The internet is full of fraud and theft and cybercriminals are operating in the open with impunity, misrepresenting brands and advocating deceit overtly.
Bolster found these criminals are using mainstream ISPs, hosting companies and free internet services – the same that are used by legitimate businesses every day.
Phishing and online fraud scams accelerate
In Q2, there was an alarming, rapid increase of new phishing and fraudulent sites being created, detecting 1.7 million phishing and scam websites – a 13.3% increase from Q1 2020.
Phishing and scam websites continued to increase in Q2 and peaked in June 2020 with a total of 745,000 sites detected. On average, there were more than 18,000 fraudulent sites created each day.
Cybercriminals use common, free email services to execute phishing attacks
The most active phishing scammers are using free emails accounts from trusted providers including Google and Yahoo!. Gmail was the most popular with over 45% of email addresses.
Russian Yandex was the second most popular email service with 7.3%, followed by Yahoo! with 4.0%.
Brand impersonation continues to escalate
Data reveals that the top 10 brands are responsible for nearly 44,000 new phishing and fraudulent websites from January to September 2020. Each month there are approximately 4,000 new phishing and fraudulent websites created from these 10 brands alone.
September saw a near tripling in volume with more than 15,000 new phishing and fraudulent websites being created for these top brands, with Microsoft, Apple and PayPal topping the list.
COVID-19 is still a target, but less so
Approximately 30% of confirmed phishing and counterfeit pagers were related to COVID-19, equaling over a quarter of a million malicious websites.
Compared to Q1, these scams increased by 22%, following dynamic news headlines – N95 masks, face coronavirus drugs and government stimulus checks. However, the good news is that these scams are declining month-over-month.
Cybercriminals will continue to utilize natural news drivers
Though phishing and fraudulent campaigns outside of extraordinary events are on the rise, cybercriminals continue to demonstrate their agility from major events. In Q3, Bolster discovered scams connected to Amazon Prime Day and the presidential election.
There was a 2.5X increase of fraudulent websites using the Amazon brand logo in September, focusing on payment confirmation, returns and cancellations and surveys for free merchandise. Where the presidential campaigns were fraught with counterfeiting and internet trolling.
“With the holiday shopping season kicking off, the results of the presidential election and the New Year approaching, we anticipate the number of phishing and fraudulent activity to continue to rise,” said Shashi Prakash, CTO of Bolster.
“In anticipation of these events, criminals are sharpening their knives of deception, planning new and creative ways to take advantage of businesses and consumers. Companies must be vigilant, arming their teams with the technology needed to continuously discover and take down these fraudulent sites before an attack takes place.”
Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.
The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.
And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020.
This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
In the early morning hours of Nov. 18 Central European Time (CET), cyptocurrency mining service NiceHash disccovered that some of the settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for roughly 24 hours until it was able to verify that its domain settings had been changed back to their original settings.
“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,” the company wrote in a blog post.
NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. But he said GoDaddy was impossible to reach at the time because it was undergoing a widespread system outage in which phone and email systems were unresponsive.
“We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said in an email to this author. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”
Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform run by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service which maps changes to domain name records over time, KrebsOnSecurity instructed the service to show all domains registered at GoDaddy that had alterations to their email records in the past week which pointed them to privateemail.com. Those results were then indexed against the top one million most popular websites according to Alexa.com.
The result shows that several other cryptocurrency platforms also may have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.
In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but rather a technical issue that materialized during planned network maintenance.
“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”
“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”
Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts.
What’s more, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests the attackers behind the March incident — and possibly this latest one — succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.
In August 2020, KrebsOnSecurity warned about a marked increase in large corporations being targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been aided greatly by many employees working remotely thanks to the ongoing Coronavirus pandemic.
A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. The phishers often will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s email or virtual private networking (VPN) technology.
The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.
On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.
An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.
The FBI/CISA advisory includes a number of suggestions that companies can implement to help mitigate the threat from vishing attacks, including:
• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed.
• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
• Verify web links do not have misspellings or contain the wrong domain.
• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
Ransomware still remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals.
More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches.
The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly six times higher than it was in 2018 increasing from $46,800 to $274,200 over the past two years, according to Datto’s research. Phishing, poor user practices, and lack of end user security training continue to be the main causes of successful ransomware attacks.
The survey also revealed the following:
- MSPs a target: 95% of MSPs state their own businesses are more at risk. Likely due to increasing sophistication and complexity of ransomware attacks, almost half (46%) of MSPs now partner with specialized Managed Security Service Providers (MSSPs) for IT security assistance – to protect both their clients and their own businesses.
- SMBs spend more on security: 50% of MSPs said their clients had increased their budgets for IT security in 2020, perhaps indicating awareness of the ransomware threat is growing.
- Average cost of downtime continues to overshadow actual ransom amount: Downtime costs related to ransomware are now nearly 50X greater than the ransom requested.
