BugDrop Malware Turns on Microphones and Exfiltrates Recordings

BugDrop malware is a new and highly advanced email-borne threat detected in the past few days. While attacks are currently concentrated on companies in Ukraine, BugDrop malware attacks have already started in other countries. Companies in Austria, Russia and Saudi Arabia have also been attacked.

Due to the nature of the attacks, it is clear that the actors behind the new malware have access to significant resources. So far, BugDrop malware is known to have stolen an incredible 600 GB of data from around 70 confirmed targets. At the rate that the malware is stealing data, the storage required will be considerable. This is therefore unlikely to the work of an isolated hacker. A significant cybercriminal group or most likely, a foreign-government backed hacking group, is likely to be responsible for the attacks.

Companies involved in scientific research, critical infrastructure, news media, engineering, and even human rights organizations have been targeted.

The malware will steal documents stored on infected computers and networks to which the computer connects. Passwords are stolen and screenshots are taken. However, rather than simply gain access to intellectual property and other sensitive data, the malware has another method of obtaining information. BugDrop malware, as the name suggests, bugs organizations and records audio data.

The malware turns on the microphone on an infected computer and records conversations, which accounts for the huge volume of data stolen. The stolen files are then encrypted and uploaded to the attackers’ Dropbox account. Files are retrieved from the Dropbox account and are decrypted. The resources required for analyzing such huge volumes of data – including audio data – are considerable, as are the storage requirements.

The CyberX researchers who discovered the malware suggest that Big Data analytics are likely used rather than manually checking the stolen data. Either way, such an operation must be heavily staffed, which points to a state-sponsored group. CyberX says “Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”

Since data exfiltration occurs via Dropbox, data exfiltration may not be detected. Many companies allow their employees to access Dropbox and connections to the storage service are often not monitored. Encryption is used, preventing many anti-virus solutions from detecting attacks or sandboxing the malware. The attacks also involve reflective DLL injection – since code is run in the context of other processes, detection is made more difficult.

BugDrop malware is being distributed via spam email using malicious macros in Word documents. If macros are enabled, the malware will be installed when the document is opened. Since many companies now automatically block macros and require them to be enabled on each document, the attackers prompt the user to enable macros by saying the document was created in a newer version of Microsoft Office. To view the contents of the document, macros must be enabled. The Word documents contains a professional image from Microsoft, including branding and Office logos, to make the warning appear genuine.

New Statistics Released on Corporate Email Security Threats

Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.

According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.

Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.

It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.

Main Corporate Email Security Threats by Business Sector

Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.

However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.

Malicious Spam Poses a Major Risk to Corporations

As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.

Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.

Protecting Your Organization from Email-Borne Threats

Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Bitdefender/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.

If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.

Yahoo Breach Phishing Campaign Takes Advantage of Latest Yahoo Warnings

A fresh round of email warnings for Yahoo account holders has been sent; however, cybercriminals are taking advantage: A new Yahoo breach phishing campaign has been detected that piggybacks on the latest news.

New Warnings for Yahoo Email Account Holders

Yahoo has been sending fresh warnings to account holders explaining that their accounts may have been compromised as a result of the Yahoo cyberattacks in 2013 and 2014. The Yahoo cyberattacks were the largest ever seen, resulting in the theft of 1 billion and 500 million users’ credentials. Yahoo has now confirmed that the attacks involved the use of forged cookies to bypass its security controls.

Yahoo’s CISO Bob Lord has told account holders in the email that “We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016.” As was the case in previous Yahoo warnings, accounts should be reviewed for any suspicious activity and users should not click on links or open attachments from unknown senders.

Yahoo Breach Phishing Campaign Detected

Many active Yahoo account holders are concerned about email security following news of the cyberattacks in 2013/2014 and cybercriminals have been quick to take advantage. The fresh round of email warnings has only heightened fears, as well as the risk for account holders. Cybercriminals have been piggybacking on the latest news of account breaches and have been sending their own messages to Yahoo email users. The latest Yahoo breach phishing email campaign play on users’ fears over the security of their accounts. The Yahoo breach phishing emails attempt to fool security conscious account holders into clicking on malicious phishing links and revealing sensitive information.

In the latest round of warnings, Yahoo urged users to take advantage of Yahoo’s password-free security service – the Yahoo Account Key authentication service. The latest round of Yahoo breach phishing emails offer account holders the option of upgrading the security on their accounts as well. To improve take up, the attackers add urgency by saying the target’s account has been temporarily limited for failing an automatic security update. A link is supplied for users to click to re-verify account ownership. If they fail to click on the link and update their details, they will be permanently locked out of their account.

The Yahoo breach phishing campaign is likely to claim many victims, although the phishing emails are fairly easy to identify as fake. The emails appear to have come from an account called ‘Mail’, although checking the actual email address will reveal that the email was not sent from a domain used by Yahoo. There are also some errors with the structure of the email. Slight grammatical errors are a tell-tale sign that the emails are not genuine.

However, not all Yahoo breach phishing emails contain errors. Some have been highly convincing. Users are therefore advised to exercise extreme caution when using their Yahoo accounts and to be on high alert for Yahoo breach phishing emails.

