titanadmin - Page 10
by titanadmin | Aug 3, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.
Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.
284% Increase in Email Account Compromises in a Year
The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.
Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?
It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.
By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.
If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.
Once One Account is Breached, Others Will Follow
If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.
Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.
Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.
Email Account Compromises Are Costly to Resolve
Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.
Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.
Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.
How to Prevent Email Account Compromises
Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.
To prevent phishing attacks, companies need to:
- Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
- Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
- Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
- Implement two-factor authentication to prevent attempts to access email accounts remotely
- Implement a web filter as an additional control to block the accessing of phishing websites
- Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
- Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.
by titanadmin | Jul 31, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.
UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.
That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.
The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.
The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.
A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.
The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.
This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.
The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.
As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.
by titanadmin | Jul 30, 2018 | Network Security |
A massive cryptocurrency mining campaign has been uncovered by security researchers at Kaspersky Lab – A campaign that has resulted in the creation of a vast network of devices infected with PowerGhost malware.
PowerGhost malware is being installed on all manner of devices including servers, endpoints, and POS devices. Once infected, each device generates a small amount of a cryptocurrency each day by using the device’s processing power to solve complex computational problems.
While a single device can be used to mine a few dollars of cryptocurrency each day, the returns are significant when the attackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining slaves.
Once a device is infected, the cryptocurrency mining tool is downloaded and gets to work. A portion of an infected device’s processing power is then dedicated to mining cryptocurrency until the infection is identified and the malware is removed. PowerGhost malware also spreads laterally to all other vulnerable networked devices.
What makes PowerGhost such a difficult threat to detect is the fact that it doesn’t use any files, instead it is capable of mining cryptocurrency from the memory. PowerGhost is an obfuscated PowerShell script that includes various add-on modules, including the cryptocurrency mining component, mimikatz, and the DLLs required for the operation of the miner. Various fileless techniques are used to infect devices, ensure persistence, and avoid detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to allow it to spread across a network to other vulnerable devices. Attacks are occurring through the exploitation of unpatched vulnerabilities and through remote administration tools.
PowerGhost malware is primarily being used in attacks on companies in Latin America, although it is far from confined to this geographical region with India and Turkey also heavily targeted and infections detected in Europe and North America.
Companies are being targeted. If a foothold can be gained in a corporate network, hundreds, thousands or tens of thousands of devices can be infected and used for cryptocurrency mining. The potential rewards for a successful attack on a medium to large enterprise is substantial.
In addition to cryptocurrency mining, Kaspersky Lab researchers note that one version of the PowerGhost malware is capable of being used for DDoS attacks, offering another income stream for the cybercriminal gang behind the campaign.
Prompt patching, disabling of remote desktop protocol, and the setting of strong complex passwords can help to protect against this PowerGhost malware campaign.
by titanadmin | Jul 26, 2018 | Email Scams, Industry News, Network Security, Phishing & Email Spam, Spam Software, Website Filtering |
One of the world’s biggest shipping firms – Cosco – has experienced a ransomware attack that has seen its local email system and network telephone in the Americas taken out of action as the result of widespread file encryption.
The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.
The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that that attack has not affected any of its vessels which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S ports are experiencing delays processing documentation and delivery orders.
It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.
The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.
Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware. While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).
Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.
Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.
To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.
Additionally, systems should be implemented to detect anomalies such as excessing file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.
Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.
by titanadmin | Jul 25, 2018 | Email Scams, Phishing & Email Spam |
The National Bank of Blacksburg in Virginia has discovered just how important it is to have effective controls in place to protect against phishing. The bank suffered two costly phishing attacks in the space of eight months that have resulted in losses exceeding $2.4 million.
Phishing is the leading tactic used by cybercriminals to gain access to login credentials, steal data, and install malware. Emails are sent to employees with malicious attachments, which if opened, result in the installation of malware. Alternatively, links are sent in emails that direct employees to fraudulent websites where they are fooled into disclosing their login credentials.
The first attack on Blacksburg Bank took place on May 28, 2016. Malware was installed on its systems which gave the attackers access to the STAR Network – The system that manages debit card ATM activity. After gaining access to the STAR Network, the hackers were able to change account balances, remove security measures such as anti-theft and anti-fraud protections, conduct keystroke logging, and authorize withdrawals from customers’ accounts via ATMs.
In the two days that the hackers had access to the system, they were able to make withdrawals at hundreds of ATMs across the country and stole $569,648.24 from customers’ accounts. This was possible without stealing customers cards or using skimmers to create fake bank cards.
The malware was detected on May 30, 2016 and the attack was investigated by the computer forensics firm Foregenix which determined that the malware was installed as a result of an employee being duped by a phishing email.
Eight months later, on January 7, 2017, a similar attack occurred which involved cybercriminals gaining access to the STAR Network. Similarly, access was possible for two days, although in this case approximately $1.8 million was withdrawn from customers’ accounts. Verizon investigated the breach and concluded that access was gained as a result of an employee falling for a phishing scam.
The National Bank of Blacksburg holds an insurance policy against cyberattacks although its insurer, Everest National Insurance Company, has refused to cover the losses. Blacksburg is now suing its insurer for breach of contract.
What these incidents show is just how easy it is for major losses to be suffered as a result of employees falling for phishing scams and the importance of having robust anti-phishing measures in place.
There is no single solution that will provide total protection against phishing, although a good place to start is with an advanced anti spam service such as SpamTitan.
SpamTitan uses dual antivirus engines (Bitdefender and ClamAV) that provides superior protection against phishing and block emails containing malware and malware downloaders. The solution performs multiple checks on each incoming email to determine whether it is genuine, spam, or malicious, including standard checks of email headers, a Bayesian analysis on message content, and greylisting. Together, these controls ensure 99.97% of spam emails are detected and blocked, with a false positive rate of just 0.03%. Independent tests at Virus Bulletin have confirmed a 100% malware detection rate.
No anti-spam solution will block 100% of all spam and phishing emails so it is essential for employees to be trained how to recognize phishing emails. While it was once a best practice to provide annual training, with the volume of phishing emails now being sent and the increased sophistication of attacks, an annual training session is no longer sufficient.
Training needs to be ongoing, with regular training sessions scheduled throughout the year and employees conditioned through phishing simulation exercises. With effective spam filtering and employee security awareness training, the majority of phishing attempts can be thwarted.
by titanadmin | Jul 19, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam |
In 2017, data breach mitigation costs fell year-on year; however, that appears to be a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed data breach mitigation costs have risen once again.
The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.
Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.
The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.
The costs associated with those data breaches was analyzed using the activity-based costing (ABC) methodology. The ABC methodology identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.
The study also revealed measures taken prior to the breach, during, and after, that can limit losses or increase data breach mitigation costs.
Average Data Breach Mitigation Costs Have Reached $3.86 Million
A data breach now costs an average of $3.86 million to revolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.
On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.
In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.
Data breaches cost more to resolve in the United States than any other country. The average data breach mitigation costs in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost was $1.77 million. The highest per capita costs were also in the United States at £233 per record.
Hackers and malicious insiders caused the most breaches and they were also the costliest to resolve at $157 per record. System glitches cost an average of £131 per record and breaches caused by human error cost the least at $128 per record.
Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.
The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.
What Factors Affect Data Breach Mitigation Costs the Most?
For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The most important cost saving measures that can be taken to reduce the cost of a data breach are having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record) and use of an artificial intelligence platform ($8.2 less per record).
The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).
With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.
Companies need to assume a breach will be experienced and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone known what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.
by titanadmin | Jul 12, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Website Filtering |
There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favoring this method of attack over ransomware and other forms of malware and are taking advantage of the high value of cryptocurrencies.
As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files like ransomware, the code is used to mine for cryptocurrency. Mining cryptocurrencies involves a computers CPU being used to solve complex computational problems, which are necessary for verifying cryptocurrency transactions and adding to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.
Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.
Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has got around this by developing malware that can decide whether to deploy a cryptocurrency miner or ransomware, with the decision based on the processing power of the computer. If its not suitable for use mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.
The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months. Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.
Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.
Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.
Cryptojacking attacks are more widespread, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these mining operations are legitimate, computers are being used by students to mine cryptocurrency, or if educational institutions are being targeted.
One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.
It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.
Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.
Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.
Additionally, security audits should be conducted, first to scan for the presence of cryptojacking malware, which includes searching for anomalies that could indicate the presence of the malware. Those audits should include servers, end points, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.
by titanadmin | Jul 6, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.
Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.
This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.
However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.
The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.
The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.
When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.
If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.
If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.
Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.
by titanadmin | Jul 5, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.
Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.
Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.
In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.
That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.
The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.
The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.
In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.
The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.
While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.
Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.
In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.
2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.
Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.
An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.
Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.
An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.
The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.
