range of information from names, addresses, telephone numbers and email addresses to bank information and credit card details, photos, posts on social media websites, medical information, and even an individuals IP address.
Even when controls have been implemented to keep data secure, it may still be necessary to overhaul systems to ensure sufficient protections are in place. Companies must be aware where data are stored and employees must be trained to ensure they are aware of their responsibilities with regards to the use of data.
Organizations will need to provide customers – and website visitors – with detailed information on data that are collected and how data will be used. Consent must be obtained before any data are collected and consent must be obtained from a parent or custodian of a minor.
There must be a legitimate and lawful reason for collecting data and limited to the minimum necessary information for the purpose for which data are collected. Data must be deleted when that purpose has been achieved.
Organizations must appoint a Data Protection Officer who is knowledgeable about GDPR and will oversee compliance if their core activities are data collection, storage or data processing. That individual must also have a thorough understanding of the company’s organizational and technical infrastructure.
Organizations also need to implement appropriate policies, procedures and technologies to ensure that the data of EU citizens can be permanently erased. GDPR includes the right to be forgotten – termed ‘Right to Erasure’.
The legislation that GDPR replaces only required data to be deleted when it caused substantial damage or distress. However, from next year, an EU citizen can request that all data collected on them be permanently deleted if the information is no longer needed for the purpose that it was originally collected. Data must also be deleted if consent to use the data is withdrawn or if the processing of data is unlawful and breaches GDPR.
Many U.S. companies already have technologies in place that will comply with the data protection requirements of GDPR, but the right to erasure requirement could pose problems.
Symantec recently conducted a survey that revealed 9 out of 10 businesses were concerned that they would not be able to comply with the right to erasure requirement of GDPR, with only 4 out of 10 businesses already having a system in place that could potentially allow all data to be deleted.
Compliance with GDPR in the United States
A recent survey conducted by PricewaterhouseCoopers on large multinational companies in the United States shows efforts are already underway to ensure compliance with the EU regulation. More than half of surveyed firms said GDPR is now their main data protection priority, with 92% saying compliance with GDPR is a top priority this year. The cost of compliance is considerable. 77% of surveyed firms said they are planning to spend more than $1 million on GDPR compliance, with one of the main spending priorities being improving their information security defenses.
Many companies are starting to ask how how does GDPR apply to American companies, but a study conducted by NTT Security suggests that three quarters of U.S. businesses are ignoring GDPR because they do not believe the regulation applies to them. Ignorance could prove very costly indeed. Further, time is running out. For many companies, compliance with GDPR will not be a quick process and the deadline is fast approaching. GDPR comes into effect on May 25, 2018. Miss the deadline and fines await.
A law firm ransomware attack has resulted in business files being left encrypted and inaccessible for three months, causing considerable billing losses for the firm.
Why did the law firm not simply pay the ransom demand to regain access to their files? Well, they did. Unfortunately, the attackers took the money and did not supply viable keys to unlock the encrypted files. Instead, they had a much better idea. To issue another ransom demand to try to extort even more money from the law firm.
The law firm, Providence, RI- based Moses Afonso Ryan Ltd, was forced to negotiate with the attackers to gain access to its data. It took more than three months and ransomware payments of $25,000 to finally regain access to its files. However, the ransomware payment represented only a tiny proportion of the cost of the attack. During the three months that data were locked, the firm’s lawyers struggled to work.
Moses Afonso Ryan made a claim against its insurance policy for lost billings as a result of the attack; however, the insurer, Sentinel Insurance Co., has refused to pay the bill. The law firm claims to have lost $700,000 as a result of the attack in lost billings alone. The firm has recently filed a U.S. District Court lawsuit against its insurer claiming breach of contract and bad faith for denying the claim.
The law firm ransomware attack involved a single phishing email being opened by one of the firms’ lawyers. That email has so far cost the firm more than $725,000 and the losses will continue to rise.
Important lessons can be learned from this law firm ransomware attack. First, the importance of training all staff members on the risk of ransomware attacks and teaching security best practices to reduce the risk of attacks being successful.
Since phishing emails are now highly sophisticated and difficult to identify, technical solutions should be implemented to prevent emails from reaching employees’ inboxes. Endpoint protection systems can reduce the risk of ransomware being installed and can detect infections rapidly, limiting the damage caused.
All businesses should take care to segment their networks to ensure that a ransomware infection on a single computer does not result in an entire network being impacted.
It is also essential for backups to be performed regularly and for those backups to be tested to ensure data can be recovered. This law firm cyberattack clearly demonstrated that organizations cannot rely on attackers making good on their promise to unlock data if the ransom is paid.
There have been cases where the attackers have not been able to supply a functional key to unlock data, and numerous examples of attackers issuing further ransom demands in an attempt to extort even more money out of companies.
Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.
Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.
However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).
NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.
Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.
With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.
The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.
Cyberattacks on educational institutions are occurring at an alarming rate. While the education sector has not been as heavily targeted as the financial services and healthcare in recent years, that is no longer the case. Cybercriminals and state-actors now have the education sector in their crosshairs.
Cybercriminals have realized that cyberattacks on educational institutions can be highly profitable, with this year seeing a sharp rise in attacks.
Schools, colleges and higher education institutions hold vast quantities of data that can be used for fraud and identity theft. As we have already seen this year, cyberattacks on educational institutions are now much more common. The first quarter of the year saw a rise in W-2 phishing attacks, with criminals managing to obtain the tax information of many thousands of staff members. Those data were used to file fraudulent tax returns. Student records can be used for identity theft and can be sold for big bucks on darknet marketplaces. Attacks aimed at obtaining the personal data of students have similarly increased.
Educational institutions also conduct extensive research. The past year has seen a sharp rise in espionage related cyberattacks on educational institutions. Criminals are also conducting attacks to gain access to bank accounts. This year, two major cyberattacks on educational organizations have resulted in bank transfers being made to criminals’ accounts. At the start of the year, a phishing attack on the Cleveland Metropolitan School District resulted in more than $100,000 being obtained by the attackers. Denver Public Schools was also attacked, with the attackers redirecting $40,000 in payroll funds to their own accounts.
The recently published Data Breach Investigation Report from Verizon clearly shows the new attack trend. Over the past year, there have been 455 incidents reported by educational institutions, 73 of which have resulted in the theft of data.
While many industries see cyberattacks conducted for financial reasons, in education, financial gain was only the motive behind 45% of cyberattacks. 43% of attacks involved espionage and 9% of attacks were conducted for fun. Out of all reported data breaches, 26% involved espionage. Last year the percentage was just 5%.
Attacks are coming from all angles – Internal attacks by students; attacks by cybercriminals looking to steal data, and state-sponsored actors looking to steal research. The latter accounted for more than half of data breaches in the past year.
The Verizon report indicates hacking is the biggest threat. 43% of breaches were due to hacks, although social attacks and malware were also common. Verizon reports that almost 44% of breaches involved social and around a third involved malware. Social attacks and malware have increased considerably over the course of the past year. The most common social attack was phishing via email.
As long cyberattacks on educational institutions remain beneficial or profitable, cyberattacks will continue. Educational institutions therefore need to take steps to improve their security posture. Since social attacks such as phishing are commonplace, and malware infections commonly occur via email, educational institutions need review their email defenses.
Password policies should be introduced to ensure strong passwords are set on email accounts and policies introduced to ensure passwords are regularly changed. Spam filtering solutions should be implemented and all staff and students should receive training on security awareness. Verizon suggests staff and students should be encouraged or rewarded for reporting phishing and pretexting attacks.
There was some good news in the latest installment of the Symantec Internet Security Threat Report. Web-based attacks have fallen year on year, but ransomware attacks on businesses have sky rocketed. Sabotage and subversion attacks have also risen sharply in the past 12 months.
The Internet Security Threat Report shows that exploit kit and other web-based attacks fell by 30% in 2016, but over the same period, ransomware attacks on businesses increased by 36%.
Ransomware has proved popular with cybercriminals as attacks are easy to perform and money can be made quickly. If an attacker succeeds in encrypting business data, a ransom must be paid within a few days. In the United States, where the majority of ransomware attacks occur, 64% of businesses pay the ransom.
Web-based attacks on the other hand typically take longer and require considerably more technical skill. Cybercriminals must create and host a malicious site and direct end users to the site. Once malware has been downloaded, the attackers must move laterally within the network and find and exfiltrate sensitive data. The data must then be sold.
Ransomware attacks on businesses are far easier to conduct, especially using ransomware-as-a-service. All that is required is for criminals to pay to rent the ransomware, set their own terms, and distribute the malware via spam email. Many ransomware authors even provide kits with instructions on how to customize the ransomware and conduct campaigns. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks.
The Symantec Internet Security Threat Report charts the rise in popularity of ransomware. Symantec detected 101 separate ransomware families in 2016. In 2014 and 2015 the count was just 30. Symantec’s ransomware detections increased from 340,665 in 2015 to 463,841 in 2016. Ransomware as a service has played a major role in the increase in attacks.
Ransom demands have also increased in the past year. In 2015, the average ransom demand was $294 per infected device. In 2016, the average ransomware demand had increased to $1,077.
Fortunately, good data backup policies will ensure businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks on businesses are costly to resolve. Cybersecurity firms need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.
Ransomware attacks on businesses typically see computers locked for several days, causing considerable loss of revenue for companies. Customer breach notifications may also need to be issued. Ransomware attacks can cost tens or hundreds of thousands of dollars to resolve, even if no ransom is paid.
Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.
Symantec’s figures show that spam email volume has remained constant year on year, with spam accounting for 53% of email volume in 2016.
In 2016, one in 2,596 emails involved a phishing component, down from one in 965 in 2014. Phishing attacks may be down, but malware attacks increased over the same period.
Malware-infected email attachments and malicious links to malware-infected websites accounted for one in every 131 emails in 2016, up from 1 in 220 in 2015 and 1 in 244 in 2014. In 2016, 357 million new malware variants were detected, up from 275 million in 2014.
The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. While that is a considerable decrease from the previous year, web-based attacks still pose a significant threat to businesses.
Web-based attacks could also increase this year. The Symantec Internet Security Threat Report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.
The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1,209 breaches reported.
The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.
Protecting against data breaches and cyberattacks requires comprehensive, multi-layered security defenses. TitanHQ offers a range of cybersecurity solutions for SMEs to help them improve their security posture and protect against web-based and email-based security threats.
For more information on how you can improve your security posture, contact the TitanHQ team today.
A Shoney’s Restaurants malware infection has resulted in the theft of customers’ payment card details. Hackers managed to install malware on the POS system used by dozens of Shoney’s restaurants
Shoney’s is a 70-year-old Nashville, Tennessee-based restaurant chain that operates approximately 150 restaurants across the Southern United States, Midwest and lower Atlantic region. The chain serves customers in 17 states, although only selected restaurants in Alabama, Arkansas, Georgia, Florida, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Virginia were affected. At least 37 restaurants were affected.
Financial institutions identified a trend in credit card fraud and were able to determine that all of the affected cardholders had visited a Shoney’s Restaurant. Best American Hospitality Corp., which manages and operates a number of Shoney’s establishments, was notified of a potential cyberattack and started an investigation. Kroll Cyber Security LLC was hired to conduct an investigation into the attack.
Kroll’s investigation revealed the malware enabled the attackers to steal cardholder names, credit card numbers, CVV codes, and expiry dates, although in some cases, cardholder names were not obtained. It is unclear how many individuals have been impacted, although any individual who visited one of the affected restaurants and paid by credit card has potentially had their information stolen. The malware was capable of reading data from the magnetic strips of payment cards as the information was routed through its computer system.
Access to the POS system is understood to have first been gained on December 27, 2016, although some restaurants were not infected until January 11. The Shoney’s Restaurants malware infection was contained on March 6, 2017, according to a press release issued by Best American Hospitality Corp.
The Shoney’s Restaurants malware attack is the latest is a slew of POS system breaches that have hit the hospitality sector hard. Earlier this year, the Arby’s restaurant chain was attacked and had credit card data stolen, while Wendy’s suffered a major credit card breach last year. Hotels have also been attacked, with more than 1,100 Intercontinental Hotel Group hotels discovered to have had malware installed that accessed its POS system.
Cyberattacks on the hospitality sector are to be expected. Hotels and restaurants are visited by tens of thousands of customers, and payment by credit card is common. Card details can be stolen and encoded onto magnetic strips on blank cards and used for fraudulent purchases. Each card number can allow criminals to steal hundreds, if not thousands of dollars.
All too often, data breaches occur due to poor security practices such as the failure to use strong passwords or failing to change default passwords. Other basic security failures that can open the door to attackers include failing to use web and email security products, not using two-factor authentication and not implementing security patches promptly. Businesses should also conduct regular vulnerability scans and penetration tests to ensure all of their systems are secure.
If you would like advice on web and email security protections that can prevent hackers from gaining access to your POS system and installing malware, contact the TitanHQ team today and find out how you can improve your resilience against malware and cyberattacks.
2017 was the year when Locky Ransomware first arrived on the scene, with the ransomware variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February and continued to rise in the first half of the year. The ransomware variant was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.
As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat. Locky now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat – by some distance – is Cerber ransomware.
Cerber ransomware is now behind 90% of all global ransomware infections, with those attacks performed using many different variants of the ransomware. Cerber has even surpassed TeslaCrypt; a previously highly prevalent ransomware variant that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ stood at 70%, although that increased to 90% by the end of Q3.
The secret of the success of Cerber lies not only in the sophistication of the ransomware, but how it is being used and distributed. Cerber ransomware has become the biggest ransomware threat because it is not only the authors that are using it to attack organizations. There is now an army of affiliates using the ransomware. Those affiliates do not need programming experience and neither much in the way of technical skill. Their role is simple. They are simply distributors who get a cut of the profits for any ransoms they manage to generate.
Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.
The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.
With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.
All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.
Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.
A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.
The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.
OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.
What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.
These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as an essential security control.
The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.
HIPAA Penalties for Phishing Attacks
OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.
The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.
In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware. OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.
Microsoft has finally patched a zero-day vulnerability in Microsoft Word that has been exploited by cybercriminals for months. Recently, the vulnerability has been exploited by the gang behind the Dridex banking Trojan.
The remote code execution vulnerability (CVE-2017-0199) affects the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability is a logic flaw rather than a programming error, which makes defending against attacks difficult.
The bug affects RTF files. The spam email campaigns use RTF files containing an embedded OLE2Link object, which downloads an HTA (HTML Application) file containing malicious code when the document is opened. No user interaction other than opening the file is required to infect the end user’s device.
There is some debate as to how long the vulnerability has been actively exploited in the wild. Attacks may have been occurring as early as November 2016 according to SophosLabs, although certainly since the start of 2017. Over the past two months, the vulnerability has been extensively exploited to deliver the Dridex banking Trojan.
The zero-day vulnerability in Microsoft Word has been exploited for espionage purposes in Russian speaking countries, while FireEye observed the exploit being used to distribute Latentbot malware. Latentbot is an information stealer with the ability to corrupt hard drives.
Many security companies have been tracking the vulnerability, although it was McAfee that announced the existence of the actively exploited flaw on Friday last week. The flaw exists in virtually all Microsoft Word versions and does not require macros to be enabled in order for malicious code to run.
Employees are advised never to enable macros on documents unless they are 100% certain that a document is legitimate; however, this zero-day exploit does not rely on macros. Simply opening the Word document on an unpatched Office installation is likely to result in infection.
This makes the vulnerability particularly dangerous. Any end user that opens a specially crafted Word document would automatically run the code which would see the Dridex Trojan (or another malware) downloaded. One protection that can prevent the malicious code from running is to enable Protected View mode. However, the code will run when Protected View is turned off.
The malicious emails sent out in at least one campaign have the subject line “scanned data” with the RFT file attachments containing the word ‘scan’ followed by a random string of numbers, according to Proofpoint.
To protect against this exploit, the patches for both Office and Windows that were released by Microsoft on Tuesday April 11, 2017 should be applied. However, in order to apply the security update, Service Pack 2 for Office 2010 must be installed.
If it is not possible to apply the Microsoft updates immediately, you can configure your spam filter to block RTF files or add RTF files to the list of documents to block in the Microsoft Office Trust Center.
Yesterday, the U.S. Department of Justice announced that one of the leading email spammers has been arrested as part of an operation to disrupt and dismantle the infamous Kelihos botnet.
