Phishing by SMS: Smishing Attacks on The Rise

Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.

Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.

Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees.  However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.

In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.

Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.

Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.

Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.

Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.

  • As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
  • Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
  • It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
  • If a message containing a hyperlink is received, do not click on the link. Delete the message.
  • Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
  • If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
  • If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.

Ransomware and Phishing Attacks in 2017 Have Soared

A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.

CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.

This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.

IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.

Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.

Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.

More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.

Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.

The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats.  Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.

Reyptson Ransomware Spreads Itself by Emailing Itself to Contacts

Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.

There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.

Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.

New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.

The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.

The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.

Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.

Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.

However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.

Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.

One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.

Supreme Court Phishing Scam Targets Law Firms in Ireland

Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.

The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.

The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.

The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme.  The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.

Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Receipents of the email were told to submit the information within 12 days or the case would proceed in their absence.

As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be aware of typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.

The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.

The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.

If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.

In the most part, any serious matter such as a subpoena or important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.

Federal Agencies Urged to Use DMARC to Prevent Impersonation Attacks

A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.

The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.

The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.

Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.

DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.

The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.

The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments

Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.

Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.

Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies.  DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.