- Business continuity and disaster recovery (BCDR) remains the number one solution for combating ransomware, with 91% of MSPs reporting that clients with BCDR solutions in place are less likely to experience significant downtime during an attack. Employee training and endpoint detection and response platforms ranked second and third in tackling ransomware.
The impact of COVID-19 on ransomware and the cost of security disruptions
During the pandemic, the move to remote working and the accelerated adoption of cloud applications have increased security risks for businesses. More than half (59%) of MSPs said remote work due to COVID-19 resulted in increased ransomware attacks, and 52% of MSPs reported that shifting client workloads to the cloud increased security vulnerabilities.
As a result, SMBs need to take precautions to avoid the costly disruptions that occur in the aftermath of an attack. The survey also determined that healthcare was the most vulnerable industry during the pandemic (59%).
“Now more than ever organizations need to be vigilant in their approach to cybersecurity, especially in the healthcare industry as it’s managing and handling the most sensitive (and for criminals the most valuable) private data,” said Travis Lass, President of XLCON.
“The majority of our clients are small healthcare clinics, with no in-house IT. As ransomware attacks continue to increase, it’s critical we do everything we can to support them by arming them with best-in-class technology that will fend off malicious attackers looking to take advantage of the already fragile state of the healthcare industry.”
Top three ways ransomware is attacking entities
- Phishing emails. 54% of MSPs report these as the most successful ransomware attack vector. The social engineering tactics used to deceive victims have become very sophisticated, making it vital for SMBs to offer extensive and consistent end user security education that goes beyond the basics of identifying phishing attacks.
- Software-as-a-Service (SaaS) applications. Nearly one in four MSPs reported ransomware attacks on clients’ SaaS applications, with Microsoft being hit the hardest at 64%. These attacks mean that SMBs must consider the vulnerability of their cloud applications when planning their IT security measures and budgets.
- Windows endpoint systems applications. These are the most targeted by hackers, with 91% of ransomware attacks targeting Windows PCs this year.
“Reducing the risk of cyberattacks requires a multi-layered approach rather than a single product – awareness, education, expertise, and purpose-built solutions all play a key role.
“The survey highlights how MSPs are taking the extra step to partner with MSSPs that can offer more security-focused experience, along with a more widespread use of security measures like SSO and 2FA – these are critical strategies businesses and municipalities need to adopt to protect themselves from cyber threats now and in the future.”
Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future.
Threat actors becoming even more ruthless
The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.
“We continue to see attackers use newsjacking and typosquatting techniques to attack organizations with ransomware, especially this quarter with the Presidential election and schools moving to a virtual learning model,” said John Ayers, Nuspire Chief Strategy Product Officer.
“It’s important for organizations to understand the latest threat landscape is changing so they can better prepare for current themes and better understand their risk.”
Increase in malware activity
There has been a significant increase in malware activity over the course of Q3 2020; the 128% increase from Q2 represents more than 43,000 malware variants detected a day.
As Emotet made a significant appearance, new features in Emotet modules were discovered, implying the group will likely continue operations throughout the remainder of the next quarter to successfully gauge the viability of these new features.
“Keeping a vigilant eye on how threats evolve, grow and adapt over time helps us understand how threat actors have been retooling their tactics. It’s more important than ever to consistently have visibility into the threat landscape.”
- The ZeroAccess botnet made another big appearance in Q3. It resurged in Q2, coming in second for most used botnet, but then went quiet towards the end of Q2, coming back up in Q3.
- Office document phishing skyrocketed during the second half of Q3, which could be due to the upcoming election, or because attackers have just finished retooling.
- Ransomware attack on the automotive industry is on the rise. At the end of Q3 2020, references have already surpassed the 2019 total at 18,307, an increase of 79.15% with Q4 still remaining.
- H-Worm Botnet, also known as Houdini, Dunihi, njRAT, NJw0rm, Wshrat, and Kognito, surged to the top of witnessed Botnet traffic for Q3 from the actors behind the botnet by deploying instances of Remote Access Trojans (RATs) using COVID-19 phishing lures and executable names.
COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, according to research from F5 Labs.
The report found that phishing incidents rose 220% during the height of the global pandemic compared to the yearly average. The number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.
The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.
Attackers’ brazen opportunism was in further evidence when certificate transparency logs (a record of all publicly trusted digital certificates) were examined.
The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which represents a massive 1102% increase on the month before.
“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.
“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”
Names and addresses of phishing sites
As per previous years’ research, fraudsters are becoming ever more creative with the names and addresses of their phishing sites.
In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. By far the most common brand to be targeted in the second half of 2020 was Amazon.
Additionally, Paypal, Apple, WhatsApp, Microsoft Office, Netflix and Instagram were all in the top 10 most frequently impersonated brands.
By tracking the theft of credentials through to use in active attacks, criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.
Meanwhile, cybercriminals were also got more ruthless in their bid to hijack reputable, albeit vulnerable URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4,7% in 2017.
Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.
Hiding in plain sight
2020 also saw phishers ramp up their bid to make fraudulent sites appear as genuine as possible. Most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to seem more credible to victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).