For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.
by titanadmin | Jun 29, 2018 | Internet Security, Network Security, Website Filtering |
A recent survey of members of the Spiceworks community investigated the use of web filtering by businesses and the effect of web filtering on security and productivity. The survey was conducted on 645 members of its professional network based in the United States and Europe from a wide range of industries including healthcare, finance, and manufacturing.
Web filtering is an important security control that can provide an additional layer of protection against malware and phishing attacks. Web filters can also be used to improve the productivity of the workforce by limiting access to certain types of websites. The Internet can help to improve productivity, although it can also prove a temptation for workers and a major distraction. When a complicated report must be produced, cat videos can be especially tempting.
The survey sought to find out more about the effect of web filtering on security and productivity, how web filters are being used by businesses, the amount of time that employees are wasting on personal Internet use, and the types of websites that businesses are blocking to improve productivity.
Web Filtering is Used by the Majority of Businesses
The survey revealed widespread use of web filters by businesses. Overall, 89% of organizations have implemented a web filter and use it to block certain types of productivity-draining Internet content such as social media websites, dating sites, gambling sites, and streaming services.
The larger the business, the more likely it is that Internet content control will be implemented. 96% of large organizations (1,000+ employees) use web filters to limit employee Internet activity. The percentage drops to 92% for mid-sized businesses (100-999 employees) and 81% for small businesses (up to 99 employees). 58% of organizations said they use a web filtering solution to monitor Internet use by employees.
The survey asked IT professionals who have not implemented a web filtering solution how many hours they think employees are wasting on personal Internet use each week. 58% of employees were thought to waste around 4 hours a week on personal internet use and around 26% of workers spend more than 7 hours a week on non-work-related websites. Without a web filter, most employees will spend around 26 days a year on personal Internet use which, based on average earnings, corresponds to $4,500 paid per employee to slack off on the Internet.
Compare that to the figures for companies that restrict access to at least one category of website and the percentages fall to 43% of employees spending more than 4 hours a week on personal Internet use and 18% who spend more than 7 hours a week on non-work-related websites. The biggest drain of productivity was social media sites, with the figures falling to 30% of employees spending more than 4 hours a week on non-work-related sites when social media sites were blocked.
What are the Most Commonly Blocked Websites?
How are web filters used by businesses and what types of website are most commonly blocked? Unsurprisingly, the most commonly blocked websites were illegal sites and inappropriate sites (pornography for example). Both categories were blocked by 85% or organizations.
After that, the most commonly blocked category of content was dating sites – blocked by 61% of organizations. Businesses are more permissive about the use of social media websites, with only 38% blocking those sites, while instant messaging services were blocked by 34% of organizations. Even though they can be a major drain on bandwidth, streaming services were only blocked by 26% of companies.
What are the Main Reasons for Implementing a Web Filter?
While Internet content control – in some form – has been implemented by the majority of companies, it was not the main reason for implementing a web filter. Money could be saved by improving productivity, but the biggest reason for implementing a web filter was security. 90% of businesses said they had implemented a web filter to protect against malware and ransomware infections and with good reason: Inappropriate Internet access leads to data breaches.
38% of surveyed companies said they had experienced a data breach in the past 12 months as a result of employees visiting non-work-related websites, most commonly webmail services (15%) and social media sites (11%).
Other reasons for implementing a web filter were to block illegal activity (84%) and discourage inappropriate Internet access (83%). 66% of organizations use a web filter to avoid legal liability while 57% used web filters to prevent data leakage and block hacking.
Web Filtering from TitanHQ
TitanHQ has developed an innovative web filtering solution for businesses that helps them improve their security posture, block malware downloads, prevent employees from visiting phishing websites, and limit personal Internet use.
WebTitan Cloud is a 100% cloud-based web filtering solution that can be easily implemented by businesses, without the need for any hardware purchases or software downloads. The solution has excellent scalability, is cost effective, and easy to configure and maintain.
The solution provides Internet content control and malware protection regardless of the device being used to access the Internet and the solution can provide malware protection and allow content control for on-site and remote workers.
Granular controls ensure accurate content filtering without overblocking, time-based filters can be set to restrict access to certain websites at busy times of the day, and different policies can be applied at the organization, department, group, or individual level.
If you have not yet implemented a web filtering solution, are unhappy with your current provider or the cost of your solution, contact the TitanHQ team today and find out more about WebTitan.
by titanadmin | Jun 28, 2018 | Internet Security, Phishing & Email Spam |
A database of U.S. consumer information has been left unsecured online by the marketing firm Exactis. At 340 million records, this is the largest data breach of 2018.
The Largest Data Breach of 2018 by Some Distance
You will probably be unaware of the existence of the Palm Coast, FL-based data broker Exactis, but chances are the firm has heard of you. The firm holds 3.5 billion consumer, business and digital records while its email database contains 500 million consumer emails and 16 million business emails.
One database maintained by the firm contains around 340 million records, including 230 million consumer records and 110 million records of businesses. That database was recently discovered to have been left exposed on the Internet. The database could be accessed without any authentication. Anyone who knew where to look would have been able to access the database. At least one person did.
Security researcher Vinny Troia who runs NightLion Security, a New York consultancy firm, was searching online for instances of Elasticsearch databases. Troia was curious about the security of the databases as they are designed to be easily queried over the Internet. Troia searched for the databases using the search engine Shodan. Shodan is a search engine that allows people to find specific types of computers that are connected to the Internet.
Troia discovered more than 7,000 Elasticsearch databases that were visible on publicly accessible servers with U.S. IP addresses and set about determining which, if any, had data exposed on the Internet. He wrote a script that queried those databases and searched for keywords that would indicate they contained sensitive information – fields such as date of birth.
2 Terabytes of Data Exposed
One database stood out due to the amount of data it contained – around 2 terabytes of data. The database was not protected by a firewall and could be accessed without authentication. The database was discovered to contain huge numbers of detailed records about consumers. Troia noted, “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”
He discovered the records contained up to 150 data fields, with highly detailed information on consumers including names, addresses, phone numbers, email addresses and descriptions of the person, including information such as the estimated value of their home, hobbies, mortgage provider, ethnic group, whether the individual owns any stock, their religion, if they have made political donations, number of children, people in the household, whether they are smokers, if they own any pets…the list goes on and on.
While the database did not contain Social Security numbers or financial information, the data could be used by scammers in spear phishing campaigns, telephone scams and social engineering attacks. Around half the records contained email addresses, making it particularly valuable to spammers.
Troia said he is certainly not the only person who has searched for Elasticsearch databases, and the database was easy to find using Shodan: A popular search engine with white hat and black hat hackers. It is unknown whether anyone else found the database, but Troia explains that it would not be hard for anyone to find it. He could not be sure how long the database had been exposed online, but said it was at least 2 months.
After identifying an IP address which he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. Troia also alerted the FBI. Exactis made contact with Troia and the database has now been secured and is no longer accessible.
At 340 million records, this the largest data breach of 2018 and one of the largest breaches ever discovered. The breach is more than twice the size of the Experian data breach of last year, although not on the scale of the Yahoo data breach that contained around 3 billion records. However, the types of information exposed potentially make the breach far more serious than Yahoo’s.
A database containing such detailed information on consumers should not have been left exposed. Safeguards should have been in place to alert the company that security protections had either been turned off or had not been implemented.
This security breach certainly stands out in terms of scale, but it is sadly only one of many that have been identified in recent months involving databases left freely accessible over the Internet.
by titanadmin | Jun 26, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).
In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.
2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.
Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.
Business Email Compromise Scams – The Main Cause of Losses in 2017
More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.
Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.
BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.
Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information. These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.
Phishing Extensively Used in Internet Crime
Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.
The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.
Ransomware Attack Mitigation Proves Expensive
In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.
Tech Support Fraud Losses Increased by 90%
Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.
These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.
Protecting Against Internet Crime
One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.
Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.
A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.
These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.
by titanadmin | Jun 25, 2018 | Email Scams, Phishing & Email Spam, Spam News, Spam Software |
UK users are being targeted with a fake WannaCry ransomware alert threatening file encryption if a ransom demand is not paid.
Fraudsters Claim WannaCry is Back!
In May last year, WannaCry ransomware attacks brought many companies to a standstill, with the UK’s National Health Service (NHS) a notable victim. Now, a little more than a year later, a new WannaCry ransomware campaign is being run, or so the sender of a batch of phishing emails claims.
Email recipients are told “WannaCry is back!” and are warned that their devices have been hacked and ransomware has been installed.
Email recipients are warned that the threat actors have perfected their ransomware and this time around antivirus software and firewalls will not prevent file encryption. Further, recovery will not be possible if the ransom is not paid.
Failure to pay, or any attempt to try to remove the ransomware without paying the ransom demand will result in permanent file deletion. Further, the ransomware can propagate and infect the local network, cloud data, and remote devices, regardless of operating system.
Email recipients are told that the ransomware has already been deployed and payment of a ransom of 0.1 Bitcoin – Around $650 – must be made to stop the attack. Email recipients are given just 24 hours to pay the ransom before data are permanently deleted.
