Beware of These World Cup 2018 Phishing Scams

World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.

World Cup 2018 Phishing Scams Detected!

The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.

Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.

Fake Tickets and Fake Touts

With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.

Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.

Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.

Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.

Competition Scams

Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.

Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners

Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.

Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.

Cheap Travel Accommodation Scams

Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.

These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.

Team and Match News and World Cup Gossip

As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.

How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam

These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.

Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:

  • Only buy tickets from the official FIFA website
  • Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
  • Never buy products or services advertised in spam email
  • Never opening attachments in World Cup-themed emails from unknown senders
  • Do not click hyperlinks in emails from unknown senders
  • Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
  • Ensure all software, including browsers and plugins, is patched and kept fully up to date
  • Ensure anti-virus software is installed and is kept up to date
  • Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
  • Stay alert – If an offer seems to good to be true, it most likely is

Cybersecurity Breaches Survey Shows Almost Half of UK Businesses Experienced a Cyberattack in 2017

The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.

The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.

The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.

43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.

While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.

The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.

The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.

Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.

The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.

TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.

WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware.  Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.

There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.

TSB Phishing Scams Soar as Hackers Capitalize on Bank’s IT Misfortunes

According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.

A Nightmare Scenario for TSB Customers

The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.

While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.

Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.

Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.

TSB Phishing Scams Soar

The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.

TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.

The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.

Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.

According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.

With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.

Data Breach Costs Have Increased by 36% for SMBs in the Past Year

Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.

The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.

For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.

When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.

Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.

The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.

It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.

Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.

The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.

While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).

VPNFilter Malware Installed on More than Half a Million Routers

A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.

VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.

The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.

The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.

Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.

While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.

While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.

While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.

The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.

Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.

Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.

Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.

Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.