Combining incidents from 2019 and 2020, 55.3% of drop zones used a non-standard SSL/TLS port were additionally reported. Port 446 was used in all instances bar one. An analysis of phishing sites found 98.2% using standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
The future of phishing
According to recent research from Shape Security, which was integrated with the Phishing and Fraud report for the first time, there are two major phishing trends on the horizon.
As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms.
This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.
Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0,4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.
Researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use MFA codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website.
Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies.
Recent real-time phishing proxies in active use include Modlishka2 and Evilginx23.
“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.
“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”
COVID-19 changed the rules of the game virtually overnight. The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education.
But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they’re willing to take it.
WFH isn’t new, but WFH suddenly, at scale, is
The attack surface changed — and so did the rules of the game.
A work-from-home world isn’t a new thing. Slow transitions to remote workplaces have become more of a norm, though pushes for all-remote workplaces come in cycles. In the past five to ten years, despite the rise of flexible work options and global teams, work still happened mainly in an office.
What is new is a massive amount of the workforce shifting to remote work nearly overnight. Suddenly, the internet became a company’s network—thousands of employees turned into thousands of individual offices. Secured networks were traded in for home Wi-Fi, and gaps and holes in an organization’s attack surface were introduced where they didn’t exist before.
That shift suddenly exposed vulnerabilities in the system, like older systems that were never updated, internet assets that were forgotten, and patches that never happened. These weak links are all the invitation a malicious adversary needs.
Rogue threats—web infrastructure created by criminals—changed, too. Phishing schemes suddenly took a new approach in the form of “COVID lures”: emails and ads that lead to questionable websites providing cure-alls for the virus, taking advantage of people’s increased fear and anxiety.
Attackers realized they had another advantage: employees responsible for diagnosing and fixing these kinds of security issues are now preoccupied with supporting family, supervising their kids’ remote education, or working long hours to cover other cuts. In other words, some of our players were benched.
Combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game. The good news is that although malicious actors seeking ways into these exposed systems are adapting, a company can adapt as well.
Going on the offensive
Companies can’t afford large-scale cyberattacks at any time, but especially right now. The pandemic has caused consumers who may have lost significant income to be picky with their purchases and investments. Companies need to be focused on retaining customer relationships so that they’ll weather the pandemic, and a take-down of the network could undercut customer trust in unrecoverable ways.
But many companies won’t take action. They may view their older systems as good enough to ride the wave to the other side of the pandemic, and once there, they’ll go back to what they had used before, unprepared for the next attack. They may get through, but nothing will have changed — things will not go back to how they were, and you will no longer be able to rely on systems that protected a pre-COVID world.
Now, there’s an opportunity to huddle up, form a new strategy, and go on the offensive. The pandemic can be an opportunity for businesses to take a look at their vulnerabilities, map their attack surface, and take appropriate actions to secure and strengthen their systems. We’ve seen this after other catastrophic events, such as after 9/11, when companies adopted new resiliency plans for any future recovery events. Companies have the same opportunity now.
Here are some things a company can do to ensure their systems are secure, even if they’ve been running a remote workforce for a while.
Invest in security teams
Companies who understand the value of keeping their systems secure and taking initiatives against potential leaks will want to invest in cybersecurity. Shore up the team and make new hires if needed. Overall, companies have been supportive of their security teams during this time, but if security isn’t a priority, make it one.
Map the attack surface
The quick move to remote work probably meant a fast rollout of new initiatives and quickly standing up new equipment, which means mistakes are the leading cause of a breach. Do an audit of your attack surface to uncover hidden failures and where older systems, forgotten assets, or unpatched issues are creating vulnerabilities.
Ask questions about what changed: What programs were canceled or altered? How are resources shifting around? Can new assets be secured before they roll out? Also, do some threat modeling with your team. Ask what a threat actor would do to attack your systems, or where they would gain a foothold. In other words, anticipate the opposing team’s next move.
Even the best companies miss something, but the more you can anticipate, the better. Then prepare a response plan for investigating attacks quickly, develop a triage system, create a playbook, and run drills so your players know their roles.
Update the old and roll out the new
Now that you’re learning the new rules of the game, can visualize the playing field and anticipate the opposing team’s next move, it’s time to act. Update older systems or trade them in for new ones. Patch security holes. Shrink the attack surface. Roll out new digital initiatives you might have been sitting on.
Finally, create that mobile app. Move to the cloud. Find new digital ways to engage with your customers, since it may be a while before in-store foot traffic returns. As you do this, you may come to realize that your systems were set up in such a way that you need to start over. In that case, do it. Now’s the time.
Support your team
Above all, make sure you have the right team in place, and take care of them. Get them the resources and information they need as they audit, patch, and put new protocols in place for the future.
Communicate with both them and your leadership team to keep everyone informed, and if you think you’re too busy, communicate even more like teammates would on the field. Hedge against burnout. Above all, give your team the time and space they need to find the holes and make the fixes.