The email is signed by WannaCry-Hack-Team, and so far, more than 300 copies of the message have been reported to the UK government’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.
A Phishing Scam that Preys on WannaCry Fears
There are some signs that the email is not a genuine threat, and instead is just preying on fears about another WannaCry style attack.
Ransomware attackers encrypt data then ask for a ransom to unlock files. They do not send a warning saying they will encrypt data if a ransom is not paid. That tactic may be used by some DDoS attackers, but not by ransomware threat actors.
Email recipients are told that this version of WannaCry will work on “any version of Windows, iOS, Android, and Linux.” The original version of WannaCry took advantage of a vulnerability in Windows Server Message Block. WannaCry only affected vulnerable Windows devices that had not been patched. The ransomware was not a threat on other operating systems.
Phishing campaigns often include spelling mistakes in the subject line and message body and this email is no different. The subject line is – “Attantion WannaCry”.
This is simply a phishing campaign that attempts to extort money from the recipient. No ransomware has been installed and the attackers cannot encrypt any files.
If you receive such a message threatening file encryption unless you pay a ransom, report the message to Action Fraud (UK), US-CERT (phishing-report@us-cert.gov) in the United States, or the government Fraud and Cyber Crime agency in your country of residence and delete the email and do not pay any Bitcoin ransom.
Of course, not all ransomware threats are as benign as this and many attackers will be able to encrypt your data. To protect against real ransomware threats ensure you create multiple backups of your files, deploy a spam filtering solution, ensure your operating system and all software are kept up to date, and keep your anti-virus protection up to date.
by titanadmin | Jun 14, 2018 | Email Scams, Phishing & Email Spam, Spam News |
A new type of ransomware attack could be on the horizon. The attack method, termed ransomcloud, was developed by a white hat hacker to demonstrate just how easy it is to launch an attack that results in cloud-based emails being encrypted.
A successful attack will see the attacker gain full control of a cloud-based email account, allowing them to deploy a ransomware payload that encrypts all emails in the account. This method could also be used to gain full control of the account to use for spamming and other malicious purposes.
The attack works on all cloud-based email accounts that allow third party applications account access via OAuth, which includes Gmail and Office 365 accounts.
The ransomcloud attack starts with a phishing email. In this example, the message appears to have been sent by Microsoft offering the user the opportunity to sign up and use a new email spam filtering service called AntiSpamPro. The email includes the Microsoft logo and appears to be a new Microsoft service that provides the user with better spam protection.
In order to take advantage of this service, the user is required to click a hyperlink in the email to give authorization for the new service to be installed. Clicking the link will result in a popup window appearing that requires the user to authorize the app to access their email account.
Such a request is perfectly reasonable, as an app that offers protection against spam would naturally require access to the email account. Emails would need to be read in order for the app to determine whether the messages are genuine or spam. Clicking on ‘accept’ would give the attacker full control of the email account via an OAuth token. If access is granted, the user loses control of their email account.
In this example, ransomware is installed which encrypts the body text of all emails in the account. An email then appears in the inbox containing the ransom note. The user is required to pay a ransom to regain access to their emails.
Additionally, the attacker could claim the email account as their own and lock the user out, send phishing emails to all the user’s contacts, access sensitive information in emails, use email information to learn about the individual to use in future attacks such as spear phishing campaigns to gain access to their computer.
The ransomcloud attack method is astonishingly simple to pull off and could be adopted by cybercriminals as a new way of extorting money and gaining access to sensitive information.
by titanadmin | Jun 14, 2018 | Internet Security, Network Security, Website Filtering |
TitanHQ, the award-winning provider of email and web security solutions to SMBs, has partnered with the networking giant Datto. The partnership has seen TitanHQ integrate its cutting-edge cloud-based web filtering solutions – WebTitan Cloud and WebTitan Cloud for Wi-Fi – into the Datto networking range.
Datto was formed in 2007 and fast became the leading provider of MSP-delivered IT solutions to SMBs. The company selects the best products and tools for its MSP partners to allow them to meet the needs of their clients and improve their bottom lines.
The company’s solutions include data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, remote monitoring and management tools, and a wide range of security solutions.
Now that TitanHQ’s DNS-based web filtering solutions have been included, MSPs can offer their clients even greater protection from malware and phishing threats.
WebTitan Cloud and WebTitan Cloud for WiFi use a combination of AI-based services and human-supervised machine learning to block Internet-based threats. The solutions provide real-time protection against malicious URLs and phishing sites by preventing end users from visiting malicious webpages. The solutions also allow companies to carefully control the Internet content that can be accessed through their wired and wireless networks.
The MSP-friendly solutions can be rapidly deployed by MSPs, without the need for site visits, software installations or additional hardware purchases. The multi-tenant solutions allow all client deployments to be managed through a single, intuitive administration console and can be configured in minutes.
MSPs are also offered multiple hosting solutions, including hosting WebTitan in their own environment, and the solutions can be provided in full white-label format.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
TitanHQ is a sponsor of the upcoming DattoCon 2018 conference – The largest MSP event in the United States. The full TitanHQ team will be in attendance and Datto’s MSP partners can come and meet the team and see WebTitan in action.
In addition to showcasing WebTitan Cloud, MSPs will also be able to find out more about SpamTitan – TitanHQ’s 100% cloud-based spam filtering solution, and ArcTitan – Its MSP-friendly email archiving solution.
DattoCon 2018 runs from June 18-20 in Austin, Texas at the Fairmont Austin Hotel. The TitanHQ team will be at booth #66 in the exhibition hall for all three days of the conference.
by titanadmin | Jun 11, 2018 | Internet Security, Network Security |
A recent study of commonly used passwords by Dashlane/Virginia Tech has revealed some of the worst passwords of 2018.
For the study, Virginia Tech researchers provided Dashlane with an anonymized copy of 61.5 million passwords. The password list was created from 107 individual lists of passwords available on forums and in data archives, many of which have come from past data breaches.
The analysis of the list revealed many common themes. These include the names of favorite sports teams: In the UK, common password choices were liverpool, chelsea and arsenal – the leading soccer teams in the premier league.
Popular brand names were also chosen, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those sites.
Bands and movie references were often used, with Spiderman, superman, starwars, and pokemon all common choices as were expressions of frustration – a**hole, bull****, and f***you were often chosen.
The Dashlane report shows that despite warnings about the risk of using easy-to-remember passwords, end users are still choosing weak passwords. One particularly worrying trend is the use of seemingly secure passwords, which are anything but secure.
1q2w3e4r5t6y and 1qaz2wsx3edc may appear to be relatively secure passwords; however, how they are created makes them easy to guess. They are certainly better than “password” or letmein” but not by much.
The passwords are created by a process that Dashlane calls password walking – the use of letters, numbers, and symbols next to each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same technique is used with the incorporation of capital letters and symbols.
The study shows that even though many companies require end users to set strong passwords, employees ignore password advice or choose passwords that pass security checks but are really not that secure.
What Makes a Good Password?
A good password will not be in the dictionary, will not use sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be a minimum of 8 characters and should be unique – never used before by the user, and never reused on a different platform.
Passwords should include at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 letters. Add in capitals and the possible options double to 52. There are 10 digits, increasing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to guess. However, randomly generated passwords are also particularly difficult to remember.
Recently, that problem has been recognized by the National Institute of Standards and Technology (NIST), which has revised its advice on passwords (See special publication 800-63B).
While the use of random strings of characters and symbols makes passwords particularly difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have trouble remembering their passwords and that leads to particularly risky behaviors such as writing the password down or storing it in a browser.
NIST now suggests the use of longer passphrases rather than passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for example. Passphrases are more user-friendly and easier to remember, but are still secure – provided a sufficient number of characters are used. If passphrases are encouraged rather than difficult to remember passwords, end users will be less likely to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.
The minimum number of characters can be set by each organization, but rather than restricting the characters at 16, companies should consider expanding this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.
Since some end users will attempt to set weak passwords, it is important to incorporate controls that prevent commonly used passwords from being chosen. Each password choice should be checked against a blacklist before it can be set.
Version française de cet article.
by titanadmin | Jun 8, 2018 | Email Scams, Network Security, Spam Advice, Spam News |
A new spam campaign has been identified that uses Excel Web Query files to deliver malware. In this case, the .iqy files are used to launch PowerShell scripts that give the attackers root access to a device. .iqy files are not usually blocked by spam filters, making the technique effective at silently delivering malware.
The spam emails are being delivered via the Necurs botnet. Three spam campaigns have been detected by Barkly that use these attachments, although further campaigns are almost certain to be launched.
