Million new cyber phishing sites created each month

Cyber phishing attacks continue to increase in volume and sophistication, according to researchers at security firm Webroot.

Cyber phishing attacks continue to increase in volume and sophistication, according to researchers at security firm Webroot.
In May 2017, the number of new phishing sites reached a new high of 2.3 million in that month alone, according to the September 2017 Webroot Quarterly Threat Trends Report.

Data collected by Webroot shows that the latest phishing sites use realistic web pages that are almost impossible to find using web crawlers to trick victims into providing personal and business information.

Once this data is harvested, attackers are able to steal digital identities to access business IT systems to steal data and compromise business email accounts to carry out CEO fraud attacks.

The Webroot data also shows phishing attacks have grown at an unprecedented rate in 2017, with it continuing to be one of the most common, widespread security threats faced by both businesses and consumers.

According to the report, phishing is the top cause of cyber breaches in the world, with an average of more than 46,000 new phishing sites created each day.

The sheer volume of new sites makes phishing attacks difficult to defend against for businesses, the report said.

Even if the block lists are updated hourly, they are generally 3–5 days out of date by the time they are made available, the report said, by which time the sites in question may have already victimised users and disappeared.

Attacks are increasingly sophisticated and more adept at fooling the victim, the researchers found. The note that while in the past, phishing attacks randomly targeted as many people as possible,today’s phishing is more sophisticated.

Cyber attackers now typically research their targets and use social engineering to uncover relevant personal information for individualised attacks. Phishing sites also hide behind benign domains and obfuscate true uniform resource locators (URLs), fooling users with realistic impersonated websites.

The researchers found that zero-day websites used for phishing may number in the millions each month, yet they tend to impersonate a small number of companies. Webroot categorised URLs by the type of website being impersonated and found that financial institutions and technology companies are the most phished categories.

According to an FBI public service announcement issued on 4 May 2017, phishing scams cost US business $500m a year, while Verizon found phishing to be involved in 90% of breaches and security incidents and a report by ESG showed that 63% of surveyed security and network influencers and decision makers have suffered from phishing attacks in the past two years.

In the ESG report, 46% of respondents said malware attacks have become more targeted over the past two years, and 45% said there is a greater volume of malware than in the past two years.

“Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology and information gleaned from reconnaissance to get you to click on a link,” said Hal Lonas, chief technology officer at Webroot.

“Even savvy cyber security professionals can fall prey. Instead of blaming the victim, the industry needs to embrace a combination of user education and organisational protection with real-time intelligence to stay ahead of the ever-changing threat landscape,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Millions of customer records hacked in major Equifax security breach

A major security breach at Equifax has taken place over a two month period

A major security breach at Equifax has taken place over a two month period

It is thought to have affected 143 million customers in the US, as well as an undisclosed number of Britons and Canadians.

The perpetrators exploited a vulnerability in a US website application to gain access to confidential information – including names, social security numbers, birth dates, addresses and driver’s license numbers, as well as around 209,000 credit card numbers – over a two month period from May 2017.

It also found unauthorised access to “limited personal information” of a number of British and Canadian customers, and will work with regulators in both countries to determine an appropriate path forward. It added that it had found “no evidence” of any unauthorised activity on its core consumer or enterprise credit reporting databases.

Since halting the intrusion on 29 July, Equifax has been working closely with law enforcement and brought in a cyber security partner to conduct a thorough forensic review of its systems. This investigation is mostly complete, but more detailed information is expected to emerge in the coming days and weeks.

Equifax has confirmed that the massive data breach was result of missed patch and appear to have failed to roll out a patch that might have stopped the massive breach of its systems.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

In a brief update statement, Equifax said it had been “intensely investigating” the scope of the intrusion with the help of an undisclosed cyber security firm – thought to be Mandiant – to find out exactly what information was accessed and whom it belongs to.

“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” it said. “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Apache Struts is an open-source model-view controller (MVC) framework for building Java web applications, and is well used across the financial services sector. The vulnerability causes it to mishandle file upload, which enables malicious actors to execute arbitrary commands via a command string in a crafted content-type HTTP header.

This was first highlighted in March 2017, and patches were subsequently released for it.

However, the Equifax breach began in May, which would seem to suggest the organisation did not bother to apply the updates to its systems.

Since news of the breach emerged, it has also emerged that the incident may have resulted in many more Britons than at first suspected having their data compromised – around 44 million by some estimates.

This is because even if people do not directly purchase Equifax’s consumer services themselves, some of their sensitive personal data is almost certainly held by enterprises, which use its corporate services to check credit scores for loans, for example.

Experts criticised the Equifax breach response as insufficient given the size and scope of the data loss, and said the company was likely not prepared for such an incident.

While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify customers of a problem much sooner.

“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

How to improve cyber security against email attacks and for GDPR compliance

Emails are becoming increasingly dangerous for cyber security risks.

Emails are becoming increasingly dangerous for cyber security risks.

About 200 billion emails are sent every day, but because of its importance email is constantly exploited by attackers – yet is often overlooked in cyber security strategies

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

The General Data Protection Regulation (GDPR), set to come into force in May 2018, is designed to protect European Union (EU) citizensí data, and organisations that want to operate within the EU will be expected to comply with it.