Live to play another day
In many ways, this shift to digital has been in progress for a long time. However, because it was never a necessity, the transformation lagged or stalled from a lack of resources and was moved down the priorities list. But today we see stalled-out initiatives finally being implemented. The plans have been in place, and COVID is now forcing us to get it done.
New Zscaler threat research reveals the emerging techniques and impacted industries behind a 260-percent spike in attacks using encrypted channels to bypass legacy security controls.
Showing that cybercriminals will not be dissuaded by a global health crisis, they targeted the healthcare industry the most. Following healthcare, the research revealed the top industries under attack by SSL-based threats were:
1. Healthcare: 1.6 billion (25.5 percent)
2. Finance and Insurance: 1.2 billion (18.3 percent)
3. Manufacturing: 1.1 billion (17.4 percent)
4. Government: 952 million (14.3 percent)
5. Services: 730 million (13.8 percent)
COVID-19 is driving a ransomware surge
Researchers witnessed a 5x increase in ransomware attacks over encrypted traffic beginning in March, when the World Health Organization declared the virus a pandemic. Earlier research from Zscaler indicated a 30,000 percent spike in COVID-related threats, when cybercriminals first began preying on fears of the virus.
Phishing attacks neared 200 million
As one of the most commonly used attacks over SSL, phishing attempts reached more than 193 million instances during the first nine months of 2020. The manufacturing sector was the most targeted (38.6 percent) followed by services (13.8 percent), and healthcare (10.9 percent).
30 percent of SSL-based attacks spoofed trusted cloud providers
Cybercriminals continue to become more sophisticated in avoiding detection, taking advantage of the reputations of trusted cloud providers such as Dropbox, Google, Microsoft, and Amazon to deliver malware over encrypted channels.
Microsoft remains most targeted brand for SSL-based phishing
Since Microsoft technology is among the most adopted in the world, Zscaler identified Microsoft as the most frequently spoofed brand for phishing attacks, which is consistent with ThreatLabZ 2019 report. Other popular brands for spoofing included PayPal and Google. Cybercriminals are also increasingly spoofing Netflix and other streaming entertainment services during the pandemic.
“Cybercriminals are shamelessly attacking critical industries like healthcare, government and finance during the pandemic, and this research shows how risky encrypted traffic can be if not inspected,” said Deepen Desai, CISO and VP of Security Research at Zscaler. “Attackers have significantly advanced the methods they use to deliver ransomware, for example, inside of an organization utilizing encrypted traffic. The report shows a 500 percent increase in ransomware attacks over SSL, and this is just one example to why SSL inspection is so important to an organization’s defense.”
Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails“:
Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are “off” about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email — usually, the presence of a link requesting an action — triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.
In today’s world, most external cyberattacks start with phishing. For attackers, it’s almost a no-brainer: phishing is cheap and humans are fallible, even after going through anti-phishing training.
Patrick Harr, CEO at SlashNext, says that while security awareness training is an important aspect of a multi-layered defense strategy, simulating attacks during computer-based training sessions is not an effective way to learn, because people don’t necessarily retain the information.
“Working from home, where there are more distractions, makes it even less likely that people really pay attention to these trainings. That’s why it’s not uncommon to see the same people who tune out training falling for scams again and again,” he noted.
That’s why defenders must preempt attacks, he says, and reinforce a lesson during a live attack. When something gets through and someone clicks on a malicious URL, defenders must be able to simultaneously block the attack and show the victim what the phisher was attempting to do.
Latest phishing trends
Harr, who has over 20 years of experience as a senior executive and GM at industry leading security and storage companies and as a serial entrepreneur and CEO at multiple successful start-ups, is now leading SlashNext, a cybersecurity startup that uses AI to predict and protect enterprise users from phishing threats.
He says that most CISOs assume phishing is a corporate email problem and their current line of defense is adequate, but they are wrong.
“We are detecting 21,000 new phishing attacks a day, many of which have moved beyond corporate email and simple credential stealing. These attacks can easily evade email phishing defenses that rely on static, reputation-based detection. That’s why we typically see 80-90% of attacks evading conventional lines of defense to compromise the network,” he told Help Net Security.
“Magnify this by 150,000 new zero-hour phishing threats a week, almost double the number of threats versus a year ago, and we can safely say, ‘Houston we have a problem!’”
They are seeing:
- More text-based phishing, with no actual links, across SMS, gaming, search services, ad networks, and collaboration platforms like Zoom, Teams, Box, Dropbox, and Slack, as well as attacks on mobile devices
- A proliferation of phishing payloads beyond credential stealing scams which have been around for ages
- An increase in scareware, where phishers attempt to scare people into taking an action, such as sharing an email
- Rogue software attacks embedded in browser extensions and social engineering schemes like the massive Twitter bitcoin scam that happened in July
“Finally, we’re seeing cybercriminals trying out innovative ways to evade detection. For example, bad actors may register a domain that lays dormant for months before going live,” he added, and noted that they’ve witnessed a 3,000% increase in the number of phishing attacks since everyone began working and learning from home, and they expect this growth trend will continue.