The Kelihos botnet is a network of tens of thousands of computers that are used to launch massive spamming campaigns comprising millions of emails. Those spam emails are used for a variety of nefarious purposes including the distribution of ransomware and malware. The botnet has been extensively used to spread fake antivirus software and spread credential-stealing malware.
Computers are added to the Kelihos botnet using malware. Once installed, Kelihos malware runs silently and users are unaware that their computers have been hijacked. The Kelihos botnet can be quickly weaponized and used for a variety of malicious purposes. The botnet has previously been used for spamming campaigns that artificially inflate stock prices, promote counterfeit drugs and recruit people to fraudulent work-at-home schemes.
Pyotr Levashov is believed to operate the botnet in addition to conducting a wide range of cybercriminal activities out of Russia. In what turned out to be an unwise move, Levashov left the relative safety of his home country and travelled to Barcelona, Spain on holiday. Levashov was arrested on Sunday, April 9 by Spanish authorities acting on a U.S. issued international arrest warrant.
Levashov is suspected of playing a role in the alleged Russian interference in the U.S. presidential election in 2016, although Levashov is best known for his spamming activities, click fraud and DDoS attacks.
Levashov, or Peter Severa as he is otherwise known, is heavily involved in distributing virus spamming software and is believed to have written numerous viruses and Trojans. Spamhaus lists Levashov in seventh place on the list of the 10 worst spammers.
Levashov is believed to have run multiple operations that connected virus developers with spamming networks, and is suspected of running the Kelihos botnet, the Waledac botnet – which was taken down in 2010 – and the Storm botnet. Levashov was indicted for his role in the latter in 2009, although he managed to avoid extradition to the United States. At the time, Storm was the biggest spamming botnet in operation and was used to send millions of emails every day. Levashov also moderates many spamming forums and is well known in underground circles. Levashov is believed to have been extensively involved in spamming and other cybercriminal activities for the past 20 years; although to date he has avoided prosecution.
A statement released by the U.S. Department of Justice reads, “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.”
The DOJ operation also involved the takedown of domains associated with the Kelihos botnet starting on April 8, 2017. The DOJ says shutting down those domains was “an extraordinary task.”
While it is certainly good news that such a high profile and prolific spammer has been arrested and the Kelihos botnet has been severely disrupted, other spammers are likely to soon take Levashov’s place. Vitali Kremez, director of research at Flashpoint said his firm had seen chatter on underground forums indicating other major spammers are responding to the news of the arrest by taking acting to secure their own operations. There may be a blip in email spam volume, but that blip is only likely to be temporary.
The importance of anti-phishing training for staff members has been highlighted this week following a major incident in Denver. A targeted Denver Public Schools phishing scam saw at least 30 members of staff divulge their usernames and passwords to scammers.
The Denver Public Schools phishing scam enabled attackers to gain access to accounts, which allowed information to be gained to access to the school district’s payroll system. The attackers changed the routing numbers for payments to employees and directed the payments to their own accounts. More than $40,000 that had been set aside to pay staff wages was stolen.
Staff members have now been paid and efforts are continuing to recover the stolen funds. At least 14 direct deposits were made and have not been recovered. The school district is hoping that the payments will be covered by an insurance policy. The incident has been reported to the Colorado Bureau of Investigation and the incident is being investigated to try to identify the individuals behind the scam.
The Denver Public Schools phishing scam was highly convincing; however, questions will be asked about how so many employees fell for the scam and disclosed their login credentials. The school district has confirmed that efforts were made to educate its employees on the risk of phishing prior to the attack taking place.
Denver Public Schools employs 13,991 members of staff. The response percentage was therefore very low, but it can only take one individual to respond to such a scam for serious financial harm to be caused.
A Bad Year for Phishing Attacks on Schools
Phishing attacks on schools are commonplace, but this year has seen attacks soar. For instance, in 2017, there have been 141 reported W-2 phishing scams, 33 of which affected schools, colleges and universities.
While phishing scams used to be fairly easy to detect, now they are becoming much more sophisticated. It is now not easy to tell a phishing email from a real email request. The attackers use spoofing techniques to make the emails appear as if they have been sent from within the organization. Genuine email accounts may even be compromised and used for phishing attacks. Last month, the Digital Citizens Alliance reported finding millions of .edu email addresses listed for sale on the dark web. Those email addresses are often used for phishing scams as they are trusted.
Phishing emails are often free from the spelling and grammatical errors that were commonly seen in spam emails in years gone by. The emails often contain lifted branding, images and formatting, which makes them highly convincing. The requests for information may also seem reasonable.
How to Prevent Phishing Attacks
Providing anti-phishing training for staff is now an essential cybersecurity defense; however, it is also important to ensure that training has had the desired effect and has been taken onboard. Schools should therefore conduct dummy phishing exercises to identify the effectiveness of their training programs. Research has shown that with practice, employees get much better at identifying phishing scams.
Technological solutions should also be implemented to prevent spam emails from reaching end users’ inboxes. Advanced anti-spam solutions such as SpamTitan do not rely on blacklists to identify emails as spam. Blacklists are used along with a host of front end controls and emails are subjected to Bayesian analyses to identify common spam signatures. Rules can be set to reduce the risk of email spoofing.
If you are interested in finding out more about the range of technological solutions that can be employed to reduce the risk of phishing attacks, contact the TitanHQ team today.
A recent report from IBM X-Force has highlighted the massive growth in tax-related email spam this year. Between December 2016 and February 2017, tax-related email spam increased by an incredible 6,000%.
A rise in tax-related email spam is to be expected during tax season. It is the time of year when tax returns are submitted and criminals can make substantial profits. If tax information is stolen and a fraudulent tax return is submitted prior to the individual submitting their own return, thousands of dollars in refunds can be obtained. With such high returns from each set of tax information, it is no surprise that tax-related scams are so prevalent.
This year, has seen many different scams detected, although one of the most successful is the W-2 phishing scam. The scam involves a tax fraudster impersonating the CEO, CFO or another executive, and emailing a request for W-2 Forms to members of the payroll department.
As we have seen on numerous occasions this year, the emailed lists can contain thousands of employees’ sensitive information. Usually, every employee that has taxable earnings for the previous fiscal year. To date, there have been 141 reports of successful scams. The largest breach was reported by American Senior Communities. The tax information of more than 17,000 members of staff were emailed to scammers.
The IRS said it was one of the most dangerous email phishing scams seen in recent years. It’s too early to tell how much in fraudulent refunds have been paid out by the IRS, although last year the total was around $5.8 billion. This year that total is expected to rise.
W-2 form phishing scams may be the most common type of tax-related email scams seen this year, but there are many. Most are delivered by email, although website phishing attacks have also been highly prevalent.
Cybercriminals have been impersonating tax software companies and have been sending out fake marketing emails encouraging consumers to visit spoofed websites. They are then relieved of their personal information. Information gathered via the online forms enable fraudsters to steal identities and file fraudulent tax returns in the victims’ names.
Tax season is also a time when malware infections spike. Tax-related email spam is sent with malicious email attachments. Opening those attachments results in malware or ransomware being downloaded to the victims’ computers.
Cybercriminals use a wide variety of techniques to steal credentials. Social engineering techniques are used to fool email recipients into believing requests for information are genuine. Attackers use typosquating and URL hijacking to make their malicious websites appear legitimate. The phishing templates used by some cybercriminals are so convincing it is almost impossible to distinguish them from genuine emails. The correct branding is used, links are masked, and support is even offered for uploading tax-related documentation. In many cases, the emails contain the IRS logo and victims are fooled into supplying their credentials. The scams are often successful, even though the IRS does not initiate contact with taxpayers via email.
To protect against attacks and fraud, consumers can set an IRS IP PIN on their accounts. That pin number must be used to file a tax return. Provided the PIN is not disclosed, individuals will be protected from fraudulent tax filings.
Many Americans leave filing their tax returns to the last minute; however, this year the scammers started sending tax-related email spam early. The late filing of tax returns gives cybercriminals plenty of time to submit fake returns. Tax returns should be filed as soon as a W-2 Form is received to reduce the risk of becoming a victim of fraud.
Businesses can protect themselves against W-2 phishing scams by implementing an advanced spam filtering solution to block spam emails. However, staff should also receive anti-phishing training and policies should be implemented that require any request for W-2 Forms to be verified with the sender of the email by telephone.
Businesses are still being targeted by scammers so they should be on their guard. They should also ensure that they are prepared well in advance for the tsunami of tax-related email spam that will start to arrive from December 2017.
The Inland Revenue Service has issued a new warning to tax professionals about a new IRS e-Services phishing scam.
With the tax return deadline fast approaching it is the last chance for the fraudsters to steal identities and file fraudulent tax returns. The past few days has seen a surge in phishing attacks on tax professionals.
The purpose of the IRS e-Services phishing scam is to obtain tax professionals’ e-Services usernames and passwords. The emails use a variety of subject lines that have been crafted to attract attention and ensure the emails are opened.
The emails claim to have been sent by the IRS about issues with the user’s e-Services account. The emails warn that the user’s e-Services account has been closed, suspended or blocked. In order to reactivate the account or prevent its closure, the email recipient is required to login to their account.
A link is supplied in the email that enables the recipient to take the required action. Clicking on the link will direct the user to a login page that closely resembles the IRS e-Services portal. Entering in a username and password into the login page will see the details captured by the attackers.
In response to the high volume of phishing attacks on tax professionals, the IRS has been improving account security in recent weeks. The IRS has been asking tax professionals to revalidate their accounts to prevent delays when accessing their e-Services accounts. The attackers appear to be taking advantage and piggybacking on those recent communications.
The IRS warns all tax professionals that if for any reason their e-Services account has been closed, they should contact the e-Services Help Desk to reactivate their account, but never to click on any links contained in emails. While links to malicious websites are used for this scam, users should also be wary about any attachments sent in e-Services emails.
This tax season has seen a major increase in tax-related email scams, most notably a massive rise in W-2 Form phishing scams. At least 140 successful W-2 Form phishing attacks have already been announced, although with two weeks left of tax season that figure is certain to rise. K12 schools, colleges and other higher education institutions have been extensively targeted this year, as has the healthcare industry. Some of the phishing scams have resulted in thousands of employees’ tax details being obtained by fraudsters.
The last few days before the April 18 deadline for submitting tax returns is likely to see many more phishing attacks performed. All businesses should therefore be on their guard and should exercise extreme caution.
Today is World Backup Day: An annual event that started in 2010 to raise awareness of the importance of backing up data.
Backups are used to recover data in the event of disaster; however, having a backup of data does not necessarily mean data can be recovered. Restoring files from backups is not always effective. Backups can be corrupted and the restoration of files can fail.
While World Backup Day raises awareness of the importance of backing up data, we would like to emphasize the importance of testing backups and reviewing backup strategies to ensure they are effective. Don’t wait until disaster strikes to ensure your strategies are effective and files can be recovered. By then it will be too late.
How Common is Data Loss?
Recent research conducted by Kroll OnTrack has revealed an alarming number of companies have experienced data loss, even when backups of data were performed. Kroll polled 1,000 companies in the United States, Europe, and Australia and discovered that a third of companies had experienced a data loss incident.
Out of those companies, 35% did not have a current backup and experienced data loss as a direct result. Two thirds (67%) of organizations were able to recover the majority of their data from backup files, while 13% said they could recover up to three quarters of their data. Corrupted backup files were cited as the reason for data loss by 12% of companies, but a quarter of companies that lost data said their backup system did not work as it should.
A quarter of companies that backed up their data said they did not test those backups to make sure files could be recovered. A quarter said they tested backups once a week to ensure data were recoverable, and 30% tested their backups on a monthly basis.
Backups are an organization’s insurance against data loss. Just as an insurance policy should not be taken out until the fine print has been read, backups should not be trusted until they have been tested.
The World Backup Day pledge is “I solemnly swear to backup my important documents and precious memories on March 31st.” However, to that we add, “I also swear to test my backups to make sure my important documents can be recovered.”
Ransomware – A Major Data Loss Risk for All Businesses
The past 12 months have clearly highlighted the importance of backing up data. Ransomware attacks soared in 2016. Ransomware is a form of malware that locks files with powerful encryption. A ransom demand is then issued to supply the key to unlock the data. Without access to that key, data will remain locked forever if a backup of data does not exisit.
The only way to unlock files is to pay a sizable ransom payment. That payment could be tens of thousands of dollars. In February, last year, Hollywood Presbyterian Medical Center was forced to pay a ransom of $17,000 to obtain the key to unlock ransomware-encrypted data after it was discovered files could not be recovered from backups.
Ransomware has fast become one of the biggest cybersecurity threats. Research conducted by Kaspersky Lab revealed the number of ransomware variants increased 11-fold between Q1 and Q3, 2016, by which time 32,091 different ransomware variants had been detected. By Q3 2016, a business was being attacked with ransomware every 40 seconds and 42% of small to medium sized businesses had been attacked with ransomware. 32% of businesses were forced to pay the ransom in order to recover their data.
While ransomware attacks have soared, the malicious software is only the third main cause of data loss. Hardware failure poses the biggest risk followed by the loss or theft of devices. Software errors and data loss due to system upgrades round off the top five list.
A Good Data Backup Strategy
Backup systems can be used to continuously backup data, but at the very least a daily backup should be made. Those backups should be tested at least once a week to ensure data can be successfully recovered.
To prevent data loss and maximize the probability of data recovery, organizations should use the 3-2-1 approach. Each organization should ensure they have three copies of data. The original and two backups. Those backups should be stored on two different media and one of those copies should be stored off site. The easiest option to satisfy those requirements is to have a physical copy on a storage device and a backup in the cloud. Since ransomware can encrypt data on network drives and connected storage devices, a local drive should be disconnected after the backup has been made.
Take out some time this World Backup Day to test your backups and review your backup strategies and ensure that you will be able to recover your data if disaster strikes.
The 2017 IBM X-Force Threat Intelligence Index has been released this week. The report provides an insight into the main cybersecurity threats faced by all industries and major cyberattack trends, data breaches and security incidents experienced by U.S. organizations in 2016.
Last year’s IBM X-Force Threat Intelligence Index showed healthcare was the industry most heavily targeted by cybercriminals. However, the 2017 IBM X-Force Threat Intelligence Index shows cybercriminals changed their focus in 2016. Last year, the financial services was hit the hardest. The healthcare dropped down to fifth place.
The healthcare industry did not suffer mega data breaches of the same scale as 2015 – which saw a 78.8 million-record cyberattack on Anthem Inc., and 10 million record+ data breaches at Premera Blue Cross and Excellus BlueCross BlueShield. However, there were security breaches aplenty. 2016 was the worst ever year for healthcare industry breaches, with more incidents reported than any other year in history.
Those breaches resulted in far fewer records being exposed or stolen. The 2017 IBM X-Force Threat Intelligence Index indicates there was an 88% drop in exposed or stolen healthcare records in 2016 compared to the previous year. Around 12 million healthcare records were exposed or stolen in 2016.
The 2017 IBM X-Force Threat Intelligence Index also shows that there was a shift in the nature of attacks, with cybercriminals targeting unstructured data rather than structured data. Data breaches involving email archives, intellectual property, and business documents all rose in 2016.
The healthcare industry may not have seen so many records exposed, but that was certainly not the case across all industry sectors. 2016 was a very bad year for cyberattacks. In 2015, around 600 million records were exposed or stolen. In 2016 the total jumped to an incredible 4 million records, helped in no small part by the 1.5 billion record breach at Yahoo and the discovery of massive data breaches at LinkedIn, MySpace, and Dropbox. It is therefore no surprise that IBM called 2016 The Year of the Mega Data Breach.
Top of the list of attacked industries in 2016 was financial services. Both the financial services and healthcare sectors saw a fall in attacks by outsiders, but attacks by malicious insiders and inadvertent actors increased in both industry sectors.
In the financial services, 5% of attacks involved malicious insiders and 53% involved inadvertent actors. In healthcare, 25% of attacks involved malicious insiders and 46% involved inadvertent actors. The financial services saw 42% of attacks conducted by outsiders. Healthcare cyberattacks by outsiders accounted for 29% of the annual total.
According to the 2017 IBM X-Force Threat Intelligence Index, the second most targeted industry was information and communications, followed by manufacturing and retail. All three industries saw increases in attacks by outsiders, which accounted for the vast majority of attacks. 96% of attacks on information and communications were by outsiders, with 91% apiece for manufacturing and retail.