Excel Web Query files obtain data from an external source and load it to Excel. In this case, the external data is a formula which is executed in Excel. The formula is used to run PowerShell scripts which, in at least one campaign, downloads a Remote Access Trojan (RAT) called FlawedAmmyy Admin – a tweaked legitimate remote administration tool that gives the attacker full control of a computer, allowing any number of malicious programs to be installed.
The emails masquerade as purchase orders, unpaid invoices, and scanned documents – Common themes used in spam emails to deliver malware. These spam email campaigns often use Word documents with malicious macros. Macros are usually disabled by default. Through security awareness training, end users have been conditioned not to enable macros on documents from unknown senders, thus preventing malware downloads.
Since most end users will not be used to receiving .iqy files, these attachments should arouse suspicion. Microsoft has also built in warnings to prevent these files from being run by end users. If an end user attempts to open one of these files it will trigger a warning alerting the user that the file may not be safe as it enables an external connection. The end user would be required to click enable before the connection is made and data is pulled into Excel. A second warning would then be displayed, again requiring authorization. Only if both warnings are ignored will the script be allowed to run that downloads the malicious payload.
There are two steps you can take to protect your endpoints and networks from these types of attacks. The first is to configure your email spam filter to quarantine any emails containing .iqy attachments. SpamTitan allows certain attachment types to be blocked such as executable files and iqy files. You can set the policy to quarantine, reject, or delete the emails. Since these types of files are not usually sent via email, rejecting the messages or deleting them is the safest option.
You should also cover the use of these files in your security awareness training sessions and should consider sending an email alert to end users warning them about the threat.
Further information on steps you can take to prevent malware infections spread via email can be found in our anti-spam tips page. You can find out more about the capabilities of SpamTitan by calling the sales team:
- USA: +1 5859735070
- UK/EU: +44 (0)2476993640
- Ireland: +353 91 545555
- Mid East: +971 4 3886998
by titanadmin | May 30, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.
World Cup 2018 Phishing Scams Detected!
The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.
Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.
Fake Tickets and Fake Touts
With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.
Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.
Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.
Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.
Competition Scams
Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.
Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners
Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.
Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.
Cheap Travel Accommodation Scams
Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.
These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.
Team and Match News and World Cup Gossip
As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.
How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam
These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.
Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:
- Only buy tickets from the official FIFA website
- Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
- Never buy products or services advertised in spam email
- Never opening attachments in World Cup-themed emails from unknown senders
- Do not click hyperlinks in emails from unknown senders
- Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
- Ensure all software, including browsers and plugins, is patched and kept fully up to date
- Ensure anti-virus software is installed and is kept up to date
- Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
- Stay alert – If an offer seems to good to be true, it most likely is
by titanadmin | May 28, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software |
The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.
The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.
The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.
43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.
While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.
The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.
The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.
Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.
The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.
TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.
WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware. Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.
There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.
by titanadmin | May 26, 2018 | Email Scams, Internet Security, Phishing & Email Spam, Spam Advice, Spam News |
According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.
A Nightmare Scenario for TSB Customers
The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.
While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.
Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.
Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.
TSB Phishing Scams Soar
The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.
TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.
The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.
Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.
According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.
With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.
by titanadmin | May 25, 2018 | Industry News, Internet Security, Network Security |
Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.
The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.
For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.
When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.
Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.
The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.
It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.
Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.
The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.
While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).
by titanadmin | May 24, 2018 | Internet Security, Network Security |
A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.
VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.
The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.
The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.
Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.
While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.
While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.
While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.
The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.
Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.
Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.
Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.
Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.
by titanadmin | May 17, 2018 | Email Scams, Phishing & Email Spam, Spam News |
Several GDPR phishing scams have been detected in the past few days as scammers capitalize on the last-minute rush by companies to ensure compliance ahead of the May 25, 2018 GDPR deadline. Be wary about any GDPR related email requests – they may be a scam.
GDPR Provides Scammers with a New Opportunity
You will probably already be sick of receiving email requests from companies asking if they can continue sending you emails, but that is one of the requirements of GDPR. GDPR requires consent to be obtained to use – or continue to use – personal information. With previous privacy policies failing to comply with the new EU law, email requests are being sent to all individuals on mailing lists and those who have previously registered on websites to re-obtain consent.
All companies that have dealings with EU residents are required to comply with GDPR, regardless of their location. Emails are therefore being sent from companies far and wide. Consumers are receiving messages from companies that they may have forgotten they had dealings with in the past. If personal data is still on file, email requests are likely to be sent asking for permission to retain that information.
The masses of emails now being sent relating to GDPR has created an opportunity for scammers. GDPR phishing scams have been developed to fool users into revealing sensitive information under the guise of GDPR related requests. There have been many GDPR phishing scams identified in recent weeks. It is ironic that a regulation that aims to improve privacy protections for EU residents is being used to violate privacy.
Apple Spoofed in New Phishing Scam
Phishers often spoof large, familiar brands as there is a greater chance that the recipient of the message will have an account with that company. The most popular global brands – Netflix, PayPal, Apple, and Google are all commonly impersonated.
These impersonation scams can be highly convincing. A request is sent via email that seems perfectly reasonable, the emails appear to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails contain branding and images which are familiar, and the messages can be almost indistinguishable from genuine communications.
The aim is to get users to click on an embedded hyperlink and visit the company’s website and login. There is usually an urgent call to action, such as a security alert, threat of account closure, or loss of services.
Apple is one such brand that has recently been impersonated in GDPR phishing scams. The aim of the attackers is to get Apple customers to login to a fake site and disclose their credentials. Once the credentials have been obtained, the scammers have access the user’s account, which includes financial information, credit card details, and other personal information.
Airbnb GDPR Phishing Scams Detected
Redscan has detected Airbnb GDPR phishing scams recently. Users of its home sharing platform are required to update their contact details due to GDPR law in order to continue to use the platform. The request is entirely reasonable given so many companies are sending similar emails.
The emails claim to be from Airbnb customer service, contain the correct images and branding, and direct users to a familiar looking website that differs only in the domain name. Users are asked to re-enter their contact information and payment card details.
Watch Out for GDPR Phishing Scams
These scams are just two of several. More can be expected over the coming days in the run up to the compliance deadline and beyond. To avoid falling for the scams, make sure you treat all GDPR-related requests as potentially suspicious.
The easiest way to avoid the scams is to visit the website of the brand by typing the correct address directly into the browser or using your usual bookmark. It should be clear when you login if you need to update your information because of GDPR.
by titanadmin | May 10, 2018 | Internet Security, Network Security, Website Filtering |
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
by titanadmin | May 2, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software, Website Filtering |
Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.
School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.
The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.
School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.
In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.
Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.
Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.
There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.
Some of the most important defenses include:
- An advanced firewall to defend the network perimeter
- Antivirus and anti-malware solutions on all endpoints/servers
- Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
- An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
- Disable RDP if it is not required
- Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
- A web filtering solution capable of blocking access to malicious websites
The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.
by titanadmin | Apr 27, 2018 | Industry News, Internet Security, Network Security |
The cost of the Equifax data breach has risen to more than $242 million, and that figure will continue to rise and could even double.
According to the Equifax financial report for the first quarter of 2018, the total spent on mitigation and preventative measures to avoid a further security breach is now $242.7 million.
The breach, which was made public in September 2017, affected 147.9 million customers, making it one of the largest data breaches ever discovered and certainly one of the most serious considering the types of data involved. Yahoo may have experienced much larger breaches, but the data exposed in those incidents was far less sensitive.
Fortunately for Equifax, it holds a sizable insurance policy against cybersecurity incidents. The policy will cover up to $125 million of the cost, minus a $7.5 million deductible. That insurance policy has already paid out $60 million, with $10 million in payments received in the first quarter of 2018.
The breakdown of cost of the Equifax data breach so far for Q1, 2018 is:
- $45.7 million on IT security
- $28.9 million on legal fees and investigation of the breach
- $4.1 million on product liability
- $10 million has been recovered from an insurance payout.
The net expenses from the breach in the first quarter of 2018 was $68.7 million. That is on top of the $114 million spent in the final quarter of 2017, which is broken down as $64.6 million on product costs and customer support, $99.4 million on professional fees, minus $50 million that was paid by its insurance carrier. The net spend so far for Q4, 2017 and Q1, 2018 is $140.5 million, although Equifax reports that the total costs related to the cybersecurity incident and incremental IT and data security costs has been $242.7 million.
Equifax has also reported that throughout 2018 and 2019 the firm will be investing heavily in IT and is committed to building an industry-leading data security system, although the firm has not disclosed how much it is expecting to spend, as the company does not have visibility into costs past 2018.
Equifax has predicted that there will be at least a further $275 million in expenses related to the cyberattack which must still be covered, although a further $57.5 million should be covered by its insurance policy.
While considerable costs have been incurred so far, the firm has done little to repair the reputational damage suffered as a result of the breach and has yet to hire many of the new staff it plans to bring in to help with the breach recovery, including a new CTO. The firm has said that it is taking a very aggressive approach in attracting the top talent in both IT and data security.
