The internet is full of fraud and theft and cybercriminals are operating in the open with impunity, misrepresenting brands and advocating deceit overtly.
Bolster found these criminals are using mainstream ISPs, hosting companies and free internet services – the same that are used by legitimate businesses every day.
Phishing and online fraud scams accelerate
In Q2, Bolster detected 1.7 million phishing and scam websites, a 13.3% increase from Q1 2020, reflecting an alarming, rapid rise in the creation of new phishing and fraudulent sites.
Phishing and scam websites continued to increase in Q2 and peaked in June 2020 with a total of 745,000 sites detected. On average, there were more than 18,000 fraudulent sites created each day.
Cybercriminals use common, free email services to execute phishing attacks
The most active phishing scammers are using free email accounts from trusted providers including Google and Yahoo!. Gmail was the most popular, accounting for over 45% of email addresses.
Russian Yandex was the second most popular email service with 7.3%, followed by Yahoo! with 4.0%.
Brand impersonation continues to escalate
Data reveals that the top 10 brands are responsible for nearly 44,000 new phishing and fraudulent websites from January to September 2020. Each month there are approximately 4,000 new phishing and fraudulent websites created from these 10 brands alone.
September saw a near tripling in volume with more than 15,000 new phishing and fraudulent websites being created for these top brands, with Microsoft, Apple and PayPal topping the list.
COVID-19 is still a target, but less so
Approximately 30% of confirmed phishing and counterfeit pages were related to COVID-19, equaling over a quarter of a million malicious websites.
Compared to Q1, these scams increased by 22%, following dynamic news headlines – N95 masks, fake coronavirus drugs and government stimulus checks. However, the good news is that these scams are declining month-over-month.
Cybercriminals will continue to utilize natural news drivers
Though phishing and fraudulent campaigns outside of extraordinary events are on the rise, cybercriminals continue to demonstrate their agility in exploiting major events. In Q3, Bolster discovered scams connected to Amazon Prime Day and the presidential election.
There was a 2.5X increase in fraudulent websites using the Amazon brand logo in September, focusing on payment confirmation, returns and cancellations, and surveys for free merchandise, while the presidential campaigns were fraught with counterfeiting and internet trolling.
“With the holiday shopping season kicking off, the results of the presidential election and the New Year approaching, we anticipate the number of phishing and fraudulent activity to continue to rise,” said Shashi Prakash, CTO of Bolster.
“In anticipation of these events, criminals are sharpening their knives of deception, planning new and creative ways to take advantage of businesses and consumers. Companies must be vigilant, arming their teams with the technology needed to continuously discover and take down these fraudulent sites before an attack takes place.”
COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.
The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.
The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.
Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.
The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.
“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.
“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”
Names and addresses of phishing sites
As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.
In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.
Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.
Tracking stolen credentials through to their use in active attacks showed criminals attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.
Meanwhile, cybercriminals also got more ruthless in their bid to hijack reputable, albeit vulnerable, URLs, often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020, up from just 4.7% in 2017.
Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf and .gq. As a case in point, .tk is now the fifth most popular TLD in the world by number of registered domains.
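The three signals above (brand names in the hostname, "covid"/"corona" terms in certificate transparency logs, and free Freenom ccTLDs) are exactly what a brand-protection team scores when it watches new certificate issuance. The following is an added example, not code from F5 Labs or from the original article: it scores constructed CT-log-style hostnames with assumed weights and an assumed allow-list of brand-owned apex domains, and counts event-lure terms per month the way the report did. The hostnames, months, weights and the KNOWN_GOOD_APEX set are all invented for the illustration.

```python
import re
from collections import Counter

# Constructed CT-log-style entries (issuance month, leaf hostname). Not real log data.
SAMPLE_ENTRIES = [
    ("2020-02", "www.example-bank.com"),
    ("2020-02", "corona-mask-shop.com"),
    ("2020-03", "amazon-order-confirm.tk"),
    ("2020-03", "secure-paypal-login.ml"),
    ("2020-03", "covid19-relief-check.ga"),
    ("2020-03", "covid-test-kits.tk"),
    ("2020-03", "login.microsoftonline.com"),
    ("2020-03", "apple-id-verify.cf"),
    ("2020-03", "blog.example.org"),
]

FREE_CCTLDS = {"tk", "ml", "ga", "cf", "gq"}          # Freenom ccTLDs named in the report
BRAND_TERMS = {"amazon", "paypal", "apple", "microsoft", "netflix", "instagram", "whatsapp"}
EVENT_TERMS = {"covid", "corona"}                       # the terms F5 Labs counted in CT logs
# Assumed allow-list of brand-owned registrable domains; in practice this is the brand's own asset list.
KNOWN_GOOD_APEX = {"microsoftonline.com", "amazon.com", "paypal.com", "apple.com"}


def _tokens(host):
    # split on dots, hyphens and underscores: "secure-paypal-login.ml" -> [secure, paypal, login, ml]
    return [t for t in re.split(r"[.\-_]", host) if t]


def score_hostname(hostname):
    """Return (score, reasons). The weights are assumptions chosen for illustration, not a published model."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    tld, apex = labels[-1], ".".join(labels[-2:])
    if apex in KNOWN_GOOD_APEX:
        return 0, []                                    # the brand's own domain, never a lookalike
    score, reasons = 0, []
    tokens = _tokens(host)
    if tld in FREE_CCTLDS:
        score += 2
        reasons.append(f"free ccTLD .{tld}")
    brands = sorted(b for b in BRAND_TERMS if any(b in t for t in tokens))
    if brands:
        score += 2
        reasons.append("brand term in hostname: " + ", ".join(brands))
    events = sorted(e for e in EVENT_TERMS if any(e in t for t in tokens))
    if events:
        score += 1
        reasons.append("event lure term: " + ", ".join(events))
    if host.count("-") >= 2:
        score += 1
        reasons.append("multiple hyphens (typical of throwaway lookalikes)")
    return score, reasons


def flag_suspicious(hostnames, threshold=3):
    """Map hostname -> (score, reasons) for every hostname at or above the threshold."""
    flagged = {}
    for h in hostnames:
        score, reasons = score_hostname(h)
        if score >= threshold:
            flagged[h] = (score, reasons)
    return flagged


def count_event_terms(entries):
    """Per-month count of certificates whose hostname carries an event lure term (the F5 Labs measurement)."""
    counts = Counter()
    for month, host in entries:
        if any(e in t for e in EVENT_TERMS for t in _tokens(host.lower())):
            counts[month] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, (score, reasons) in flag_suspicious([h for _, h in SAMPLE_ENTRIES]).items():
        print(f"{score}  {host}: {'; '.join(reasons)}")
    print(count_event_terms(SAMPLE_ENTRIES))
```

Note the two deliberate weaknesses a practitioner should keep in mind: an event term alone (corona-mask-shop.com) does not cross the threshold, so scams on an ordinary .com need a second signal, and without the allow-list the legitimate login.microsoftonline.com would score on the brand term, so the allow-list has to be maintained from the brand's real asset inventory.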
Hiding in plain sight
2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).
Combining incidents from 2019 and 2020, 55.3% of drop zones used a non-standard SSL/TLS port; port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
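The port figures above suggest a cheap network-side check: the phishing front end looks like ordinary web traffic, but the drop zone receiving stolen data tends to speak TLS on a port that is not 443. The following is an added example, not code from the report: it recognises a TLS ClientHello or an HTTP request line from the first client bytes of a flow and flags TLS on non-standard ports (and cleartext on 443). The flows and the byte strings are hand-built for the example, not packet captures.

```python
from collections import Counter


def detect_protocol(first_bytes: bytes) -> str:
    """Classify a flow's first client bytes as 'tls', 'http' or 'unknown'.

    TLS: record type 0x16 (handshake), version major 0x03, handshake type 0x01 (ClientHello) at offset 5.
    HTTP: an ASCII request line starting with a method.
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if any(first_bytes.startswith(m) for m in (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")):
        return "http"
    return "unknown"


STANDARD_PAIRS = {("http", 80), ("tls", 443)}


def classify_flow(dport: int, first_bytes: bytes) -> str:
    proto = detect_protocol(first_bytes)
    if (proto, dport) in STANDARD_PAIRS:
        return "standard"
    if proto == "tls":
        return "tls-nonstandard-port"     # the drop-zone pattern (port 446 in the report)
    if proto == "http" and dport == 443:
        return "cleartext-on-443"         # misconfiguration or deliberate oddity; worth a look
    if proto == "http":
        return "http-nonstandard-port"
    return "unknown"


# Constructed sample flows (dst, dport, first client bytes); the payloads are hand-built, not captures.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, CLIENT_HELLO),
    ("203.0.113.11", 80, b"GET /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("198.51.100.9", 446, CLIENT_HELLO),
    ("198.51.100.9", 8443, CLIENT_HELLO),
    ("198.51.100.20", 443, b"POST /gate.php HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"),
    ("198.51.100.21", 80, CLIENT_HELLO),
    ("198.51.100.22", 2222, b"SSH-2.0-OpenSSH_8.2\r\n"),
]


def summarize(flows):
    """Return (category counts, list of (dst, dport) pairs speaking TLS on a non-standard port)."""
    counts = Counter()
    tls_odd = []
    for dst, dport, first_bytes in flows:
        cat = classify_flow(dport, first_bytes)
        counts[cat] += 1
        if cat == "tls-nonstandard-port":
            tls_odd.append((dst, dport))
    return dict(counts), tls_odd


if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_FLOWS)
    print(counts)
    for dst, dport in odd:
        print(f"TLS on non-standard port: {dst}:{dport}")
```

On a real sensor the classification would come from the protocol analyser rather than the first bytes, but the rule is the same: port number and observed protocol disagreeing is the signal, and 8443 will need an allow-list for the legitimate admin interfaces that use it.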
The future of phishing
According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.
As bot-traffic (botnet) security controls and solutions have improved, attackers are starting to embrace click farms.
This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.
Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.
Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.
Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.
Recent real-time phishing proxies in active use include Modlishka and Evilginx2.
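The reason an RTPP defeats code-based MFA but not origin-bound authentication is worth seeing in code. The following is an added example and a deliberately simplified model; it is not Modlishka or Evilginx2 code and not the article's. A real site accepts either a TOTP code or an assertion that an authenticator signs over the origin the browser actually visited (the way WebAuthn includes the origin in signed client data; here an HMAC stands in for the public-key signature). The proxy relays both in real time. The TOTP code relays fine because it is just a short secret; the assertion fails because it was signed for the phishing origin and the real site only ever verifies against its own. Origins, keys and the counter are assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP/TOTP value (RFC 4226/6238) for an explicit time-step counter, so the run is deterministic."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RealSite:
    """The genuine service. Accepts a TOTP code, or separately an origin-bound assertion."""
    origin = "https://bank.example"            # assumed

    def __init__(self, totp_secret: bytes, authenticator_key: bytes):
        self.totp_secret = totp_secret
        self.authenticator_key = authenticator_key   # stands in for the registered public key
        self.pending = set()

    def login_totp(self, code: str, counter: int) -> bool:
        # A TOTP code is a short secret valid for a time window: whoever sees it in that window can use it.
        return hmac.compare_digest(code, totp(self.totp_secret, counter))

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login_origin_bound(self, challenge: str, assertion: str) -> bool:
        # Verify against the site's OWN origin; the client's claim about its origin is never trusted.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)              # single use, so a captured assertion cannot be replayed
        expected = hmac.new(self.authenticator_key, f"{challenge}|{self.origin}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(assertion, expected)


class Authenticator:
    """Models a WebAuthn-style authenticator: it signs over the origin the browser actually visited."""

    def __init__(self, key: bytes):
        self.key = key

    def assert_for(self, challenge: str, browser_origin: str) -> str:
        return hmac.new(self.key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).hexdigest()


class ReverseProxy:
    """The RTPP: the victim's browser talks to this origin; each step is relayed to the real site at once."""
    origin = "https://bank.example-login.tk"   # assumed lookalike for the example, not a real phishing domain

    def __init__(self, real: RealSite):
        self.real = real

    def relay_totp(self, code: str, counter: int) -> bool:
        return self.real.login_totp(code, counter)

    def fetch_challenge(self) -> str:
        return self.real.new_challenge()

    def relay_assertion(self, challenge: str, assertion: str) -> bool:
        return self.real.login_origin_bound(challenge, assertion)


def run_scenarios(counter: int = 52_000_000):
    totp_secret = b"victim-totp-seed-assumed"
    auth_key = b"victim-authenticator-key-assumed"
    real = RealSite(totp_secret, auth_key)
    authenticator = Authenticator(auth_key)
    proxy = ReverseProxy(real)

    # 1. Victim types the current TOTP code into the phishing page; the proxy replays it inside the window.
    totp_relayed = proxy.relay_totp(totp(totp_secret, counter), counter)

    # 2. Same proxy, origin-bound factor: the authenticator signs for the phishing origin it really saw.
    challenge = proxy.fetch_challenge()
    phished_assertion = authenticator.assert_for(challenge, proxy.origin)
    bound_relayed = proxy.relay_assertion(challenge, phished_assertion)

    # 3. Control: the same authenticator at the genuine origin succeeds.
    challenge = real.new_challenge()
    legit = real.login_origin_bound(challenge, authenticator.assert_for(challenge, RealSite.origin))
    return {"totp_relayed": totp_relayed, "origin_bound_relayed": bound_relayed, "legit_origin_bound": legit}


if __name__ == "__main__":
    print(run_scenarios())   # {'totp_relayed': True, 'origin_bound_relayed': False, 'legit_origin_bound': True}
```

The model leaves out what the article also mentions, session-cookie theft after a successful login: origin binding stops the proxy from completing the login, but a cookie issued to a session that did get through is still a bearer token, so short session lifetimes and binding the cookie to the client remain separate controls.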
“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.
“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”
BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.
“As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers,” said Evan Reiser, CEO of Abnormal Security.
“Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”
For this research, BEC campaigns across eight major industries were tracked, including retail/consumer goods and manufacturing, technology, energy/infrastructure, services, medical, media/tv, finance and hospitality.
Growth by industry
During Q3, BEC campaign volume increased in six out of eight industries, with energy/infrastructure seeing the highest jump of 93% from Q2 to Q3. Retail/consumer goods and manufacturing, technology and media received the highest volume of attacks during the quarter.
During Q3, attackers continued to focus primarily on invoice and payment fraud, which increased 155% from Q2 to Q3. This trend was particularly notable in retail/consumer goods and manufacturing.
Threat actors continue to target invoice and payment fraud BEC attacks at finance departments, which increased by 54% on average per week from Q2 to Q3. In addition, attackers shifted tactics by increasing email attacks to group mailboxes by 212%.
- While COVID-19-related credential-phishing attacks decreased by 82%, invoice and payment fraud that continues to leverage the fear, uncertainty and doubt of the pandemic increased by 81%.
- The most impersonated brands returned to the pre-pandemic “normal,” as Zoom dropped away from the top spot, replaced by DHL and followed by Dropbox and Amazon. Rounding out the top five were iCloud and LinkedIn.
Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-source tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture.
The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year.
“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Josh Ray, who leads Accenture Security’s cyber defense practice globally.
“The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere.
“In such a climate, organizations need to double down on putting the right controls in place and by leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”
Sophisticated adversaries mask identities with off-the-shelf tools
Throughout 2020, CTI analysts have observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling — including “living off the land” tools, shared hosting infrastructure and publicly developed exploit code — and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.
For example, Accenture tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions.
CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user.
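Because Mimikatz and its living-off-the-land equivalents all have to open LSASS with memory-read rights, the detection that survives tool renaming is the process-access event, not the binary name. The following is an added example, not Accenture's or Sysmon's code: it runs a credential-dumping rule over constructed Sysmon Event ID 10 (ProcessAccess) records. The field names follow Sysmon's schema; the values, the allow-list and the directory prefixes are invented for the example and would be tuned per environment.

```python
# Constructed Sysmon Event ID 10 (ProcessAccess) records in a flattened JSON-like shape.
# Field names follow Sysmon's schema; every value below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2c3fe"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Users\bob\Downloads\mimikatz.exe+1a2b3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000001F3A5C00100)"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Program Files\Windows Defender\mpengine.dll+4d2e1"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
]

# Process access rights (winnt.h). Reading credentials out of LSASS needs at least PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_OPERATION = 0x0008

# Assumed allow-list of known LSASS readers (AV/EDR engines) and trusted binary locations; tune per environment.
ALLOWED_SOURCES = {"c:\\program files\\windows defender\\msmpeng.exe"}
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def suspicious_lsass_access(event):
    """Return a list of reasons if the event looks like credential dumping, else None."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None                                  # may query the process, cannot read its memory
    src = event["SourceImage"].lower()
    if src in ALLOWED_SOURCES:
        return None
    reasons = [f"PROCESS_VM_READ granted on lsass.exe (GrantedAccess={event['GrantedAccess']})"]
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        reasons.append("write/operation rights as well (injection-capable handle)")
    if "unknown(" in event.get("CallTrace", "").lower():
        reasons.append("call trace passes through unbacked memory (injected code)")
    if not src.startswith(SYSTEM_PREFIXES):
        reasons.append("source binary outside system directories")
    return reasons


def detect(events):
    """(SourceImage, reasons) for every event that should raise an alert."""
    hits = []
    for ev in events:
        reasons = suspicious_lsass_access(ev)
        if reasons:
            hits.append((ev["SourceImage"], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_EVENTS):
        print(src)
        for r in reasons:
            print("   -", r)
```

The rundll32 case is the living-off-the-land variant the report describes: a legitimate signed Windows binary in System32, so a rule keyed on the image path says nothing, while the access mask and the unbacked call trace still give it away.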
According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.
New, sophisticated tactics target business continuity
The report notes how one notorious group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, and then uses these compromised systems as beachheads within a victim’s environment to hide traffic, relay commands, compromise e-mail, steal data and gather credentials for espionage efforts.
Operating from Russia, the group, referred to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe.
Ransomware feeds new profitable, scalable business model
Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites.
The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.
Additionally, the infamous LockBit ransomware emerged earlier this year, which — in addition to copying the extortion tactic — has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network.
The motivations behind LockBit appear to be financial, too. CTI analysts have tracked cybercriminals behind it on Dark Web forums, where they are found to advertise regular updates and improvements to the ransomware, and actively recruit new members promising a portion of the ransom money.
The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. In fact, CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.
Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks.
The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.
Threat level is unchanged
While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, major changes in organizational and IT infrastructure to support remote work created new vulnerabilities for threat actors to exploit.
The sudden switch to remote work and increased use of cloud services and personal devices significantly expanded the attack surface for many organizations. Facing an urgent need for business continuity, many companies did not have time to put all the necessary protocols, processes and controls in place, making it difficult for security teams to respond to incidents.
Threat actors—including nation-states and financially-motivated cyber criminals—are exploiting these vulnerabilities with malware, phishing, and other social engineering tactics to take advantage of victims for their own gain. One in four attacks are now ransomware related—up from 1 in 10 in 2018—and new COVID-19 phishing attacks include stimulus check fraud.
Additionally, healthcare, pharmaceutical and government organizations and information related to vaccines and pandemic response are attack targets.
The issue with dispersed workforces
Barry Hensley, Chief Threat Intelligence Officer, Secureworks said: “Against a continuing threat of enterprise-wide disruption from ransomware, business email compromise and nation-state intrusions, security teams have faced growing challenges including increasingly dispersed workforces, issues arising from the rapid implementation of remote working with insufficient consideration to security implications, and the inevitable reduced focus on security from businesses adjusting to a changing world.”
A rise in SaaS adoption is prompting concerns over operational complexity and risk, a BetterCloud report reveals.
Since 2015, the number of IT-sanctioned SaaS apps has increased tenfold, and it’s expected that by 2025, 85 percent of business apps will be SaaS-based. With SaaS on the rise, 49 percent of respondents are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet 76 percent see unsanctioned apps as a security risk.
And when asked what SaaS applications are likely to hold the most sensitive data across an organization, respondents believe it’s all apps including cloud storage, email, devices, chat apps, password managers, etc.
Concerns when managing SaaS environments
Respondents also highlighted slow, manual management tasks as a prime concern when managing SaaS environments. IT organizations spend over 7 hours offboarding a single employee from a company’s SaaS apps, which takes time and energy from more strategic projects.
“In the earlier part of the year, organizations around the world were faced with powering their entire workforces from home and turned to SaaS to make the shift with as little disruption to productivity as possible,” said David Politis, CEO, BetterCloud.
“Up until this point, most companies were adopting a cloud-first approach for their IT infrastructure — that strategy has now shifted to cloud only. But SaaS growth at this scale has also brought about challenges as our 2020 State of SaaSOps report clearly outlines.
“The findings also show increased confidence and reliance on SaaSOps as the path forward to reining in SaaS management and security.”
SaaS adoption risk: Key findings
- On average, organizations use 80 SaaS apps today. This is a 5x increase in just three years and a 10x increase since 2015.
- The top two motivators for using more SaaS apps are increasing productivity and reducing costs.
- Only 49 percent of IT professionals are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet more than three-quarters (76 percent) see unsanctioned apps as a security risk.
- The top five places where sensitive data lives are: 1. files stored in cloud storage, 2. email, 3. devices, 4. chat apps, and 5. password managers. But because SaaS apps have become the system of record, sensitive data inevitably lives everywhere in your SaaS environment.
- The top two security concerns are sensitive files shared publicly and former employees retaining data access.
- IT teams spend an average of 7.12 hours offboarding a single employee from a company’s SaaS apps.
- Thirty percent of respondents already use the term SaaSOps in their job title or plan to include it soon.
The report surveyed nearly 700 IT leaders and security professionals from the world’s leading enterprise organizations. These individuals ranged in seniority from C-level executives to front-line practitioners and included both IT and security department roles.
Researchers at the National Institute of Standards and Technology (NIST) have developed a new method called the Phish Scale that could help organizations better train their employees to avoid phishing.
How does Phish Scale work?
Many organizations have phishing training programs in which employees receive fake phishing emails generated by the employees’ own organization to teach them to be vigilant and to recognize the characteristics of actual phishing emails.
CISOs, who often oversee these phishing awareness programs, then look at the click rates, or how often users click on the emails, to determine if their phishing training is working. Higher click rates are generally seen as bad because it means users failed to notice the email was a phish, while low click rates are often seen as good.
However, numbers alone don’t tell the whole story. “The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves. The tool can help explain why click rates are high or low.
The Phish Scale uses a rating system based on the message content of a phishing email. It combines two things: the cues in the message that should tip users off that the email is not legitimate, and how well the premise of the scenario aligns with the target audience, meaning how plausible the email’s pretext is for that audience. Target audiences can vary widely, including universities, business institutions, hospitals and government agencies.
The new method uses five elements that are rated on a 5-point scale that relate to the scenario’s premise. The overall score is then used by the phishing trainer to help analyze their data and rank the phishing exercise as low, medium or high difficulty.
The significance of the Phish Scale is to give CISOs a better understanding of their click-rate data instead of relying on the numbers alone. A low click rate for a particular phishing email can have several causes: the phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty.
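The following is an added example of the kind of scoring the passage describes, not NIST's Phish Scale implementation and not code from the article. It bands a cue count and the sum of five 1-to-5 premise-alignment ratings, combines the bands into a low/medium/high difficulty, and then reads a click rate against that difficulty instead of on its own. The band thresholds, the difficulty matrix, the names of the five elements in the docstring and the 10% click-rate cut-off are all assumptions chosen for illustration, not NIST's published values.

```python
# Assumed thresholds and matrix, chosen for illustration; they are not NIST's published Phish Scale values.
CUE_BANDS = ((8, "few"), (14, "some"))            # <=8 cues: few, 9-14: some, 15+: many
ALIGNMENT_BANDS = ((10, "low"), (18, "medium"))   # sum of five 1-5 ratings: <=10 low, 11-18 medium, 19+ high

DIFFICULTY = {   # (cue band, premise-alignment band) -> how hard the phish is for this audience to detect
    ("few", "low"): "medium",  ("few", "medium"): "high",    ("few", "high"): "high",
    ("some", "low"): "low",    ("some", "medium"): "medium", ("some", "high"): "high",
    ("many", "low"): "low",    ("many", "medium"): "low",    ("many", "high"): "medium",
}


def _band(value, bands, top):
    for limit, name in bands:
        if value <= limit:
            return name
    return top


def rate_exercise(cue_count, element_ratings):
    """Difficulty of one simulated phish for one audience: returns (difficulty, cue band, alignment band).

    cue_count: number of observable cues (spelling errors, mismatched sender, odd URL, ...) in the message.
    element_ratings: five 1-5 ratings of premise alignment with the audience, for example (assumed list):
    mimics a workplace process, is relevant to the audience's work, fits current events, raises a concern
    the audience has, has been seen by them before.
    """
    if len(element_ratings) != 5 or any(not 1 <= r <= 5 for r in element_ratings):
        raise ValueError("expected five ratings in the range 1-5")
    cues = _band(cue_count, CUE_BANDS, "many")
    alignment = _band(sum(element_ratings), ALIGNMENT_BANDS, "high")
    return DIFFICULTY[(cues, alignment)], cues, alignment


def interpret_click_rate(click_rate, difficulty, low_rate=0.10):
    """Read a click rate together with the exercise's difficulty instead of on its own."""
    low_click = click_rate < low_rate
    if difficulty == "low":
        # Easy phish: few clicks prove little (the false sense of security the text warns of); many is a problem.
        return "weak-signal" if low_click else "concern"
    if difficulty == "high":
        # Hard phish: few clicks is real evidence of resilience; many is not surprising.
        return "strong-signal" if low_click else "expected"
    return "on-track" if low_click else "review"


if __name__ == "__main__":
    # Constructed exercises: (cue count, five element ratings, observed click rate)
    exercises = [(17, [1, 2, 1, 2, 1], 0.04),      # many cues, weak premise, 4% clicked
                 (3, [5, 5, 4, 5, 4], 0.04),       # few cues, strong premise, 4% clicked
                 (10, [3, 3, 3, 3, 3], 0.22)]      # middle of the road, 22% clicked
    for cues, ratings, rate in exercises:
        difficulty, cue_band, align_band = rate_exercise(cues, ratings)
        print(f"cues={cue_band:<4} alignment={align_band:<6} difficulty={difficulty:<6} "
              f"click={rate:.0%} -> {interpret_click_rate(rate, difficulty)}")
```

The two 4% results are the point: the same click rate is a weak signal on the easy exercise and a strong one on the hard exercise, which is the distinction the scale is meant to surface before anyone reports "4%" upward.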
Helping CISOs better understand their phishing training programs
By using the Phish Scale to analyze click rates and collecting feedback from users on why they clicked on certain phishing emails, CISOs can better understand their phishing training programs, especially if they are optimized for the intended target audience.
The Phish Scale is the culmination of years of research, and the data used for it comes from an “operational” setting, very much the opposite of a laboratory experiment with controlled variables.
“As soon as you put people into a laboratory setting, they know,” said Steves. “They’re outside of their regular context, their regular work setting, and their regular work responsibilities. That is artificial already. Our data did not come from there.”
This type of operational data is both beneficial and in short supply in the research field. “We were very fortunate that we were able to publish that data and contribute to the literature in that way,” said NIST researcher Kristen Greene.
As for next steps, Greene and Steves say they need even more data. All of the data used for the Phish Scale came from NIST. The next step is to expand the pool and acquire data from other organizations, including nongovernmental ones, and to make sure the Phish Scale performs as it should over time and in different operational settings.
“We know that the phishing threat landscape continues to change,” said Greene. “Does the Phish Scale hold up against all the new phishing attacks? How can we improve it with new data?” NIST researcher Shaneé Dawkins and her colleagues are now working to make those improvements and revisions.
While the COVID-19 outbreak has disrupted the lives and operations of many people and organizations, the pandemic failed to interrupt the onslaught of malicious emails targeting people’s inboxes, according to an attack landscape update published by F-Secure.
Increase of malicious emails utilizing COVID-19 issues
Beginning in March and continuing through most of the spring, there was a significant increase of malicious emails utilizing various COVID-19 issues as a lure to manipulate users into exposing themselves to various email attacks and scams.
Common COVID-19-related campaigns included in these emails range from attempting to trick users into ordering face masks from phony websites to infecting themselves with malware by opening malicious attachments.
Three-quarters of attachments in these emails contained infostealers – a type of malware that steals sensitive information (such as passwords or other credentials) from an infected system.
“Cybercriminals don’t have many operational constraints, so they can quickly respond to breaking events and incorporate them into their campaigns. The earliest days of the COVID-19 outbreak left a lot of people confused or worried, and attackers predictably tried to prey on their anxieties,” said Calvin Gan, a manager with F-Secure’s Tactical Defense Unit.
“Spotting malicious emails isn’t typically a priority for busy employees, which is why attackers frequently attempt to trick them into compromising organizations.”
Additional trends from the first half of 2020
- Finance was the most frequently spoofed industry in phishing emails; Facebook was the most frequently spoofed company
- Email was the most popular way of spreading malware, and accounted for over half of all infection attempts
- Infostealers were the most common type of malware spread by attackers; Lokibot was the most common malware family
- Telnet and SSH were the most frequently scanned IP ports
The report also notes that attacks leveraging cloud-based email services are steadily increasing and highlights a significant spike in phishing emails that targeted Microsoft Office 365 users in April.
“Notifications from cloud services are normal and employees are accustomed to trusting them. Attackers taking advantage of that trust to compromise targets is perhaps the biggest challenge companies need to address when migrating to the cloud,” explained F-Secure Director of B2B Product Management Teemu Myllykangas.
“Securing inboxes in general is already a challenge, so companies should consider a multilayer security approach that combines protection technologies and employee education to reduce their exposure to email threats.”
Companies are losing money to criminals who are launching Business Email Compromise (BEC) attacks as a more remunerative line of business than retail-accounts phishing, APWG reveals.
High-ticket BEC attacks
Agari reported that the average wire transfer loss from BEC attacks smashed all previous records, spiking from $54,000 in the first quarter to $80,183 in Q2 2020 as spearphishing gangs reached for bigger returns. Scammers also requested funds in 66 percent of BEC attacks in the form of …
Barracuda released key findings about the ways cybercriminals are attacking and exploiting email accounts. The report reveals a specialized economy emerging around email account takeover and takes an in-depth look at the threats organizations face and the types of defense strategies you need to have in place.
- More than one-third of the hijacked accounts analyzed by researchers had attackers dwelling in the account for more than one week.
- 20% of compromised accounts appear in at least one online password data breach, which suggests that cybercriminals are exploiting credential reuse across employees’ personal and organization accounts.
- In 31% of these compromises one set of attackers focuses on compromising accounts and then sells account access to another set of cybercriminals who focus on monetizing the hijacked accounts.
- 78% of attackers did not access any applications outside of email.
“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” said Don MacLennan, SVP Engineering, Email Protection at Barracuda.
“Being informed about attacker behavior will help organizations put the proper protection in place so they can defend against these types of attacks and respond quickly if an account is compromised.”
43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company, according to a Tessian report.
With human error being a leading cause of data breaches today, the report examines why people make mistakes and how they can be prevented before they turn into breaches.
Human error: The impact on cybersecurity
When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged between 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.
47% of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.
In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with 17% of those emails going to the wrong external party.
This simple error leads to serious consequences for both the individual and the company, who must report the incident to regulators as well as their customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while 12% of employees lost their job.
The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.
How stress impacts cybersecurity
The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).
It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while 46% of employees have experienced burnout.
Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.
Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity.
The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret.
Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
Why age matters
The report also shows that age, gender and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:
- Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.
- 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.
- 70% of employees who admitted to clicking a phishing email are aged between 18-40 years old. In comparison, just 8% of those over 51 said they had done the same.
- Workers in the Technology industry were the most likely to click on links in phishing emails, with 47% of respondents in this sector admitting they had done so. This was closely followed by employees in Banking and Finance (45%).
Tim Sadler, CEO of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time.
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”
Rapid7’s research found that the security of the internet overall is improving. The number of insecure services such as SMB, Telnet, rsync and the core email protocols decreased from the levels seen in 2019.
Vulnerabilities and exposures still plague the modern internet, even with the increasing adoption of more secure alternatives to insecure protocols, such as Secure Shell (SSH) and DNS-over-TLS (DoT).
“We were surprised to see that recent incidents appear to have had no obvious effect on the fundamental nature of the internet, however it is possible that we have yet to see the full impact,” said Tod Beardsley, Director of Research at Rapid7.
Most exposed countries and organizations
The United States, China, South Korea, the United Kingdom and Germany rank as the top five most exposed countries, while the top publicly traded companies in the United States, the United Kingdom, Australia, Germany, and Japan are still hosting a high number of unpatched services with known vulnerabilities.
Publicly traded financial services and telecommunications companies in the United States, the United Kingdom, Australia, Germany, and Japan were found to be particularly vulnerable. There are tens of thousands of high-rated Common Vulnerabilities and Exposures (CVEs) across the public-facing assets of these two sectors.
Telnet continues to be commonly used across cloud providers, despite being unsuitable for the internet due to its lack of security controls – with Microsoft, Alibaba and OVHcloud having the most exposure.
Slow patch and update adoption
Patch and update adoption continues to be slow, especially in remote console access where, for example, 3.6 million SSH servers are running versions between five and 14 years old.
Furthermore, there has been an average of 13 percent year-over-year decrease in exposed, highly vulnerable services such as SMB, Telnet, and rsync.
Also, unencrypted, cleartext protocols are still heavily used, with 42 percent more plaintext HTTP servers than HTTPS, 3 million databases awaiting insecure queries, and 2.9 million routers, switches, and servers accepting Telnet connections, which is a 7% decrease compared to research Rapid7 conducted in 2019.
NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.
- Phishing protection rates ranged from 79.2% to 95.5%
- For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
- Protection improved over time; the most consistent products provided the best protection against phishing and malware.
Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.
Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.
In addition, landing pages (URLs) from phishing websites are another way attackers exploit victims’ computers and silently install malicious software.
Protecting against malware and phishing
The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.
To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.
“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.
Browser versions tested:
- Google Chrome – version 81.0.4044.113 – 81.0.4044.138
- Microsoft Edge – version 83.0.478.10 – 84.0.516.1
- Mozilla Firefox – version 75.0 – 76.0.1
- Opera – version 67.0.3575.137 – 68.0.3618.125
Impersonations have become pervasive, and are by far the most prevalent type of email-based attack ending up in businesses’ inboxes. This is according to a survey report by GreatHorn.
Emphasizing the trend, 48.7% of respondents reported seeing impersonations of people such as colleagues, customers or vendors preying on the sense of urgency of an increasingly distracted and dispersed workforce.
To develop the report, researchers collected data from over 640 security, IT and C-suite professionals to gain a better understanding of new threat vectors, issues impacting the industry at large and emerging strategies for targeted attacks.
Impersonations wreaking havoc on email inboxes
As the professional community continues to work in a remote environment, email impersonations present the perfect way for opportunistic fraudsters to take advantage of human vulnerabilities.
Although there are infinite variations of impersonation attacks, each one relies on end users’ misguided trust in surface appearance and quick reactions to emails. The survey found that this type of attack has continued to flourish, with 35.1% of respondents saying that people impersonation attacks ranked as their top email threat in 2020.
Meanwhile, 42.4% report seeing impersonations of well-known brands in their inbox – a sharp rise from just 22.4% in 2019. Furthermore, ten percent of participants flagged brand impersonations as their top email threat, another increase from 2019 (4.8%).
Both people and brand impersonations remain difficult to detect as they appeal to authority and urgency, utilize a known contact name and depend on the systematic lack of education among non-technical recipients.
Remediation takes center stage as email-based attacks skyrocket
With this increase in email threats, IT professionals are being stretched thin as their time spent responding to and remediating email-based attacks has increased dramatically over the past year.
35.8% of respondents report seeing phishing, impersonations, credential theft, spoofing, malware, ransomware or other email threats in their inbox on a daily basis – up from 24.3% in 2019.
Due to this increase, 33.6% of respondents said they need to remediate an email-based attack every day – including suspending compromised email accounts, running PowerShell scripts, resetting compromised application accounts, legal action and more – a significant 165% increase from 2019, when only 12.7% reported the need to remediate an email-based attack on a daily basis. This surge in email-based attacks serves as a reminder that email security strategies require continuous improvement in order to mitigate the ever-evolving threats.
“This year’s survey data presents a clear reminder that organizations continue to be inundated with email-based attacks, most notably impersonations, that require constant remediation,” said GreatHorn CEO Kevin O’Brien.
“It’s impossible to prevent all phishing attacks, which is why it’s so important for IT professionals to reassess their email security strategy by putting a renewed emphasis on risk reduction in order to decrease time to detection (TTD) and time to respond (TTR).”
Additional key stats
- 40% of respondents said their biggest problem with their current email security solution was missing payload attacks such as malware, malicious attachments and links. This was followed by missing phishing attacks (39.3%), which includes people impersonations, brand impersonations or even impersonations of services like fake voicemail scams and fake invoices.
- In 2020, 21.9% of study participants said they saw a wire transfer request in their inbox, a slight decrease from 2019 where it was 26.3%.
- When asked about credential theft attempts found in inboxes, 28.1% of survey respondents saw these in 2020 – a slight increase over 2019, where it was 24.1%.
- Only 32.9% of study participants said they had seen spam/graymail in their inboxes – a significant drop from 2019 data, where 53.3% indicated that spam/graymail slipped past the filter.
- 48.3% of respondents report having to go into their junk or spam folder within the past week to retrieve and open an email that should have wound up in their inbox – up from 2019, when only 30.7% reported having to do this in the same time span.
There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues the trend.
Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020.
Larger dollar amounts are involved
During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to steal money using tactics such as initiating fraudulent wire transfers or hijacking vendor conversations to redirect vendor payments. These types of attacks typically involve much larger dollar amounts compared to other types of BEC attacks since they target business-to-business transactions.
In one example, the Abnormal Security team detected and stopped an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 in losses. The attacker impersonated a real vendor and methodically engaged numerous employees over the course of two months, eventually convincing the target to change banking details and redirect the payment of a legitimate invoice of over $700,000 to the attacker’s account before the transaction was prevented.
Increasing number of attacks
An increasing number of these attacks were tracked, both in the number of organizations targeted and the number of attacks received per organization. The research team observed:
- A 200% increase in the average rate of invoice and payment fraud BEC attacks each week
- A 36% increase in the number of organizations experiencing these attacks
- Out of all types of BEC attacks, invoice and payment fraud BEC attacks are increasing in popularity. In April, these types of attacks comprised 14% of all BEC attacks, increasing to 17% in May.
“While all business email compromise attacks can lead to significant financial loss, those focused on invoice and payment fraud can have an even greater financial impact,” said Evan Reiser, CEO and co-founder, Abnormal Security.
“Even when an organization has established best-in-class security, third parties represent a weak link. As these types of attacks continue to climb, it’s more important than ever for companies to implement technology that detects and stops them.”
U.S. small businesses report an increase in suspicious business emails over the past year, a cyber survey by HSB shows, and employees are taking the bait as they fall for phishing schemes and transfer tens of thousands of dollars in company funds into fraudulent accounts.
“Whether it’s a phishing scheme, fraud or malware, most cyber-attacks start with an email,” said Timothy Zeilman, vice president for HSB, part of Munich Re. “Even companies that have information security training and fairly savvy employees fall victim to these deceptions.”
A rise in suspicious emails
Over half of business executives (58 percent) said suspicious emails had increased in the past year.
More than a third (37 percent) of the organizations received an email from someone pretending to be a senior manager or vendor requesting payments.
Almost half of employees receiving those emails (47 percent) responded by transferring company funds, resulting in losses most often in the $50,000 to $100,000 range (37 percent) and rarely less than $10,000 (only 11 percent).
Business email schemes could become an even bigger threat
The scam is convincing because cyber thieves in many cases gain access to business email accounts and assume the false identities of company managers.
“It’s more important than ever to pay attention to safe cybersecurity practices and make sure you verify requests for payments,” he said. “Don’t rely on email alone – call the person and confirm the payment is legitimate before releasing any funds.”
Phishing kits are the new bestsellers of the underground market, with the number of phishing kit ads on underground forums and their sellers having doubled in 2019 compared to the previous year, Group-IB reveals.
The growing demand for phishing kits is also reflected in its price that skyrocketed last year by 149 percent and exceeded $300 per item. Last year, phishing kit creators’ favorite brands were Amazon, Google and Office 365.
Phishing kits are archive files containing the set of scripts that make a phishing website work. This toolset enables attackers with modest programming skills to carry out massive malicious campaigns, which is why they are a point of interest for cybersecurity researchers.
The detection of a phishing kit not only helps to discover hundreds or even thousands of phishing pages, but can also serve as a starting point of an investigation to identify the toolkit’s creator and bring them to justice.
The number of phishing kit sellers active on underground forums increased by over 120% in 2019 year-on-year, and the number of ads posted on such forums grew by roughly the same amount.
The price range
In 2019, the average price of a phishing kit more than doubled compared to the year before and totaled $304, with the prices generally ranging between $20 and $880. In comparison, in 2018, the prices for a phishing kit varied between $10 and $824, while the average price stood at $122.
The price for phishing kits depends on their complexity – the quality and the number of phishing pages, as well as the existence of side services like “technical support” on behalf of their creator.
Remarkably, some phishing kits were offered free of charge. This is explained not by generosity but, most likely, by backdoors in the kits that let their creators access all the data the kit’s operator gathers.
Detect and neutralize: How to hunt for phishing kits?
The process of phishing kit detection is becoming more and more challenging, with the statistics for the previous year showing a frustrating trend: hackers grow more cautious in their malicious activities since only 113,460 out of 2.7 million phishing pages detected contained a phishing kit.
The cyber crooks normally remove them or resort to various means to hide them and prevent them from being detected by cybersecurity researchers.
To collect data, phishing kits normally have a designated email address to which the illegally harvested information is sent. Another indicator of phishing kits’ expanding place on the underground market is the number of unique email addresses detected in them, which grew by 8% last year. The increased number of unique email addresses in phishing kits might reflect a rising number of operators.
To attract more buyers, the developers of phishing kits usually target well-known brands with large audiences, which should make fraudulent campaigns easier for the toolkit’s future owner.
The brands most commonly found in phishing kits in 2019 were Amazon, Google, Instagram, Office 365, and PayPal. Top 3 “online markets” for trafficking in phishing kits last year were Exploit, OGUsers, and Crimenetwork.
“Phishing kit creators are the driving force of this criminal marketplace – one individual might be behind the creation of hundreds of phishing pages and, even worse, behind the compromise of the personal information of thousands of people,” Group-IB CTO and Head of Threat Hunting Intelligence team Dmitry Volkov said.
“Therefore, the fight against phishing kit creators should be at the core of the struggle to eradicate phishing.”
Scam robocalls and phishing emails disguised as banks continue to trick consumers to put their personal information at risk, and tax season is no exception.
Increase in potential threats
During this time of the year consumers need to be aware of the increase in potential threats as hackers pose as collectors from the IRS, tax preparers or government bureaus.
These tactics are particularly effective due to taxpayers’ concerns about misfiling their taxes or accidentally running into trouble with groups like the IRS.
McAfee researchers recently uncovered an example of an illegitimate IRS site created to scam unsuspecting consumers. If you look closely, you will notice a non-IRS domain and the absence of a secure connection; these are key things to look out for when seeking online resources.
Fake sites such as this pose particular risk to consumers when combined with phishing email campaigns. In fact, 41% of Americans admitted to falling victim to email phishing scams in 2019, serving as another reminder to be vigilant during the stressful tax season.
File before a scammer does it for you
The easiest defense you can take against IRS scams is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a fraudster.
Beware of phishing attempts
Phishing is a common tactic crooks leverage during tax season, so stay vigilant around your inbox and double-check the legitimacy of any unfamiliar or remotely suspicious emails. Be wary of strange file attachment names such as “virus-for-you.doc” and remember that the Office of Social Security and the IRS do not call or email taxpayers.
IRS scams: Watch out for spoofed websites
Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search.
Consider an identity theft protection solution
If your data does become compromised, use an identity theft protection solution. These tools let users take a proactive approach to protecting their identities, with personal and financial monitoring and recovery tools that help keep their identities private and secured.
As of January 2020, nearly 1 million (933,973) domains have published DMARC records — an increase of 70% compared to last year, and more than 180% growth in the last two years. In addition, 80% of all inboxes worldwide do DMARC checks and enforce domain owners’ policies — if domain owners have configured DMARC, a new Valimail report reveals.
However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace.
“Given DMARC’s benefits, it comes at no surprise its rate of adoption has been growing consistently,” said Alexander García-Tobar, CEO and co-founder, Valimail.
“But publishing a DMARC record is just the first step — enforcement must be reached before a domain is protected, and trust can be restored to email.
“There’s an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn’t work, and move on to easier targets.”
Additional key data points
- At a minimum, 1% of global email volume is sent using a spoofed domain.
- The United States remains the largest source of spoofed email by volume.
- Russia, China, Vietnam and India continue to have a proportionally high number of spoofs among email originating from these countries.
- 79% of US federal domains have DMARC records and 93% of those are at enforcement, a tribute to the success of a 2017 directive from the Department of Homeland Security, BOD 18-01.
- 23% of billion-dollar companies’ domains are at DMARC enforcement.
The research from Valimail was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals.
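The distinction the report draws between merely publishing a DMARC record and reaching enforcement can be made mechanical. The following is an added example, not Valimail’s code: it parses DMARC TXT records using the tag names and defaults from RFC 7489 (v, p, sp, pct, rua), classifies each as invalid, monitoring-only, partially enforcing or fully enforcing, and tallies a constructed set of records the way a survey like the report’s 13% figure would.

```python
"""Classify DMARC TXT records by whether they are at enforcement.

Added example (not Valimail's code). Tag names (v, p, sp, pct, rua) and
their defaults follow RFC 7489; every sample record below is constructed.
"""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None unless the first tag is v=DMARC1, which RFC 7489 requires
    before a receiver will honor any policy in the record, and None for a
    tag without an '=' sign (a malformed record).
    """
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return None
    return dict(pairs)


def enforcement_status(txt):
    """Return 'invalid', 'monitoring', 'partial' or 'enforcement'.

    monitoring  : p=none (or p missing but rua present, which RFC 7489
                  section 6.6.3 tells receivers to treat as none). Reports
                  are sent but spoofed mail is still delivered.
    partial     : p=quarantine/reject but pct below 100 or sp=none, so a
                  share of the domain's mail remains unprotected.
    enforcement : p=quarantine or p=reject applied to all mail, which is
                  the state the report counts as "at enforcement".
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    if "p" not in tags:
        return "monitoring" if "rua" in tags else "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitoring"
    pct = tags.get("pct", "100")          # pct defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy not in ENFORCING:
        return "partial"
    return "enforcement"


# Constructed domain -> record table standing in for a DNS survey.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "half.example": "v=DMARC1; p=quarantine; pct=50",
    "subdomains.example": "v=DMARC1; p=reject; sp=none",
    "no-policy.example": "v=DMARC1; rua=mailto:dmarc@no-policy.example",
    "spf-only.example": "v=spf1 -all",
}


def survey(records):
    """Count records per status; the share of 'enforcement' is the figure
    the report quotes (13% of all DMARC records)."""
    counts = {"invalid": 0, "monitoring": 0, "partial": 0, "enforcement": 0}
    for txt in records.values():
        counts[enforcement_status(txt)] += 1
    return counts


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:20} {enforcement_status(txt)}")
    print(survey(SAMPLE_RECORDS))
```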
A staggering 97% of IT leaders say insider breach risk is a significant concern, according to a survey by Egress.
78% think employees have put data at risk accidentally in the past 12 months and 75% think employees have put data at risk intentionally. When asked about the implications of these breaches, 41% say financial damage would be the area of greatest impact.
More than 500 IT leaders and 5000 employees were surveyed across the UK, US and Benelux regions.
The results uncovered serious discrepancies between IT leaders’ perceptions of insider breach risk and its causes, and how they are managing them. It also exposed that employees are still confused about data ownership and responsibility.
Asked what traditional security tools they have in place to mitigate insider breach risk, just half of IT leaders said they are using anti-virus software to combat phishing attacks, 48% are using email encryption and 47% provide secure collaboration tools.
More than half (58%) say employee reporting is more likely than any breach detection system to alert them to an insider data breach.
Egress CEO, Tony Pepper, believes the findings show how IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management in place.
“While they acknowledge the sustained risk of insider data breaches, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”
Misdirected and phishing emails top cause of accidental insider data breaches
41% of employees who had accidentally leaked data said they had done so because of a phishing email. 31% said they caused a breach by sending information to the wrong person, for example, by email.
This is underlined by the fact that 45% said they had received an Outlook recall message or an email asking them to disregard an email sent in error over the last year.
Tony Pepper adds: “Incidents of people accidentally sharing data with incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organizations and security teams have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter.
“However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organizations need to tune into these advances to truly be able to make email safe.”
Erroneous employee views on data ownership
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. The employee-facing research found 29% of respondents said they or a colleague had intentionally shared data against company policy in the past year.
A worrying 46% said they or a colleague had broken company policy when they took data with them to a new job, while more than a quarter (26%) said they had taken a risk when sharing data because they weren’t provided with the right security tools.
This reckless approach to data protection may be explained by employees’ views on data ownership and responsibility. 41% of the employees surveyed don’t believe that data belongs exclusively to the organization and only 37% recognise that everyone has responsibility for keeping data safe.
Tony Pepper comments: “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts. When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”
Directors disrespecting data
The survey also highlighted that the more senior the employee, the more cavalier their attitude towards data breaches. 78% of directors have intentionally shared data against company policy in the past year, compared with just 10% of clerical staff.
Directors are the most likely to take data with them to a new job – 68% of those who had intentionally broken policy had done so when they changed jobs, compared with the overall average of 46%.
9,050,064,764 credentials were recovered throughout 2019, coming from a total of 640 unique data breaches. They include email addresses paired with plaintext passwords and usernames paired with plaintext passwords, SpyCloud reveals.
That means, on average, each of these data breaches gave criminals more than 14 million sets of login credentials. Because people often reuse passwords across several accounts, both personal and for work, each set of login credentials could be used to access dozens or more accounts through which cybercriminals can perpetrate fraud.
Credential exposure report
Almost a third of internet users affected by data breaches last year had reused a password in some form. 94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password. These tactics are easily defeated by cracking tools that test for common, slight variations.
In terms of organizational security, there is a worrying trend: more of the data criminals are sharing and selling came from breaches of misconfigured or unsecured servers. Organizations may also be taking incomplete steps to protect passwords.
Criminals still using passwords they stole in 2012
The researchers found that more than half (53.7%) of the plaintext passwords recovered were originally protected using the outdated hashing algorithms SHA-1 and MD5.
Security professionals have recommended against using SHA-1 since about 2005, and against using MD5 since as far back as 1996, because cybercriminals can easily and quickly crack passwords hashed with these functions and recover plaintext passwords.
“Our data shows that consumers are still not changing their poor password habits, yet we know they’re holding organizations accountable for their security,” said David Endler, chief product officer for SpyCloud.
“Criminals are still using passwords they stole in 2012 to attack and take over accounts today. Companies need to guide users to set better passwords at the time of account creation and they need to help users maintain strong, uncompromised passwords whenever their credentials are exposed in a breach anywhere in the world.”
World’s most popular passwords protecting some 125 million accounts
Despite the problem of password fatigue and reuse coming into clearer focus over the past few years, little has changed in the world’s most popular passwords. Among the more than nine billion collected last year, the top three are “123456,” “123456789,” and “qwerty,” and are being used to protect some 125 million accounts.
It is increasingly up to organizations to comply with NIST’s password guidelines, which recommend checking user passwords against those that have been exposed in previous breach corpuses, as well as against commonly used or easy-to-guess passwords.
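The two findings above, that trivially modified passwords are as exposed as exact reuses and that NIST recommends screening new passwords against breach corpuses, can be combined into one check at account creation or password change. The following is an added example, not SpyCloud’s tooling: it normalizes a candidate password the way a cracking rule set would (trailing digits removed, case folded, which generalizes the capitalized-first-letter case the report describes), looks it up against a constructed corpus stored as SHA-256 digests rather than reversible plaintext, and classifies a password change as exact reuse, a variant, or genuinely different.

```python
"""Screen candidate passwords against a breach corpus, allowing for the
slight variations the SpyCloud report describes.

Added example, not SpyCloud's code. The corpus is constructed: the first
three entries are the top passwords the report names, the rest are made up.
"""
import hashlib
import re

# Constructed breach corpus standing in for a real one.
BREACHED_PLAINTEXT = ["123456", "123456789", "qwerty", "Sunshine2015", "letmein"]


def normalize(password):
    """Reduce a password to the base form a cracking rule set would try.

    Strips digits appended at the end and folds case, so "Letmein99" and
    "letmein" collapse to the same key. Digit-only passwords are kept whole,
    otherwise "123456" would normalize to an empty string.
    """
    base = re.sub(r"\d+$", "", password)
    if not base:
        base = password
    return base.lower()


def digest(value):
    """SHA-256 of the value; the corpus never holds plaintext or MD5/SHA-1."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_corpus(plaintexts):
    """Return (exact_digests, variant_digests) built from leaked plaintexts."""
    exact = {digest(p) for p in plaintexts}
    variants = {digest(normalize(p)) for p in plaintexts}
    return exact, variants


def screen(password, exact, variants):
    """Classify a candidate password against the corpus.

    reused-exact   : the password itself appears in the corpus
    reused-variant : only a trivial edit separates it from a corpus entry
    not-found      : no match under either rule
    """
    if digest(password) in exact:
        return "reused-exact"
    if digest(normalize(password)) in variants:
        return "reused-variant"
    return "not-found"


EXACT, VARIANTS = build_corpus(BREACHED_PLAINTEXT)


def screen_default(password):
    """Screen against the constructed corpus defined above."""
    return screen(password, EXACT, VARIANTS)


def classify_reuse(old, new):
    """Compare an old and a new password the way the report's 94%/6% split
    does: exact reuse, a minor variation, or a genuinely different password."""
    if old == new:
        return "exact"
    if normalize(old) == normalize(new):
        return "variant"
    return "different"


if __name__ == "__main__":
    for candidate in ["123456", "Qwerty1", "sunshine", "correct horse battery staple"]:
        print(f"{candidate!r}: {screen_default(candidate)}")
    print(classify_reuse("letmein", "Letmein2020"))
```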