The financial services sector saw a substantial rise in SQLi and OS CMDi attacks in 2016 – The most common attack method for the industry. The main attack method on the information and communications sector involved exploitation of vulnerabilities allowing attackers to trigger buffer overflow conditions. The main attack method on the manufacturing, retail and healthcare industries was also SQLi and OS CMDi attacks, which accounted for 71% of manufacturing industry cyberattacks, 50% of retail cyberattacks, and 48% of healthcare cyberattacks.
The 2017 IBM X-Force Threat Intelligence Index indicates cybercriminals favored older attack methods in 2016 such as ransomware, malware toolkits, and command injection to gain access to valuable data and resources.
Ransomware was big news in 2016. Many cybercriminals turned to ransomware as a quick and easy source of income. Figures from the FBI indicate $209 million in ransom payments were made in the first three months of 2016 alone.
Malware was also extensively used in attacks, with Android malware and banking Trojans big in 2016. Not all attacks targeted organizations for their data. DDoS attacks increased, both in frequency and severity. While attacks of 300+ Mbps were unusual in 2015, they became the norm in 2016. One attack in excess of 1 Tbps was reported.
While 2015 saw exploit kits extensively used to infect endpoints with malware, in 2016 spam email was favored. Spam was a primary attack tool of cybercriminals, especially in the second half of the year. While the first half of the year saw spam email volume remain steady, the 2017 IBM X-Force Threat Intelligence Index indicates there was a significant increase in spam volume in the second half of the year and a massive rise in the number of malicious email attachments.
The 2017 IBM X-Force Threat Intelligence Index shows the vast majority of malicious attachments were ransomware or ransomware downloaders, which accounted for 85% of malicious email attachments.
The increase in the use of spam email as an attack vector shows how important it is for organizations to improve their defenses against email attacks. An advanced spam filter is essential as is training of employees on security best practices and phishing attack prevention.
The Digital Citizens Alliance (DCA) has published new research showing there has been a massive rise in the theft of university email credentials and a massive rise in the sale of email credentials on darknet marketplaces.
This year’s study revealed the theft of university email credentials has grown significantly in the past 12 months. The report shows 13,930,176 stolen email credentials have been discovered to have been listed for sale. This time last year when the darknet was last scraped for stolen credentials there were around 2.8 million stolen credentials listed for sale. The year before that the figure stood at 2.2 million.
While the 13.9 million figure includes email credentials that were stolen over the past 8 years, 76% of those stolen credentials were discovered in the past 12 months.
When the researchers combined all types of credentials from multiple sectors they discovered there had been a 547% increase in credentials finding their way onto darknet marketplaces over the past three years.
The fivefold increase in the theft of university email credentials in a single year is a massive spike, which has been attributed to major data breaches at third party websites rather than cyberattacks on universities. The researchers say the massive 1-billion record data breach at Yahoo, the huge breach at LinkedIn and other large-scale cyberattacks on Dropbox, Weebly, MySpace and others are to blame.
The email credentials of university staff and students are being sold on underground marketplaces for between $3.50 to $10 each. While many actors had listed the email credentials for sale, some individuals were trading credentials and others were offering the stolen credentials for free.
The study only looked at theft of university email credentials at the top 300 higher education institutions. Smaller universities were excluded from the study. The stolen credentials were sorted into different higher education institutions to determine which were the worst affected. The universities with the highest numbers of stolen credentials were found to be:
- University of Michigan – 122,556
- Pennsylvania State University – 119,350
- University of Minnesota – 117,604
- Michigan State – 115,973
- Ohio State – 114,032
- University of Illinois (Urbana-Champaign) – 99,375
- New York University – 91,372
- University of Florida – 87,310
- Virginia Polytechnic Institute and State University – 82,359
- Harvard University – 80,100
The researchers were unable to determine why mid-west universities were the worst affected, although they hypothesized that it may be simply due to the size of the universities and the number of students, staff members, and alumni for those universities.
The researchers also looked at the size of the university and compared this to the number of stolen email credentials to gain a better understanding of demand for email addresses from specific universities and to ‘level the playing field’. Some universities appeared in the top ten of both lists, while smaller but more prestigious universities shot up the rankings. When ordered by the ratio of stolen email accounts to the total number of enrolled students and staff the top ten list changed to:
- Massachusetts Institute of Technology
- Carnegie-Mellon University
- Cornell University
- Baylor University
- Virginia Polytechnic Institute and State University
- Pennsylvania State University
- University of Michigan
- Kent State University
- Bowling Green State University
It is easy to see why the theft of university email credentials is such a problem. Edu email addresses are valuable to cybercriminals. They can be used in spear phishing and phishing campaigns but they also allow the users to obtain student discounts with retailers or when purchasing items such as software. Microsoft for instance offers a discount for students purchasing its Office products. The discounts can be considerable.
University email addresses are also highly valuable due to the data contained in those accounts. Information in the accounts can be mined and a huge amount of information can be gathered, from medical records to ID numbers and passwords to the weekends when students are likely to be away.
While email addresses and passwords were discovered, the researchers were unable to tell if the passwords were real and current and could be used to gain access to the accounts. The researchers also found that some of the email addresses appeared to have been spoofed or were incorrect accounts. While these posed less of a threat, the credentials were still of value to cybercriminals.
Phishing attacks do not need correct email addresses to be successfully used. Providing the correct format for emails is used, the email addresses can add credibility to phishing campaigns.
Adam Benson, Executive Director of the DCA said “Higher Education Institutions have deployed resources and talent to make university communities safer, but highly-skilled and opportunistic cyber criminals make it a challenge to protect large groups of highly-desirable digital targets.”
“We shared this information from cybersecurity researchers to create more awareness of just what kinds of things threat actors are capable of doing with an .edu account.” Said Benton.
While large scale third party data breaches were partly to blame, cyberattacks on universities still occur. To prevent theft of university email credentials the researchers suggest cybersecurity programs need to be conducted and awareness needs to be raised on the importance of using strong passwords.
Training should be provided to make sure staff and students are aware of the techniques used by criminals such as phishing. They should also be warned of the risk of clicking on links sent in emails. The researchers suggest tests should be conducted to see who clicks on malicious links. Conducting those tests is not a witch hunt, rather, it can give universities a better idea about how easy staff and students are being duped. Universities should also consider the use of multi-factor authentication to make accounts more secure.
Figures from Trustwave show there has been a steady decline in exploit kit activity over the past year. Exploit kits were once one of the biggest cybersecurity threats. In late 2015 and early 2016 exploit kits were being extensively used to spread ransomware and malware. Now exploit kit activity has virtually dropped to nothing.
Exploit kits are toolkits that are loaded onto malicious or hijacked websites that probe for vulnerabilities in browsers and plugins such as Adobe Flash Player and Java. When a new zero-day vulnerability was discovered, it would rapidly be added to exploit kits and used to silently download ransomware and malware onto web visitors’ computers. Any individuals that had failed to keep their browsers and plugins up to date would be at risk of being infected. All that would be required was make them – or fool them- into visiting a malicious website.
Links were sent via spam email, malvertising was used to redirect web visitors and websites were hacked and hijacked. However, the effort required to develop exploits for vulnerabilities and host exploit kits was considerable. The potential rewards made the effort more than worthwhile.
Exploit kits such as Angler, Magnitude and Neutrino no longer pose such a big threat. The actors behind the Angler exploit kit, which was used to spread Locky ransomware in early 2016, were arrested. Law enforcement agencies across the world have also targeted gangs running these exploit kits. Today, exploit kit activity has not stopped entirely, but it is nowhere near the level seen in the first half of 2016.
While this is certainly good news, it does not mean that the threat level has reduced. Ransomware and malware are still major threats, all that has happened is cybercriminals have changed tactics for distributing the malicious programs. Exploit kits are not dead and buried. There has just been a lull in activity. New exploit kits are undoubtedly being developed. For the time being, exploit kit activity remains at a low level.
Now, the biggest threat comes from malicious spam email messages. Locky and other ransomware variants are now almost exclusively spread via spam email messages. Cybercriminals are also developing more sophisticated methods to bypass security controls, trick end users into opening infected email attachments, and improve infection rates.
Much greater effort is now being put into developing convincing phishing and spear phishing emails, while spam emails are combined with a wide range of social engineering tricks to get end users to open infected email attachments. End users are more knowledgeable and know not to click on suspicious email attachments such as executable files; however, malicious Word documents are another matter. Office documents are now extensively used to fool end users into installing malware.
With cybercriminals now favoring spam and phishing emails to spread malware and ransomware, businesses need to ensure their spam defenses are up to scratch. Employees should continue to be trained on cybersecurity, the latest email threats should be communicated to staff and advanced spam filters should be deployed to prevent messages from being delivered to end users.
Security researchers in Israel have developed a proof-of-concept exploit called DoubleAgent that takes advantage of vulnerabilities in antivirus products to turn them against users. The exploit could potentially be incorporated into DoubleAgent malware, although there have been no known attacks that take advantage of the flaws in AV products to the researchers’ knowledge.
The proof-of-concept was developed by Cybellum researchers, who say that most third-party Windows antivirus products are susceptible and could potentially be hijacked. To date only three AV companies have confirmed that they are developing patches to block potential DoubleAgent malware attacks – AVG, Trend Micro and Malwarebytes.
The attack involves the Microsoft Application Verifier, which is used to check for bugs in programs that run on Windows. The researchers use DLL hijack techniques to fool the verifier using a malicious DLL. They claim the technique could be used to insert a custom verifier into any application.
DoubleAgent malware may not yet have been developed to exploit the zero-day vulnerability, although the researchers say they have used their proof-of-concept to take full control of the Norton Security AV program – many other AV products are also susceptible to this type of attack.
The Cybellum-developed DoubleAgent malware could be used in a number of different attack scenarios, all of which are particularly chilling.
Since the antivirus program can be pwned by an attacker, it could be turned on the user and used as malware. Antivirus software is trusted, so any actions taken by the AV program would be treated as legitimate. The researchers warn that the AV program could be turned into a double agent and do anything the attackers wanted.
The AV solution could be instructed to whitelist certain other programs allowing an attacker to install any malware undetected. Once installed, the malware would run totally undetected and the user would be unaware that their AV software had been rendered virtually useless. The AV software would also be prevented from flagging data exfiltration or communications with the attacker’s C&C.
An attacker could cripple a company’s applications using the DoubleAgent malware. If a legitimate program used by the company is marked as malicious by its antivirus software program, it would be prevented from running. It would therefore be possible to perform Denial of Service attacks. Also, since AV software has the highest level of privileges, it could be used to perform any number of malicious actions, such as deleting data or formatting a hard drive. That means a ransomware-style attack could be performed or the company’s computer systems could be sabotaged.
Fortunately, only Cybellum has the code and AV companies that have been found to be susceptible to such an attack have been notified. Patches are therefore likely to be developed to prevent such an attack.
The SANS Internet Storm Center reports that the Blank Slate spam campaign which was first detected in July last year is now being used to spread Cerber ransomware, rather than previous favorites Locky and Sage 2.0.
In the majority of cases, emails used to spread ransomware and other nasties use a variety of social engineering techniques to trick end users into opening the email attachments and infecting their computers. However, the Blank Slate spam campaign opts for simplicity. The spam email messages contain no text, hence the name ‘blank slate’.
Without any social engineering tactics, infection rates are likely to be much lower. However, researchers suggest that more email messages are likely to get past security defenses using this technique. Since more emails are delivered to end users’ inboxes, this is likely to make up for the fact that fewer attachments will be opened. The blank slate spam campaign is believed to be spread via botnets.
Cerber ransomware has been a major threat over the past 12 months. The ransomware is frequently updated to ensure it avoids detection. The latest blank slate spam campaign is being used to spread the latest form of the ransomware, which hides malicious code inside Nullsoft Scriptable Install System (NSIS) installers.
Security researchers at Palo Alto Network’s Unit 42 team report that Cerber ransomware is being hosted on around 500 separate domains. When domains are detected by hosting companies they are rapidly shut down; however, new domains are then registered by the criminals to take their place.
Since new domains can easily be registered using stolen credentials, the costs to cybercriminals are low. The cost of signing up for a new domain are negligible. Burner phones can be purchased cheaply and the numbers provided when registering domains, email addresses can be registered free of charge, and stolen credit card details can be used to make payment. There is no shortage of stolen credit card numbers to use. However, the rewards from Cerber ransomware infections are high. Now, the keys to decrypt data locked by Cerber ransomware costs victims 1 Bitcoin – around $1,000.
A recent survey conducted by CBT Nuggets has revealed that even tech savvy people are prone to commit cybersecurity howlers and place themselves, and their organization, at risk. In fact, far from intelligence preventing individuals from suffering online identity theft and fraud, it appears to make it far more likely.
The survey, which was conducted on 2,000 respondents, showed that people who believed they were tech savvy were actually 18 times more likely to become victims of online identity theft.
The more educated individuals were, the more likely they were to become victims of cybercrime. The survey revealed that high school graduates were less likely to be victims of cybercrime than individuals who had obtained a Ph.D.
24% of respondents with a Ph. D said they were a victim of identity theft compared to 14% who had a Bachelor’s degree, 13% who were educated to college level and 11% who had been educated only to high school level.
Women were found to be 14% more likely to have their identities stolen than men, and millennials were less likely to suffer identity theft than Baby Boomers and Generation X.
Interestingly, while the vast majority of malware targets Windows users, the survey revealed that users of Apple devices were 22% more likely to be victims of identity theft than Windows users, although Android phone users were 4.3% more likely than iPhone users to suffer identity theft.
There were some interesting results about the level of care used when venturing online. Even though the risk of cyberattacks on law firms has increased in recent years and law firms are a major target for cybercriminals, lawyers were less likely than other professionals to follow online security best practices.
69% of respondents from the legal profession did not follow online security best practices because they were too lazy to do so. Only people in ‘religious industries’ fared worse on the laziness scale (70%).
46% of healthcare industry professionals said they were too lazy when it came to cybersecurity, a particular worry considering the value of healthcare data and the extent to which cybercriminals are conducting attacks on the healthcare industry. The most common reason given for lax security and taking risks online was laziness, being too busy and it being inconvenient to follow security best practices.
65.9% of respondents believed they faced a medium or high risk of being hacked, yet only 3.7% of respondents said they followed all of the basic security recommendations. Perhaps that’s why so many people felt they faced a medium or high risk of being hacked!
One of the biggest risks taken by respondents was avoiding using public Wi-Fi networks. Only 11.8% of respondents said they avoided connecting to the Internet on public Wi-Fi networks. However, when it comes to divulging sensitive information while connected to a public Wi-Fi network, people were more savvy. 83.3% said they avoided transmitting sensitive information when connected to public Wi-Fi networks. Only 40.6% of respondents said they updated their devices every time they were prompted to do so.
The survey also showed which states were the worst for identity theft. While Florida often makes the headlines, the state ranked in the bottom ten for identity theft, with just 11% of respondents from the state saying they had suffered identity theft. The worst states were Maryland with 28% of respondents saying they were victims of identity theft, followed by Alabama with 26% and Kentucky with 22%. The safest states were Alabama (6%) and Louisiana (5%).
An investigation into a November Metropolitan Urology ransomware attack has revealed that the attackers may have gained access to the protected health information (PHI) of almost 18,000 former patients.
The Metropolitan Urology ransomware attack occurred on November 28, 2016 and impacted two servers used by the medical group. While the ransomware successfully encrypted a wide range of files, it was not initially known whether any data covered by Health Insurance Portability and Accountability Act Rules had been accessed.
An external computer security firm was contracted to conduct an investigation, which revealed on January 10, 2017 that PHI was potentially accessed by the attackers. Names, procedural codes, dates of service, account numbers, control numbers, and other ID numbers were all potentially viewed. In total, 17,364 patients who had visited Metropolitan Urology centers for treatment between 2003 and 2010 were impacted by the Metropolitan Urology ransomware attack.
The Metropolitan Urology ransomware attack is the latest in a long list of ransomware attacks on U.S. healthcare providers in recent months. The healthcare industry is being extensively targeted by cybercriminals who know that healthcare providers are heavily reliant on data and need access in order to continue to provide medical services to patients. If patient data are encrypted and systems taken out of action, there is a high probability that a ransom demand will be paid.
However, in the case of the Metropolitan Urology ransomware attack, computers were recovered by the IT security firm and it would appear that a ransom was not paid. The same cannot be said of Hollywood Presbyterian Medical Center. In January, a ransom payment of $17,000 was made to recover files that had been encrypted by ransomware. Many other healthcare providers have similarly paid to have their data decrypted.
