Threat from Phishing Websites Greater than Ever Before

A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than at any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.

The Rising Threat from Phishing Websites Should Not Be Ignored

APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers.

In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months have seen a massive rise in new websites that trick users into revealing sensitive data.

APWG reports that there is an increase in new malicious websites around the holiday season. In the run-up to the holiday period, when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data.

In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended, APWG expected activity to decline. That didn’t happen. New sites were still being created at elevated levels.

In the first quarter of 2016, APWG detected 289,371 new phishing websites. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month. March saw almost twice the number of new sites as were created in December. The figures for Q1 and for March were the highest ever seen.

Retail and Financial Sectors Most Frequently Targeted by Phishers

Phishers tend to favor well-known brands. The phishing activity report indicates little has changed in this regard. Between 406 and 431 brands are targeted each month. Most of the new sites target the retail industry, which accounted for 42.71% of the new phishing websites detected in the first quarter of 2016. The financial sector was second with 18.67% of new sites, followed by the payment service industry with 14.74% and the ISP industry with 12.01%. The remaining 11.87% of new sites targeted a wide range of industries. The United States is the most targeted country and hosts the most phishing websites.

While phishing websites are now favored by cybercriminals, emails continue to be used to send malicious links and malware-infected attachments to consumers and businesses. In January, 99,384 phishing email reports were sent to APWG. The number increased to over 229,000 in February and stayed at that level in March.

APWG also tracked malware infections. In the first quarter of the year, 20 million malware samples were intercepted – an average of 6.67 million malware samples a month.

The report shows the seriousness of the threat from phishing websites and how critical it is for businesses to take action to prevent end users from visiting malicious websites.

One of the best ways that businesses can reduce the risk of employees visiting phishing websites is to use a web filtering solution. By controlling the sites that can be accessed by employees, the risk of phishing, malware infections, and ransomware attacks can be greatly reduced.

TeslaCrypt Ransomware Master Key Released

Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware, which was used primarily to target gamers.

TeslaCrypt Ransomware Master Key Released

So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom.

Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET has added the key to its TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware.

That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributors of TeslaCrypt have already switched to CryptXXX.

Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections.

The reason for the release is that TeslaCrypt was already being phased out. ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and pay the ransom.

Kabina asked for the private decryption keys to unlock all four versions of the ransomware. He was answered within one day and was provided the key for the version he claimed to have been infected with. He then sent another message requesting the release of the latest key to unlock v4 of the ransomware, and noticed on the TeslaCrypt page that the gang had announced that the project had been closed. The universal key had been posted on an anonymous .onion page that can be accessed using the Tor browser.

There is a constant battle between security companies and ransomware developers. Oftentimes, ransomware variants contain flaws that allow antivirus companies to develop decryption tools. When these tools are released, attackers work rapidly to repair the flaw and release a new, more robust version of the ransomware. This was the case with TeslaCrypt: flaws in the first version allowed a decryption tool to be developed, and once that tool was released, version 2 of the ransomware followed. TeslaCrypt is now on its fourth version.

As with Cryptowall, TeslaCrypt has now been shut down; however, CryptXXX is still very much active and is still being updated. Furthermore, the attackers have learnt from their mistakes and have developed CryptXXX to be a much harder nut to crack.

CryptXXX is run alongside a program that monitors the system on which it is run to check if it is in a virtual environment or sandbox or otherwise being probed. If abnormal behavior is identified, the encryption routine is restarted. CryptXXX is also spread via spam email, exploit kits, and malvertising. This means that it is much easier to spread and more attacks are likely to occur. Companies and individuals therefore face a much higher risk of an attack.

The release of the TeslaCrypt ransomware master key is therefore only good news if you have been infected with TeslaCrypt. With the move to CryptXXX it is even more important to have solutions in place to prevent attacks, and a plan in place to deal with an attack when it occurs.

Impact of Security Breaches on Brand Image Assessed

A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data.

Cyberattacks are now taking place with such frequency that data breaches are now to be expected. It is no longer a case of whether a security breach will occur, it is now just a case of when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur.

Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?

What is the Impact of Security Breaches on Brand Image?

The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted with consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands.

The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security.

75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity.

Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.

Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take a considerable amount of time to regain consumers’ trust. More than half of respondents (54%) said that their impression of companies was negatively impacted after a security breach occurred.

Fast action following a data breach can help to restore confidence, but this is expected by consumers. The survey showed that 90% of consumers expect to be notified of a breach of data within 24 hours of an attack taking place, yet this is something that rarely happens. All too often consumers are made to wait weeks before they are informed of a breach of their personal information.

The study also shows that as a result of large-scale breaches consumers are now much less trusting of companies’ ability to keep data secure. They are also much more cautious about providing personal information. 72% of consumers said they now share less information with companies due to the volume of data breaches now being suffered.

The take-home message from the survey is that organizations must do more to protect consumer data and to prevent data breaches from occurring. If companies invest heavily in cybersecurity and can demonstrate to consumers that they take privacy and security seriously, the negative impact of security breaches on brand image is likely to be reduced.

International Trends in Cybersecurity: 73% of Companies Experienced Security Breach in Past 12 Months

The not-for-profit technology industry association CompTIA recently released its 2016 International Trends in Cybersecurity report after analyzing the current state of cybersecurity and assessing behaviors and techniques currently being used by organizations around the world to tackle the growing risk of cyberattacks.

To compile the report, CompTIA surveyed 1,509 IT security professionals from 12 countries around the world, including Australia, Canada, India, Brazil, Malaysia, Japan, South Africa, the UAE and the UK.

The International Trends in Cybersecurity report shows that information security is still a major concern for IT and business executives, which is perhaps no surprise given the number of cybersecurity threats they now have to deal with. The report showed that over the course of the past 12 months, 73% of organizations had experienced at least one security incident and 60% of those security incidents were classed as serious.

The highest number of security incidents occurred in India, where 94% of companies experienced a security breach in the past 12 months, closely followed by Malaysia on 89%, and Brazil and Mexico with 87% of companies suffering at least one breach. Japan and the UAE fared the best, with just 39% and 40% of companies self-reporting a security breach.

Security incidents involving mobile devices are becoming much more prevalent as the use of the devices increases. 76% of companies across all 12 countries experienced a mobile-related data breach in the past 12 months. In Thailand, 95% of companies had experienced a mobile-related security breach. In the UK, 64% of companies experienced a mobile-related incident. Companies in Japan and the UAE fared the best, with 60% of companies experiencing a breach of mobile data.

Human error continues to be a major cause of security breaches and the situation is getting worse. Companies are tackling the issue with training to improve awareness of cybersecurity issues and ensure security best practices are adopted.

Nearly 80% of managers responsible for data security expect cybersecurity to become even more important over the next two years. The increasing reliance on mobile technology and cloud computing has required a major rethink about how systems and data need to be protected from attack. These were listed as the main drivers behind changes in cybersecurity practices in 10 out of the 12 countries where respondents were located.

How to Reduce Risk of Malware Infections from Websites

To reduce the risk of malware infections from websites you can avoid certain types of sites that are commonly used by cybercriminals to infect visitors: pornography sites, torrent sites, and online marketplaces selling illegal medication, for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors.

The unfortunate reality is that browsing the Internet and only visiting what are perceived to be “safe sites” does not mean that you will not be exposed to malware, malicious code, and exploit kits. Hackers are increasingly compromising seemingly legitimate websites to redirect visitors to sites containing exploit kits that download malware and ransomware.

Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.

High Profile Websites Compromised and Used to Deliver Ransomware to Visitors

This week, two new websites were found to have been compromised and were used to infect visitors with malware.

The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting the site placed them at risk of having their computer files locked with powerful file-encrypting ransomware.

However, that is exactly what has been happening. Hackers compromised an iframe on the site and inserted malicious code which redirected visitors to a website containing the Angler Exploit Kit. Angler probes visitors’ browsers for security vulnerabilities and exploits them, silently downloading a payload of malware. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims’ devices.

A second malvertising campaign was also conducted that redirected visitors to a different website. The exploit kit used to infect redirected visitors was different, but the end result was the same. A malicious payload was downloaded onto their devices.

Another well-known website was also discovered to have been compromised this week. The website of the world-renowned French film production company Pathé was discovered to have been compromised. Hackers had managed to embed malicious code in one of the webpages on the site. The code also redirected users to a site hosting the Angler Exploit Kit, which similarly was used to infect visitors with CryptXXX ransomware.

How to Reduce the Risk of Malware Infections from Websites

Exploit kits take advantage of security vulnerabilities in browsers. To reduce the risk of malware infections from websites it is essential that browsers are kept up to date. That includes all browser plugins. If no security vulnerabilities existed, there would be nothing for exploit kits to exploit.

However, zero-day vulnerabilities are emerging all the time and software manufacturers are not always quick to develop fixes. Adobe was alerted to a new zero-day vulnerability a few days ago, yet they only just released a fix. During that time, the vulnerability could have been exploited using exploit kits. Cybercriminal gangs are quick to incorporate new zero-day vulnerabilities into their exploit kits and do so faster than software companies can release fixes. Ensuring all updates are installed promptly is a great way to reduce the risk of malware infections from websites, but additional measures need to be taken.

If you really want to improve your – or your company’s – security posture and really reduce the risk of malware infections from websites, you should use a web filtering solution. This is particularly important for businesses to ensure that employees do not inadvertently compromise the network. It can be difficult to ensure that all devices used to connect to the network are kept 100% up to date, 100% of the time.

A web filtering solution can be configured to block malvertising, blacklists can be used to prevent compromised websites from being accessed, and malware downloads can be prevented. Along with good patch management practices, it is possible to effectively reduce the risk of malware infections from websites.
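The compromised-iframe redirect described above (a hidden frame injected into a legitimate page that pulls in an exploit kit landing page) and the blocklist-based web filtering recommended here can be illustrated with a small inspection routine. The following is an added example written for this page, not code from any product or from the sites mentioned; the blocklist entries, the sample page and the hostnames in it are all constructed placeholders. It parses the HTML a filtering proxy would see, flags any iframe whose source domain (or parent domain) is on the blocklist, and flags off-site iframes that are hidden or sized to one pixel or less, which is the usual shape of an injected redirect.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist of domains (placeholders, not real indicators).
BLOCKLIST = {"exploit-kit-landing.example", "malvertising-redirect.example"}

# Constructed sample page: one legitimate same-site embed, one hidden iframe
# pointing at a blocklisted domain, one zero-sized iframe pointing at an
# unknown off-site host, and one ordinary visible third-party ad frame.
SAMPLE_HTML = """
<html><body>
<h1>Gossip of the day</h1>
<iframe src="https://www.gossip-site.example/embed/video1" width="640" height="360"></iframe>
<iframe src="http://cdn.exploit-kit-landing.example/gate.php" width="1" height="1" style="display: none"></iframe>
<iframe src="http://unknown-host.example/x" width="0" height="0"></iframe>
<iframe src="https://partner-ads.example/banner" width="300" height="250"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Injected frames are usually invisible: CSS-hidden or at most one pixel in size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:
        return False  # percentage or other non-numeric sizes: treat as visible
    return width <= 1 or height <= 1


def _domain_blocked(host, blocklist):
    """True if the host or any parent domain is blocklisted (a.b.evil.example -> evil.example)."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def analyse_page(html, page_host, blocklist=BLOCKLIST):
    """Return (reason, src) findings for every suspicious iframe on the page."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and _domain_blocked(host, blocklist):
            findings.append(("blocklisted-src", src))
        elif host and host != page_host and _is_hidden(attrs):
            findings.append(("hidden-external-iframe", src))
    return findings


def should_block(html, page_host, blocklist=BLOCKLIST):
    """Filtering decision: block the page if any suspicious iframe was found."""
    return bool(analyse_page(html, page_host, blocklist))


if __name__ == "__main__":
    for reason, src in analyse_page(SAMPLE_HTML, "www.gossip-site.example"):
        print(f"{reason}: {src}")
    print("block page:", should_block(SAMPLE_HTML, "www.gossip-site.example"))
```

The blocklist match walks up the domain hierarchy so that a fresh subdomain of a known bad domain is still caught, while the hidden-iframe heuristic catches redirects to hosts that are not yet on any list; together they correspond to the two layers (blacklists and malvertising blocking) the text recommends.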

Adobe and Microsoft Issue Updates to Address Actively Exploited Security Vulnerabilities

This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical.

The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits.

Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, which, if exploited, would allow an attacker to gain the same level of privileges as the current user. The flaw could be used to take control of the entire system. The exploit could be used to install new programs on the device, create new accounts, or modify or delete data. The update modifies the functioning of JScript and VBScript, changing how they handle objects in the computer’s memory.

The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability.

The MS16-052 security update tackles a vulnerability in Microsoft Edge and similarly changes how objects in memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.

Bulletin MS16-054 is also a priority update to patch critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and IE, Microsoft has started issuing updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to have been exploited in the wild, it will not be long before they are included in exploit kits.

Microsoft may have fixed its actively exploited security vulnerabilities, but despite Adobe issuing patches for Acrobat, ColdFusion, and Reader on Tuesday, Flash remains vulnerable to attack. Adobe has yet to issue a patch for an actively exploited Flash security vulnerability (CVE-2016-4117) that affects version 21.0.0.226 and all earlier versions of the platform. This vulnerability has been included in exploit kits and can be used to take control of devices. In total, Adobe fixed 92 separate vulnerabilities in its Tuesday update.
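A practical check that follows from the paragraph above is an inventory query for hosts still running Flash at version 21.0.0.226 or earlier. The following is an added example written for this page, not code from Adobe or from any patch-management product; the threshold 21.0.0.226 is the figure stated above, while the inventory rows, hostnames and every other version number are constructed. The point it makes that the text does not is that dotted version strings must be compared field by field as integers: compared as plain strings, "21.0.0.9" sorts after "21.0.0.226" and a vulnerable host would be missed.

```python
import csv
import io

# Affected range stated in the text: this version and all earlier ones.
AFFECTED_FLASH_MAX = "21.0.0.226"

# Constructed inventory export (hostnames and versions other than the
# threshold are made up for the example).
INVENTORY_CSV = """\
host,product,version
ws-01,Adobe Flash Player,21.0.0.226
ws-02,Adobe Flash Player,21.0.0.9
ws-03,Adobe Flash Player,21.0.0.300
ws-04,Adobe Flash Player,19.0.0.207
ws-05,Adobe Reader,11.0.10
"""


def parse_version(text):
    """Turn '21.0.0.226' into the tuple (21, 0, 0, 226)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_most(version, threshold):
    """True if version <= threshold, comparing numerically field by field.

    Shorter strings are padded with zeros so '21.0' compares as '21.0.0.0'.
    """
    a, b = parse_version(version), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def hosts_needing_flash_patch(inventory_csv, threshold=AFFECTED_FLASH_MAX):
    """Return hosts whose Flash Player version is within the affected range."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        row["host"]
        for row in rows
        if row["product"] == "Adobe Flash Player"
        and version_at_most(row["version"], threshold)
    ]


if __name__ == "__main__":
    print("hosts still exposed:", hosts_needing_flash_patch(INVENTORY_CSV))
```

The same comparison routine works for any product whose versions are dotted integers, so the query can be repeated for each of the Adobe and Microsoft components named in this article once the fixed version for each is known.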

Between Microsoft and Adobe, 143 vulnerabilities have been addressed this week. With hackers quick to add the vulnerabilities to website exploit kits, it is essential that patches are installed rapidly. These actively exploited security vulnerabilities also highlight the importance of using a web filtering solution to prevent users from visiting compromised websites where the vulnerabilities can be exploited.