Advice for CISOs
His main advice to CISOs is not to be complacent and to be diligent: near term, mid-term, and long term.
“You’ve got to take a comprehensive, multi-layer phishing defense approach outside the firewall, where your biggest user population is working remotely, and inside the firewall for your internal users. You need to protect mobile devices and PC/Mac endpoints, with end-to-end encryption (E2EE) deployed,” he opined.
“You also have to be mindful of corporate users’ personal side as their personal and business lives have converged, and many people use the same devices and same credentials across personal and business accounts.
Thirdly, this type of attacks need to be prevented from happening. “Use AI-enabled defenses to fight AI-enabled attacks. Fight machines with machines and adopt a preemptive security posture.”
Finally: some attacks inevitably breach all defenses and they must be prepared to quickly detect and respond to attack, and perform the necessary cleanup.
Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks.
The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.
Threat level is unchanged
While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, major changes in organizational and IT infrastructure to support remote work created new vulnerabilities for threat actors to exploit.
The sudden switch to remote work and increased use of cloud services and personal devices significantly expanded the attack surface for many organizations. Facing an urgent need for business continuity, many companies did not have time to put all the necessary protocols, processes and controls in place, making it difficult for security teams to respond to incidents.
Threat actors—including nation-states and financially-motivated cyber criminals—are exploiting these vulnerabilities with malware, phishing, and other social engineering tactics to take advantage of victims for their own gain. One in four attacks are now ransomware related—up from 1 in 10 in 2018—and new COVID-19 phishing attacks include stimulus check fraud.
Additionally, healthcare, pharmaceutical and government organizations and information related to vaccines and pandemic response are attack targets.
The issue with dispersed workforces
Barry Hensley, Chief Threat Intelligence Officer, Secureworks said: “Against a continuing threat of enterprise-wide disruption from ransomware, business email compromise and nation-state intrusions, security teams have faced growing challenges including increasingly dispersed workforces, issues arising from the rapid implementation of remote working with insufficient consideration to security implications, and the inevitable reduced focus on security from businesses adjusting to a changing world.”
75% of all 56 U.S. states and territories leading up to the presidential election, showed signs of a vulnerable IT infrastructure, a SecurityScorecard report reveals.
Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.
Election infrastructure: High-level findings
Seventy-five percent of U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below; 35% have a ‘D’ and below. States with a grade of ‘C’ are 3x more likely to experience a breach (or incident, such as ransomware) compared to an ‘A’ based on a three-year SecurityScorecard study of historical data. Those with a ‘D’ are nearly 5x more likely to experience a breach.
- States with the highest scores: Kentucky (95) Kansas (92) Michigan (92)
- States with the lowest scores: North Dakota (59) Illinois (60) Oklahoma (60)
- Among states and territories, there are as many ‘F’ scores as there are ‘A’s
- The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software.
Significant security concerns were observed with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.
The battleground states
According to political experts, the following states are considered “battleground” and will help determine the result of the election. But over half have a lacking overall IT infrastructure:
- Michigan: 92 (A)
- North Carolina: 81 (B)
- Wisconsin: 88 (B)
- Arizona: 81 (B)
- Texas: 85 (B)
- New Hampshire: 77 (C)
- Pennsylvania: 85 (B)
- Georgia: 77 (C)
- Nevada: 74 (C)
- Iowa: 68 (D)
- Florida: 73 (C)
- Ohio: 68 (D)
“This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors.
“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”
Potential consequences of lower scores
- Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation. Malicious actors often sell access to organizations they have successfully infected.
- Attacks via third-party vendors – many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns.
- Voter registration databases could be impacted. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.
“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration.
“For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections, but save more lives.”
A set of best practices for states
- Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
- Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
- States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
- States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes
Cyberattacks are becoming increasingly sophisticated as tools and services on the dark web – and even the surface web – enable low-skill threat actors to create highly evasive threats. Unfortunately, most of today’s modern malware evades traditional signature-based anti-malware services, arriving to endpoints with ease. As a result, organizations lacking a layered security approach often find themselves in a precarious situation. Furthermore, threat actors have also become extremely successful at phishing users out of their credentials or simply brute forcing credentials thanks to the widespread reuse of passwords.
A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).
Take the massive Norsk Hydro ransomware attack as an example: The initial infection occurred three months prior to the attacker executing the ransomware and locking down much of the manufacturer’s computer systems. That was more than enough time for Norsk to detect the breach before the damage could done, but the reality is most organization simply don’t have a sophisticated layered security strategy in place.
In fact, the most recent IBM Cost of a Data Breach Report found it took organizations an average of 280 days to identify and contain a breach. That’s more than 9 months that an attacker could be sitting on your network planning their coup de grâce.
So, what exactly are attackers doing with that time? How do they make their way onto the endpoint undetected?
It usually starts with a phish. No matter what report you choose to reference, most point out that around 90% of cyberattacks start with a phish. There are several different outcomes associated with a successful phish, ranging from compromised credentials to a remote access trojan running on the computer. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.