HIPAA and Ransomware Attacks
In July last year, following a spate of healthcare ransomware attacks, the Department of Health and Human Services’ Office for Civil Rights – which enforces HIPAA Rules – confirmed ransomware attacks are reportable security breaches. All HIPAA breaches must be reported to OCR within 60 days of the discovery of the breach and patients must similarly be notified of any incidents in which their PHI has been compromised.
A HIPAA breach is classed as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”
Not all forms of ransomware involve the exfiltration of data, but a ransomware infection still counts as a HIPAA Privacy Rule breach. OCR confirmed that the encryption of PHI does count at a HIPAA breach because the information has been disclosed to a third party.
Ransomware incidents are therefore reportable and warrant notifications to be issued to patients unless the covered entity can demonstrate there is a “low probability that PHI has been compromised.”
OCR suggests that the way to do this is to conduct a risk assessment and investigate the nature and extent of PHI that has been viewed, the individuals that may have accessed the PHI, whether the PHI was stolen or viewed, and the extent to which the risk to PHI has been mitigated.
The covered entity should also determine which malware variant was used and the algorithmic processes used by that malware to encrypt data. Demonstrating a low probability of a PHI compromise may therefore prove problematic for healthcare organizations, especially smaller healthcare organizations with limited resources.
Protecting Healthcare Computers from Ransomware Attacks
Protecting against ransomware attacks requires investment in a wide range of different solutions. Organizations can focus on preventing ransomware from being installed by blocking the main vectors used to spread infections. Spam filtering solutions can be highly effective at blocking email-borne threats. Preventing suspicious emails from being delivered reduces reliance on end users being able to identify emails as malicious and stops them from opening infected attachments and clicking on malicious links.
To block web-borne attacks, healthcare organizations can implement a web filtering solution to control the file types that can be downloaded. The solution can also be used to block websites known to contain malware or exploit kits. A web filter can be configured to prevent end users from accessing certain types of websites that carry a high risk of infection.
Endpoint security solutions can help to detect ransomware infections, allowing rapid action to be taken to reduce the extent of an infection. Computers and/or servers can then be isolated to prevent the spread of the ransomware to other connected devices.
However, since it is not possible to reduce risk of infection with ransomware to zero, organizations must ensure that data is backed up and can be recovered in the event that computers are encrypted. Multiple backups should be performed, and backup files should be stored on air-gapped devices and in the cloud.
For further information on protecting your organization from the threat of ransomware, contact the TitanHQ team today.
The Solicitors Regulation Authority in the United Kingdom has recently issued a warning about law firm email scams following a sharp rise in law firm cyberattacks.
According to SRA figures, almost 500 UK law firms have been targeted by cybercriminals. One of the most common law firm email scams seen in recent weeks involves an attacker sending an email to a solicitor pretending to be a new client. While the attacker could claim to have any number of legal problems in the initial email, one of the favored themes is a property or business that is about to be purchased or sold.
Legal services are requested and, when the solicitor replies, the attacker sends an email containing a malicious email attachment. The email attachment does not contain the malware, instead a malicious macro is embedded in the document. A believable explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script is run that downloads the malicious payload. The download occurs silently so the solicitor is unlikely to be aware that their computer has been infected.
The malware then collects and exfiltrates sensitive data, or provides access to the solicitor’s computer allowing the attacker to search for any useful data. Keyloggers can also be installed to log keystrokes on the infected computer and collect login information for email and bank accounts.
The SRA has emphasized there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken promptly to mitigate the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause considerable damage to a firm’s reputation and could result in significant harm to clients. Clients and the law firm can suffer considerable financial losses as a result of these scams.
Not all cyberattacks on law firms involve malware. Phishing is also a major risk. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login credentials, passwords, or other confidential information. These law firm email scams are not easy to identify. Cybercriminals invest considerable time and effort into building up relationships with solicitors via email or over the telephone to build trust. Once a personal relationship has been established it is far easier for the scammers to fool solicitors into revealing sensitive information.
The seriousness of the threat is clear from the reports of cybercrime received by the SRA from solicitors over the past year. The SRA says more than £7 million of clients’ money has been stolen from solicitors in 2016.
The advice to law firms on reducing cybersecurity risk is:
- Make sure all data are backed up and stored securely on a drive that is not connected to a computer
- Make use of secure cloud services for storing sensitive data and accessing and processing information
- Keep software up to date. Patches and software/system updates should be applied promptly
- Solicitors should consider using encryption services for all stored data, especially on mobile devices
- Antivirus and antimalware systems should be installed and set to update definitions automatically. Regular scans of systems should also be scheduled.
As an additional protection against law firm email scams, solicitors should implement an advanced antispam solution to prevent phishing and other malicious emails from being delivered.
To protect against malicious links and redirects from malvertising, solicitors should consider implementing a web filtering solution. A web filter can be used to block visits to webpages known to contain malware.
The world’s largest spam operation has been exposed, and along with it, a massive database of email addresses. More than 1.37 billion email addresses, names, addresses, and IP addresses were in the database, which was exposed as a result of an error made during a backup. The company behind the operation is the email marketing firm River City Media – A legitimate email marketing company that uses some decidedly shady email marketing practices.
So how large is the world’s largest spam operation? According to MacKeeper researchers, the company behind the massive spamming campaigns were sending up to one billion spam email messages every day. However, due to the leak, life is likely to get a lot tougher for the email marketing firm. Its entire infrastructure has now been added to the spamming blacklist maintained by Spamhaus: The world leader in providing up to date threat intelligence on email spam and related spamming activity.
So how does a database from the world’s largest spam operation get released on the Internet? Faulty backups! The company failed to configure their Rsync backups correctly, resulting in those backups being available online without any need for a password. The database was discovered by MacKeeper security researcher Chris Vickery.
The revelation that such a large database had been obtained was huge news. In fact, it even drew a response from the Indian government, which felt it necessary to explain that it was not the source of the leak. The Indian government’s federal ID system is one of a very small number of databases that contain that number of records.
The number of records in the database is so large that almost everyone that uses email would either be on the list or would know someone that is.
How does a company amass so many email addresses? According to Vickery, there are various methods used, although he said “credit checks, education opportunities, and sweepstakes,” are typically used to obtain the email addresses, as are legitimate marketing campaigns from major brands. Users divulge their email addresses during these campaigns in order to receive a free gift, special offer, or an online service. Hidden away in the terms and conditions, which few people read, is confirmation that the information collected will be shared with marketing partners. Those marketing partners then share addresses with their partners, and their partners’ partners, and so on. Before long, the email addresses will be made available to a great deal of spammers.
When spammers use those addresses, there is a high probability that the domains used for sending the marketing messages will be blocked. To get around this, companies such as RCM use warm up accounts to send out their campaigns.
New campaigns will be sent to the warm up accounts, and provided they do not generate complaints, the sender of the emails will be marked as a good sender. With a good reputation, the spammers will be able to scale up their operation and send out billions of messages. If at any point messages start to be rejected or complaints start to be received, the domain is dropped and the process starts again. That way, RCM is able to bypass spam filtering controls and continue to send messages.
A detailed insight into the world’s largest spam operation and the techniqus used to send spam messages has been published by CSO Online, which worked with Vickery, MacKeeper, and Spamhaus following the discovery of the huge database.
Free Dharma ransomware decryption is now possible following the publication of the decryption keys used by the cybercriminal gang behind the ransomware.
The Dharma ransomware decryption keys have now been used to develop a decryptor to unlock Dharma-encrypted files. If your organization has been attacked with Dharma ransomware, you can unlock your files by using the Dharma ransomware decryptor developed by Kaspersky Lab or ESET. A ransom no longer needs to be paid.
The decryptor available from ESET will unlock files encrypted by Dharma and its predecessor, Crysis. Kaspersky Lab has added the keys to its Rakhni ransomware decryptor.
It is easy to determine which ransomware variant has been used by checking the file extension on ransomware-encrypted files. Dharma ransomware adds the ‘.dharma’ extension to files after they have been encrypted.
The keys to unlock the encryption were posted on a BleepingComputer tech support forum last week by an individual with the username ‘gektar’. Where that individual obtained the decryption keys is unknown, although both Kaspersky Lab and ESET have confirmed that the decryption keys are genuine. The decryption keys will work for all variants of Dharma ransomware.
The name gektar is not known to security researchers. No other online posts are believed to have been made with that username. The username seems to have been created solely to post the decryption keys. It would appear the individual responsible wants to keep a low profile.
Unfortunately, there are now more than 200 ransomware families, with many different ransomware variants within each of those families. Dharma may be no more, but the ransomware threat is still severe. There are still no decryptors available for the biggest ransomware threats: Locky, Samsa (Samsam) and CryptXXX, which are still being extensively used by cybercriminal gangs to extort money out of businesses.
The best defense that businesses can adopt to ensure ransomware-encrypted files can be recovered for free is to ensure that backups of critical files are made on a daily basis. Those backups should be stored on an air-gapped device and also in the cloud.
Recovery from backups and removing ransomware infections can be a labor-intensive and time-consuming process, so anti-ransomware defenses should also be employed to prevent infection. We recommend using SpamTitan to block ransomware emails from being delivered to end users’ inboxes and WebTitan to prevent drive-by ransomware downloads.
A recently published study from the Federal Trade Commission’s (FTC) Office of Technology Research and Investigation has revealed that anti-phishing technologies are not being widely adopted by U.S. businesses.
While there are several anti-phishing technologies that could be adopted by businesses to reduce susceptibility to phishing attacks, relatively few businesses are taking full advantage of the latest anti-phishing solutions.
Phishing is a type of online scam primarily conducted via email, although the same type of scam can occur online on malicious websites. The email version of the scam involves sending an email request to an employee in which the attacker claims to be a well-known source. That could be an Internet service provider, a well-known company such as Amazon or Netflix, or the CEO or CFO of the employee’s company. The target is asked to send sensitive personal or business information.
Typically, the attackers request financial information, logins, or as we have seen on numerous occasions this year, employees’ W-2 Form data. The information is then used for identity theft and fraud. In the case of the W-2 Form phishing scams, the information is used to file fraudulent tax returns in employees’ names.
Phishing is one of the biggest cybersecurity threats that businesses must mitigate. A separate study conducted by PhishMe showed that the vast majority of cyberattacks start with a phishing email. The largest ever healthcare data breach – which resulted in the theft of 78.8 million health insurance members’ credentials from Anthem Inc. – occurred as a result of an employee responding to a phishing message.
The FTC’s research revealed that most businesses have now implemented authentication controls, but little else. The FTC study (performed by OTech) found that 86% of businesses were using the Sender Policy Framework (SPF) to determine whether emails that claim to have been sent from a business were actually sent from the domain used by that business.
While this is an important anti-phishing control, SPF alone is insufficient to protect businesses from phishing attacks. SPF controls can be bypassed.
The FTC study found that fewer than 10% of businesses were using Domain Message Authentication Reporting & Conformance (DMARC) to receive intelligence on the latest spoofing attempts used to bypass SPF controls. DMARC allows businesses to automatically reject unauthenticated messages, yet few use the technology.
While not covered by the FTC study, one of the best additional anti-phishing technologies is a spam filtering solution such as SpamTitan.
SpamTitan blocks 99.97% of spam email messages, 100% of known malware via its dual anti-virus engines, while a powerful anti-phishing component looks for common signatures of phishing emails and prevents them from being delivered.
The threat from phishing is growing. A study from the Anti-Phishing Working Group revealed there was a 65% increase in phishing attacks in 2016 compared to 2015. Last year, 1,220,523 phishing attacks were reported. With attacks increasing at such a rate, and given the number of phishing attacks on businesses so far in 2017, more must be done to prevent attacks.
Is your business doing enough to prevent phishing attacks? What anti-phishing technologies has your business adopted to prevent employees being scammed?
Law firms are prime targets for cybercriminals, so it is perhaps unsurprising that there has been an increase in law firm cyberattacks in recent months. With the threat level now at unprecedented levels, protections must be increased to keep data secure.
Many law firm cyberattacks are targeted, with hackers seeking access to highly sensitive data, although law firms can just as easily fall victim to random attacks. Those attacks still have potential to cause considerable harm.
A recent security incident has showed just how easy it is for cybercriminals to conduct attacks and take advantage of unpatched vulnerabilities.
Zero-Day WordPress Vulnerability Discovered
WordPress is a flexible website content management system. It requires relatively little skill to update and WordPress sites can be easily managed. It is therefore no surprise that it has become one of the most popular website content management systems. There are more than 60 million websites running WordPress, with the platform popular with many SMBs, including law firms.
However, the popularity of the platform makes it a target for cybercriminals. Zero-day WordPress vulnerabilities provide cybercriminals with access to the sites and their associated databases.
When a new zero-day vulnerability is discovered, WordPress rapidly issues a patch. One zero-day WordPress vulnerability was recently discovered and the platform was updated rapidly as usual. Users of the site were urged to update to version 4.7.2 as a matter of urgency.
The reason for urgency was not announced until a week later after a significant proportion of WordPress sites had been updated. However, once the vulnerability was disclosed, hackers were quick to take advantage. Within 48 hours of the REST API vulnerability being disclosed, hackers started exploiting it on a grand scale. Sucuri was tracking the attacks and monitoring its WAF network and honeypots closely to see if hackers were actively exploiting the flaw.
The cybersecurity firm reports that it identified four different hacking groups that were exploiting the WordPress vulnerability. They were performing scans to find sites still running outdated WordPress versions and once vulnerable sites were identified they were attacked.
Law Firm Cyberattacks See Websites Defaced
The failure to update WordPress promptly resulted in more than 100,000 websites being attacked, according to figures from Google. Websites were defaced, additional pages added and the sites used for SEO spam. In this case, the aim was not to gain access to data nor to load malware onto the sites, although that is not always the case.
The speed at which the WordPress flaw was exploited shows how important it is to keep WordPress sites updated. Due to the popularity of the platform, had the hacking groups loaded malware onto sites, the number of individuals who could have been infected with malware would have been considerable.
The potential fallout from a website being hacked and defaced, or worse, from malware being loaded, can be considerable. Many small law firms were attacked as a result of failing to update their WordPress site within a week of the update being issued.
A defaced website, in the grand scheme of things, is a relatively quick fix, although such an attack does not inspire confidence in a company’s ability to keep sensitive data protected. For a law firm, that could mean the difference between getting a new client and that individual seeking another law firm.
In this case, the law firm cyberattacks could have been prevented with a quick and simple update. In fact, WordPress updates can be scheduled to occur automatically to keep them secure.
The take home message is not to ignore security warnings, to ensure that someone reads the messages sent from WordPress, and better still, to set updates to occur automatically.
BugDrop malware is a new and highly advanced email-borne threat detected in the past few days. While attacks are currently concentrated on companies in Ukraine, BugDrop malware attacks have already started in other countries. Companies in Austria, Russia and Saudi Arabia have also been attacked.
Due to the nature of the attacks, it is clear that the actors behind the new malware have access to significant resources. So far, BugDrop malware is known to have stolen an incredible 600 GB of data from around 70 confirmed targets. At the rate that the malware is stealing data, the storage required will be considerable. This is therefore unlikely to the work of an isolated hacker. A significant cybercriminal group or most likely, a foreign-government backed hacking group, is likely to be responsible for the attacks.
Companies involved in scientific research, critical infrastructure, news media, engineering, and even human rights organizations have been targeted.
The malware will steal documents stored on infected computers and networks to which the computer connects. Passwords are stolen and screenshots are taken. However, rather than simply gain access to intellectual property and other sensitive data, the malware has another method of obtaining information. BugDrop malware, as the name suggests, bugs organizations and records audio data.
The malware turns on the microphone on an infected computer and records conversations, which accounts for the huge volume of data stolen. The stolen files are then encrypted and uploaded to the attackers’ Dropbox account. Files are retrieved from the Dropbox account and are decrypted. The resources required for analyzing such huge volumes of data – including audio data – are considerable, as are the storage requirements.
The CyberX researchers who discovered the malware suggest that Big Data analytics are likely used rather than manually checking the stolen data. Either way, such an operation must be heavily staffed, which points to a state-sponsored group. CyberX says “Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”
Since data exfiltration occurs via Dropbox, data exfiltration may not be detected. Many companies allow their employees to access Dropbox and connections to the storage service are often not monitored. Encryption is used, preventing many anti-virus solutions from detecting attacks or sandboxing the malware. The attacks also involve reflective DLL injection – since code is run in the context of other processes, detection is made more difficult.