The high cost of the Equifax data breach to date, and the ongoing costs, is likely to make this the most expensive data breach of all time.
by titanadmin | Apr 26, 2018 | Internet Security, Network Security |
The Atlanta ransomware attack that took IT systems and computers out of action and brought many municipal operations to a grinding halt has proven particularly costly for the city.
On March 22, 2018, ransomware was deployed on its network forcing a shutdown of PCs and systems used by some 8,000 employees. Those employees were forced to work on pen and paper while attempts were made to recover from the attack. With IT systems offline, many municipal services stopped entirely.
The attackers sent a ransom demand for approximately $50,000. By paying the ransom, the city could potentially have been given the keys to unlock the files encrypted by the SamSam ransomware variant used in the attack. However, there are never any guarantees decryption keys will be supplied. Many victims have received further demands for payment after the initial demand was paid, and there have been many cases where the attackers have not made good on their promise and did not supply any valid keys.
It is unclear whether the ransom payment was made, although that appears unlikely. The payment portal used by the attackers went offline shortly after the attack and the cleanup costs following the Atlanta ransomware attack have been considerable. The high cost suggests the city opted to recover its data and restore systems from backups.
In the immediate aftermath of the Atlanta ransomware attack, the city awarded emergency procurements to eight firms to assist with recovery efforts. The total cost of those services was $2,667,328.
The city spent $60,000 on incident response services, $50,000 on crisis communication services, and $60,000 on support staff augmentation. Secureworks was paid $650,000 for emergency incident response services, Two contracts were awarded to assist with its Microsoft cloud and Windows environments, including migrating certain on-premises systems to the cloud. Those two contracts totaled $1,330,000 and a further $600,000 was paid to Ernst & Young for advisory services for cyber incident response. The $2.6 million cost could rise further still.
Paying the threat actors who conducted the Atlanta ransomware attack could well have seen sizable savings made, although it would certainly not have cost $50,000. Some of the costs associated with recovery from the attack have been spent on improving security to prevent further incidents, and certainly to make recovery less costly. Those costs would still have to be recovered even if the ransom was paid.
What is clear however, is that $2.6 million paid on reactive services following a ransomware attack will not give tremendous value for money. Had that amount been spent on preventative measures prior to the attack, the city would have got substantially more value for every buck spent. Some industry experts have estimated the cost of preventative measures rather than reactive measures would have been just 20% of the price that was paid.
The attack revealed the City of Atlanta was unprepared and had failed to implement appropriate defenses. The city was vulnerable to attack due to the failure to apply security best practices, such as closing open ports on its systems and segmenting its network. The vulnerabilities made an attack far to easy. However, it would be unfair to single out the city as many others are in exactly the same position.
This incident should therefore serve as a stern warning to other cities and organizations that the failure to adequately prepare for an attack, implement appropriate defenses, and apply security best practices will likely lead to an incredibly costly attack.
It may be difficult to find the money to spend on ransomware attack prevention measures, but it will be much harder to find five times the cost to implement defenses and respond after an attack has taken place.
by titanadmin | Apr 25, 2018 | Industry News, Network Security |
A warning has been issued to the healthcare industry over an extensive campaign of targeted cyberattacks by the Orangeworm threat group. The Orangeworm threat group has been operating since 2015, but activity has been largely under the radar. It is only recently that the group’s activities have been identified and disclosed.
Attacks have been conducted on a range of industries, although the primary targets appear to be large healthcare organizations. 39% of confirmed attacks by the Orangeworm threat group have been on organizations in the healthcare industry, including large healthcare providers and pharmaceutical firms. IT service providers, manufacturers, and logistics firms have also been attacked, many of which have links to the healthcare industry.
Some of the IT service providers discovered to have been attacked have contracts with healthcare organizations, while logistics firms have been attacked that deliver medical equipment, as have manufacturers of medical devices. The aim appears to be to infect and investigate the infrastructure of the entire supply chain.
The Orangeworm threat group is using a custom backdoor, which is deployed once access to a network is gained. First the backdoor is deployed on one device, giving the Orangeworm threat group full control of that device. The backdoor is then aggressively spread laterally within a network via unprotected network shares to infect as many devices as possible with the Kwampirs backdoor. While some steps have been taken by the group to avoid detection, this lateral worm-like movement is noisy and easily detected. The threat group does not seem to be overly concerned about hiding its activity.
This attack method works best on legacy operating systems such as Windows XP. Windows XP is no longer supported, and even though the continued use of the operating system is risky and in breach of industry regulations, many healthcare organizations still have many devices operating on Windows XP, especially machines connected to imaging equipment such as MRI and X-Ray machines. It is these machines that have been discovered to have been infected with the Kwampirs backdoor.
Once access is gained, the group is spending a considerable amount of time exploring networks and collecting information. While the theft of patient health information is possible, this does not appear to be a financially motivated attack and systems are not sabotaged.
Symantec, which identified a signature which has allowed the identification of the backdoor and raised the alert about the Orangeworm threat group, believes this is a large-scale espionage campaign with the aim of learning as much as possible about the targets’ systems. What the ultimate goal of the threat group is, no one knows.
The method of spreading the backdoor does not have the hallmarks of nation-state sponsored attacks, which tend to use quieter methods of spreading malware to avoid detection. However, the attacks are anything but random. The companies that have been attacked appear to have been targeted and well researched before the attacks have taken place.
That suggests the Orangeworm threat group is a cybercriminal gang or small collective of hackers, but the group is clearly organized, committed to its goals, and is capable of developing quite sophisticated malware. However, even though the group is clearly capable, and has operated under the radar for three years, during that time no updates have been made to their backdoor. That suggests the group has been confident that they would not be detected, or that they simply didn’t see the need to make any updates when their campaign was working so well.
While espionage may be the ultimate aim, the Orangeworm threat group could easily turn to more malicious and damaging attacks. Once the backdoor has been installed on multiple devices, they would be under full control of the hackers. The group has the capability to deploy malware such as wipers and ransomware and cause considerable damage or financial harm.
The ease at which networks can be infiltrated and the backdoor spread should be of major concern for the healthcare industry. The attacks show just how vulnerable the industry is and how poorly protected many organizations are.
The continued use of outdated and unsupported operating systems, a lack of network segmentation to prevent lateral movement once access has been gained, the failure to protect network shares, and poor visibility of the entire network make these attacks far too easy. In fact, simply following security best practices will prevent such attacks.
The attacks by the Orangeworm threat group should serve as a wakeup call to the industry. The next wave of attacks could be far, far worse.
by titanadmin | Apr 24, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News |
Microsoft has released new figures that show there has been a sizeable increase in tech support scams over the past year. The number of victims that have reported these scams to Microsoft increased by 24% in 2017. The true increase could be much higher. Many victims fail to report the incidents.
According to Microsoft, in 2017 there were 153,000 reports submitted from customers in 183 countries who had been fooled by such a scam. While not all of the complainants admitted to losing money as a result, 15% said they paid for technical support. The average cost of support was between $200 and $400, although many individuals were scammed out of much more significant amounts. While victims may not willingly pay much more to fix the fictitious problem on their computers, if bank account details are provided to the scammers, accounts can easily be drained. One victim from the Netherlands claims a scammer emptied a bank account and stole €89,000.
The rise in complaints about tech support scams could, in part, be explained by more scammers pretending to be software engineers from Microsoft, prompting them to report the incidents to Microsoft when they realize they have been scammed.
However, the rise in tech support scams is backed up by figures released by the FBI. Its Internet Crime Complaint Center (IC3) received 86% more complaints in 2017 from victims of tech support scams. Around 11,000 complaints were received by IC3 about tech support scams last year and more than $15 million was lost to the scams.
It is easy to see why these scams are so attractive for would-be cybercriminals. In many cases, little effort is required to pull off the scam. All that is required in many cases is a telephone. Cold calling is still common, although many of the scams are now much more sophisticated and have a much higher success rate.
Email is also used. Some tech support scams involve warnings and use social engineering techniques to convince the recipient to call the helpline. Others involve malware, sent as an attachment or downloaded as a result of visiting a malicious website via a hyperlink supplied in the email.
Once installed, the malware displays fake warning messages that convince the user that they have been infected with malware that requires a call to the technical support department.
The use of popups on websites is common. These popups cannot be closed and remain on screen. Browser lockers are also common which serve the same purpose. To prompt the user to call the support helpline.
While many more experienced users would know how to close the browser – CTRL+ALT+DEL and shut down the browser via Windows Task Manager – less experienced users may panic and call the helpline number, especially when the popup claims to be from a well-known company such as Microsoft or even law enforcement.
The typical process used in these tech support scams is to establish contact by telephone, get the user to download software to remove a fictitious virus or malware that has previously been installed by the attackers. Remote administration tools are used that allows the scammer to access the computer. The user is convinced there is malware installed and told they must pay for support. Payment is made and the fictitious problem is fixed.
