Explosion in digital commerce pushed fraud incentive levels sky-high

A rise in consumer digital traffic has corresponded with a rise in fraud attacks, Arkose Labs reveals. As the year progresses and more people than ever are online, historically ‘normal’ online behavioral patterns are no longer applicable and holiday levels of digital traffic continue to occur on a near daily basis.


Fraudsters are exploiting old fraud modeling frameworks that fail to take today’s realities into account, attempting to blend in with trusted traffic and carry out attacks undetected.

“As the world becomes increasingly digital as a result of COVID-19, fraudsters are deploying an alarming volume of attacks, and continually devising new and more sophisticated ways of carrying out their attacks,” said Vanita Pandey, VP of Marketing and Strategy at Arkose Labs.

“The high fraud levels that accompany high traffic volumes are likely here to stay, even after the pandemic ends. It’s crucial that businesses are aware of the top attack trends so that they can be more vigilant than ever to successfully identify and stop fraud over the long-term.”

Bot attacks and credential stuffing skyrocket

Q3 of 2020 saw its highest ever levels of bot attacks. 1.3 billion attacks were detected in total, with 64% occurring on logins and 85% emanating from desktop computers.

Due to the widespread availability of usernames, email addresses and passwords from years of data breaches, as well as easy access to automated tools to carry out attacks at scale, credential stuffing emerged as a main driver of attack traffic. 770 million automated credential stuffing attacks were detected and stopped by Arkose Labs in Q3.

For ecommerce, every day is Black Friday

The rise in digital traffic for most of 2020 means businesses have been dealing with holiday season levels of traffic since March. With every day now resembling Black Friday, some retailers are better equipped to handle the onslaught of holiday season traffic and fraud.

However, it remains to be seen if a holiday sales bump will occur this year, given already record high traffic levels for many ecommerce businesses.

While much of 2019 saw a marked shift from automated attacks to human sweatshop-driven attacks, automated attacks dominated much of 2020, with Q3 seeing a particularly high spike. This trend is likely to revert back to more targeted attacks in Q4, as during the holiday shopping season fraudsters typically employ low-cost attackers to commit attacks that require human nuance and intelligence.

Europe emerges as the top attacking region

Nearly half of all attacks in Q3 of 2020 originated from Europe, with over 10 million sweatshop attacks coming from Russia and 7 million coming from the United Kingdom.

Many European countries, such as the United Kingdom, France, Italy and Germany, are among those whose GDP shrank the most since the global pandemic began. A surge in attacks from nations suffering the biggest dips in economic output highlights the economic drivers that spur fraud.

Pandey said, “COVID-19 has sent the world into turmoil, upending digital traffic patterns and introducing long-lasting consequences. Habits formed during 2020 – namely conducting commerce, school, work and even socializing entirely online – will be difficult to let go of, so fraud teams must be capable of quickly cutting through digital traffic noise and spotting even the most subtle signs of attacks. In particular, using targeted friction to deter malicious activity will be key in the months and years ahead.”

Healthcare organizations are sitting ducks for attacks and breaches

Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimated that 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.


Black Book Market Research surveyed 2,464 security professionals from 705 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyberattacks.

Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.

The healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026: $18 billion in 2021, increasing 20% each year to nearly $37 billion in 2026. Even so, 82% of CIOs and CISOs in health systems surveyed in Q3 2020 agree that cybersecurity dollars were not allocated effectively before their tenure: spending often came only after breaches, and without a full gap assessment of capabilities led by senior management outside of IT.

Talent shortage for cybersecurity pros continues

Additionally, 291 healthcare industry human resources executives were surveyed to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70% longer to fill than other IT jobs.

Health systems are struggling to fill positions that require cybersecurity-related skills: vacancy durations reported by survey HR respondents average about 118 days, nearly three times the national average for other industries.

“The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position,” said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.

Seventy-five percent of the sixty-six health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path, for one main reason.

More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and its financial and reputational impact on the provider organization, despite having extremely limited technology decision-making or policy-making authority.

COVID-19 has greatly increased risk of data breaches

Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks.

The survey found that 90% of health system and hospital employees who shifted to working at home due to the pandemic did not receive any updated guidelines or training on the increased risk that accessing sensitive patient data remotely could compromise systems.

“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem,” said Locastro.

Forty percent of all clinical hospital employees still receive little or no cybersecurity awareness training in 2020, beyond initial education on login access.

Fifty-nine percent of health system CIOs surveyed are shifting security strategies to address user authentication and access, since these have become the go-to entry point for hackers and malicious incidents targeting health systems in 2020.

Stolen and compromised credentials were ongoing issues for 53% of health systems surveyed as hackers are increasingly using cloud misconfigurations to breach networks.

Cybersecurity consulting and advisory services are in high demand

Sixty-nine percent of 219 C-Suite respondents state their health system’s budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.

“In today’s highly competitive cybersecurity market there isn’t enough talent to staff hospitals and health systems,” said Locastro.

“As provider organizations struggle to recruit, hire and retain in-house staff, the plausible choice is retaining an experienced advisory firm that is capable of identifying and remediating hidden security vulnerabilities, which appeals to the strategic and economic sense of boards and CEOs.”

Healthcare cybersecurity challenges find resolutions from outsourced services

“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Locastro. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”

That shortage of healthcare cybersecurity professionals, combined with a lack of appropriate technology solutions in place, is forcing a rush to acquire services and outsourcing at five times the pace of acquisition of cybersecurity products and software solutions.

Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.

“The key place to start when choosing a cybersecurity services vendor is to understand your threat landscape, understand the types of services vendors offer, and compare that to your organization’s risk framework to select your best-suited vendor,” said Locastro.

“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”

Fifty-one percent of in-house IT management respondents with purchasing authority report their group is not aware of the full variety of cybersecurity solution sets that exist, particularly mobile security environments, intrusion detection, attack prevention, forensics and testing in various healthcare settings.

Cybersecurity in healthcare provider organizations remains underfunded

The amount actually spent on healthcare industry cybersecurity products and services is increasing, averaging 21% year over year since 2017. Extended estimates project that nearly $140 billion will be spent by health systems and health insurers by 2026.

However, 82% of hospital CIOs in inpatient facilities under 150 staffed beds and 90% of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.

“Outdated IT systems, fewer cybersecurity protocols, untrained IT staff on evolving security skills, and data-rich patient files are making healthcare the current target of hacker attacks,” said Locastro. “And the willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records.”

“Threats are now four times more likely to be centered on healthcare than any other industry, and ransomware attacks are increasing in popularity because of the amount of privileged information the hacker can obtain,” said Locastro.

“Providers at the point-of-care haven’t kept pace with the cybersecurity progress and tools that manufacturers, IT software vendors, and the FDA have made either.”

Healthcare consumers willing to change providers if patient privacy was compromised

Eighty percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing number of data breaches in the healthcare industry in 2020.

Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.

“Medical and financial leaders have wielded more influence over organizational budgets and made it difficult for IT management to implement needed cybersecurity practices despite the existing environment, but now consumers are beginning to react negatively to the provider’s lack of protection solutions.”

A poll of 3,500 healthcare consumers who used medical or hospital services in the last eighteen months revealed that 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.

Researchers discover POS backdoor targeting the hospitality industry

ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS (point-of-sale) – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide.


The majority of the identified targets were from the United States.

Containing a custom algorithm

What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.

Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.

“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” cautions ESET researcher Martin Smolár, who discovered ModPipe.

“Probably the most intriguing parts of ModPipe are its downloadable modules. We’ve been aware of their existence since the end of 2019, when we first found and analyzed its basic components,” explains Smolár.


Downloadable modules

  • GetMicInfo targets data related to the MICROS POS, including passwords tied to two database usernames predefined by the manufacturer. This module can intercept and decrypt these database passwords, using a specifically designed algorithm.
  • ModScan 2.20 collects additional information about the installed MICROS POS environment on the machines by scanning selected IP addresses.
  • ProcList, whose main purpose is to collect information about the processes currently running on the machine.

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market,” adds Smolár.

What can you do?

To keep the operators behind ModPipe at bay, potential victims in the hospitality sector as well as any other businesses using the RES 3700 POS are advised to:

  • Use the latest version of the software.
  • Use it on devices that run an up-to-date operating system and software.
  • Use reliable multilayered security software that can detect ModPipe and similar threats.

Fraudsters increasingly creative with names and addresses for phishing sites

COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.


The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.

The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.

Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.

The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.

“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.

“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”

Names and addresses of phishing sites

As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.

In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.

Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.

By tracking the theft of credentials through to use in active attacks, criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.

Meanwhile, cybercriminals also got more ruthless in their bid to hijack reputable, albeit vulnerable, URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4.7% in 2017.

Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.
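The certificate transparency analysis, brand-name abuse and free ccTLD findings above lend themselves to a defender-side triage filter. The following is an added example, not F5 Labs' code: it scores CT log entries (in the JSON shape crt.sh returns, a constructed sample here) on pandemic keywords, impersonated brand strings and free ccTLDs, and computes the month-over-month growth the report cites. The brand-owned domain allowlist, thresholds and scoring weights are assumptions.

```python
from collections import Counter
from datetime import datetime

# Added example (not the report's code): triage CT log entries using the three
# signals the F5 Labs report describes.
PANDEMIC_TERMS = ("covid", "corona")
# Brands the report lists among the most impersonated; "microsoft" stands in
# for "Microsoft Office" because "office" alone matches too many benign hosts.
IMPERSONATED_BRANDS = ("amazon", "paypal", "apple", "whatsapp", "microsoft",
                       "netflix", "instagram")
# Free ccTLDs offered by registrars such as Freenom, per the report.
FREE_CCTLDS = (".tk", ".ml", ".ga", ".cf", ".gq")
# Assumed allowlist of domains the brands actually own; a real deployment
# would maintain this list properly.
BRAND_OWNED_DOMAINS = {"amazon.com", "paypal.com", "apple.com", "whatsapp.com",
                       "microsoft.com", "netflix.com", "instagram.com"}

# Constructed sample in the shape of crt.sh JSON output: one entry per
# certificate, all SANs in name_value separated by newlines.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "not_before": "2020-02-10T08:00:00", "name_value": "shop.example.com"},
    {"id": 2, "not_before": "2020-02-20T08:00:00", "name_value": "covid-update.example.net"},
    {"id": 3, "not_before": "2020-03-02T08:00:00",
     "name_value": "*.corona-relief-fund.tk\ncorona-relief-fund.tk"},
    {"id": 4, "not_before": "2020-03-05T08:00:00", "name_value": "amazon-covid19-login.ml"},
    {"id": 5, "not_before": "2020-03-11T08:00:00", "name_value": "www.paypal.com\npaypal.com"},
    {"id": 6, "not_before": "2020-03-15T08:00:00",
     "name_value": "paypal-secure-verify.example.org"},
    {"id": 7, "not_before": "2020-03-20T08:00:00", "name_value": "news.corona.example.com"},
]


def hostnames(entry):
    """Normalise the SAN list: lowercase, strip the wildcard prefix, drop duplicates."""
    seen = []
    for raw in entry["name_value"].split("\n"):
        host = raw.strip().lower()
        if host.startswith("*."):
            host = host[2:]
        if host and host not in seen:
            seen.append(host)
    return seen


def registered_domain(host):
    """Naive registrable domain (last two labels); enough for the sample data."""
    return ".".join(host.split(".")[-2:])


def score_entry(entry):
    """Return the signals found for one certificate plus a simple additive score."""
    signals = {"pandemic_term": False, "brands": [], "free_cctld": False}
    for host in hostnames(entry):
        if any(term in host for term in PANDEMIC_TERMS):
            signals["pandemic_term"] = True
        if host.endswith(FREE_CCTLDS):
            signals["free_cctld"] = True
        for brand in IMPERSONATED_BRANDS:
            # A brand string inside a hostname the brand does not own is the
            # "target brand name in the website address" pattern the report counts.
            if brand in host and registered_domain(host) not in BRAND_OWNED_DOMAINS:
                if brand not in signals["brands"]:
                    signals["brands"].append(brand)
    signals["score"] = (2 * signals["pandemic_term"] + 3 * len(signals["brands"])
                        + 1 * signals["free_cctld"])
    return signals


def monthly_pandemic_cert_counts(entries):
    """Count certificates per month (by not_before) whose names use a pandemic term."""
    counts = Counter()
    for entry in entries:
        if score_entry(entry)["pandemic_term"]:
            month = datetime.fromisoformat(entry["not_before"]).strftime("%Y-%m")
            counts[month] += 1
    return counts


def percent_increase(previous, current):
    """Month-over-month growth expressed as the report does (e.g. 1102%)."""
    if previous == 0:
        return float("inf") if current else 0.0
    return (current - previous) / previous * 100.0


def triage(entries, threshold=3):
    """Ids of entries whose score reaches the threshold, highest score first."""
    scored = [(score_entry(e)["score"], e["id"]) for e in entries]
    return [cert_id for score, cert_id in sorted(scored, reverse=True) if score >= threshold]


if __name__ == "__main__":
    counts = monthly_pandemic_cert_counts(SAMPLE_CT_ENTRIES)
    print(dict(counts), percent_increase(counts["2020-02"], counts["2020-03"]))
    print("flagged certificate ids:", triage(SAMPLE_CT_ENTRIES))
```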

Hiding in plain sight

2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).

Combining incidents from 2019 and 2020, 55.3% of drop zones were additionally reported to use a non-standard SSL/TLS port. Port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.

The future of phishing

According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.

As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms.

This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.

Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.

Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.

Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.

Recent real-time phishing proxies in active use include Modlishka and Evilginx2.

“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.

“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”

63 billion credential stuffing attacks hit retail, hospitality, travel industries

Akamai published a report detailing criminal activity targeting the retail, travel, and hospitality industries with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.


“Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Recirculating old credential lists to identify new vulnerable accounts

During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report.

It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.

Between July 2018 and June 2020, more than 100 billion credential stuffing attacks were observed in total. In the commerce category – comprising the retail, travel, and hospitality industries – there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.

Credential stuffing isn’t the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks.

Between July 2018 and June 2020, 4,375,711,860 web attacks against retail, travel, and hospitality were observed, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone.

SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.


The holiday shopping season altered by the pandemic

As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They’re going to log in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.

Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual’s loyalty to a merchant, airline, or hotel chain might not literally be for sale, there’s a good chance the account associated with such programs might be.

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan concluded.

“Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

Credential stuffing is just the tip of the iceberg

Credential stuffing attacks are taking up a lot of the oxygen in cybersecurity rooms these days. A steady blitz of large-scale cybersecurity breaches in recent years has flooded the dark web with passwords and other credentials that are used in subsequent attacks, such as those on Reddit and State Farm, as well as in widespread efforts to exploit the remote work and online get-togethers resulting from the COVID-19 pandemic.


But while enterprises are rightly worried about weathering a hurricane of credential-stuffing attacks, they also need to be concerned about more subtle, but equally dangerous, threats to APIs that can slip in under the radar.

Attacks that exploit APIs, beyond credential stuffing, can start small with targeted probing of unique API logic, and lead to exploits such as the theft of personal information, wholesale data exfiltration or full account takeovers.

Unlike automated flood-the-zone, volume-based credential attacks, other API attacks are conducted almost one-to-one and carried out in elusive ways, targeting the distinct vulnerabilities of each API, making them even harder to detect than attacks happening on a large scale. Yet they’re capable of causing as much, if not more, damage. And they’re becoming more and more prevalent with APIs being the foundation of modern applications.

Beyond credential stuffing

Credential stuffing attacks are a key concern for good reason. High profile breaches—such as those of Equifax and LinkedIn, to name two of many—have resulted in billions of compromised credentials floating around on the dark web, feeding an underground industry of malicious activity. For several years now, about 80% of breaches that have resulted from hacking have involved stolen and/or weak passwords, according to Verizon’s annual Data Breach Investigations Report.

Additionally, research by Akamai determined that three-quarters of credential abuse attacks against the financial services industry in 2019 were aimed at APIs. Many of those attacks are conducted on a large scale to overwhelm organizations with millions of automated login attempts.

The majority of threats to APIs move beyond credential stuffing, which is only one of many threats to APIs as defined in the 2019 OWASP API Security Top 10. In many instances they are not automated, are much more subtle and come from authenticated users.

APIs, which are essential to an increasing number of applications, are specialized entities performing particular functions for specific organizations. Someone exploiting a vulnerability in an API used by a bank, retailer or other institution could, with a couple of subtle calls, dump the database, drain an account, cause an outage or do all kinds of other damage to impact revenue and brand reputation.

An attacker doesn’t even have to necessarily sneak in. For instance, they could sign on to Disney+ as a legitimate user and then poke around the API looking for opportunities to exploit. In one example of a front-door approach, a researcher came across an API vulnerability on the Steam developer site that would allow the theft of game license keys. (Luckily for the company, he reported it—and was rewarded with $20,000.)

Most API attacks are very difficult to detect and defend against since they’re carried out in such a clandestine manner. Because APIs are mostly unique, their vulnerabilities don’t conform to any pattern or signature that would allow common security controls to be enforced at scale. And the damage can be considerable, even coming from a single source. For example, an attacker exploiting a weakness in an API could launch a successful DoS attack with a single request.

API DoS

Rather than the more common DDoS attack, which floods a target with requests from many sources via a botnet, an API DoS can happen when the attacker manipulates the logic of the API, causing the application to overwork itself. If an API is designed to return, say, 10 items per request, an attacker could change that value to 10 million, using up all of an application’s resources and crashing it—with a single request.
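The page-size abuse just described is easiest to see as a vulnerable handler beside a hardened one. The following is an added example, not code from the original article: the item store, parameter names, caps and audit log shape are assumptions, and the hardened handler both bounds the request and records oversize requests so that probing of the API logic leaves a detection signal.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not the article's code). Assumed server-side bounds.
DEFAULT_LIMIT = 10
MAX_LIMIT = 100
MAX_OFFSET = 10_000

# Constructed catalogue standing in for a database table.
ITEMS = [{"id": i, "name": f"item-{i}"} for i in range(1, 251)]


class BadRequest(ValueError):
    """Raised for a request that should get HTTP 400 instead of being served."""


@dataclass
class Page:
    items: List[dict]
    next_offset: Optional[int]
    clamped: bool


def list_items_vulnerable(query: dict) -> List[dict]:
    """Trusts the client's 'limit' outright. With a real database this becomes
    an unbounded LIMIT clause, and a single request for 10,000,000 rows makes
    the server materialise and serialise everything it has."""
    limit = int(query.get("limit", DEFAULT_LIMIT))
    offset = int(query.get("offset", 0))
    return ITEMS[offset:offset + limit]


def parse_pagination(query: dict):
    """Return (limit, offset, clamped): integers bounded by the server's caps,
    rejecting non-integers, negatives and a zero limit."""
    def to_int(name: str, default: int) -> int:
        raw = query.get(name, default)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise BadRequest(f"{name} must be an integer") from None
        if value < 0:
            raise BadRequest(f"{name} must not be negative")
        return value

    limit = to_int("limit", DEFAULT_LIMIT)
    offset = to_int("offset", 0)
    if limit == 0:
        raise BadRequest("limit must be at least 1")
    clamped = limit > MAX_LIMIT or offset > MAX_OFFSET
    return min(limit, MAX_LIMIT), min(offset, MAX_OFFSET), clamped


def validate_only(query: dict) -> Optional[str]:
    """Error message for a malformed pagination request, or None if acceptable."""
    try:
        parse_pagination(query)
    except BadRequest as exc:
        return str(exc)
    return None


def list_items_hardened(query: dict, audit_log: Optional[list] = None) -> Page:
    """Serve at most MAX_LIMIT items and log any request that asked for more:
    a client repeatedly sending limit=10000000 is worth alerting on."""
    limit, offset, clamped = parse_pagination(query)
    if clamped and audit_log is not None:
        audit_log.append({"event": "pagination_clamped",
                          "limit": query.get("limit"), "offset": query.get("offset")})
    items = ITEMS[offset:offset + limit]
    next_offset = offset + limit if offset + limit < len(ITEMS) else None
    return Page(items=items, next_offset=next_offset, clamped=clamped)


if __name__ == "__main__":
    log: list = []
    print(len(list_items_vulnerable({"limit": "10000000"})), "items served by the vulnerable handler")
    page = list_items_hardened({"limit": "10000000"}, log)
    print(len(page.items), "items served by the hardened handler; audit:", log)
```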

Credential stuffing attacks present security challenges of their own. With easy access to evasion tools—and with their own sophistication improving dramatically – it’s not difficult for attackers to disguise their activity behind a mesh of thousands of IP addresses and devices. But credential stuffing nevertheless is an established problem with established solutions.

How enterprises can improve

Enterprises can scale infrastructure to mitigate credential stuffing attacks or buy a solution capable of identifying and stopping the attacks. The trick is to evaluate large volumes of activity and block malicious login attempts without impacting legitimate users, and to do it quickly, identifying successful malicious logins and alerting users in time to protect them from fraud.

Enterprises can improve API security first and foremost by identifying all of their APIs including data exposure, usage, and even those they didn’t know existed. When APIs fly under security operators’ radar, otherwise secure infrastructure has a hole in the fence. Once full visibility is attained, enterprises can more tightly control API access and use, and thus, enable better security.

CIOs prioritizing IAM over endpoint security and security awareness training

CIOs are prioritizing identity and access management (IAM) over endpoint security and security awareness training in 2020, according to a Hitachi ID survey.


The survey, focused on changes in IT spending in the wake of the coronavirus pandemic, reveals that cybersecurity is IT leaders’ top focus for the rest of the year—and half of those surveyed are increasing their budgets to support their goals.

The pandemic has upended most businesses’ 2020 plans, with 70% of CIOs reporting their long-term priorities have shifted since the start of the year. Now, 89% said they’re focused on cybersecurity, while 82% are working on remote enablement.

Their goals reflect these new priorities: 86% said they’re aiming to improve security standards across their environment, while 80% are making their tech stack more flexible for remote and on-premise users. In addition, 75% said they were hoping to keep their IT infrastructure and tool stack up to date.

CIOs expect their budgets to increase in 2020

While budgets are tight for half the respondents, who don’t expect an increase in spending, the other half of CIOs expect their budgets to increase in 2020 to reflect shifts in IT. Some 33% anticipated a 5% increase, 13% foresaw a 5-10% increase, and 9% expected an increase greater than 10%.

To achieve their security and remote enablement goals, 43% of CIOs are investing in IAM, ahead of endpoint security (34%) and security awareness training (17%).

“Prioritizing IAM makes sense. CIOs have been waking up to the fact that most hackers don’t break down the gate—they just unlock it because they already have the keys,” said Kevin Nix, CEO at Hitachi ID.

“Bad actors have been focused on stolen credentials, phishing attacks, and social engineering, especially since the pandemic forced so many employees to work remotely. We’ve seen a new urgency among companies looking for IAM solutions. Last year, businesses might plan to adopt IAM over a year or two. Now they need it next quarter.”


Other findings

  • 67% of CIOs say they’re more willing to invest in emerging technologies
  • 88% of respondents at companies with 500-1000 employees were planning to invest in emerging technology, the most of any size category. Just 45% of those at companies with 5,000 to 10,000 employees said the same, the lowest of any category.
  • 87% would consider emerging security technology in 2020, while 71% would consider emerging AI and machine learning technology

20% of credential stuffing attacks target media companies

The media industry suffered 17 billion credential stuffing attacks between January 2018 and December 2019, according to a report from Akamai.


The apparent fourfold increase in attacks is partly attributable to the enhanced visibility into the threat landscape.

The report found that 20% of the 88 billion total credential stuffing attacks observed during the reporting period targeted media companies.

Media companies present an attractive target

Media companies present an attractive target for criminals according to the report, which reveals a 63% year-over-year increase in attacks against the video media sector.

The report also shows 630% and 208% year-over-year increases in attacks against broadcast TV and video sites, respectively. At the same time, attacks targeting video services are up 98%, while those against video platforms dropped by 5%.

The marked uptick in attacks aimed at broadcast TV and video sites appears to coincide with an explosion of on-demand media content in 2019. In addition, two major video services launched last year with heavy support from consumer promotions. These types of sites and services are well aligned with the observed goals of the criminals who target them.

Much of the value in media industry accounts lies in the potential access to both compromised assets, such as premium content, and personal data, according to Steve Ragan, author of the report.

“We’ve observed a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages. Once the criminals get a hold of the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie,” Ragan explained in the report.

Attacks targeting published content

Video sites are not the sole focus of credential stuffing attacks within the media industry, however. The report notes a 7,000% increase in attacks targeting published content.

Newspapers, books and magazines sit squarely within the sights of cybercriminals, indicating that media of all types appear to be fair game when it comes to these types of attacks.

The United States was by far the top source of credential stuffing attacks against media companies with 1.1 billion in 2019, an increase of 162% over 2018. France and Russia were a distant second and third with 3.9 million and 2.4 million attacks, respectively.

India was the most targeted country in 2019, enduring 2.4 billion credential stuffing attacks. It was followed by the United States at 1.4 billion and the United Kingdom at 124 million.

“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” Ragan explained.

“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”


Some of the shuffling of top target areas in Q1 2020 correlates with the effects of the pandemic lockdowns in various parts of the world.

Spike in malicious login attempts against European broadcasters

There was a large spike in malicious login attempts against European video service providers and broadcasters during the first quarter of 2020. One attack in late March, after many isolation protocols had been instituted, directed nearly 350,000,000 attempts against a single service provider over a 24-hour period.

Separately, one broadcaster well known across the region, was hit with a barrage of attacks over the course of the quarter with peaks that ranged in the billions.

Another noteworthy trend during the first quarter was the number of criminals sharing free access to newspaper accounts. Often offered as self-promotional vehicles, credential stuffing campaigns must still be initiated in order to steal the working username and password combinations that are given away.

Researchers also observed a decline in the cost of stolen account credentials over the course of the quarter, which traded for approximately $1 to $5 at the start and $10 to $45 for package offers of multiple services. Those prices fell as new accounts and lists of recycled credentials populated the market.

70% of organizations experienced a public cloud security incident in the last year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.


Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.

“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.

“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”

The unintentional open door: How attackers break in

Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.

Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.

Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.
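The two findings above (overprivileged IAM roles and MFA left disabled) are the kind of thing a policy linter can catch before deployment. The following is an added example, not code from Sophos or the report; it assumes the AWS IAM JSON policy document format, and the two sample policies in it are constructed for the demo.

```python
"""Lint cloud IAM policy documents for over-privilege and missing MFA conditions.

Added example (not from the Sophos report). It assumes the AWS IAM JSON
policy format; the two sample policies below are constructed for the demo.
"""
import json

# Constructed sample: the kind of "overprivileged" role the report counts.
OVERPRIVILEGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: a least-privilege statement that also requires MFA.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement is gated on aws:MultiFactorAuthPresent == true."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return (sid, severity, message) findings for every Allow statement."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = statement.get("Sid", f"statement[{index}]")
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))

        # NotAction grants everything except the listed actions: treat it as a wildcard.
        wildcard_action = "NotAction" in statement or any(
            a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)

        if wildcard_action and wildcard_resource:
            findings.append((sid, "HIGH", "wildcard action on wildcard resource"))
        elif wildcard_action:
            findings.append((sid, "MEDIUM", "service-wide or global wildcard action"))
        elif wildcard_resource:
            findings.append((sid, "MEDIUM", "action allowed on every resource"))

        if not _requires_mfa(statement):
            findings.append((sid, "LOW", "no MFA condition on the grant"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overprivileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy))
```

The MFA check is a policy-level proxy: a role can be constrained with a condition key even where the account itself has no MFA enforcement, so the linter reports its absence as a low-severity reminder rather than a hard failure.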


Public cloud security incident: The silver lining

96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.

Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.

How much is your data worth on the dark web?

Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs.


  • Online banking logins cost an average of $35
  • Full credit card details including associated data cost $12-20
  • A full range of documents and account details allowing identity theft can be obtained for $1,500

Forged documents including driving licenses, passports, and auto-insurance cards can be ordered to match stolen data.

The research team scanned dark web marketplaces, forums, and websites, to create the price index for a range of products and services relating to personal data, counterfeit documents, and social media.

Online banking logins cost an average of $35

Online banking credentials typically include login information, as well as name and address of the account holder and specific details on how to access the account undetected.

Full credit card details including associated data costs: $12-20

Credit card details are usually formatted as a simple code that includes card number, associated dates and CVV, along with account holders’ data such as address, ZIP code, email address, and phone number.

A full range of documents and account details allowing identity theft can be obtained for $1285.

Criminals can switch the European ID for a U.S. passport for an additional $950, bringing the total to $2,235 for enough data and documents to do any number of fraudulent transactions.

Malware installation on compromised systems is prevalent

Remote installation of software on 1,000 computers at a time allows criminals to target the public with malware such as ransomware in various countries with a 70% success rate.

Stolen data is very easy to obtain

The general public needs to not only be aware of how prevalent the threat of identity theft is but also how to mitigate that threat by applying due diligence in all aspects of their daily lives.

Bad habits and risky behaviors put corporate data at risk

IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to SSH.


Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey verified that hybrid IT is on the rise and shows no signs of slowing down.

Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.

While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.

Cloud access solutions slowing down work

The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).

These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.

85 percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are further exacerbated by the fact that 60 percent of respondents use insecure methods to store their credentials and passwords, including email, non-encrypted files or folders, and paper.

“As businesses grow their cloud environments, secure access to the cloud will continue to be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.

“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”

Orgs using public internet networks

In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.

Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.


Permanent credentials are fundamentally risky as they provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost.

Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.

“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for the time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”

Account credentials of 26+ million LiveJournal users leaked online

A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums.


The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users.

After removing duplicates, Troy Hunt added the dump to the Have I Been Pwned? service, which users can query to check whether they’ve been affected. He dated the data dump to 2017 because the year was included in the dump’s file name.

When did the breach happen?

The story of this data breach and leak is an interesting one.

There have been rumors about a supposed LiveJournal breach for years, though the blogging platform, which is owned by Russian media company Rambler Media Group, never confirmed them.

Back in 2018, Hunt received reports about a sextortion campaign targeting LiveJournal users and using their passwords.

Denise Paolucci, one of the owners of Dreamwidth, an online journal service based on the LiveJournal codebase (and with a significant crossover in user base), said on Tuesday that the data dump has been available on the black market since at least October of 2018, when they first reported people getting spam extortion emails with passwords in them.

“Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” she explained.

“We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that’s circulating is real or fake. All we can say for certain is that none of the evidence we’ve seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”

Past and current LiveJournal users are advised to change their passwords to a new, long and unique one and to do the same on any other account where they used the same one.
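The advice above depends on users being able to find out whether a password they used has already surfaced in a dump. Have I Been Pwned’s Pwned Passwords range lookup lets a client do that without ever sending the password or its full hash: only the first five characters of the SHA-1 digest leave the machine. The following is an added example, not code from Have I Been Pwned, LiveJournal or Dreamwidth; it assumes the public range API format (SHA-1, five-character prefix, 35-character suffixes with counts), and the range responses and counts embedded in it are constructed so the demo runs offline.

```python
"""Check a password against a breach corpus with the k-anonymity range lookup.

Added example, not code from Have I Been Pwned or LiveJournal. The range
format (SHA-1, 5-character prefix sent, 35-character suffixes returned) is
the one the public Pwned Passwords API uses; the range responses below are
constructed for the demo and the counts in them are made up.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Only the first 5 hex characters leave the client; the rest is matched locally."""
    return digest[:5], digest[5:]


def parse_range(text: str):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank or malformed lines."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, lookup_range) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    lookup_range(prefix) must return the range body for that 5-char prefix.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(lookup_range(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used by the offline demo below."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range bodies keyed by prefix. "5BAA6" is the real prefix of
# SHA-1("password"); every count here is invented for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "A:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",   # suffix of SHA-1("password")
        "1E2CD2C5E1B8F6F5C9A7B2D1C3E4F5A6B7C:2",
        "not a valid line",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range() so the example runs without network access."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "kV7#plain-example-2020!"):
        print(candidate, "->", pwned_count(candidate, offline_lookup))
```

To run it against the live service, pass `fetch_range` instead of `offline_lookup`; the privacy property is the same either way, since the server only ever sees the five-character prefix.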

Less than a quarter of Americans use a password manager

A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals.


As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.

Do you use a password manager?

The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two and five passwords they reuse across accounts; and 4 percent use a single password across all accounts.

Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook.

“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO.

“Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”

A forgotten password can affect online purchases

The study shows that consumers struggle with maintaining their current passwords: 28 percent reported abandoning an online purchase because they forgot login information, and 26 percent reported being unable to check an account balance.

Forgotten usernames and passwords even affect new account openings: 13 percent said that it has stopped them from opening a new account with an existing provider.

This is a notable trend as consumers are more willing than ever to do business digitally. The study found that the majority of respondents would open a checking (52 percent) or mobile phone (64 percent) account online, while an overwhelming majority of respondents (82 percent) said they would open a credit card account online.

Consumers trusting physical and behavioral biometrics

However, while there is significant room to improve how consumers protect their login credentials, the survey also found that Americans are becoming more trusting of using physical and behavioral biometrics to secure their financial accounts.

The survey found that 78 percent of respondents said they would be happy for their bank to analyze behavioral biometrics – such as how you type – for security and 65 percent are happy to provide biometrics to their bank; while 60 percent are open to using fingerprint scans to secure their accounts.

Security alternatives

Additionally, when logging into their mobile banking apps, respondents are now considering alternative security measures beyond the traditional username and password. The five most widely used security alternatives are:

  • One-time passcode via SMS (53 percent)
  • One-time passcode via email (43 percent)
  • Fingerprint scan (39 percent)
  • Facial Scan (24 percent)
  • One-time passcode delivered and spoken to mobile phone (23 percent)

“Digital services are currently playing a critical role in daily life. It is a good time to evaluate how we protect ourselves and our information online,” said Lasher.

“Customers have been happy to adopt security such as one-time passcodes, and are now showing that they are willing to adopt additional options, such as biometrics, to protect their accounts.

“There are no magic bullets and the ability to layer and deploy multiple authentication methods appropriate to each occasion is key. Financial services organizations and consumers need to continue to keep security best practices top of mind to help combat fraudsters now and in the future.”

99% of enterprise users reuse passwords across accounts

Very few users take appropriate action to significantly reduce the risk of password compromise, according to a Balbix report.


The study found that more than 99% of enterprise users reuse passwords, either across work accounts, or between work and personal accounts. Password reuse is widely prevalent due to the desire for convenience and speed when navigating various accounts. The report also discovered that on average, every single user password is shared across 2.7 accounts.

What’s more, the average user has more than 8 passwords shared between accounts, with 7.5 passwords shared between work and personal accounts and 0.8 passwords shared between internal and SaaS accounts.

“The rapid shift to remote work as a result of COVID-19 has simultaneously shifted the balance of control away from IT and towards employees,” said Abe Smith, cybersecurity veteran with decades of information security leadership roles in the Bay Area.

“Even well-intentioned users won’t have identity best practices, such as multifactor authentication and avoiding password reuse, in mind when adopting new tools. Security teams must find ways to automate identification of password risks.”

Compromised credentials, a widespread issue

Breaches caused by compromised credentials are not the result of a small minority of users with poor password hygiene – they are the result of a widespread issue. The report determined the key password related issues most responsible for the overall breach risk to the enterprise. They are listed in order of greatest risk below:

  • Weak and default system passwords on domain controllers and other infrastructure components and services
  • Cached credentials for logging into mission critical systems
  • Privileged user machines with a high likelihood of breach logging into core servers
  • Password reuse between work and personal accounts

Organizations have the least control over passwords

Considering different aspects of security, organizations have the least control over passwords. Users desire a high level of convenience, and while this is a common human behavior, organizations still must prioritize the issue of poor password hygiene to remediate associated risk.

“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of Balbix.

“In order to transform cyber security posture and increase overall resilience, enterprises must systematically address the weaknesses in their password strategies, adopting proven technologies such as multifactor authentication and password managers.”

Phishers exploiting employees’ layoff, payroll concerns

A few days ago, we outlined several phishing campaigns going after Zoom and WebEx credentials of employees. Two new ones are trying to exploit their (at the moment very rational) fears by delivering fake “Zoom meeting about termination” emails and fake notifications about COVID-19 stimulus/payroll processing.

Phishing for Zoom credentials

Spotted by Abnormal Security, one phishing campaign comes in the form of emails seemingly coming from the organization’s Human Resources department, urging the recipient to attend a Zoom meeting scheduled to start in a few minutes:


The purported topic of the meeting? The employee’s termination.

The provided link takes the victim to a spoofed Zoom login page hosted on zoom-emergency.myftp.org.

“The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials,” the company notes.

“Frequent Zoom users would look at the login page, think their session has expired, and attempt to sign in again. They would be more likely to input their login credentials without checking the abnormalities in the phishing page such as the URL or non-functioning links.”
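The one abnormality that survives a pixel-perfect copy of the login page is the host name, which is why mail filters and browser extensions check links against a list of the brand’s real domains rather than the page’s appearance. The following is an added example of that check, not code from Abnormal Security or Zoom. The allow-list it uses is an assumption for the demo (zoom.us for Zoom, webex.com for Webex), and its registrable-domain extraction is the naive “last two labels” rule, which is wrong for two-part public suffixes such as co.uk and would need a public-suffix list in production. The sample links are constructed; the first is the phishing host named in the article.

```python
"""Flag brand-lookalike login URLs such as the spoofed Zoom page described above.

Added example, not Abnormal Security's or Zoom's code. The allow-list of
legitimate domains is an assumption for the demo (zoom.us for Zoom,
webex.com for Webex); registrable-domain extraction is the naive
"last two labels" rule, which is wrong for two-part public suffixes such
as co.uk and would need a public-suffix list in production.
"""
from urllib.parse import urlparse

BRAND_DOMAINS = {
    "zoom": {"zoom.us"},
    "webex": {"webex.com"},
}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels (assumption, see module docstring)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, brand_domains=BRAND_DOMAINS):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unrelated'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ("unrelated", None)
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can hide homoglyphs; flag without attributing a brand
        return ("lookalike", None)
    reg = registrable_domain(host)
    # Strip separators so "zoom-emergency" and "zoom_login" both reveal the brand token
    flat_host = host.replace("-", "").replace("_", "")
    for brand, legit in brand_domains.items():
        if reg in legit:
            return ("legitimate", brand)
        if brand in flat_host:
            return ("lookalike", brand)
    return ("unrelated", None)


# Constructed sample of links a mail filter might see; the first one is the
# phishing host named in the article.
SAMPLE_LINKS = [
    "https://zoom-emergency.myftp.org/signin",
    "https://zoom.us/j/123456789",
    "https://zoom.us.verify-session.example/login",
    "https://example.com/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_url(link))
```

The third sample shows why the check is on the registrable domain and not on the start of the host: a host that begins with the real brand domain but ends somewhere else is still a lookalike. The brand-token test will also flag unrelated sites whose names happen to contain the string, which is the usual trade-off for a filter that errs on the side of review.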

Phishing to deliver malware

The second phishing campaign is made to look like an email from an outsourced HR contractor informing employees of additional stimulus being provided to them and asking recipients to view the latest Payroll Report:


The email contains a link to a fake payroll report hosted on Google Docs, which contains another link inside it.

“The document claims that the report cannot be viewed on mobile devices, and that it can only be viewed via corporation desktop computers. However, this second link leads to a malware download,” the company shared.

“This attack utilizes growing concerns regarding employee payroll during the COVID-19 pandemic. Users are likely to read this message, and rush to claim their supposed stimulus while ignoring obvious red flags along the way. Whether this is a result of greed or desperation, attackers are able to manipulate users into downloading harmful files.”

Phishers exploit Zoom, WebEx brands to target businesses

Proofpoint researchers have spotted and documented email phishing campaigns targeting US companies in a variety of industries with emails impersonating Zoom and Cisco (WebEx).


Phishing emails impersonating Zoom and WebEx

“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint.

“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”

Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and asks them to activate it, or an email that claims that the user has missed a scheduled Zoom conference meeting.

In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.

The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”):


Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco). But there are always some recipients who panic, or are inattentive enough at the moment of reading, and will end up entering their login credentials.

The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.

Malware delivery campaign

The researchers have also spotted an email malware delivery campaign that does not impersonate the aforementioned developers of video conferencing solutions, but does exploit their widespread use.

The emails are made to look like they are coming from a potential client who asked for a quote, say the sender is available for a call via Zoom, and contain a booby-trapped Excel file in the attachment, supposedly containing the sender’s schedule.

To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.
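A mail gateway does not need to reverse the macro to stop this lure: in the Office Open XML format the VBA code is stored as a separate vbaProject.bin part inside the ZIP container, so its presence can be detected regardless of the file extension the sender chose. The following is an added example of that check, not code from Proofpoint; it assumes the OOXML part layout and the legacy OLE2 container signature, and the sample attachments are constructed in memory so it runs offline.

```python
"""Flag macro-bearing Office attachments before they reach a mailbox.

Added example, not Proofpoint's code. It assumes the Office Open XML layout,
where VBA code lives in a vbaProject.bin part inside the ZIP container, and
the legacy OLE2 container signature; the sample attachments are constructed
in memory so the demo runs offline.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
MACRO_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
OOXML_SUFFIXES = (".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm")


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML zip carries a VBA project, whatever its extension says."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & MACRO_PARTS)


def classify_attachment(filename: str, data: bytes) -> str:
    """'macro', 'legacy-ole', 'clean' or 'not-office', for gateway policy."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats need an OLE parser to tell macros apart; hold for inspection
        return "legacy-ole"
    if has_vba_project(data):
        return "macro"  # covers .xlsm and also an .xlsx renamed to hide the macro
    if data.startswith(b"PK") and filename.lower().endswith(OOXML_SUFFIXES):
        return "clean"
    return "not-office"


def build_ooxml(parts) -> bytes:
    """Construct a minimal zip with the given part names (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parts:
            zf.writestr(name, b"demo")
    return buf.getvalue()


# Constructed samples standing in for the "schedule" workbook from the article.
SAMPLE_MACRO_XLSM = build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])
SAMPLE_PLAIN_XLSX = build_ooxml(["[Content_Types].xml", "xl/workbook.xml"])
SAMPLE_LEGACY_XLS = OLE2_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    samples = (("schedule.xlsm", SAMPLE_MACRO_XLSM), ("schedule.xlsx", SAMPLE_MACRO_XLSM),
               ("quote.xlsx", SAMPLE_PLAIN_XLSX), ("old.xls", SAMPLE_LEGACY_XLS))
    for name, blob in samples:
        print(name, "->", classify_attachment(name, blob))
```

The verdict is driven by content, not by the extension: the second sample is the same macro-bearing workbook renamed to .xlsx and is still classified as "macro". Legacy OLE2 files are returned as their own class so that policy can route them to a deeper parser or quarantine rather than silently passing them.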

Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.

What type of data is trending on the dark web?

Fraud guides accounted for nearly half (49%) of the data being sold on the dark web, followed by personal data at 15.6%, according to Terbium Labs. Researchers surveyed three major dark web marketplaces: “The Canadian HeadQuarters”, “Empire Market” and “White House Market,” sorting all data listings into six categories: personal data, payment cards, financial accounts and credentials, non-financial accounts and credentials, fraud guides and fraud tools and templates. Dark web marketplaces mimic big box retailers …


Most credential abuse attacks against the financial sector targeted APIs

From May 2019 through the end of the year, there was a dramatic shift by criminals, who started targeting APIs in an effort to bypass security controls. According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.


According to the report’s findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed. Nearly 20 percent, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. Of these, 473,518,955 attacked organizations in the financial services industry.

A mix of API targeting, and other methodologies

But not all attacks were exclusively API focused. On August 7, 2019, the single largest credential stuffing attack against a financial services firm was recorded, consisting of 55,141,782 malicious login attempts.

This attack was a mix of API targeting, and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.
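Both the media-industry numbers earlier on this page and the API-focused runs described here share one detectable shape: a single source driving many failed logins for many different usernames in a short window, something an ordinary user mistyping a password never produces. The following is an added example of that detection over authentication logs, not Akamai’s own logic; the key=value log format and the RFC 5737 test addresses in the sample are constructed, and the thresholds are illustrative.

```python
"""Detect credential stuffing against a login API from authentication logs.

Added example, not Akamai's detection logic. The log format is a constructed
key=value line; the thresholds are illustrative. The signal is the one the
article describes: one source driving many failed logins for many distinct
usernames in a short window, here against an /api/ login endpoint.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"path=(?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log (RFC 5737 test addresses). 203.0.113.5 sprays many
# accounts at the API login; 198.51.100.7 is one person mistyping a password.
SAMPLE_LOG = """\
2020-08-07T10:00:01Z ip=203.0.113.5 path=/api/v1/login user=alice status=401
2020-08-07T10:00:02Z ip=203.0.113.5 path=/api/v1/login user=bob status=401
2020-08-07T10:00:02Z ip=198.51.100.7 path=/login user=carol status=401
2020-08-07T10:00:03Z ip=203.0.113.5 path=/api/v1/login user=carol status=401
2020-08-07T10:00:04Z ip=203.0.113.5 path=/api/v1/login user=dave status=401
garbage line the parser must skip
2020-08-07T10:00:05Z ip=203.0.113.5 path=/api/v1/login user=erin status=401
2020-08-07T10:00:06Z ip=198.51.100.7 path=/login user=carol status=401
2020-08-07T10:00:07Z ip=203.0.113.5 path=/api/v1/login user=frank status=401
2020-08-07T10:00:09Z ip=203.0.113.5 path=/api/v1/login user=grace status=200
2020-08-07T10:00:15Z ip=198.51.100.7 path=/login user=carol status=200
"""


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "path": m["path"],
        "user": m["user"],
        "failed": m["status"] in ("401", "403"),
    }


def detect_stuffing(log_text: str, window_seconds=60, min_failures=5, min_distinct_users=5):
    """Sliding window per source IP; returns {ip: summary} for sources over both thresholds."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(deque)
    flagged = {}
    for ev in events:
        q = window[ev["ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        failed = [e for e in q if e["failed"]]
        distinct = {e["user"] for e in failed}
        if len(failed) >= min_failures and len(distinct) >= min_distinct_users:
            summary = flagged.setdefault(ev["ip"], {
                "failures": 0, "distinct_users": 0,
                "api_endpoint": False, "success_after_spray": False})
            summary["failures"] = max(summary["failures"], len(failed))
            summary["distinct_users"] = max(summary["distinct_users"], len(distinct))
            summary["api_endpoint"] |= any(e["path"].startswith("/api/") for e in q)
            # a 200 from a source already spraying is a likely account takeover
            summary["success_after_spray"] |= not ev["failed"]
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Requiring both a failure count and a distinct-username count is what separates stuffing from a locked-out user: the 198.51.100.7 source fails twice against one account and is never flagged, while the API source trips both thresholds and is additionally marked because a success followed the spray. In production the per-IP key would be widened to cover sources rotating through proxies (ASN, JA3 fingerprint, or the session token), which the report’s attackers do.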

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, Akamai security researcher and principal author of the State of the Internet / Security report.

“Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”

Criminals exposing data through different methods

Indicative of this fluid attack dynamic, the report shows that criminals continue to seek to expose data through a number of methods, in order to gain a stronger foothold on the server and ultimately achieve success in their attempts.

SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was Local File Inclusion (LFI), with 47% of observed traffic.

LFI attacks exploit various scripts running on servers, and as a consequence, these types of attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (such as a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS) and DoS attacks.
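The scripts LFI abuses share one defect: they build a file path from user input and open it, so “../” sequences or an absolute path walk the request out of the intended directory. The hardened version resolves the path first, confirms it is still under the document root, and only serves an allow-listed extension. The following is an added example, not code from the Akamai report; the base directory in it is a placeholder and the sample requests are constructed.

```python
"""Resolve a user-supplied file name without letting it escape the document root.

Added example, not from the Akamai report. The naive pattern that LFI
exploits is open(base_dir + user_input): "../" sequences and absolute paths
walk out of base_dir. The hardened version below resolves the path, confirms
it is still under the root, and only serves an allow-listed extension.
The base directory is a placeholder path for the demo.
"""
from pathlib import Path

BASE_DIR = "/var/www/templates"              # placeholder document root
ALLOWED_SUFFIXES = {".html", ".txt"}


def safe_path(base_dir: str, requested: str):
    """Return the resolved Path inside base_dir, or None if the request is unsafe."""
    if not requested or "\x00" in requested:
        return None                             # NUL bytes truncate names in C-based runtimes
    base = Path(base_dir).resolve()
    # Joining an absolute component discards base, so the containment check
    # happens after resolve(), which also collapses ".." and symlinks.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)             # raises ValueError when outside the root
    except ValueError:
        return None
    if candidate == base or candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


def check_requests(base_dir: str, requests):
    """Map each request to whether it would be served (demo helper)."""
    return {req: safe_path(base_dir, req) is not None for req in requests}


# Constructed requests a template loader might receive.
SAMPLE_REQUESTS = [
    "about.html",
    "sub/../about.html",
    "../../etc/passwd",
    "/etc/passwd",
    "config.php",
    "about.html\x00.php",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(repr(req), "->", safe_path(BASE_DIR, req))
```

The extension allow-list is the second line of defence: even if a file inside the root should never be exposed (a configuration file, a script source), it is not served unless its type is one the loader is meant to return.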

XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.

Criminals still leveraging DDoS attacks

The report also shows that criminals continue to leverage DDoS attacks as a core component of their attack arsenal, particularly as it relates to targeting financial services organizations.

Observations from November 2017 until October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech being the most common targets. However, more than forty percent of the unique DDoS targets were in the financial services industry, which makes this sector the top target when considering unique victims.

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all while fighting off attackers that are often well organized and well-funded,” Ragan concluded. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”