BugDrop malware is being distributed via spam email using malicious macros in Word documents. If macros are enabled, the malware will be installed when the document is opened. Since many companies now automatically block macros and require them to be enabled on each document, the attackers prompt the user to enable macros by saying the document was created in a newer version of Microsoft Office. To view the contents of the document, macros must be enabled. The Word documents contains a professional image from Microsoft, including branding and Office logos, to make the warning appear genuine.
Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.
According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.
Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.
It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.
Main Corporate Email Security Threats by Business Sector
Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.
However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.
Malicious Spam Poses a Major Risk to Corporations
As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.
Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.
Protecting Your Organization from Email-Borne Threats
Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Kaspersky Lab/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.
If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.
A fresh round of email warnings for Yahoo account holders has been sent; however, cybercriminals are taking advantage: A new Yahoo breach phishing campaign has been detected that piggybacks on the latest news.
New Warnings for Yahoo Email Account Holders
Yahoo has been sending fresh warnings to account holders explaining that their accounts may have been compromised as a result of the Yahoo cyberattacks in 2013 and 2014. The Yahoo cyberattacks were the largest ever seen, resulting in the theft of 1 billion and 500 million users’ credentials. Yahoo has now confirmed that the attacks involved the use of forged cookies to bypass its security controls.
Yahoo’s CISO Bob Lord has told account holders in the email that “We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016.” As was the case in previous Yahoo warnings, accounts should be reviewed for any suspicious activity and users should not click on links or open attachments from unknown senders.
Yahoo Breach Phishing Campaign Detected
Many active Yahoo account holders are concerned about email security following news of the cyberattacks in 2013/2014 and cybercriminals have been quick to take advantage. The fresh round of email warnings has only heightened fears, as well as the risk for account holders. Cybercriminals have been piggybacking on the latest news of account breaches and have been sending their own messages to Yahoo email users. The latest Yahoo breach phishing email campaign play on users’ fears over the security of their accounts. The Yahoo breach phishing emails attempt to fool security conscious account holders into clicking on malicious phishing links and revealing sensitive information.
In the latest round of warnings, Yahoo urged users to take advantage of Yahoo’s password-free security service – the Yahoo Account Key authentication service. The latest round of Yahoo breach phishing emails offer account holders the option of upgrading the security on their accounts as well. To improve take up, the attackers add urgency by saying the target’s account has been temporarily limited for failing an automatic security update. A link is supplied for users to click to re-verify account ownership. If they fail to click on the link and update their details, they will be permanently locked out of their account.
The Yahoo breach phishing campaign is likely to claim many victims, although the phishing emails are fairly easy to identify as fake. The emails appear to have come from an account called ‘Mail’, although checking the actual email address will reveal that the email was not sent from a domain used by Yahoo. There are also some errors with the structure of the email. Slight grammatical errors are a tell-tale sign that the emails are not genuine.
However, not all Yahoo breach phishing emails contain errors. Some have been highly convincing. Users are therefore advised to exercise extreme caution when using their Yahoo accounts and to be on high alert for Yahoo breach phishing emails.
Cost of the Yahoo Cyberattacks
The Yahoo cyberattacks of 2013 and 2014 have cost the company dearly. While it is unclear what the final cost of the Yahoo cyberattacks will be, it will certainly be well in excess of $250 million – That is the price reduction Verizon Communications is seeking following the revelation that Yahoo account holders’ credentials were stolen in the two massive cyberattacks reported last year. The purchase price of $4.8 billion, which was agreed in the summer of 2016, is to be reduced. There was talk that the deal may even not go ahead as a result of the Yahoo cyberattack revelations. While Yahoo will not want a price reduction, there are likely to be a few sighs of relief. Verizon were rumored to be looking for a $1 billing reduction in the price just a few weeks back.
In the United Kingdom and Eire, homebuyers and sellers are being targeted by cybercriminals using a new solicitor email scam. The scam, which involves mimicking a solicitor, is costing victims thousands. There have also been some reported cases of cybercriminals sending solicitors emails claiming to be their clients and requesting changes of bank details. Any pending transfers are then made to the criminals’ accounts.
Since funds for home purchases are transferred to solicitors’ accounts before being passed on to the sellers, if cybercriminals are able to change the bank details for the transfers, the funds for the purchase will be paid directly into their accounts.
While email spoofing is commonplace, this solicitor email scam often involves the hacking of solicitors’ email accounts. Once access has been gained, cybercriminals search for emails sent to and from buyers and sellers of homes to identify potential targets. While the hacking of email accounts is occurring, there have also been instances where emails between buyers, sellers, and their solicitors have been intercepted. When bank details for a transfer are emailed, the hackers change the bank information in the email to their own and then forward the email on.
The solicitor email scam is highly targeted and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be made. Since the potential rewards are considerable, cybercriminals are willing to put the time and effort into the scam and be patient. Buyers, sellers, and solicitors are well researched and the emails are highly convincing.
Instances of this conveyancing scam have been increasing in recent months and it has now become the most common cybercrime affecting the legal sector. The Law Society, a representative body for solicitors in the UK, has issued a warning about the conveyancing scam due to an increased number of complaints, although it is currently unclear how many fraudulent transfers have been made.
There is of course an easy way for solicitors to prevent such a scam from being successful, and that is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details by telephone. Alternatively, policies can be developed requiring bank account information to only be sent via regular mail.
The Solicitors Regulation Authority advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be convenient, but with such large sums being transferred it pays to exercise caution.
While this solicitor email scam is common in the UK and Eire, legal firms in the United States should also exercise caution. Since the conveyancing scam is proving to be lucrative, it will only be a matter of time before U.S. lawyers are targeted.
Cyberattacks on law firms have been steadily increasing over the past three years. According to data from PwC’s annual Law Firms Survey last year, 73% of the UK’s top 100 law firms have been attacked by cybercriminals in the past year. In 2014/2015, 62% of the top 100 law firms were attacked. The previous year the figure stood at 45%. In the past two years, cyberattacks on law firms have increased by a staggering 60%.
According to PwC’s figures, large law firms are the most frequently targeted. 90% of the top 25 legal firms had experienced a cyberattack in the past 12 months. The types of attacks are highly varied, although the most common way attacks occur is via the firm’s email system.
Spear phishing emails are sent to solicitors in an attempt to obtain banking credentials and access to email accounts. When solicitors respond to these phishing emails and divulge their banking credentials, client funds are transferred to the criminals’ accounts. According to the survey, 84% of legal firms said they had experienced a phishing attack in the past year.
Solicitors in the UK and Ireland and attorneys in the United States are also being sent bogus emails that claim to be from home buyers or sellers. Instructions are provided asking for funds to be transferred to alternate accounts. Hackers eavesdrop on email conversations and are aware when funds are about to be transferred. They then sent an email to an attorney/solicitor posing as the buyer/seller of a property and provide alternate bank accounts asking for the funds to be transferred to the new account.
Buyers and sellers of properties are also targeted in a similar fashion. They are sent emails with the hacker claiming to be their solicitor. Alternate bank account details are provided for transfers. This is now one of the main types of cyberattacks on law firms and their clients.
Direct attacks on networks still occur, with hackers taking advantage of vulnerabilities in security defenses. However, law firm hacking only accounts for around 16% of incidents. Malware is a much bigger threat. Malware is delivered via spam email or drive-by downloads from the Web. 55% of legal firms say they have experienced a malware attack in the past 12 months. Malware can be ransomware – which locks computers with powerful encryption until a ransom payment is made or keyloggers that record sensitive data such as usernames and passwords. Malware can also enable criminals to gain access to systems to steal sensitive data and extort money out of law firms.
Law firm cyberattacks can be costly to resolve; however, the biggest cost can be loss of reputation. If law firms suffer cyberattacks and client data is stolen or exposed, reputations can be permanently damaged. Legal firms that are unable to ensure that their clients’ information remains confidential may find the cost of removing malware the least of their problems.
To prevent phishing emails and malware from being delivered to inboxes, an advanced spam filter is required. SpamTitan includes a powerful anti-phishing component that recognizes the common signatures of phishing emails and ensures they are not delivered. SpamTitan also blocks 100% of known malware and ransomware, ensuring end users do not receive malicious email attachments and links to malware-ridden websites.
To find out how SpamTitan can improve your security posture, contact the TitanHQ team today and take the first step toward preventing your law firm from being added to next year’s PwC’s law firm cyberattack statistics.
Anti-phishing training can help an organization improve its security posture. However, even with training on phishing email identification, employees still fail to spot many email scams. Anti-phishing training alone is insufficient to prevent successful phishing attacks.
The Threat from Phishing is Growing
Your business is likely to be bombarded with phishing emails, especially at this time of year. Tax season sees millions of emails sent to businesses by cybercriminals who want access to employees’ W-2 Forms. However, phishing is a year-round problem. It has been estimated that an astonishing 156 million phishing emails are now being sent every single day.
As we have already seen this year, phishing scams can be highly convincing. Many businesses have discovered employees have responded to these scams in the belief that the email requests are genuine. The cost of those phishing attacks can be considerable for businesses, their customers and their employees.
Anti-Phishing Training Alone will Not Prevent Successful Phishing Attacks
To ensure employees are prepared, many businesses provide employees with anti-phishing training. They teach staff members how to identify phishing scams and the tell-tale signs that email requests are not genuine.
How effective is anti-phishing training? A recent analysis by Diligent showed that the average score on its phishing test was 76%. That means employees are failing to identify phishing scams 24% of the time and all it takes is one response to a phishing email for an employee’s email account to be compromised, a network login to be handed to cybercriminals, or the W-2 Forms of an entire workforce to be emailed to tax fraudsters.
Fortunately, as PhishMe’s data shows, with practice, employees get much better at identifying phishing emails. Providing training and conducting follow up tests using dummy phishing emails helps to show where training has failed. This allows organizations to provide further training to employees whose phishing email identification skills are poor. However, even with training and testing it will never be possible to ensure that 100% of employees identify 100% of phishing emails 100% of the time.
The Best Phishing Defense is to Prevent Phishing Emails from Being Delivered
Training should be provided and employees’ anti-phishing skills should be tested with dummy phishing exercises, but organizations should ensure that phishing emails are not delivered to end users’ inboxes. That means an advanced, powerful spam filtering solution is required.
SpamTitan blocks 99.97% of spam emails from being delivered. SpamTitan also includes a powerful anti-phishing component to block phishing attacks. However, blocking potentially malicious emails is only part of the story. It is also important to choose a solution that does not prevent genuine emails from being delivered.
Independent tests by VB Bulletin confirm SpamTitan has a consistently low false positive rate. Only 0.03% of genuine emails trigger SpamTitan’s anti-spam filters. The excellent catch rates and low false positives have seen SpamTitan win 36 consecutive VB Bulletin Anti-Spam Awards.
SpamTitan is available as a gateway appliance or a cloud-based solution, with both requiring minimal IT support. To suit the needs of service providers, the cloud-based version is available in a private cloud and is supplied in white-label format ready for rebranding.
The cost-effective solution is easy to implement, use and maintain and can be used to protect a limitless number of email accounts.
If you want to keep your employees’ inboxes free from phishing emails, malware, and ransomware, call the TitanHQ Sales Team today and say a fond farewell to email spam.
Another school phishing email attack has resulted in the W-2 Form data of school employees being emailed to tax fraudsters. This time, it was employees of Mercer County Schools in West Virginia whose data have been compromised.
The FBI has been called in to investigate the W-2 phishing scam and the IRS has been notified of the incident, while affected employees have been offered services to help them protect their identities.
The school phishing email attack is just one of many such attacks that have occurred this year. While businesses have been extensively targeted in the past, phishing attacks on schools are now commonplace. The problem has become so severe that the IRS recently issued a warning to schools of the risk of phishing email attacks, saying “This is one of the most dangerous email phishing scams we’ve seen in a long time.”
The Mercer County School District phishing attack was almost a carbon copy of many other tax season attacks this year. Already, there have been more than 29,000 victims of these attacks and there is still two months of tax season remaining.
The school phishing email attack involved the sending of an email to an employee in the HR/payroll department requesting a copy of W-2 Forms for all employees that worked in the previous fiscal year. The email was sent from an email account that was very similar to that used by the chief supervisor.
The email contained a slight variation from the genuine email address, which was enough to fool the recipient into thinking the email had been sent from the supervisor’s account. The employee then sent the W-2 forms of 1,800 staff members to the attackers as requested.
Databreaches.net has been tracking this year’s W-2 phishing scams and is maintaining a list of all organizations that have been scammed into revealing W-2 Form data. The list shows that school districts are being extensively targeted. Successful W-2 phishing attacks have been reported by the following schools and school districts in the past 6 weeks:
- Argyle School District, TX
- Belton Independent School District, TX
- Bloomington Public Schools, MN
- College of Southern Idaho, ID
- Davidson County Schools, NC
- Dracut Schools, MA
- Lexington School District 2, SC
- Manatee County School District, FL
- Mohave Community College, AZ
- Morton School District, IL
- Odessa School District, WA
- Tipton County Schools, TN
The Manatee County School District phishing attack resulted in the W-2 Form data of 7,900 employees being emailed to the scammers: The biggest school phishing email attack of the year to date. The Bloomington Public Schools attack also resulted in thousands of employees’ W-2 Forms being disclosed.
There are a number of measures that can be taken to reduce the risk of phishing attacks such as these. Training should be provided to HR and payroll staff and they should be instructed to carefully check senders’ email addresses to ensure the correct account has been used. Policies should also be developed requiring any W-2 Form requests to be verified with the sender via the telephone. It is also essential to implement a spam filtering solution with a powerful anti-phishing component. This will help to ensure that the emails are not delivered. A spam filtering solution will also block malware and ransomware emails from being delivered. The latter types of malicious emails have also been a major problem for school districts over the past year.
Email archiving is essential for most businesses; however, many businesses are not using a cloud-based email archiving solution. In fact, a large number rely on email backups, even though backups are impractical and data loss is a very real concern. But what are the benefits of secure, cloud-based email archiving over backups?
Loss of Email Simply isn’t an Option
Hillary Clinton could easily explain one of the most important benefits of a cloud-based email archiving solution. If an email archive is stored locally, should the device on which that archive is stored be lost or stolen, the entire archive would never be seen again. That is exactly what happened last year.
Donald Trump was quick to citizen Hillary Clinton. Not only was that archive lost, it could potentially have been accessed by an unauthorized individual. Donald Trump is keen not to make a similar mistake. He has reportedly started using a messaging app that deletes all messages once they have been read. Such an app would certainly prevent accidental disclosure, although it would not be an option for many businesses as regulations require emails to be kept for a number of years.
Loss of email is simply not an option in regulated industries. Big fines await companies who do not archive or backup their emails. Emails must be securely stored and made available to auditors or organizations will be in violation of the Sarbanes-Oxley Act, FINRA, HIPAA, and the Gramm-Leach-Billey Act to name but a few. If a backup or local email archive is lost, the consequences can be severe.
Take healthcare organizations for example. If a laptop computer is stolen and email backups containing electronic protected health information were on the device, those data could potentially be accessed by an unauthorized individual. That would be a violation of HIPAA Rules. The Office for Civil Rights could easily fine a healthcare organization millions of dollars for such a data breach. If emails are archived and stored in the cloud, such a breach would not occur in the event of device loss or theft.
Emails Must Be Found Quickly for Legal Discovery
If a lawsuit is filed against a company, it may be necessary to provide copies of emails as part of legal discovery. While many companies store old emails in backups, searching for emails can be a difficult, expensive and long-winded process. For an average-sized organization searching for emails could take weeks, even though emails need to be found in minutes. With an email archiving solution, archived messages can be searched and retrieved in a matter of seconds or minutes, not weeks.
Secure, Cloud-Based Email Archiving Resolves Storage Headaches
Considering the volume of emails now being sent, and the requirement for those emails to be kept for years in many cases, the space required for storing email is considerable. A recent report from Radicati Group suggests the average employee sends or receives 121 emails a day. For an organization with 500 employees that is 60,500 emails a day. With 22 working days each month, that amounts to 15,972,000 emails a year. Each of those emails may only be a few KB, but over a year the storage space required is substantial. Cloud-based email archiving not only allows millions of emails to be stored, there is no need for organizations to purchase any hardware for storage. All emails are securely stored in the cloud.
ArcTitan – Secure, Cloud-Based Email Archiving for Enterprises of All Sizes
The benefits of secure, cloud-based email archiving are clear. So what options are available that provide all of the benefits of cloud-based email archiving in an easy to use, cost effective package? To meet businesses’ email archiving needs, TitanHQ developed ArcTitan – a secure, cloud-based email archiving solution that allows organizations to meet compliance requirements, search email archives quickly, and retrieve messages in minutes. ArcTitan has excellent scalability, and can be used for old email storage by companies with ten to 10,000+ email accounts.