The above screenshot is from a recent phish WatchGuard Threat Lab encountered. The link within the email was customized to the individual recipient, allowing the attacker to populate the victim’s email address into the fake form to increase credibility. The phish was even hosted on a Microsoft-owned domain, albeit on a subdomain (servicemanager00) under the attacker’s control, so you can see how an untrained user might fall for something like this.
That secondary payload is usually a remote-access trojan or botnet of some form that includes a suite of tools like keyloggers, shell script-injectors, and the ability to download additional modules. The infection isn’t usually limited to the single endpoint for long after this. Attackers can use their foothold to identify other targets on the victim’s network and rope them in as well.
It’s even easier if the attackers manage to get hold of a valid set of credentials and the organization hasn’t deployed multi-factor authentication. It allows the threat actor to essentially walk right in through the digital front door. They can then use the victim’s own services – like built-in Windows scripting engines and software deployment services – in a living-off-the-land attack to carry out malicious actions. We commonly see threat actors leverage PowerShell to deploy fileless malware in preparation to encrypt and/or exfiltrate critical data.
The WatchGuard Threat Lab recently identified an ongoing infection while onboarding a new customer. By the time we arrived, the threat actor had already been on the victim’s network for some time thanks to compromising at least one local account and one domain account with administrative permissions. Our team was not able to identify how exactly the threat actor obtained the credentials, or how long they had been present on the network, but as soon as our threat hunting services were turned on, indicators immediately lit up identifying the breach.
In this attack, the threat actors used a combination of Visual Basic Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt Strike – to map out the victim’s network and launch malware. One behavior we saw came from Cobalt Strike’s shell code decoder enabled the threat actors to download malicious commands, load them into memory, and execute them directly from there, without the code ever touching the victim’s hard drive. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats.
Elsewhere on the network our team saw the threat actors using PsExec, a built in Windows tool, to launch a remote access trojan with SYSTEM-level privileges thanks to the compromised domain admin credentials. The team also identified the threat actors attempts to exfiltrate sensitive data to a DropBox account using a command-line based cloud storage management tool.
Fortunately, they were able to identify and clean up the malware quickly. However, without the victim changing the stolen credentials, the attacker could have likely re-initiated their attack at-will. Had the victim deployed an advanced Endpoint Detection and Response (EDR) engine as part of their layered security strategy, they could have stopped or slowed the damage created from those stolen credentials.
Attackers are targeting businesses indiscriminately, even small organizations. Relying on a single layer of protection simply no longer works to keep a business secure. No matter the size of an organization, it’s important to adopt a layered security approach that can detect and stop modern endpoint attacks. This means protections from the perimeter down to the endpoint, including user training in the middle. And, don’t forget about the role of multifactor authentication (MFA) – could be the difference between stopping an attack and becoming another breach statistic.
What is the threat?
An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.
Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.
How do ATM cash-out attacks work?
An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems.
The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.
With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.
These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.
Who is most at risk?
Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.
What are some detection best practices?
- Velocity monitoring of underlying accounts and volume
- 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
- Reporting system that sounds the alarm immediately when suspicious activity is identified
- Development and practice of an incident response management system
- Check for unexpected traffic sources (e.g. IP addresses)
- Look for unauthorized execution of network tools.
What are some prevention best practices?
- Strong access controls to your systems and identification of third-party risks
- Employee monitoring systems to guard against an “inside job”
- Continuous phishing training for employees
- Multi-factor authentication
- Strong password management
- Require layers of authentication/approval for remote changes to account balances and transaction limits
- Implementation of required security patches in a timely manner (ASAP)
- Regular penetration testing
- Frequent reviews of access control mechanisms and access privileges
- Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
- Installation of file integrity monitoring software that can also serve as a detection mechanism
- Strict adherence to the entire PCI DSS.
While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March.
For a typical organization, this means there are now, on average, 17 sets of corporate credentials available on the dark web that could be used by hackers.
With access to just one corporate account, attackers can easily execute account takeover attacks, which allow them to move laterally within an organization’s corporate network and gain access to sensitive data, intellectual property, competitive information, or funds.
Cybersecurity incidents now occur after hours
The sharp increase in corporate credential leaks underscores the need for organizations to have dedicated 24×7 monitoring of their network, endpoint, and cloud environments in order to prevent targeted attacks that could happen at any time.
Of the high-risk security incidents observed, 35% occur between the hours of 8:00 PM and 8:00 AM, and 14% occur on weekends; times when many in-house security teams are not online.
“The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge. Yet, despite this constant innovation, we continue to see breaches in the headlines.
“The only way to eliminate cybersecurity challenges like ransomware, account takeover attacks, and cloud misconfigurations is by embracing security operations capabilities that fully integrate people, processes, and technology,” said Mark Manglicmot, VP Security Services, Arctic Wolf.
COVID-19 increasing the number of security operations challenges
- A 64 percent increase in phishing and ransomware attempts – Hackers have created new phishing lures around COVID-19 topics and adapted traditional lures seeking to take advantage of remote workers.