These techniques are nothing new, it is just that more cybercriminals have got in on the act and operations have been expanded due to the high success rate. Fortunately, there are simple steps to take that can prevent users from falling for these tech support scams.
To avoid becoming a victim of such a scam:
- Never open any email attachments you receive from unknown senders
- Do not visit hyperlinks in email messages from unknown senders
- If contacted by phone, take a number and say you will call back. Then contact the service provider using verified contact information, not the details supplied over the telephone
- If you are presented with a warning via a popup message or website claiming your device has been infected, stop and think before acting. Genuine warnings do not include telephone numbers and do not have spelling mistakes or questionable grammar
- If you receive a warning about viruses online and want to perform a scan, download free antivirus software from a reputable firm from the official website (Malwarebytes, AVG, Avast for instance)
- Before making any call, verify the phone number. Use a search engine to search for the number and see if it has been associated with scams in the past
- ISPs and service providers rarely make unsolicited telephone calls to customers about viruses and technical issues and offer to fix the device
If you believe you are a victim of a tech support scam, report the incident to the service provider who was spoofed and notify appropriate authorities in your country of residence.
In the USA, that is the Federal Trade Commission or the FBI’s IC3; in the UK it is the National Fraud and Cyber Crime Reporting Center, the European Consumer Center in Ireland, or the equivalent organizations in other countries.
by titanadmin | Apr 20, 2018 | Email Scams, Phishing & Email Spam, Spam News |
Two new phishing campaigns have been detected in the past few days that have seen phishers sink to new lows. An active shooter phishing campaign has been detected that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to increase the probability of victims paying ransom demands.
Active Shooter Phishing Campaign
Mass shootings at U.S schools are on the rise, with the latest incident in Parkland, Florida placing teachers and other staff on high alert to the threat of campus shootings. A rapid response is essential when an active shooter alert is issued. Law enforcement must be notified quickly to apprehend the suspect and children and staff must be protected.
It is therefore no surprise that fake active shooter threats have been used in a phishing campaign. The emails are designed to get email recipients to click without thinking to receive further information on the threat and have been developed to cause fear and panic.
The active shooter phishing campaign was being used in a targeted attack on a Florida school – an area of the country where teachers are hypersensitive to the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were reported to the anti-phishing and security awareness platform provider KnowBe4, all of which were used to direct recipients to a fake Microsoft login page where they were required to enter in their login credentials to view the alert. Doing so would give those credentials to the attacker.
The email subject lines used – although other variants could also be in use – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is likely that similar campaigns will be conducted in the future. Regardless of the level of urgency, the same rules apply. Stop and think about any message before taking any action suggested in the email.
Syrian Refugee Phishing Campaign
Phishing campaigns often use crises, major world events, and news of sports tournaments to get users to click links or open email attachments. Any news that is current and attracting a lot of interest is more likely to result in users taking the desired action.
There have been several Syrian refugee phishing campaigns run in recent months that take advantage of compassion to infect users with malware and steal their credentials. Now researchers at MalwareHunterTeam have identified a ransomware campaign that is using the terrible situation in Syria to convince victims to pay the ransom – By indicating the ransom payments will go to a very good cause: Helping refugees.
Infection with what has been called RansSIRIA ransomware will see the victim presented with a ransom note that claims all ransom payments will be directed to the victims of the war in Syria. A link is also provided to a video showing the seriousness of the situation in Syria and links to a WorldVision document explaining the plight of children affected by the war.
While the document and images are genuine, the claim of the attackers is likely not. There is no indication that any of the ransom payments will be directed to the victims of the war. If infected, the advice is not to pay and to try to recover files by other means. If you want to do your bit to help the victims of the war, make a donation to a registered charity that is assisting in the region.
by titanadmin | Apr 19, 2018 | Industry News, Internet Security, Network Security |
What is the future of the system administrator? What can sysadmins expect over the coming months and years and how are their jobs likely to change? Our predictions on what is likely to happen to the role in the foreseeable future.
What Does the Future of the System Administrator Have in Store?
The system administrator is an important role in any organization. Without sysadmins to deal with the day to day IT problems faced by organizations, the business would grind to a halt. Sysadmins also play an essential role in ensuring the security of the network by taking proactive steps to keep systems secure as well as responding to threats before they result in a data breach. With more cyberattacks occurring, increasingly complex IT systems being installed, and the fast pace of technological development, one thing is for sure: The future of the system administrator is likely to continue to involve long hours and hard work.
It is also easy to predict that the future of the system administrator will involve major changes to job descriptions. That has always been the case and never more so than now. There will be a continued need for on the job training and new systems and processes must continue to be learned. Being a System administrator is therefore unlikely to be boring.
According to data from the US Bureau of Labor Statistics, there is likely to be sustained growth in the profession for the next two years. While the forecast was previously 12% growth, this has now been reduced to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly responsible for this decline in growth, since businesses are likely to need less staff as manual processes are reduced. That said, the figures indicate demand for IT workers will remain high. Even with newer, faster technology being implemented, staff are still required to keep everything running smoothly.
XaaS, the Cloud, Virtualization, and VoIP Use to Grow
Unfortunately, while automation means greater efficiency, it can entail many hidden costs. For a start, with more automation it can become harder to determine the source of a problem when something goes wrong. Increased automation also means the system administrator must become even more knowledgeable. Automation typically involves scripting in various languages, so while you may have been able to get away with knowing Python or Windows PowerShell, you will probably need to become proficient in both, and maybe more.
If you are considering becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the basics. It will also help you to get the job in the first place. The more you know, the better.
Use of the cloud is increasing, especially for backup and archiving, which in turn has reduced the need for server-centered tasks. While there has been a reduction in labor-intensive routine data operations, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).
While many functions are now being outsourced through XaaS, it is still important to understand those functions. The future of the system administrator is likely to require XaaS to be screened and assessed to make sure those services match the IT needs of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be invaluable for screening out the services that are unsuitable.
To cut costs, many businesses are turning to VoIP. While this does offer considerable cost savings, businesses cannot tolerate less than the 99.999% of uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough understanding of the dynamics of network load.
Virtualization has also increased, with a myriad of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to improve.
Communication, Collaboration, and Negotiation Skills Required
The SA’s job no longer just involves studying manuals and learning new systems. SAs are now expected to be able to communicate more effectively, understand the business, and collaborate with others. SAs will need strong communication skills, must become excellent collaborators, and also be skilled at negotiation. Fortunately, there are many courses available that can help SAs improve in these areas.
by titanadmin | Apr 17, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.
All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.
The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.
Many Businesses Fail to Provide Effective Security Awareness Training for Employees
One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.
These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.
27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.
Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.
The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.
Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.
The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.
Tips for Developing Effective Employee Security Awareness Training Programs
Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:
- Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
- Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
- Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
- Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
- Use different training methods to help with knowledge retention
- Keep security fresh in the mind with newsletters, posters, quizzes, and games
- Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes
Lire cet article en français.
by titanadmin | Apr 13, 2018 | Industry News, Internet Security, Network Security |
The SamSam ransomware attacks are continuing and the threat actors behind the campaign are showing no sign of stopping. So far in 2018 there have been at least 10 attacks in the United States, although many more may have gone unreported. Most of the known attacks have hit government agencies, municipalities, and healthcare organizations – all of whom are required to disclose attacks.
The attacks have caused massive disruption, taking computers, servers, and information systems out of action for several days to several weeks. Faced with the prospect of continued disruption to essential business processes, some organizations have chosen to pay the ransom – a risky strategy since there is no guarantee that the keys to unlock the encryption will work or even be supplied.
Others have refused to be extorted, often at great cost. One U.S. healthcare provider, Erie County Medical Center, took six weeks to fully recover from the attack. Mitigating the attack has cost several million dollars.
Multiple SamSam ransomware attacks are possible as the Colorado Department of Transportation discovered. After recovering from an attack in February, a second attack occurred in March.
It is not only financial harm that is caused by the attacks. Another hospital was attacked, and its outpatient clinic and three physician hospitals were unable to view histories or schedule appointments. The ransomware attack on the electronic medical record provider AllScripts saw its EMR systems taken out of action for several days. During that time, around 1,500 medical centers were unable to access patient health records resulting in many cancellations of non-critical medical appointments.
The March SamSam ransomware attack on the City of Atlanta brought many government services to a grinding halt. The extensive attack forced the shutdown of many systems, many of which remained inaccessible for six days. Bills and parking tickets couldn’t be paid and court proceedings had to be cancelled. The huge backlog of work continued to cause delays when systems were restored.
While the SamSam ransomware attacks have been concentrated on just a few industry sectors, the attacks are not necessarily targeted. What the victims have in common is they have been found to have easily exploitable vulnerabilities on public facing servers. They were attacked because mistakes had been made, vulnerabilities had not been patched promptly, and weak passwords had been set.