Emails can be archived from anywhere at any time, and messages can be accessed via a mail client or browser. Furthermore, with a pay as you go subscription, cloud-based email archiving is affordable for businesses of all sizes.
To find out more about the benefits of ArcTitan, contact the TitanHQ sales team today!
Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.
Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.
To bypass spam filter controls, attachments rarely include the actual malware or ransomware files, instead the files contain scripts that download the malicious payload.
Due to the ease at which these malicious downloaders are being identified, malware distribution tactics have been changed. Rather than use these suspect files, cybercriminals have switched to file types that are less obviously malicious. Microsoft has noticed a trend for using LNK files and SVG files containing malicious PowerShell scripts.
LNK files are Windows shortcut files which usually point to some form of executable file. SVG (Scalable Vector Graphics) files are image files, and are much more innocuous. These files are typically opened with image software such as Adobe Creative Suite or Illustrator. Double clicking on these malicious LNK and SVG files will launch PowerShell scripts that download malware or ransomware.
Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set restrictions on PowerShell commands to prevent them from running. However, even with restrictions in place, those policies can be easily bypassed. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.”
Ransomware attacks on British schools have soared in recent weeks. The problem has become so serious that the British National Fraud and Cyber Crime Reporting Center, also known as Action Fraud, has issued a new ransomware warning to British schools.
Ransomware has grown in popularity with cybercriminals over the past 2 years, with attacks on organizations around the world soaring in 2016. 2017 may only be a few weeks old, but ransomware attacks are continuing at the high levels seen in 2016. Security experts predict that 2017 will see even more cyberattacks on schools and other educational institutions. Ransomware the attack method of choice.
Ransomware is a form of malware that encrypts data on a compromised system. A wide range of file types are locked with powerful encryption and a ransom demand is issued. If payment is made, the attackers claim they will supply the key to unlock the encryption. Without the key – the sole copy is held by the attackers – data will remain locked forever.
Some forms of ransomware have been cracked and free decryptors made available, but they number in the few. The majority of ransomware variants have yet to be cracked. Recovery depends on payment of the ransom or the wiping of the attacked system and restoration of files from backups.
While a standard charge per encrypted device was the norm early last year, ransomware is now more sophisticated. The attackers are able to set their payment demand based on the types of files encrypted, the extent of the infection, and the perceived likelihood of the victim paying up. Ransomware attacks on British schools have seen ransom demands of an average of £8,000 issued.
Ransomware Attacks on British Schools are Targeted, Not Random
Many ransomware attacks are random – Spam emails are sent in the millions in the hope that some of them reach inboxes and are opened by employees. However, ransomware attacks on British schools have seen a different approach used. Recent attacks have been highly targeted.
Rather than send emails out en masse, the spate of recent ransomware attacks on British schools start with a phone call. In order to find their target, the attackers call the school and ask for the email address of the head teacher. The email address is required because sensitive information needs to be sent that should only be read by the head teacher. Information such as mental health assessment forms and teacher guidance forms.
An email is then crafted and sent to the head teacher; addressed to that individual by name. While there are many types of ransomware emails, a number of recent ransomware attacks on British schools involved an email that appears to have been sent by the Department of Education. Other cases have involved the impersonation of the Department of Work and Pensions and telecom providers.
In the text of the email the attacker explains that they have sent some information in an attached file which is important and needs to be read. The attached file, usually in compressed format such as .ZIP or .RAR, contains files that install ransomware if opened.
How to Prevent Ransomware Attacks
Ransomware attacks on British schools can be highly sophisticated, although risk can be effectively mitigated.
- Ensure all staff with computer access are made aware of the risk of ransomware attacks
- Provide cybersecurity training to all staff, including how to identify ransomware and phishing emails
- Never open attachments or visit links in emails sent from unknown senders
- Implement a spam filter to capture and quarantine malicious spam emails
- Use a web filtering solution to prevent staff members from visiting malicious links and from downloading ‘risky’ files
- Ensure all software is kept up to date and patches are applied promptly
- Keep all anti-virus and anti-malware solutions up to date, setting updates to occur automatically
- Restrict the use of administrator accounts – Only use accounts with high levels of privileges for specific tasks
It is also essential to ensure that backups of all data are made on a daily basis and backup devices are disconnected after backups have been performed. Data should ideally be backed up to the cloud and on a physical backup device. In the event of an attack, data can then be recovered without paying the ransom.
University phishing scams targeting students have increased in recent months. Targeting some of the most well educated individuals may not appear to be the most rewarding strategy for scammers, but students are falling for these university phishing scams in their droves.
University Phishing Scams are Becoming Difficult to Identify
Awareness of phishing tactics has certainly improved thanks to educational programs, email warnings, and media coverage of phishing attacks, but in response, cybercriminals have got better at scamming. Today, phishing emails can be difficult to identify. In fact, in many cases, it is virtually impossible to tell a genuine email from a scam.
While students may be aware of the risks of clicking links in emails from unknown senders, the same cannot be said when the emails are sent from a contact. Emails from university IT departments, professors and colleagues are likely to be opened. Students’ guard is let down when the sender of the email is known.
When a convincing request is included, students often respond and have no idea that they have been scammed into revealing their login credentials or disclosing other sensitive information. All it takes is for one email account of a student to be compromised to start the process. Emails are then sent to that individual’s email address book. A number of those contacts respond. The same happens with their contacts and so on. Given that there are supposedly six degrees of separation between all individuals on the planet, it is easy to see how fast malware infections can spread and how multiple email accounts can be compromised rapidly.
University phishing scams have been increasing for some time, although the past few months have seen even more scams emails sent. Recently, the University of Connecticut sent warnings out to students following a spate of phishing scams. Some of those scams involved the impersonation of the University president. Students at the University of Georgia have also been targeted.
In the case of the latter, one student’s email account was compromised after she responded to a phishing email sent from UGA associate. The email did not arouse any suspicions because the contact was known. In the email the student was told that it was important for her to change her password. Failure to do so would result in her being locked out of her email account. She responded by clicking the link and changing her password. However, what she had done was disclose her old password and her new one to the attacker.
The attacker then used those credentials to set up a mail forwarder on the email account. The student only found out after querying why she was no longer receiving emails with the IT help desk. After investigating, the mail forwarder was discovered.
Other students were similarly targeted and their emails accounts were used to send out huge volumes of spam emails. It was only when spamming complaints were received about the compromised accounts that the problem was identified.
These university phishing scams are conducted for a wide range of nefarious purposes. Spamming and mail forwarders may cause limited harm, but that may not always be the case. Malware infections can result in serious financial harm to students and universities. Ransomware installations can occur after students respond to phishing campaigns, and those attacks can cost tens of thousands of dollars to resolve.
How to Protect Students and Networks from the Scammers
Since these phishing scams are now so hard to identify, training on email and cybersecurity best practices is no longer as effective as it once was. Technological solutions are therefore required to prevent emails from being delivered and to stop end users from being directed to malicious websites.
SpamTitan is an ideal spam filtering solution for universities. SpamTitan blocks 99.97% of spam emails and 100% of known malware. The solution is cost effective to install, easy to administer, and no additional hardware is required or any software updates necessary.
When used in conjunction with WebTitan – TitanHQ’s powerful web filtering solution –all attempts to visit malicious links and known phishing websites can be blocked.
Both solutions are available on a 30-day no obligation free trial. If you want to ensure your students and university networks are properly protected, contact the TitanHQ sales team today to register for the trials and discover the difference that each solution can make.
Sophisticated phishing emails and elaborate web-based scams are being used to target students at the University of Connecticut. The extent to which students have been targeted with these scams has prompted UConn Chief Information Officer and Provost for Information Technology to send a warning to all students to be on high alert.
A number of students at the university have received sophisticated phishing emails in recent months that appear to have been sent from University President Susan Herbst. Like many universities and other educational establishments, the email system is protected with a spam filter. The majority of spam and scam emails are filtered out, although some do make it through. If these emails are delivered to students, there is a high probability that they will be opened. After all, the messages do appear to have been sent from the University president.
The emails contain malicious attachments or links to websites that attempt to steal login information and the scam is sophisticated and highly convincing. Many students would be unaware that they have been scammed after disclosing their login credentials.
The same can be said of malware infections, which usually occur silently when a malicious website is visited. Criminals are attempting to install key-loggers that record all sensitive data entered on compromised computers.
These scams are intended to get students to disclose their bank account information, credit card data, or Social Security numbers and personal information. The attackers can then use this information for a wide range of nefarious purposes including identity theft.
Sophisticated Phishing Emails are the New Norm
Email scams of old were quite easy to identify. They often included many grammatical and spelling mistakes and included offers that sounded too good to be true. However, today, sophisticated phishing emails are the new norm and they can be very difficult to identify. Emails are sent from authority figures, are grammatically perfect, and the attackers use wide range of social engineering techniques to get victims to disclose sensitive data or take a particular action.
The scammers are also increasingly sending highly targeted emails. These ‘spear phishing’ emails use personal information unique to the recipient to add credibility. Information is often obtained from social media and professional networking sites.
One of the latest UConn email scams includes information about Blackboard Inc., the Mail Service used by UConn. The attachment has the title “Exclusive Important Announcement from President Susan Herbst.”
Warnings have been issued by email to all students alerting them to this scam and advising them to exercise caution when using email and surfing the Internet. Students have been told not to login on any websites that do not have a valid security certificate.
A Spam Filter and Web Filter in Tandem Offer Greater Protection Against Phishing Attacks
Users should always exercise caution when using email. Attachments from unknown senders should not be opened and links contained in emails from unfamiliar sources should not be visited. However, curiosity often gets the better of students and malicious links are often unwittingly visited.
For this reason, in addition to using an advanced spam filtering solution – such as SpamTitan – universities and other educational establishments should also employ a web filtering solution. The spam filter will block the vast majority of malicious messages. The web filter will ensure that malicious websites and infected webpages cannot be visited. In tandem, a spam filter and web filter will offer far greater protection against phishing attacks and malware/ransomware infections.
A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.
Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.
At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.
It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.
Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again. While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.
The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.
A variety of spoofing techniques are employed to make the email appear like it has come from the email account of an executive or other individual high up in the organization. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.
This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.
Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.
Policies and procedures should be updated requiring payroll and HR staff to authenticate any email request for W-2 Form data by telephone prior to sending the information.
An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.
Osiris ransomware is the latest variant of Locky. As with other versions of the ransomware, there is no free way of unlocking encrypted files if a viable backup of data does not exist.
Cybercriminals use a variety of techniques and attack vectors to spread malicious files such as ransomware and malware. Exploit kits are popular as they can be hidden on websites and used to silently probe visitors’ browsers for vulnerabilities in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those vulnerabilities are leveraged to download malware. Malvertising – malicious web adverts – are often used to direct users to these malicious webpages; however, all too often, links to these websites are sent via spam email.
The rise in malware and ransomware attacks over the past few years has prompted many organizations to start providing security awareness training to staff members. Employees are instructed never to click on a link contained in an email unless they are sure that it is genuine.
However, even with security awareness training, a great many employees inadvertently infect their computers with malware or accidentally download ransomware. One of the biggest problems is not malicious links in spam email but malicious attachments. Cybercriminals have increased the use of malicious file attachments in the last year, especially to infect end users with ransomware.
One of the biggest ransomware threats in the past 12 months has been Locky. Locky has been spread via exploit kits in the past, although spam email is now primarily used to infect users.
Office Macros Used to Infect Computers with Osiris Ransomware
The gang behind Locky frequently updates the ransomware, as well as the methods used to fool end users into installing the malicious file-encryptor. The latest Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.
Locky is commonly spread via malicious macros in Word documents. Typically, the malicious Word documents claim to be invoices, purchase orders, or notifications of missed parcel deliveries.
However, a recent campaign used to distribute the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically result in an Osiris ransomware infection if macros have not been set to run automatically. The user will be presented with a blank spreadsheet and a prompt to enable macros to view the content of the file.
Clicking on ‘Enable Content’ will launch a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically executed using the Windows file Rundll32.exe. That DLL file is used to download Osiris ransomware. Osiris ransomware encrypts a wide range of file types and deletes Windows Shadow Volume Copies, preventing the user from restoring the computer to the configuration before the ransomware was installed. The only option for recovery from an Osiris ransomware infection is to pay the ransom demand or to wipe the system and restore files from backups.
Protecting Networks From E-Mail-Based Ransomware and Malware Attacks
An advanced spam filtering solution such as SpamTitan can be used to block the vast majority of email-borne threats. SpamTitan performs a wide range of front line tests to rapidly identify spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP controls.
SpamTitan uses two enterprise-class anti-virus engines to scan for malicious attachments – Kaspersky Anti-Virus and ClamAV – to maximize detection rates.
Host-based tests are performed to examine mail headers, while the contents of messages are subjected to a Bayesian analysis to identify common spam signatures and spam-like content. Messages are also scanned for malicious links.
These extensive tests ensure SpamTitan blocks 99.97% of spam emails, preventing malicious messages from being delivered to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.
If you want to keep your network protected from malicious spam emails and reduce reliance on employees’ spam detection abilities, contact the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and discover the difference SpamTitan makes at your organization before committing to a purchase.
Its tax season in the United States, which means the start of scamming season. W2 phishing scams and other tax-related email and telephone scams are rife at this time of year. Businesses need to be particularly careful. There have already been a number of victims of W2 phishing scams and the year has barely started.
2016 Saw a 400% Rise in Tax Season Phishing and Malware Incidents
Tax season in the United States runs from the start of January to April 15. It is the time of year when Americans calculate how much tax they need to pay from the previous financial year. It is also a busy time for cybercriminals. They will not be filing their own tax returns however. Instead they are concentrating on filing tax returns on behalf of their victims.
In order for tax refunds to be fraudulently filed, cybercriminals need information about their victims. Given the number of data breaches that have resulted in the theft of Social Security numbers in the past 12 months, 2017 could well be a record year for tax scams.
However, while past data breaches can provide cybercriminals with the information they need to file fraudulent tax returns, tax season usually sees a massive increase in phishing scams. The sole purpose of these scams is to get victims to reveal their Social Security numbers and the other personal information necessary to file tax returns.
Since the IRS started allowing Americans to e-file their tax returns, scammers had a new option for filing fraudulent tax returns. Phishing emails claiming to have been sent by the IRS request the recipients update their IRS e-file. A link is included in the emails for this purpose. Clicking on the link in the emails will not direct the recipient to the IRS website, but a spoofed version of the site. The information entered online is then used to e-file on behalf of the victims and the scammers pocket the tax refunds.
In 2016, the IRS reported a massive increase in phishing and malware incidents. These scams and malware infections increased by an incredible 400%. The massive rise in scams prompted the IRS to issue a warning to Americans about the scams, with the IRS confirming that it does not initiate contact with taxpayers by email to request personal or financial information.
2017 is likely to be no different. Until April 15, tax-related scams are likely to be rife. All Americans should therefore be wary and must exercise caution.
Tax Season Sees a Massive Rise in W2 Phishing Scams
While consumers are at risk. Businesses in the United States are also extensively targeted at this time of year. The scammers impersonate CEOs, CFOs, and other individuals with authority and make requests for W2 data and other financial information about employees. The requests can be highly convincing and each year many employees fall for these types of scams. The scammers are well aware that some employees would be nervous about questioning a request that has been emailed from their SEO or CFO.
It is difficult to determine how many attempted W2 phishing scams took place last year, but in the first quarter of 2016, at least 41 U.S companies reported that they were the victims of successful W2 phishing scams. Employees were sent email requests to send W2 data by return and they responded. By doing so, employees’ tax information was sent directly to the scammers’ inboxes.
2017 is not yet a month old, yet already W2 phishing scams have been reported. The week, the Tipton County Schools District in western Tennessee reported that it had fallen victim to one of these W2 phishing scams. The attacker had posed as the director of the schools and had requested W2 tax data on all employees. W2 form data were then emailed to the attacker by an employee.
A similar email phishing scam was reported to have been used to attack 8 school districts in Missouri, according to a report by the Missouri Department of Elementary and Secondary Education. In this case, only one of the eight school districts responded to the scam: An employee from the Odessa School District was fooled and send the tax details of the district’s employees to the attackers.
It is not only schools that are being targeted. A hospital in Campbell County, Wyoming was attacked this week. According to a Campbell County Health news release, a hospital executive was impersonated in this attack. A 66-year old hospital worker fell for the scam and emailed W-2 information about employees as requested.