- Critical vulnerability patch time has increased by 40 days – A combination of higher common vulnerabilities and exposures (CVE) volumes, more critical CVEs, and the emergence of a remote workforce have significantly slowed the patching programs at many organizations.
- Unsecured Wi-Fi usage is up by over 240 percent – Remote workforces connecting to open and unsecured Wi-Fi networks outside of their office or home are now facing increased risks of malware exposure, credential theft, and browser session hijacking.
More than 80% of global employees do not want to return to the office full-time, despite 30% employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.
Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.
Mobile devices and a new threat landscape
The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.
“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.
“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.
- Typically works in financial services, professional services or the public sector.
- Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
- Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
- Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.
- Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
- Relies on remote collaboration tools and cloud suites to get work done.
- Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
- Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
- This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.
- Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
- Prefers to work on a desktop computer from a fixed location than on mobile devices.
- Relies heavily on productivity suites to communicate with colleagues in and out of the office.
- Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.
- Works on the frontlines in industries like healthcare, logistics or retail.
- Works from fixed and specific locations, such as hospitals or retail shops; This employee can’t work remotely.
- Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
- Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.
“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.
“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.
“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”
The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.
Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Europol IOCTA 2020
Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.
Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.
The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
Malware reigns supreme
Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.
Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.
Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.
Child sexual abuse material continues to increase
The main threats related to online child abuse exploitation have remained stable in recent years, however detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.
Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.
Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.
Livestream of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used which becomes one of the key challenges for law enforcement as this material is not recorded.
Payment fraud: SIM swapping a new trend
SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.
Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.
Criminal abuse of the dark web
In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.
Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.
OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.
VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.
“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”
EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.
Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, a research from CompTIA finds.
Eight in 10 organizations surveyed said their cybersecurity practices are improving.
At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.
Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.
“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”
Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.
“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”
As a result, companies have a better understanding of what do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical.
Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are established to tie security activity to business objectives.
IT teams foundational skills
The report also highlights how the “cybersecurity chain” has expanded to include upper management, boards of directors, business units and outside firms in addition to IT personnel in conversations and decisions.
Within IT teams, foundational skills such as network and endpoint security have been paired with new skills, including identity management and application security, that have become more important as cloud and mobility have taken hold.
On the horizon, expect to see skills related to security monitoring and other proactive tactics gain a bigger foothold. Examples include data analysis, threat knowledge and understanding the regulatory landscape.
Cybersecurity insurance is another emerging area. The report reveals that 45% of large companies, 41% of mid-sized firms and 37% of small businesses currently have a cyber insurance policy.
Common coverage areas include the cost of restoring data (56% of policy holders), the cost of finding the root cause of a breach (47%), coverage for third-party incidents (43%) and response to ransomware (42%).
The benefits of cybersecurity awareness programs are currently the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies not only invest in IT security solutions, but also in the training of their employees with the goal of making them more conscious of security issues.
Already 96 percent of companies conduct security awareness trainings. This is one of the results of a study among qualified, international security experts, conducted by Lucy Security.
Security awareness covers various training measures which sensitize a company’s employees to IT security issues. The goal of these measures is to minimize the risks to IT security caused by employees.
Companies do not exploit employees’ potential
81 percent of the companies surveyed carry out phishing simulations. It is noteworthy, however, that only slightly more than half of the companies already include their employees in their security arrangements. For example, only 51 percent of the companies use a phishing alarm button.
49 percent do not use this function and thus do not exploit the full potential of their staff. The so-called “human firewall” is not activated. “The lack of use of a phishing incident button wastes a lot of protection potential and user motivation,” comments Palo Stacho, Head of Operations at Lucy Security.
In 92 percent of the companies, cybersecurity awareness has increased in recent months. 96 percent also agree that cybersecurity awareness has led to a higher level of security in their company. 98 percent are also convinced that security awareness measures make attacks by cyber criminals more difficult.
Phishing simulations strengthen trust in superiors
The measures also strengthen the confidence in the management. Almost 89 percent of the survey participants “fully”, “largely” or “rather agree” that trust in management is not called into question by phishing campaigns.
73 percent also confirm that the security awareness measures do not cause any fear among employees. In fact, the measures have the opposite effect: 95 percent of the respondents say that the phishing simulations have a positive effect on the working atmosphere. 100 percent also claim that the measures have a positive effect on their company’s error culture.
Security awareness makes companies more secure
Finally, 92 percent of the survey participants denied that the same level of IT security could be maintained in the company if the existing funds and resources were invested exclusively in technical security measures, such as firewalls and virus scanners.
“At Lucy Security, internal analyses have shown that correctly implemented awareness programs make a company up to ten times more secure,” says Palo Stacho. “But the benefits of cybersecurity awareness go far beyond fewer security incidents and better trained employees. The trainings and increased attention to IT security also have a positive effect on the corporate culture.”
Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.
“The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.
In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).