The threat actors behind the latest SamSam ransomware attacks have not been confirmed, although researchers at Secureworks believe the attacks are being conducted by the Gold LOWELL threat group. It is not known whether they are a defined group or a network of closely affiliated threat actors. What is known, whether it is GOLD LOWELL or other group, is they are largely staying under the radar.
What is more certain is the SamSam ransomware attacks will continue. In the first four weeks of January, the Bitcoin wallet used by the attackers showed $325,000 of ransom payments had been paid. The total in April is likely to be substantially higher. Hancock Health, one of two Indiana hospitals attacked this year, has confirmed that it paid a ransom demand of approximately $55,000 for the keys to unlock the encryption. As long as the attacks remain profitable and the threat actors can stay under the radar, there is no incentive to stop.
In contrast to many threat actors that use phishing emails and spam messages to deliver ransomware downloaders, this group exploits vulnerabilities on public-facing servers. Access is gained to the network, the attackers spend time navigating the network and moving laterally, before the ransomware payload is finally deployed. Detecting network intrusions quickly may prevent file encryption, or at least limit the damage caused.
The ongoing campaign has now prompted the U.S. Department of Health and Human Services’ Healthcare Cybersecurity Integration and Communications Center (HCCIC) to issue a warning to healthcare organizations about the continued threat of attacks. Healthcare organizations should heed the advice of the HCCIC and not only implement defences to block attacks but also to prepare for the worst. If contingency plans are made and incident response procedures are developed in advance, disruption and cost will be kept to a minimum.
That advice from the HCCIC to prevent SamSam ransomware attacks is:
- Conduct vulnerability scans and risk assessments to identify potential vulnerabilities
- Ensure those vulnerabilities are remediated
- Ensure patches are applied promptly
- Use strong usernames and passwords and two-factor authentication
- Limit the number of users who can login to remote desktop solutions
- Restrict access to RDP behind firewalls and use a VPN or RDP gateway
- Use rate limiting to stop brute force attacks
- Ensure backups are made for all data to allow recovery without paying the ransom and make sure those backups are secured
- Develop a contingency plan to ensure that the business can continue to function while the attack is mitigated
- Develop procedures that can easily be followed in the event of a ransomware attack
- Implement defenses capable of detecting attacks quickly when they occur
- Conduct annual penetration tests to identify vulnerabilities and ensure those vulnerabilities are rapidly addressed
by titanadmin | Apr 9, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.
The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.
While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.
The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. It is possible to decode SHA-1 hashed data, which means the information could potentially be accessed by the attacker.
Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.
Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot personally decrypt the data, it is certain that the data will be some to someone who can.
While it is possible that the bcrypt-encrypted passwords can be decoded, it is unlikely that decryption will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.
While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.
Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should login and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.
Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.
An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.
Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced anti-spam services for businesses are now a necessity.
If you have yet to implement a spam filter, are unhappy with your current provider and the detection/false positive rate, contact TitanHQ to find out about SpamTitan – The leading anti-spam software for enterprises and SMBs.
by titanadmin | Apr 6, 2018 | Email Scams, Phishing & Email Spam, Spam News |
A recent Lazio phishing scam has potentially resulted in a €2 million loss for the Italian Serie A football team, which made the final installment of a transfer of a football player to the bank account of a scammer.
The Lazio phishing scam involved some insider knowledge as the scammer was aware that part of the transfer fee for a player was outstanding. An email was carefully crafted and sent to the Italian football team that appeared to have come from representatives of the Dutch football club Feyenoord. In the email the outstanding balance for the player Stefan de Vrij was demanded. Stefan de Vrij had joined Lazio from Feyenoord in 2014.
The email looked official and appeared to have been sent from a legitimate source. The accounts department at the Italian club responded and proceeded with the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details supplied in the email were not those of Feyenoord.
When Feyenoord was contacted, the club denied all knowledge of any email communication about the player and confirmed that no funds had been received. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor any representative of the player.
The payment has been tracked and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered and if that will be possible.
The Lazio phishing scam has certainly made the headlines, but many similar attacks go unreported. Scams such as this are commonplace, and businesses are being fooled into making huge transfers of funds to criminals’ accounts.
While this attack clearly involved some insider knowledge, that information can easily be gained with a simple phishing email. If the CFO of an organization can be fooled into revealing their email login credentials, the account can be accessed and a treasure trove of information can be found. The account can then be used to send an email request to a member of the accounts department or a company that is in the process of making a sizeable purchase.
The attacker can match the writing style of the CTO and copy the usual format of email requests. All too often the recipient is fooled into making the transfer.
This type of scam is called business email compromise – or BEC – and it is costing businesses billions. One recent report estimates the total losses to BEC attacks alone is likely to reach $9 billion in 2018.
These scams are far different to the typical phishing scams of years gone by where huge numbers of emails were sent in the hope of a few individuals responding. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, it is certainly worth the time and effort.
Businesses need to protect themselves against these types of phishing attacks, but there is no silver bullet. Layered defenses are essential. Businesses need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is a must, DMARC should be implemented to prevent brand abuse, and security awareness training for staff is essential. Policies should also be developed and implemented that require two-factor verification on any wire transfer over a certain threshold.
Even if an email filter could not block the Lazio phishing email and the email was so believable to fool a security aware employee, a quick telephone call to confirm the request could have highlighted the scam for what it was.
by titanadmin | Mar 31, 2018 | Internet Security, Network Security |
Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.
AutoHotKey is a popular open-source scripting language. AutoHotKey make it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.
The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners, the first of the latter was discovered in February 2018.
Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.
Fauxpersky Malware
Fauxpersky malware lacks sophistication, but it can be considered a significant threat – One that has potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.
Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.
Fauxpersky infects USB drives which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, that is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, it doesn’t appear to be data exfiltration by traffic monitoring systems.
Once installed it renames the drive and appends “Protected y Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.
Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google which rapidly took down the malicious form although others may well be created to take its place.
AutoHotKey Malware Likely to become More Sophisticated
AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.
by titanadmin | Mar 30, 2018 | Internet Security, Network Security |
A disaster recovery plan will help to ensure your business continues to function when disaster strikes, and you can recover as quickly as possible. Developing a disaster recovery plan in advance is essential as it will allow you to prevent many lost hours in the early stages of an attack when rapid action is critical.
When Disaster Strikes You Must be Ready for Action
When disaster strikes, you need to act fast to get your systems back online and return to normal business operations. One of the biggest problems for many organizations, is the amount of time that is lost immediately after a cyberattack is discovered. When staff are scrambling around not knowing what to do, precious minutes, hours, and even days can be lost.
The first few hours after a cyberattack can be critical. The time it takes to respond can have a significant impact on the cost of mitigating the attack and the harm caused. In the case of ransomware, that could be movement within your network, with one infected endpoint becoming two, then 4, then 8 and so on until files on your entire network are encrypted. Each lost minute can mean hours of extra work and major productivity losses.
The only way to ensure the fastest possible response is to be prepared for the unexpected. That means you must have a disaster recovery plan formulated that is easily accessible and can be followed by all staff involved in the breach response. Staff not responsible for recovery must be aware how they must operate in the absence of computers and critical systems to ensure the business does not grind to a halt.
Developing a Disaster Recovery Plan
There are many potential disaster scenarios. Natural disasters such as earthquakes, floods, tornados can cause major disruption, as can terrorist attacks and sabotage. The most likely disaster scenario in the current climate is a cyberattack.
All of these disaster scenarios threaten your systems and business data, so your disaster recovery plan must ensure your systems are protected and the confidentiality, integrity, and availability of data is safeguarded while you respond.
While the threat may be similar for all scenarios, priorities will be different for each situation and the order of actions and the actions themselves will be specific to different threats. It is therefore essential to plan for each of the likely disasters and to develop procedures for each. For example, your plan should cover a cyberattack affecting each specific location that you operate, and a separate plan developed for a ransomware attack, malware infection, and system outage.
Assess Business Impact and Set Priorities
A cyberattack could take out multiple systems which will all need to be restored and brought back online. That process could take days or weeks, but some systems must take priority over others. After your disaster recovery policy has been developed, you must set priorities. To effectively prioritize you will need to perform a business impact analysis on all systems. You should conduct a BIA to determine the possible financial, safety, contractual, reputational, and regulatory impact of any disaster and assess the impact on confidentiality, integrity, and availability of data. When the BIA has been completed, it should make it clear what the priorities are for recovery.
Everyone Must Know Their Role
When disaster strikes, everyone in the IT department must be aware of their responsibilities. You must know who will need to be called in when the attack occurs outside office hours, which means you must maintain up to date contact information such as phone numbers, addresses, and email addresses. You will also need to have a list of contractors and cybersecurity firms that can assist. You must know which law enforcement agencies to contact and any regulators or authorities that should be notified. All employees within the organization must be aware how their day-to-day activities will change and the role they will play, and what you will say to your customers, clients, and business associates.