Preventing successful W2 phishing scams requires a combination of technological solutions, employee training, and updates to policies and procedures. All employees with access to sensitive data must be advised of the risk and told to exercise caution. Policies should be introduced that require all email requests for employees’ tax information to be authenticated via telephone or other means. Organizations should also implement a robust spam filtering solution to prevent the scam emails from being delivered to employees’ inboxes.
However, if nothing is done to mitigate risk, 2017 is likely to be another record breaking year for the scammers.
You have no doubt heard of Locky and Cryptolocker, but what about Satan ransomware? Unfortunately, you may soon be introduced to this new ransomware variant. No matter where your organization is based, if you do not have a host of cybersecurity defenses to block ransomware attacks, this nasty file-encryptor may be installed on your network.
Satan Ransomware is being offered to any would-be hacker or cybercriminal free of charge via an affiliate model known as ransomware-as-a-service or RaaS. The idea behind RaaS is simple. Developers of ransomware can infect more computers and networks if they get an army of helpers to distribute their malicious software. Anyone willing to commit a little time to distributing the ransomware will receive a cut of any profits.
Ransomware authors commonly charge a nominal fee for individuals to participate in these RaaS schemes, in addition to taking a percentage of any ransomware payments that are generated. In the case of Satan ransomware, the developers offer RaaS totally free of charge. Anyone who wants to distribute the malicious software is free to do so. In exchange for their efforts they get to keep 70% of the ransom payments they generate. The remaining 30% goes to the ransomware authors. The gang behind the RaaS also offers higher percentages as infections increase as a reward for effort. All that is required to get started is to create a username and password. Access to the ransomware kit can then be gained.
What is alarming is how easy it is to participate in this RaaS scheme and custom-craft the malware. The gang behind the campaign has developed an affiliate console that allows the malware to be tweaked. The ransom amount can be easily set, as can the time frame for making payments and how much the ransom will increase if the payment deadline is exceeded.
Help is also offered with the distribution of the malware. Assistance is provided to make droppers that install the malware on victims’ systems. Help is offered to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also offered to encrypt the ransomware to avoid detection. Even multi-language support is provided. Any would-be attacker can craft ransom demands in multiple languages via the RaaS affiliate console.
Satan ransomware performs a check to determine if it is running on a virtual machine. If it is, the ransomware will terminate. If not, it will run and will search for over 350 different file types. Those files will be locked with powerful encryption. File extensions are changed to. stn and the file names are scrambled to make it harder for victims to identify individual files. The ransomware will also wipe all free space on the hard drive before the ransom demand is dropped onto the desktop.
There is no decryptor for Satan ransomware. Recovery without paying the ransom will depend on organizations being able to restore files from backups. Since the ransomware also encrypts backup files, those backups will have to be in the cloud or on isolated devices.
RaaS is nothing new, but what is so worrying about Satan ransomware is how easy it has been made for affiliates. Next to no skill is required to run a ransomware campaign and that is likely to see many individuals take part in the RaaS program.
Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.
Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.
Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.
If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.
To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.
The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.
The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.
Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.
SplashData’s List of the Worst Passwords of 2016
If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.
List of the Worst Passwords of 2015
In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.
A spate of Gmail phishing attacks has hit the headlines this week. While the phishing scam is not new – it was first identified around a year ago – cybercriminals have adopted the campaign once more. The phishing emails are used to obtain Gmail login credentials are highly convincing,. A number of different tactics are used to evade detection, some of which are likely to fool even the most security aware individuals.
The Gmail phishing attacks start with an email sent to a Gmail account. Security aware individuals would be wary about an email sent from an unknown source. However, these attacks involve emails sent from a contact in the target’s address book. The email addresses are not masked to make them look like they have come from a contact. The email is actually sent from a contact’s account that has already been compromised.
Email recipients are far more likely to open emails sent from their contacts. Many people do not perform any further checks if the sender is known to them. They assume that emails are genuine solely from the source.
However, that is not the only technique used to fool targets. The attackers also use information that has been taken from the contact’s sent and received messages and add this to the email. An screenshot of an attachment or image that has already been included in a previous email between the contact and the target is included in the message. Even if the target is slightly suspicious about receiving an email, these additional touches should allay concern.
The aim of the email is to get the target to click on the image screenshot. Doing so will direct them to a Gmail login page where the target is required to sign in again. While this is perhaps odd, the page that the user is directed to looks exactly as it should. The page exactly mirrors what the user would normally expect.
Checking the website address bar should reveal that the site is not genuine; however, in this case it does not. The address bar shows the site is secure – HTTPS – and the web address includes accounts.google.com. The only sign of the scam is the inclusion of ‘data.text/html’ before accounts.google.com in the address bar.
Entering in account credentials will send that information directly to the attackers. The response is lightning quick. Account credentials are immediately used to log into the victim’s account. Before the victim even suspects they have been scammed, the entire contents of their Gmail account could be stolen, including sent and received emails and the address book. Contacts will be subjected to these Gmail phishing attacks in the same fashion.
Google is aware of the scam and is currently developing mitigations to prevent these types of attacks from occurring. In the meantime, however, users of Gmail should be particularly wary. Many users just glance at the address bar and look for the HTTPS and the web address. Failure to very carefully check the address bar and protocol before entering login credentials can – and certainly will in this case – result in the user’s account being compromised. Gmail accounts contain a huge amount of personal information. Information that could be used in future spear phishing attacks, extortion attempts, and other scams on the target and their contacts.
A new ransomware variant – Spora ransomware – has been identified by Emisoft which features a new twist. Victims have a wide range of their files encrypted as with other forms of file-encrypting malware, but they are given the option of preventing future ransomware attacks if they pay up.
The attackers would not be able to prevent attacks performed by other gangs – with other ransomware variants – although if the attackers can be believed, victims would only be attacked with Spora once. That is, if they choose the more expensive option of ‘Spora immunity’ rather than just paying to unlock the encryption.
The bad news for the victims is that payment will be required to unlock the infection if a viable backup of data does not exist. At present, there is no decryptor for Spora.
Emisoft reports that the encryption used is particularly strong, and even if a decryptor was developed, it would only be effective against a single user due to the complex method of encryption used – a combination of AES and RSA keys using the Windows CryptoAPI.
In contrast to many ransomware variants that communicate with a command and control server, Spora ransomware does not receive any C&C instructions. This means that files can be encrypted even if the computer has no Internet connection.
The authors have also not set a fixed ransom amount, as this depend on the ‘value’ of the encrypted data. The ransom payment will be set based on who the user is and the files that have been encrypted. Before files are encrypted, a check is performed to see who has been infected. Encrypted files are sorted based on extension type and the information is combined into the .KEY file along with information about the user. The .key file must be supplied in the payment portal. An HTML file is also created on the desktop with details of how payment can be made.
The ransomware is being spread via spam email. Infection occurs when an email recipient opens the infected attachment. The attached file appears to be a genuine PDF invoice, although it includes a double file extension which masks the fact it is actually a .HTA file. Infection occurs via JScript and VBScript contained in the file.
Opening the file launches a Wordpad file which displays an error message saying the file is invalid. In the background, the ransomware will be encrypting data.
Emisoft reports that the ransomware is slick and appears highly professional. Typically, the first versions of ransomware invariably contain multiple flaws that allow decryptors to be developed. In this case, there appear to be none. Spora ransomware also tracks infections via different campaigns. The information will likely be used to determine the effectiveness of different campaigns and could be used to direct future attacks.
The slick design of the HTML ransom note and the payment portal show considerable work has gone into the creation of this new ransomware. Emisoft suggests that Spora ransomware has been developed specifically for the ransomware-as-a-service market.
Prevention remains the best defense. Since Spora ransomware is spread via spam email, blocking malicious messages is the best defense against infection, while recovery will only be possible by paying the ransom demand or restoring data from a backup.
A Barts Health malware attack forced the shutdown of hospital IT systems on Friday last week as the UK NHS Trust attempted to limit the damage caused and contain the infection.
Barts Health is the largest NHS Trust in the United Kingdom, operating six hospitals in the capital: Mile End Hospital, Newham University Hospital, St Bartholomew’s Hospital, The London Chest Hospital, The Royal London Hospital, and Whipps Cross University Hospital.
The Barts Health malware attack occurred on Friday 13, 2016. Given the number of ransomware attacks on healthcare organizations in recent months, rumors started to quickly circulate that this was another healthcare ransomware attack.
A statement was released on Friday claiming the Trust had experienced an ‘IT attack,’ and that as a precaution, a number of drives were taken offline to prevent the spread of the infection. The type of malware that had been installed was not known, although the NHS trust did say in its statement that it did not believe ransomware was involved.
Multiple drives were shut down following the discovery of the malware including those used by the pathology department, although patient data were unaffected and the NHS Trust’s Cerner Millennium patient administration system remained operational, as did the systems used by the radiology department.
Today, Barts Health reports that all of its systems are back online and the infection has been removed. Medical services for patients were not affected, although Barts Health said due to the need for requests to be processed manually, it may take a few days for the pathology department to deal with the backlog.
Barts Health also reiterated that at no point were patient medical records compromised. No mention has been made about how the malware was installed and the type of malware involved was not announced. However, the Barts Health malware attack involved a form of malware that had not previously been seen and was a ‘Trojan Malware.’
The Trust said “whilst it had the potential to do significant damage to computer network files, our measures to contain the virus were successful”.
Ransomware Attacks on UK Hospitals
In November last year, the Northern Lincolnshire and Goole NHS Trust was attacked with ransomware which resulted in IT systems at three hospitals being crippled. As a result of that attack, the NHS Trust was forced to cancel 2,800 operations and appointments while the infection was removed and systems restored. The majority of IT systems had to be taken offline, hence the major disruption to medical services.
While Locky and Samas have been used extensively in attacks on U.S. hospitals, the Northern Lincolnshire and Goole NHS Trust ransomware attack involved a ransomware variant known as Globe2 – A relativity new variant that was first identified in August 2016.
Globe ransomware has been spread primarily via spam email and malicious file attachments. Opening the file attachment triggers the downloading of the ransomware. As with other ransomware variants, the attachments appear to be files such as invoices or medical test results.
Malicious links are also used to spread ransomware infections. Clicking a link directs users to malicious websites where ransomware is automatically downloaded. Fortunately for organizations attacked with Globe ransomware, a decryptor has been developed by Emisoft, which is available for free download.
However, relatively few ransomware variants have been cracked. Recovery can also take time resulting in considerable disruption to business processes. Ensuring backups of all critical data are regularly made will ensure that files can be recovered without giving in to attackers’ demands.
Preventing malware and ransomware attacks requires multi-layered defenses. Since many infections occur as a result of infected email attachments and links, organizations should employ an advanced spam filtering solution such as SpamTitan. SpamTitan has been independently tested and shown to block 99.97% of spam email. SpamTitan will also block 100% of known malware.
A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.
Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.
The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision. To try to recover from the attack without paying the ransom and risk file loss or to give in to the attacker’s demands and pay for the keys to unlock the encryption.
Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000
Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.
The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.
The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than attempting to remove the infection. The decision was therefore made to pay the attackers in Bitcoin as requested.
The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which will must be paid by the district.
Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.
Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions
The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.
In the past few months, other educational institutions in the United States that have been attacked with ransomware include M.I.T, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.
How Can Educational Institutions Protect Against Ransomware Attacks?
There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.
However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.
Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential. An advanced spam filter such as SpamTitan should therefore be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.
To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware is downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.
For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.
Apple malware infections are relatively rare, although Mac users should not get complacent. New threats do appear from time to time and cybercriminals do target Mac users. This month another malware variant has been discovered – a type of screen locker – that is linked to a tech support scam and its Mac users that are being targeted.
The attack starts when the user clicks on a malicious link in a spam email message, although links on social media sites could also be used to direct end users to the malicious website where the attack occurs. When the malicious website is visited, malicious code on the site causes a denial-of-service attack which freezes the device as its memory is consumed.
The method of locking the computer depends on the version of OS X installed on the device. On older OS X versions, a visit to the malicious website will trigger the creation of multiple emails until the Macs memory is overloaded. The emails have the subject “Warning: Virus Detected”. Since no memory is available, users will not be able to launch any other programs. The email messages are only created as drafts – they are not delivered – although this will be sufficient to freeze the device.
Additionally, a message is loaded into the draft folder containing a phone number to call to have the virus removed. While the message appears to have been sent by Apple, this is part of the scam. This is how the attackers make their money. Removal of the infection will require payment. The attackers appear to be after credit card numbers.
The second variant of the attack affects newer OS X versions. Rather than trigger draft emails, a similar style of attack occurs via iTunes. Multiple iTunes windows are launched, similarly using up the Macs memory. As with the first attack, a message also appears with a telephone number to call to remove the infection.
These tech support scams may not involve any downloaded malware, although responding to this type of scam and providing credit card details will result in multiple payments being taken until the card provider blocks the card or credit limits are reached.
Tech support scams such as this frequently target Windows users via Firefox, IE, Edge or Chrome browsers. Multiple browser windows are launched with a tech support number displayed. A call is required to unlock the infection.
These browser-locking attacks are relatively common. Only last month, Symantec identified a new campaign which locks the screen on Windows computers and displays a browser window detailing imagery from the police force of the country where the user is based – Most of the attacks occurred in the US (FBI) and Europe (Europol).
Users are advised that they have been caught engaging in illegal online activity, usually related to pornography or child abuse. A code must be obtained from the police department to unlock the screen. A phone number is supplied which the user must call to make payment. The attackers rely on victims’ fear and embarrassment to obtain payment.
Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.
Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.
Unfortunately responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.
The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.
In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.
The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.
Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.
The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high. Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.
The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. 78.8-million health plan members’ records were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.
Anthem Inc., is the second largest health insurer in the United States and the company spends many tens of millions of highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.
Organizations must take steps to reduce the risk of speak phishing attacks. Unfortunately, there is no single solution to eradicate risk. A multi-layered defense strategy is required.
An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.
Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.
The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.
Last month, L.a. County reported one of the largest phishing attacks in the United States. A single phishing campaign directed at Los Angeles County employees saw an incredible 108 individuals fall for the scam. Each employee that responded to the campaign inadvertently divulged their email credentials to the attacker. 108 email accounts were compromised as a result of the one phishing campaign.
While it is not known whether the individual behind the campaign successfully retrieved any data from L.A County email accounts, the compromised email accounts were a treasure trove of sensitive information. The email accounts contained the sensitive information of more than 750,000 individuals.
While the announcement of the phishing attack was only made in December, the actual incident occurred on May 13, 2016. In contrast to the phishing and spam email campaigns of old that contained numerous spelling mistakes, grammatical errors, and bordered on the unbelievable, this campaign was expertly crafted. The attacker used realistic text and images, hence the reason why such a large number of employees fell for the scam.
Fortunately for L.A. County, the phishing attack was identified promptly – within 24 hours – therefore limiting the damage caused. A detailed forensic investigation revealed that 756,000 individuals had their sensitive information – including Social Security numbers and protected health information- exposed as a result of the attack.
There was further good news. The lengthy investigation confirmed the identity of the attacker, a Nigerian national – Austin Kelvin Onaghinor. A warrant has been issued for his arrest. Bringing that individual to justice may be another matter. Extraditing foreign nationals to the United States can be a difficult and long winded process. However, L.A District Attorney Jackie Lacey has vowed to “aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law.”
Phishing attacks on this scale are unfortunately not that rare. Cybercriminals are becoming much better at crafting convincing emails and gaining access to corporate email accounts. All too often, the phishing attacks are not identified quickly, giving criminals plenty of time to exfiltrate data from compromised accounts. Many phishing campaigns are conducted to obtain network credentials and other information that can be used to gain a foothold in corporate networks. Once access is gained, all manner of nefarious activities take place.
This L.A. County phishing scam clearly demonstrates that employees are the weakest link in the security chain, which is why cybercriminals are committing more time and effort into phishing attacks. It is far easier to compromise an email account or gain access to a network if an employee provides their login credentials than attempting to find a chink in advanced cybersecurity defenses.
Protecting against phishing attacks requires an advanced spam filtering solution. Without such a solution in place, organizations have to rely on employees identifying emails as malicious. Something which is becoming much harder to do as cybercriminals perfect their social engineering techniques.