Section 2 of the GDPR states that organisations must ìprotect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal dataî.

The European Commission defines personal data as ìany information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computerís IP addressî.

This regulation of greater email protection arrives shortly after the WannaCry and Petya cyber attacks. Despite emails being used regularly, they remain vulnerable to attack, both as a target and as an attack vector.

Several malware families, such as Emotet and Trickbot, have recently added functionality that enables them to spread via email. Emotet, for example, now has the capability to steal email credentials from infected computers and use these to send out emails to spread itself further.

The dangers that organisations can expose themselves to through unsecured email accounts are often more than just compromised emails. Financial account information can be leaked, ransomware and viruses can infect networks, and reputational damage can occur from hacks being disclosed. This disclosure will become mandatory under the GDPR.

Developing a security policy for email can be relatively simple, and a natural first step for bringing organisations into alignment with GDPRís requirements. However, a companyís email security protocols are only as strong as the employees who use them.

Email cyber security risks

Anti-virus filtering should be used on all email traffic.

Although this will not be a complete solution in itself, it will remove much of the background noise – the easy-to-spot threats -allowing security teams to focus on the more sophisticated attacks. Organisations should also consider using a secure anti-malware proxy or next-generation firewalls.

Some organisations may want to consider whitelisting or blacklisting filters for managing their email security. With whitelisting, only known, trusted email sources are allowed through; with blacklisting, all but the known, malicious email sources are blocked.

Whitelisting offers more protection, but it will inevitably block some important emails, which can cause frustration for employees.

Some organisations have gone as far as to block all attachments, which is effective in preventing malicious attachments, but naturally has consequences.

But there is no such thing as 100% security.

Organisations need to educate their employees in how to spot fraudulent emails and raise awareness of the dangers of malicious emails.

To engage the participants, this education should be easy to understand and should not rely on technical jargon. Staff should be positively encouraged to report suspicious emails and given feedback about any emails reported. Not only will this allow the security settings to be updated, but it will also educate staff further.

It is also vital to tailor the message to the particular audience. For example, telling an HR department not to open attachments from external addresses will not work, because they deal with people who are applying for jobs.

Following recent incidents of leaked emails, many organisations are now encrypting emails, installing encryption protocols as add-ons to existing email apps.

Not only do these systems rely on end-to-end encryption to secure their content, but some also ensure compliance with the GDPR. ìThere are hundreds of email security or encryption services, but we have found customers need verifiability, which is in high demand because of GDPR,î says Kurt Kammerer, CEO of Regify.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Business warned of massive ransomware campaign

Cyber security researchers are urging businesses to prepare for ransomware attacks after the discovery of a massive cyber attack campaign

Cyber security researchers are urging businesses to prepare for ransomware attacks after the discovery of a massive cyber attack campaign

Businesses should ensure employees are aware of the dangers of email attachments in the light of evidence of large scale ransomware distribution campaigns.

On 28 August, more than 23 million email messages were sent in just 24 hours with malicious attachments containing variants of the Locky ransomware, according to researchers at AppRiver.

As a first line of defence, businesses are urged to inform employees of the ransomware risks associated with email attachments.

Businesses are advised to pay particular attention to raising awareness among employees who have access to sensitive data with high business impact.

In the second quarter of 2017, ransomware was the most popular form of malware, with 68% of all malicious email messages bearing some variant of ransomware, according to security firm Proofpoint.

In particular, email recipients should be wary of any attachments to email with the subject such as: please print, documents, photo, images, scans, pictures, and payment.

Some of the latest Locky campaings send emails appearing to be from the targeted organisationís scanner, printer or other legitimate source, warns Comodo Threat Intelligence Lab.

The latest versions of the Locky ransomware are typically downloaded by a Visual Basic Script file in a ZIP file nested in another ZIP file as soon as the attachment is clicked.

Locky then encrypts all files on the system before instructing the victim to install the TOR browser and visit a .onion (Darkweb) site to process payment of .5 Bitcoins worth around $2,150.

Once the ransom payment is made the attackers promise a redirect to the decryption service, but the consensus among law enforcement and security industry representatives is to advise against payment because there is no guarantee the files will be decrypted or that the attackers will not strike again.

As there are currently no publicly shared methods to reverse the latest Locky variants, security researchers say employee awareness is paramount.

As a second line of defence, businesses are advised to ensure they have systems in place that can block spoofed emails and detect new variants of malware such as advanced analysis at the email gateway.

However, with each resurgence of Locky, the ransomware has continued to evolve to evade enterprise security defences, making it notoriously difficult to detect.

In the latest round of Locky ransomware campaigns that started around 9 August 2017, some Locky variants include sandbox evasion capabilities, according to security researchers at Malwarebytes Labs.

Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ìEnable Contentî button.

Sandboxes will not help the cyber security risks

For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.

However, Malwarebytes researcher Marcelo Rivero discovered that some of the latest versions of Locky do not simply trigger by running the macro itself, but wait until the fake Word document is closed by the user before it starts to invoke a set of command to download the ransomware and issue the ransom demand.

‘While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen,’ Rivero and colleague JÈrÙme Segura wrote in a blog post.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139