Testing, Testing, Testing
You will naturally have developed a disaster recovery plan and emergency mode operations plan, but those plans rarely need to be put into action. You therefore need to be 100% sure that your disaster recovery plan developed a couple of years previously will work as planned. That is unlikely unless it is thoroughly tested and is regularly updated to take hardware, software, and business changes into account.
Your disaster recovery plan must be tested to make sure that it will work in practice. That means testing individual aspects against specific scenarios and also running through a full test – like a fire drill – to make sure that the whole plan works.
Don’t wait until disaster strikes before developing a disaster recovery plan and don’t wait for a disaster to find out all of your planning has been in vain as system changes have rendered the plan unworkable.
by titanadmin | Mar 29, 2018 | Network Security, Phishing & Email Spam, Spam Advice, Spam News |
No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential for develop and effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.
Threat actors are now using highly sophisticated tactics to install malware, ransomware, and obtain login credentials and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.
The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.
Important Elements of an Effective Security Awareness Program
Get the C-Suite Involved
One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.
In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.
The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.
Get Involvement from Other Departments
The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department on board, human resources, the compliance department, privacy officers. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.
Develop a Continuous Security Awareness Program
A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.
Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.
Use Incentives and Gamification
Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.
Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.
Test Employees Knowledge with Phishing Email Simulations
You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.
Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.
Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.
Comparing the before and after results will show the benefits of your program and could be used to help get more funding.
Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.
by titanadmin | Mar 28, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice |
A city of Atlanta ransomware attack has been causing havoc for city officials and Atlanta residents alike. Computer systems have been taken out of action for several days, with city workers forced to work on pen and paper. Many government services have ground to a halt as a result of the attack.
The attack, like many that have been conducted on the healthcare industry, involved a variant of ransomware known as SamSam.
The criminal group behind the attack is well known for conducting attacks on major targets. SamSam ransomware campaigns have been conducted on large healthcare providers, major educational institutions, and government organizations.
Large targets are chosen and targeted as they have deep pockets and it is believed the massive disruption caused by the attacks will see the victims pay the ransom. Those ransom payments are considerable. Demands of $50,000 or more are the norm for this group. The City of Atlanta ransomware attack saw a ransom demand issued for 6 Bitcoin – Approximately $51,000. In exchange for that sum, the gang behind the attack has offered the keys to unlock the encryption.
SamSam ransomware attacks in 2018 include the cyberattack on the electronic health record system provider Allscripts. The Allscripts ransomware attack saw its systems crippled, with many of its online services taken out of action for several days preventing some healthcare organizations from accessing health records. The Colorado Department of Transportation was also attacked with SamSam ransomware.
SamSam ransomware was also used in an attack on Adams Memorial Hospital and Hancock Health Hospital in Indiana, although a different variant of the ransomware was used in those attacks.
A copy of the ransom note from the city of Atlanta ransomware attack was shared with the media which shows the same Bitcoin wallet was used as other major attacks, tying this attack to the same group.
SecureWorks, the cybersecurity firm called in to help the City of Atlanta recover from the attack, has been tracking the SamSam ransomware campaigns over the past few months and attributes the attacks to a cybercriminal group known as GOLD LOWELL, which has been using ransomware in attacks since 2015.
While many ransomware attacks occur via spam email with downloaders sent as attachments, the GOLD LOWELL group is known for leveraging vulnerabilities in software to install ransomware. The gang has exploited vulnerabilities in JBoss in past attacks on healthcare organizations and the education sector. Flaws in VPNs and remote desktop protocol are also exploited.
The ransomware is typically deployed after access to a network has been gained. SecureWorks tracked one campaign in late 2017 and early 2018 that netted the gang $350,000 in ransom payments. The earnings for the group have now been estimated to be in the region of $850,000.
Payment of the ransom is never wise, as this encourages further attacks, although many organizations have no choice. For some, it is not a case of not having backups. Backups of all data are made, but the time taken to restore files across multiple servers and end points is considerable. The disruption caused while that process takes place and the losses suffered as a result are often far higher than any ransom payment. A decision is therefore made to pay the ransom and recover from the attack more quickly. However, the GOLD LOWELL gang has been known to ask for additional payments when the ransom has been paid.
The city of Atlanta ransomware attack commenced on Thursday March 22, and with the gang typically giving victims 7 days to make the payment. The city of Atlanta only has until today to make that decision before the keys to unlock the encryption are permanently deleted.
However, yesterday there were signs that certain systems had been restored and the ransomware had been eradicated. City employees were advised that they could turn their computers back on, although not all systems had been restored and disruptions are expected to continue.
As of today, no statement has been released about whether the ransom was paid or if files were recovered from backups.
How to Defend Against Ransomware Attacks
The city of Atlanta ransomware attack most likely involved the exploitation of a software vulnerability; however, most ransomware attacks occur as a result of employees opening malicious email attachments or visiting hyperlinks sent in spam emails.
Last year, 64% of all malicious emails involved ransomware. An advanced spam filter such as SpamTitan is therefore essential to prevent attacks. End users must also be trained how to recognize malicious emails and instructed never to open email attachments or click on links from unknown senders.
Software must be kept up to date with patches applied promptly. Vulnerability scans should be conducted, and any issues addressed promptly. All unused ports should be closed, RDP and SMBv1 disabled if not required, privileged access management solutions deployed, and sound backup strategies implemented.
by titanadmin | Mar 21, 2018 | Internet Security, Network Security, Phishing & Email Spam |
2017 ransomware statistics do not make for pleasant reading. Ransomware attacks continued to increase, the cost of mitigating attacks rose, and the number of ransomware variants in use has soared. Further, there are no signs that the attacks will stop and mounting evidence that the ransomware epidemic will get worse in 2018.
Key 2017 Ransomware Statistics
We have compiled some of the important 2017 ransomware statistics from research conducted by a range of firms over the past few months.
Kaspersky Lab’s research suggests ransomware attacks on businesses were happening every 2 minutes in Q1, 2017, but by Q3 attacks were far more frequent, occurring approximately every 40 seconds. Cybersecurity Ventures predicts the frequency of attacks will increase and by 2019 there will be an attack occurring every 14 seconds.
Cybersecurity Ventures also predicts ransomware will continue to be a major problem for businesses throughout 2018 and 2019, with the total cost of ransomware attacks expected to reach $11.5 billion by 2019.
The healthcare industry is likely to be heavily targeted due to the relative ease of conducting attacks and the likelihood of a ransom being paid. Cybersecurity Ventures predicts there will be a fourfold increase in ransomware attacks on healthcare organizations by 2019.
While research from IBM in 2016 suggested 70% of businesses pay ransom demands to recover data, in 2017 the percentage dropped considerably. Far fewer firms are now considering paying ransoms to recover data.
Symantec’s 2017 Internet Security Threat Report indicates ransom demands increased by 266% between 2015 and 2017.
There is considerable variation in published 2017 ransomware statistics. Malwarebytes reports there was a 90% increase in ransomware attacks in 2017. Beazley reports the increase was 18% and the healthcare sector accounted for 45% of those attacks. A recent McAfee Report puts the rise in ransomware attacks at 59% for the year, with a 35% quarter-over-quarter increase in attacks in Q4.
Microsoft’s Security Intelligence Report indicates Asia had the highest number of ransomware attacks in 2017, with Myanmar and Bangladesh the worst hit countries. Mobile devices that were the worst hit, with the most frequently encountered ransomware variant being LockScreen – an Android ransomware variant.
55% of Firms Experienced A Ransomware Attack in 2017
The research and marketing consultancy firm CyberEdge Group conducted a study that showed 55% of surveyed organizations had experienced at least one ransomware attack in 2017. Out of the organizations that had data encrypted by ransomware, 61% did not pay the ransom.
87% of firms that experienced an attack were able to recover the encrypted data from backups. However, 13% of attacked firms lost data due to the inability to recover files from backups.
Organizations that are prepared to pay a ransom are not guaranteed viable keys to recover their encrypted files. The CyberEdge survey revealed approximately half of companies that decided to pay the ransom were unable to recover their data.
FedEx reported in 2017 that the NotPetya attack cost the firm an estimated $300 million, the same figure quoted by shipping firm Maersk and pharma company Merck. Publishing firm WPP said its NotPetya attack cost around $15 million.
Strategies are being developed by businesses to respond to ransomware attacks quickly. Some companies, especially in the UK, have bought Bitcoin to allow fast recovery. However, those that have may find their stash doesn’t go as far as it was first thought thanks to the decline in value of the cryptocurrency. Further, many cybercriminals have switched to other forms of cryptocurrency and are no longer accepting Bitcoin. A third of mid-sized companies in the UK have purchased Bitcoin for ransoms according to Exeltex Consulting Group.