Blocking phishing emails and preventing them from being delivered to inboxes is the single-most effective solution to counter the phishing threat. Along with staff anti-phishing training and anti-phishing exercises, organizations can mount a defense against such attacks and avoid the not inconsiderable mitigation costs. Providing credit monitoring and identity theft protection services to 756,000 individuals is a sizeable cost for any organization to absorb.
2016 was a particularly bad year for data breaches. A large number of huge data breaches from years gone by were also discovered in 2016.
The largest breach of 2016 – by some distance – affected Yahoo. The credentials of more than 1 billion users were obtained by the gang behind the attack. A massive cyberattack on MySpace was discovered, with the attackers reportedly obtaining 427 million passwords. 171 million vk.com account details were stolen, including usernames, email addresses, and plaintext passwords. 2016 also saw the discovery of a massive cyberattack on the professional networking platform LinkedIn. The credentials of more than 117 million users were stolen in the attack. Then there was the 51-million iMesh account hack, and 43 million Last.fm accounts were stolen….to name but a few.
The data stolen in these attacks are now being sold on darknet marketplaces to cybercriminals and are being used to commit a multitude of fraud.
One of the biggest threats for businesses comes from business email compromise (BEC) scams. BEC scams involve an attacker impersonating a company executive or vendor and requesting payment of a missed invoice. The attacker sends an email to a member of the accounts team and requests payment of an invoice by wire transfer, usually for several thousand dollars. All too often, even larger transfers are made. Some companies have lost tens of millions of dollars to BEC fraudsters.
Since the email appears to have been sent from a trusted email account, transfer requests are often not questioned. Cybercriminals also spend a considerable amount of time researching their targets. If access to corporate email accounts is gained, the attackers are able to look at previous emails sent by the targets and copy their writing style.
They learn about how transfer requests are usually emailed, the terms used by each company and executive, how emails are addressed, and the amounts of the transfers that have been made. With this information an attacker can craft convincing emails that are unlikely to arouse suspicion.
The scale of the problem was highlighted earlier this year when the FBI released figures as part of a public awareness campaign in June. The FBI reported that $3.1 billion had been lost as a result of BEC scams. Just four months earlier, the losses were $2.3 billion, clearly showing that the threat was becoming more severe.
This year also saw a huge increase in W-2 scams in the United States. W-2 data is requested from HR departments in a similar manner to the BEC scams. Rather than trying to fool email recipients into making fraudulent transfers, the attackers request W-2 data on employees in order to allow them to file fraudulent tax returns in their names. The IRS issued a warning earlier this following a huge increase in W2 attacks on organizations in the United States.
Companies large and small were targeted, with major attacks conducted on Seagate, Snapchat, Central Concrete Supply Co. Inc, and Mainline Health. Between January and March 2016, 55 major – and successful – W-2 scams were reported to the IRS.
Attackers do not even need email account passwords to conduct these attacks. Email addresses of CEOs and executives can easily be spoofed to make them appear that they have been sent internally. The sheer number of stolen email addresses – and in many cases also passwords – makes the threat of BEC and W-2 attacks even greater. Security experts predict next year will be even tougher for businesses with even more cyberattacks than in 2016.
Improve Your Defenses Against Email-Borne Threats in 2017
Reducing the risk of these attacks requires multi-layered defenses. It is essential that all employees authorized to make corporate bank transfers receive training on email security and are alerted to the risk of BEC scams. Policies should be introduced that require bank transfer requests to be authorized by a supervisor and/or authenticated by phone prior to the transfer being made.
All employees should be instructed to use strong passwords and never to share work passwords anywhere else online. Many employees still use the same password for work as for personal accounts. However, if one online platform is breached, it can give the attackers access to all other platforms where the same password has been used – including corporate email accounts.
Organizations should also implement controls to block phishing and spear phishing attacks. Blocking phishing emails reduces reliance on the effectiveness of anti-phishing training for employees.
SpamTitan is a highly effective tool for blocking malicious spam emails, including phishing and spear phishing emails. SpamTitan uses a range of techniques to identify spam and scam emails including Bayesian analyses, greylisting and blacklists. SpamTitan incorporates robust anti-malware and anti-phishing protection, as well as outbound email scanning to block spam and scams from corporate email accounts. SpamTitan is regularly tested by independent experts and is shown to block 99.97% of spam email with a low false positive rate of just 0.03%.
2016 may have been a particularly bad year for data breaches and the outlook doesn’t look good for 2017, but by taking affirmative action and implementing better defenses against email-borne attacks, you could ensure that your company is not added to the 2017 list of data breach and scam statistics.
How do spam filters block spam email? Spammers are constantly adapting their strategies to bypass spam filters and deliver more malicious messages to corporate users’ inboxes, so how do antispam solutions keep pace and block these annoying and often malicious messages?
Many anti-spam solutions rely on blacklists to identify spammers’ email addresses and IP addresses. Once a spammer’s IP address has been identified, it is added to a global spam blacklist.
Antispam solutions check incoming messages against these blacklists. As soon as an IP address is blacklisted, any email sent from that IP address is automatically marked as spam and will be deleted or quarantined.
Spammers are aware that the lifespan of an email address for spamming is short. As anti-spam solutions have improved, the time delay between an email address being used for spamming and it being added to a global spam blacklist has reduced considerably. Whereas spammers used to be able to use an email address for weeks before it was identified by anti-spam solutions and blacklisted, now the lag has been reduced to days or even hours.
Spammers therefore have a very small window of opportunity to use email addresses and mail servers for spamming before they are detected and blacklisted.
Snowshoe and Hailstorm Spam Tactics to Get Messages to Inboxes
Spammers have attempted to increase the timespan for using email addresses using a number of methods, the most common being conducting snowshoe campaigns. This tactic involves sending out very low numbers of spam email messages from each IP address. If spam email volume is kept low, there is less chance of the IP address being recognized as used for spamming. To ensure sufficient numbers of messages are sent, spammers use millions of IP addresses. Even using this tactic will not allow the spammers to conduct their activities undetected for very long. Spammers therefore need to constantly add new IP addresses to their spamming networks to enable them to continue conducting their campaigns.
Snowshoe tactics are now widely used and the technique is highly effective, although a new tactic has recently been uncovered that is referred to as hailstorm spamming. Hailstorm spam campaigns similarly involve extremely large numbers of IP addresses, yet they are used very briefly and intensely. Rather than trying to stay under the radar, the spammers use those IP addresses to send huge volumes of messages very quickly.
Researchers at Cisco Talos recently analyzed both tactics and determined that the DNS query volume from a typical snowshoe campaign involved around 35 queries an hour. A hailstorm spam campaign involved around 75,000 queries an hour. The snowshoe campaign would continue at that rate for many hours, whereas the hailstorm spam campaign spiked and then fell to next to nothing. Hailstorm campaigns can therefore be used to deliver huge volumes of emails before the IP addresses are added to blacklists.
How do Spam Filters Block Spam Email?
How do spam filters block spam email when these tactics are used? Snowshoe and hailstorm spam campaigns are effective against antispam solutions that rely on blacklists to identify spammers. Only when an IP address is added to a blacklist will the spam email messages be blocked. Advanced spam solutions offer far greater protection. Blacklist are still used, although a number of other methods of spam detection are employed.
Conducting a Bayesian analysis on all incoming spam email messages greatly reduces the volume of spam email messages that are delivered to end users. A Bayesian analysis involves reading the contents of a message and assessing the words, phrases, headers, message paths, and CSS or HTML contained in the message. While scoring, messages based on content can be effective, Bayesian spam filters also learn as they go. They constantly compare spam emails to legitimate emails and build up the range of spam characteristics that are checked. As spammers change tactics, this is picked up by a Bayesian spam filter and spam messages continue to be filtered.
The use of greylisting is also important in a spam filter. There will be some messages that pass all of the checks and some that monumentally fail. Categorizing these messages as genuine or spam is therefore simple. However, there is a sizeable grey area – messages that could potentially be spam.
If all of these messages are blocked, many genuine emails would not be delivered. If they are all allowed, many spam messages would get through. This would result in poor catch rates or extremely high false positive rates. Greylisting helps in this regard. Suspect messages are returned to the sender’s mail server and a request is made for the message to be resent. Since spammers mail servers are typically constantly busy, these requests are either ignored or they are not dealt with promptly. The time it takes for the message to be resent is therefore a good indicator of whether the message is genuine.
SpamTitan – Keep Your Inboxes Spam Free
SpamTitan uses a range of methods to identify spam emails including blacklists, Bayesian analyses, and greylisting. These checks ensure that more spam emails are identified and blocked, even if IP addresses have yet to be added to spam blacklists. This makes SpamTitan highly effective, even when spammers use snowshoe and hailstorm spamming tactics. By using a range of methods to identify spam emails, spam detection rates are improved and false positives are reduced.
SpamTitan is independently tested every month to determine its effectiveness. SpamTItan is consistently verified as capable of blocking more than 99.97% of spam emails, with a false positive rate below 0.03%.
If you want to find out the difference that SpamTitan makes to the volume of spam messages that are delivered to your employees’ inboxes, why not take advantage of our free, no-obligation 30-day trial. You can implement the solution quickly, evaluate its effectiveness, and you will receive full customer and technical support for the duration of the trial.
To find out more about SpamTitan and the difference it can make to your business, call the TitanHQ sales team today.
All antispam solutions and spam filters check inbound messages for common spam signatures; however, it is also important to choose a solution that performs outbound email scanning. Outbound email scanning ensures spam emails, or emails containing malware, are not sent from an organization’s email accounts or domains.
Your employees would be unlikely to knowingly use their corporate email accounts to send spam emails, but malware infections can allow cybercriminals to gain access to email accounts and use them to send high volumes of spam email messages. Cybercriminals could also compromise email accounts and use an organization’s domain to send malware and ransomware to clients and customers.
Should this happen, it can have a seriously detrimental effect on an organization’s reputation and may result in corporate email accounts or an entire domain being blacklisted.
Blacklists are maintained by a number of organizations – spamhaus.org for example. Internet Service Providers (ISPs), web servers, and antispam solutions check these blacklists before allowing emails to be delivered to end users. If a particular IP address, email account, or domain is listed in one of the blacklist databases, emails sent from the domain, IP address or email account will not be delivered.
Blacklists are updated in real-time and contain many millions of blocked domains and email addresses that have been reported as having been used for unwanted activity such as the sending of spam emails. If emails are sent from a blacklisted account, domain, or IP address those emails will either be directed to a quarantine folder, deleted, or will simply be rejected.
If a business has its domain added to a spam blacklist important emails to clients and customers will not get through. This can prove costly, as real estate firm Keller Williams has recently discovered.
Blacklisted Domains and Email Accounts Can Prove Costly for Businesses
Over the past few days, email messages sent from the kw.com domain used by Keller Williams have been rejected by AOL. Yahoo has been blocking emails from the kw.com account for some time. The problem appears to be the addition of the kw.com domain to spam blacklists.
If a Keller Williams real estate agent needs to send an email to a customer who has an AOL or Yahoo account, it will not be delivered. Agents have therefore been forced to get customers to open Google email accounts in order to send online paperwork or documents requiring e-signatures.
The issue also affects online paperwork sent via the transaction management software program Ziplogix, with one Keller Williams agent also claiming Dotloop is also affected. Some agents at Keller Williams have reportedly had to send important paperwork for listings and sales via personal email accounts to ensure emails are delivered.
The AOL website explains that when domains have been flagged as being abusive, the server will be temporarily blocked until the spamming stops. Until a domain is removed from its blacklist, AOL account holders will be prevented from receiving emails from the blocked domain. Removing the domain from the blacklist can take up to a week.
Removing a domain from the 80+ commonly used spam blacklists can be a time-consuming task; furthermore, if spam emails are sent from the account again, the domain will simply be added to the blacklists once more.
Outbound Email Scanning Prevents the Blacklisting of an Organization’s Domain
Unlike many third-party antispam solutions, SpamTitan checks incoming email messages for spam signatures as well as performing outbound email scanning. If an email account has been compromised and is being used to send spam emails, if malware is sending spam, those messages will be blocked and will not be sent. Outbound email scanning is an important protection that will prevent an organization’s domain or email accounts from being used to send spam or malware.
Organizations can therefore avoid the embarrassment and reputation damage that results from being suspected as engaging in spamming or malware delivery. They can also rest assured that in addition to blocking 99.97% of inbound email spam, their domains and email accounts will not be added to spam blacklists.
‘Tis the season to be jolly, although ‘tis also the season to be infected with malware. The holiday season is an annual highlight for cybercriminals. Holiday season malware infections are to be expected as cybercriminals increase their efforts and try to infect as many users with malware as possible.
Malware is an ever-present threat, but the increase in online activity in the run up to the holiday season means easy pickings for cybercriminals. Consumers are starting to prepare for the holidays earlier, but not as early as the scammers. As consumers head online in their droves, scammers and other cybercriminals are lying in wait.
The advent of Black Friday and Cyber Monday – days where shoppers are offered amazing deals to prompt early Christmas purchases– see a frenzy of online activity. There are discounts aplenty and great deals to be had.
However, not all of those discounts are genuine. Many are scams that are used to phish for sensitive information or spread malware infections. As is the case every year, the holiday season sees a spike in malware infections, with the biggest spike over Thanksgiving weekend. This year has been no exception. Holiday season malware infections have increased significantly year on year.
Holiday Season Malware Infections Rise 118% Above Normal Levels
This year, over the first official shopping weekend of the holiday season, malware infections increased by 106% according to data compiled by the Enigma Software Group. On Cyber Monday, when even more great deals on online purchases are made available, malware infections were 118% higher than normal.
Those figures are only for Windows users. Add in smartphones and Apple devices and the figures would be higher still. The problem is also getting worse. Last year there was a spike of 84% over normal levels during the Thanksgiving weekend.
There have been a number of suggestions put forward as to why the figures are so high this year. One of the main reasons is simply due to the number of shoppers heading online. Each year sees more individuals choosing to go online shopping over Thanksgiving weekend. More online shoppers mean more opportunities to infect users with malware.
However, there are also more actors involved in online scams, malware-as-a-service and ransomware-as-a-service has also grown in popularity, and many cybercriminals have started up affiliate schemes to get more help spreading their malicious software. Individuals who succeed in infecting computers with ransomware are given a cut of the profits and there is no shortage of people willing to try the affiliate schemes to boost their own earnings.
Cybercriminals are also getting better at developing convincing scams and malicious email messages. The grammatical and spelling mistakes that were common in phishing emails in years gone by are largely gone. Now, almost perfect emails are sent and scammers are using a wide range of social engineering techniques to lure end users into clicking on malicious links or opening infected email attachments. Spoofed retail sites are also now commonplace – and extremely convincing.
The growth of social media has also helped boost cybercriminal activity. Malicious posts are being shared online offering discounts, special offers, and unmissable deals. However, all end users get is a malware download.
Avoiding a Bad Start to Holiday Season
To avoid becoming a victim of a scam or having to deal with a malware or ransomware infection, shoppers must be vigilant and exercise more caution. Offers that sound too good to be true usually are. Unsolicited emails should always be treated as suspicious and extra care should be taken when clicking on any link or visiting a retail site.
Businesses should also take extra precautions. A malware or ransomware infection can prove extremely costly to resolve. While warnings should be sent to end users about the risks of holiday season malware infections, technological solutions should also be in place to prevent malicious file downloads.
Antispam solutions are highly effective at blocking malicious messages such as phishing emails and emails containing malware. SpamTitan blocks 99.97% of spam messages, contains a powerful anti-phishing module, and blocks 100% of known malware.
Malicious links on social media sites and on third-party ad networks (malvertisting) are a very real risk. However, a web filter can be used to control access to social media sites, block malicious third-party adverts, and prevent end users from visiting websites known to contain malware.
If you want to keep your network free from malware this holiday season, if you have not already used these two solutions, now is the time. They will also help to keep your network malware free around the year. And with security experts predicting a massive increase in ransomware and malware attacks in 2017, there is no better time to start improving your defenses.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses comes following a spate of high profile ransomware attacks on U.S businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in an anonymous cryptocurrency such as Bitcoin, money can be collected without fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Ensuring all software is kept up to date and patches applied promptly
- Setting antivirus and antimalware programs to update definitions automatically
- Use endpoint security controls to prevent ransomware installations
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities to identify high risk activities
- Use intrusion prevention software
- Train the workforce on security best practices and test knowledge to ensure training has been effective
- Ensure all members of staff are aware who to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to ensure that regular backups of data are performed. Multiple backups should be made to minimize the risk of data loss. Those backups should be stored on an air-gapped device to avoid backup files also being encrypted. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.