Cost of the Yahoo Cyberattacks

The Yahoo cyberattacks of 2013 and 2014 have cost the company dearly. While it is unclear what the final cost of the Yahoo cyberattacks will be, it will certainly be well in excess of $250 million – That is the price reduction Verizon Communications is seeking following the revelation that Yahoo account holders’ credentials were stolen in the two massive cyberattacks reported last year. The purchase price of $4.8 billion, which was agreed in the summer of 2016, is to be reduced. There was talk that the deal may even not go ahead as a result of the Yahoo cyberattack revelations. While Yahoo will not want a price reduction, there are likely to be a few sighs of relief. Verizon were rumored to be looking for a $1 billing reduction in the price just a few weeks back.

Solicitor Email Scam Targets Homebuyers and Sellers

In the United Kingdom and Eire, homebuyers and sellers are being targeted by cybercriminals using a new solicitor email scam. The scam, which involves mimicking a solicitor, is costing victims thousands. There have also been some reported cases of cybercriminals sending solicitors emails claiming to be their clients and requesting changes of bank details. Any pending transfers are then made to the criminals’ accounts.

Since funds for home purchases are transferred to solicitors’ accounts before being passed on to the sellers, if cybercriminals are able to change the bank details for the transfers, the funds for the purchase will be paid directly into their accounts.

While email spoofing is commonplace, this solicitor email scam often involves the hacking of solicitors’ email accounts. Once access has been gained, cybercriminals search for emails sent to and from buyers and sellers of homes to identify potential targets.  While the hacking of email accounts is occurring, there have also been instances where emails between buyers, sellers, and their solicitors have been intercepted. When bank details for a transfer are emailed, the hackers change the bank information in the email to their own and then forward the email on.

The solicitor email scam is highly targeted and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be made. Since the potential rewards are considerable, cybercriminals are willing to put the time and effort into the scam and be patient. Buyers, sellers, and solicitors are well researched and the emails are highly convincing.

Instances of this conveyancing scam have been increasing in recent months and it has now become the most common cybercrime affecting the legal sector. The Law Society, a representative body for solicitors in the UK, has issued a warning about the conveyancing scam due to an increased number of complaints, although it is currently unclear how many fraudulent transfers have been made.

There is of course an easy way for solicitors to prevent such a scam from being successful, and that is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details by telephone. Alternatively, policies can be developed requiring bank account information to only be sent via regular mail.

The Solicitors Regulation Authority advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be convenient, but with such large sums being transferred it pays to exercise caution.

While this solicitor email scam is common in the UK and Eire, legal firms in the United States should also exercise caution. Since the conveyancing scam is proving to be lucrative, it will only be a matter of time before U.S. lawyers are targeted.

Cyberattacks on Law Firms on the Rise

Cyberattacks on law firms have been steadily increasing over the past three years. According to data from PwC’s annual Law Firms Survey last year, 73% of the UK’s top 100 law firms have been attacked by cybercriminals in the past year. In 2014/2015, 62% of the top 100 law firms were attacked. The previous year the figure stood at 45%. In the past two years, cyberattacks on law firms have increased by a staggering 60%.

According to PwC’s figures, large law firms are the most frequently targeted. 90% of the top 25 legal firms had experienced a cyberattack in the past 12 months. The types of attacks are highly varied, although the most common way attacks occur is via the firm’s email system.

Spear phishing emails are sent to solicitors in an attempt to obtain banking credentials and access to email accounts. When solicitors respond to these phishing emails and divulge their banking credentials, client funds are transferred to the criminals’ accounts. According to the survey, 84% of legal firms said they had experienced a phishing attack in the past year.

Solicitors in the UK and Ireland and attorneys in the United States are also being sent bogus emails that claim to be from home buyers or sellers. Instructions are provided asking for funds to be transferred to alternate accounts. Hackers eavesdrop on email conversations and are aware when funds are about to be transferred. They then sent an email to an attorney/solicitor posing as the buyer/seller of a property and provide alternate bank accounts asking for the funds to be transferred to the new account.

Buyers and sellers of properties are also targeted in a similar fashion. They are sent emails with the hacker claiming to be their solicitor. Alternate bank account details are provided for transfers. This is now one of the main types of cyberattacks on law firms and their clients.

Direct attacks on networks still occur, with hackers taking advantage of vulnerabilities in security defenses. However, law firm hacking only accounts for around 16% of incidents. Malware is a much bigger threat. Malware is delivered via spam email or drive-by downloads from the Web. 55% of legal firms say they have experienced a malware attack in the past 12 months. Malware can be ransomware – which locks computers with powerful encryption until a ransom payment is made or keyloggers that record sensitive data such as usernames and passwords. Malware can also enable criminals to gain access to systems to steal sensitive data and extort money out of law firms.

Law firm cyberattacks can be costly to resolve; however, the biggest cost can be loss of reputation. If law firms suffer cyberattacks and client data is stolen or exposed, reputations can be permanently damaged. Legal firms that are unable to ensure that their clients’ information remains confidential may find the cost of removing malware the least of their problems.

To prevent phishing emails and malware from being delivered to inboxes, an advanced spam filter is required. SpamTitan includes a powerful anti-phishing component that recognizes the common signatures of phishing emails and ensures they are not delivered. SpamTitan also blocks 100% of known malware and ransomware, ensuring end users do not receive malicious email attachments and links to malware-ridden websites.

To find out how SpamTitan can improve your security posture, contact the TitanHQ team today and take the first step toward preventing your law firm from being added to next year’s PwC’s law firm cyberattack statistics.