Every and any pretense is good for a phishing email, but when targeting businesses, the lure can be very effective if it can pass as an email sent from inside the organization. So the attackers attempted to make it look like the email was coming from the company’s “security services”, though some initial mistakes on their part would reveal to careful targets that the email was sent from an outside email account (a Gmail address).
“On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions,” the researchers explained.
The phishing site
Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.
The link is “personalized” with the target’s email address, so the HTML form on the malicious webpage auto-populates the username field with the correct email address (found in the URL’s “email” parameter). Despite the “generic” look of the phishing page, this capability can convince some users to log in.
Once the password is submitted, a script sends the credentials to the phishers and the victim is shown an error page.
As always, users/employees are advised not to click on links in unsolicited emails and to avoid entering their credentials into unfamiliar login pages.
Researchers at the National Institute of Standards and Technology (NIST) have developed a new method called the Phish Scale that could help organizations better train their employees to avoid phishing.
How does Phish Scale work?
Many organizations have phishing training programs in which employees receive fake phishing emails generated by the employees’ own organization to teach them to be vigilant and to recognize the characteristics of actual phishing emails.
CISOs, who often oversee these phishing awareness programs, then look at the click rates, or how often users click on the emails, to determine if their phishing training is working. Higher click rates are generally seen as bad because it means users failed to notice the email was a phish, while low click rates are often seen as good.
However, numbers alone don’t tell the whole story. “The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves. The tool can help explain why click rates are high or low.
The Phish Scale uses a rating system that is based on the message content in a phishing email. This can consist of cues that should tip users off about the legitimacy of the email and the premise of the scenario for the target audience, meaning whichever tactics the email uses would be effective for that audience. These groups can vary widely, including universities, business institutions, hospitals and government agencies.
The new method uses five elements that are rated on a 5-point scale that relate to the scenario’s premise. The overall score is then used by the phishing trainer to help analyze their data and rank the phishing exercise as low, medium or high difficulty.
The significance of the Phish Scale is to give CISOs a better understanding of their click-rate data instead of relying on the numbers alone. A low click rate for a particular phishing email can have several causes: the phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty.
Helping CISOs better understand their phishing training programs
By using the Phish Scale to analyze click rates and collecting feedback from users on why they clicked on certain phishing emails, CISOs can better understand their phishing training programs, especially if they are optimized for the intended target audience.
The Phish Scale is the culmination of years of research, and the data used for it comes from an “operational” setting, very much the opposite of a laboratory experiment with controlled variables.
“As soon as you put people into a laboratory setting, they know,” said Steves. “They’re outside of their regular context, their regular work setting, and their regular work responsibilities. That is artificial already. Our data did not come from there.”
This type of operational data is both beneficial and in short supply in the research field. “We were very fortunate that we were able to publish that data and contribute to the literature in that way,” said NIST researcher Kristen Greene.
As for next steps, Greene and Steves say they need even more data. All of the data used for the Phish Scale came from NIST. The next step is to expand the pool and acquire data from other organizations, including nongovernmental ones, and to make sure the Phish Scale performs as it should over time and in different operational settings.
“We know that the phishing threat landscape continues to change,” said Greene. “Does the Phish Scale hold up against all the new phishing attacks? How can we improve it with new data?” NIST researcher Shaneé Dawkins and her colleagues are now working to make those improvements and revisions.
Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.
Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.
Opened email lets spy in
According to the data, in H1 2020, 43 percent of the malicious mails on the radars of Group-IB Threat Detection System had attachments with spyware or links leading to their downloading.
Another 17 percent contained downloaders, while backdoors and banking Trojans came third with a 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.
These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.
Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).
The new instruments detected in the first half of the year included Quasar, a remote access tool based on the open source; spyware Gomorrah that extracts login credentials of users from various applications; and 404 Keylogger, a software for harvesting user data that is distributed under malware-as-a-service model.
Almost 70 percent of malicious files were delivered to the victim’s computer with the help of archives, another 18% percent of malicious files were masked as office documents (with .doc, .xls and .pdf file extensions), while 14% more were disguised as executable files and scripts.
In the first six months of 2020, a total of 9 304 phishing web resources were blocked, which is an increase of 9 percent compared to the previous year. The main trend of the observed period was the two-fold surge in the number of resources using safe SSL/TLS connection – their amount grew from 33 percent to 69 percent in just half a year.
This is explained by the cybercriminals’ desire to retain their victim pool – the majority of web browsers label websites without SSL/TLS connection as a priori dangerous, which has a negative impact on the effectiveness of phishing campaigns.
Experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.
Just as it was the case in the second half of 2019, in the first half of this year, online services like ecommerce websites turned out to be the main target of web-phishers. In the light of global pandemic and the businesses’ dive into online world, the share of this phishing category increased to remarkable 46 percent.
The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.
Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.
The leadership in terms of the number of phishing resources registered has persistently been held by .com domain zone – it accounts for nearly a half (44%) of detected phishing resources in the review period. Other domain zones popular among the phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).
“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.
“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.
“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.
“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”