2020 set the stage for cybersecurity priorities in 2021

It’s safe to assume that pretty much everyone is ready to move on from 2020. Between the COVID-19 pandemic, political battles, and social unrest, this has been a stressful year in so many ways. It has also been a very active year for cybercriminals and fraudsters who have preyed on people’s fears and vulnerabilities to push new scams. They’ve spoofed government health sites to trick people into clicking on malware links. They’ve targeted food delivery …

The post 2020 set the stage for cybersecurity priorities in 2021 appeared first on Help Net Security.

Around 18,000 fraudulent sites are created daily

The internet is full of fraud and theft and cybercriminals are operating in the open with impunity, misrepresenting brands and advocating deceit overtly.


Bolster found these criminals are using mainstream ISPs, hosting companies and free internet services – the same that are used by legitimate businesses every day.

Phishing and online fraud scams accelerate

In Q2, there was an alarming, rapid increase of new phishing and fraudulent sites being created, detecting 1.7 million phishing and scam websites – a 13.3% increase from Q1 2020.

Phishing and scam websites continued to increase in Q2 and peaked in June 2020 with a total of 745,000 sites detected. On average, there were more than 18,000 fraudulent sites created each day.

Cybercriminals use common, free email services to execute phishing attacks

The most active phishing scammers are using free emails accounts from trusted providers including Google and Yahoo!. Gmail was the most popular with over 45% of email addresses.

Russian Yandex was the second most popular email service with 7.3%, followed by Yahoo! with 4.0%.

Brand impersonation continues to escalate

Data reveals that the top 10 brands are responsible for nearly 44,000 new phishing and fraudulent websites from January to September 2020. Each month there are approximately 4,000 new phishing and fraudulent websites created from these 10 brands alone.

September saw a near tripling in volume with more than 15,000 new phishing and fraudulent websites being created for these top brands, with Microsoft, Apple and PayPal topping the list.

COVID-19 is still a target, but less so

Approximately 30% of confirmed phishing and counterfeit pages were related to COVID-19, equaling over a quarter of a million malicious websites.

Compared to Q1, these scams increased by 22%, following dynamic news headlines – N95 masks, coronavirus drugs and government stimulus checks. However, the good news is that these scams are declining month-over-month.

Cybercriminals will continue to utilize natural news drivers

Though phishing and fraudulent campaigns outside of extraordinary events are on the rise, cybercriminals continue to demonstrate their agility from major events. In Q3, Bolster discovered scams connected to Amazon Prime Day and the presidential election.

There was a 2.5X increase in fraudulent websites using the Amazon brand logo in September, focusing on payment confirmation, returns and cancellations, and surveys for free merchandise, while the presidential campaigns were fraught with counterfeiting and internet trolling.

“With the holiday shopping season kicking off, the results of the presidential election and the New Year approaching, we anticipate the number of phishing and fraudulent activity to continue to rise,” said Shashi Prakash, CTO of Bolster.

“In anticipation of these events, criminals are sharpening their knives of deception, planning new and creative ways to take advantage of businesses and consumers. Companies must be vigilant, arming their teams with the technology needed to continuously discover and take down these fraudulent sites before an attack takes place.”

Mobile messengers expose billions of users to privacy attacks

Popular mobile messengers expose personal data via discovery services that allow users to find contacts based on phone numbers from their address book, according to researchers.


When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery.

A recent study by a team of researchers from the Secure Software Systems Group at the University of Würzburg and the Cryptography and Privacy Engineering Group at TU Darmstadt shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram. The results of the experiments demonstrate that malicious users or hackers can collect sensitive data at a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.

Attackers are enabled to build accurate behavior models

For the extensive study, the researchers queried 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. Thereby, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts and the “last online” time.

The analyzed data also reveals interesting statistics about user behavior. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.

The researchers found that about 50% of WhatsApp users in the US have a public profile picture and 90% a public “About” text. Interestingly, 40% of Signal users, who can be assumed to be more privacy-conscious in general, also use WhatsApp, and every second one of those Signal users has a public profile picture on WhatsApp.

Tracking such data over time enables attackers to build accurate behavior models. When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example to scam users.

For Telegram, the researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service.

Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user. WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers.

More privacy-concerned messengers like Signal transfer only short cryptographic hash values of phone numbers or rely on trusted hardware. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds.
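To make the entropy argument above concrete, here is an added illustration (not code from the Würzburg/TU Darmstadt study, nor from Signal, WhatsApp or Telegram). It models a contact-discovery token as the unkeyed SHA-256 of the number, a stand-in for the “short cryptographic hash values” mentioned, bounds the size of the North American number space, and contrasts the unkeyed token with a keyed one that requires a server-held secret. The numbering-plan bound, the server key and the enumerated block of numbers are all constructed for the example; real deployments that rely on trusted hardware are more involved than this model.

```python
"""Why a bare hash does not hide a phone number: the input space is tiny.

Added illustration, not code from the study or any messenger. The token
scheme, the server key and the enumerated block are constructed for the example.
"""
import hashlib
import hmac
import math
from typing import Optional


def nanp_search_space() -> int:
    """Upper bound on syntactically valid 10-digit North American numbers.

    Area code and exchange each start with 2-9 (8 * 10 * 10 choices); the
    subscriber part is 0000-9999. Real assignment rules shrink this further,
    so the true entropy is lower than this bound.
    """
    return (8 * 10 * 10) * (8 * 10 * 10) * 10_000


def entropy_bits(space: int) -> float:
    """Bits of entropy for a uniformly chosen element of a space of this size."""
    return math.log2(space)


def discovery_token(number: str) -> str:
    """Unkeyed token: anyone can compute it for any candidate number."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_discovery_token(number: str, server_key: bytes) -> str:
    """Keyed token (HMAC): without server_key, offline enumeration is impossible.

    In a real design such a key would be held by the provider (for example in
    trusted hardware); the key used here is a constructed stand-in.
    """
    return hmac.new(server_key, number.encode(), hashlib.sha256).hexdigest()


def recover_from_token(token: str, prefix: str, width: int = 4) -> Optional[str]:
    """Cost model for the defender: one hash per candidate number.

    Enumerates the `width`-digit tail under a fixed area-code+exchange
    `prefix` (10**width candidates, a constructed block) and returns the
    number whose unkeyed token matches, or None if nothing matches.
    """
    for tail in range(10 ** width):
        candidate = f"{prefix}{tail:0{width}d}"
        if discovery_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    bits = entropy_bits(nanp_search_space())
    print(f"NANP number space: {nanp_search_space():,} candidates, about {bits:.1f} bits")
    print("for comparison, a random symmetric key has 128 bits or more")

    number = "2125550123"  # constructed, fictional number
    print("unkeyed token recovered:", recover_from_token(discovery_token(number), "212555"))
    keyed = keyed_discovery_token(number, b"constructed-server-secret")
    print("keyed token recovered:", recover_from_token(keyed, "212555"))
```

The point the numbers make: roughly 2^32.6 candidates is a search any commodity machine can finish, so the unkeyed token is recovered while the keyed token is not. Keying alone does not stop online querying through the service itself, which is why rate limits on queries (the mitigation Signal adopted, described below) are still needed.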

Moreover, since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers.

“We strongly advise all users of messenger apps to revisit their privacy settings. This is currently the most effective protection against our investigated crawling attacks,” agree Prof. Alexandra Dmitrienko (University of Würzburg) and Prof. Thomas Schneider (TU Darmstadt).

Impact of research results: Service providers improve their security measures

The research team reported their findings to the respective service providers. As a result, WhatsApp has improved their protection mechanisms such that large-scale attacks can be detected, and Signal has reduced the number of possible queries to complicate crawling.

The researchers also proposed many other mitigation techniques, including a new contact discovery method that could be adopted to further reduce the efficiency of attacks without negatively impacting usability.

The benefits of providing employees with an identity compromise solution

Employees find significant value in having access to an identity compromise solution; having a remediation solution available creates a better mindset for those who use it; and there are halo effects that benefit others (especially employers), an Identity Theft Resource Center (ITRC) and Aura Identity Guard survey reveals.


More reports of identity theft than any other category

In 2019, the Federal Trade Commission (FTC) received over 3.2 million reports of fraud with more reports of identity theft than any other category. There is an opportunity to provide the needed support employees are asking for by giving them access to an identity compromise solution as a component of the benefits suite.

“Cybersecurity is an organizational issue,” said Eva Velasquez, president and CEO of the ITRC.

“Cybersecurity is not only in the hands of an IT or security department. Every employee plays a crucial role in its company’s security network. That is why it is so critical employees are educated on cybersecurity and have the proper cyber-hygiene tools.”

The impact of COVID-19

In some cases, the COVID-19 pandemic has highlighted the importance of offering an identity compromise solution as an employee benefit. COVID-19 forced many employers to rethink how to conduct business when federal and state governments, under the guidance of the Centers for Disease Control (CDC), issued stay-at-home orders for all nonessential businesses.

Many employers were put in the unfamiliar situation of ensuring that their employees’ home environments could sustain their work requirements. Employees had to ensure that their home computing networks, including home routers and modems, had the appropriate security settings in place.

Tessian’s report found nearly half of the people surveyed said they are forced to find workarounds for security policies while working from home to do the work required.

“The results of this study clearly indicate the value employees place on having their personal information protected – especially during this pandemic. Additionally, the results illustrate something we’ve known to be true: by protecting employees, employers are also able to protect themselves from digital malice by instilling a culture of cybersecurity across the enterprise,” said Hamed Saeed, General Manager of Aura Identity Guard.

The need for an identity compromise solution

The findings support that many employees want an identity compromise solution in some manner – from a referral to a free non-profit service, all the way to an employer-paid solution. Over 82 percent of employers surveyed said that offering access to an identity compromise solution did, indeed, provide value to their staff.

In the early 2020 Aftermath survey results, 24.6 percent of victims had had issues with their employer as a result of their personal identity compromise, and 27.3 percent had had challenges with their boss or coworkers.

Fake “DNS Update” emails targeting site owners and admins

Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain.


Scam emails lead to fake login pages

The scam was spotted by Sophos researchers, when the admin(s) of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation (see screenshot above).

The link took them to a “surprisingly believable” phishing page with logos and icons that matched their service provider (WordPress VIP), and instructed them to enter their WordPress account username and password to start the update.

“The scam then shows you some fake but believable progress messages to make you think that a genuine ‘site upgrade’ has kicked off, including pretending to perform some sort of digital ‘file signing’ at the end,” Sophos’s security proselytiser Paul Ducklin explained.

Finally, either intentionally or by mistake, the victim is redirected to a 404 error page.

Customized phishing pages

The malicious link in the email contained encoded banner and URL information that allowed researchers (and attackers) to customize the scam phishing page with different logos, to impersonate numerous different hosting providers.

“We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site. In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart,” Ducklin noted.

The attackers check HTTP headers for information about the target’s hosting provider and customize the scam email and the phishing site accordingly.

Users who fall for the scam, enter their login credentials into the phishing site, and don’t have 2-factor authentication turned on are effectively handing control of their site to the scammers.

Ducklin advises admins never to log in anywhere through links sent via email, to turn on 2FA whenever they can, and to use a password manager.

“Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site,” he noted.

Surge in phishing attacks using legitimate reCAPTCHA walls

Cyber scammers are starting to use legitimate reCAPTCHA walls to disguise malicious content from email security systems, Barracuda Networks has observed. The reCAPTCHA walls prevent email security systems from blocking phishing attacks and make the phishing site more believable in the eyes of the user.


reCAPTCHA walls are typically used to verify human users before allowing access to web content, thus sophisticated scammers are starting to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages.

Researchers observed that one email credential phishing campaign had sent out more than 128,000 emails to various organizations and employees using reCAPTCHA walls to conceal fake Microsoft login pages. The phishing emails used in this campaign claim that the user has received a voicemail message.

Once the user solves the reCAPTCHA in this campaign, they are redirected to the actual phishing page, which spoofs the appearance of a common Microsoft login page. Unsuspecting users will be unaware that any login information they enter will be sent straight to the cyber scammers, who will likely use this information to hack into the real Microsoft account.

Steve Peake, UK Systems Engineer Manager, Barracuda Networks comments: “In this difficult time, it is no surprise to see that cyber scammers are seeking increasingly sophisticated methods of stealing log-in credentials and data from unsuspecting, remote workers.

“Fortunately, there are a number of proactive measures employers and business owners can take to prevent a security breach. Most importantly, users must be educated about the threat so they know to be cautious instead of assuming a reCAPTCHA is a sign that a page is safe.

“Furthermore, whilst reCAPTCHA based scams make it harder for automated URL analysis to be conducted, sophisticated email security solutions can still detect these phishing attacks using AI-based email protection solutions. Ultimately, however, no security solution will catch everything, and the ability of the users to spot suspicious emails and websites is key.”

Beware of fake COVID-19-themed emails from President Trump

As US citizens wait for President Trump’s final decision about whether quarantine will be over by Easter, malware peddlers have already “decided”: quarantine will be prolonged until August 2020.

Phishing emails point to malware

Researchers with anti-phishing startup Inky have spotted two phishing emails purportedly coming from the White House, “signed” by President Trump.


Both include a link to a compromised website that served a nearly perfect replica of the real White House Coronavirus informational site.

The victims are urged to download and peruse the document. Unfortunately for those who do, they will likely be infected with a dropper Trojan (file hashes).

This particular page, located on a compromised Russian site, has been taken down, but it’s easy for criminals to set up new ones and change links in the phishing emails.

An email from Mike Pence?

In addition to these emails, Inky has also detected an email purportedly coming from Vice President Mike Pence.

This one is not COVID-19-themed and does not contain a link. It sounds a bit like the beginning of an extortion attempt, though it’s likely to be an advance-fee scam.

The email will not fool the majority of recipients, but there is always a small subset of gullible users that will not find anything suspicious in the atrocious grammar, spelling and wording used, and will self-select to be scammed.

Social isolation is a risk factor for scam loss

The coronavirus crisis is forcing people to distance themselves from others, work remotely, and spend time indoors and online. While social distancing is a good health practice to reduce the spread of the coronavirus, it may be helping scammers.


Research from the Better Business Bureau (BBB), the FINRA Investor Education Foundation, and the Stanford Center on Longevity found that people are more likely to lose money to a scam when they are socially or physically isolated from others, if they are actively engaging online, and if they are financially vulnerable.

“According to our research, social isolation is a key risk factor for susceptibility to scams, as is financial vulnerability,” said Melissa Lanning Trumpower, executive director of the BBB Institute for Marketplace Trust, BBB’s foundation that conducted the research.

“Add increased time spent online and coronavirus creates the ‘perfect storm’ for scammers, because all three of these factors have increased dramatically.”

As bricks-and-mortar businesses close or curtail services and the financial markets experience a high level of volatility, many consumers are left to wonder if they will have a job or an immediate way to provide for their loved ones. As people turn to the Internet seeking new or temporary employment, they are also at increased risk of employment scams.

Employment scams were deemed the riskiest scams of 2019, making up 9.3 percent of all scams reported, with a median dollar loss of $1,500.

Despite these factors, there are steps everyone can take to protect themselves and their family from losing money and compromising personal information.

Contact someone you trust

Don’t be afraid to contact a friend, or a company or organization you trust for advice. Isolation is a risk factor for scams. Feelings of loneliness were associated with being more likely to engage with and lose money to scammers. This was especially true when the individual felt he or she lacked companionship and was isolated from loved ones.

Fact: Scammers will try to isolate their victims.

Don’t click on a link before you do your research

Before clicking a link or sharing personal information online, stop, pause, and research the company or person. People are more likely to lose money to scams perpetrated online.

Consumers who are approached online (email, website, social media, internet messaging, and online classifieds) are significantly more likely to report losing money.

Fact: A staggering 81.2 percent of consumers lost money to online purchase scams in 2019.

Beware of job offers that sound too good to be true

Employment scams were the No. 1 riskiest two years in a row. As traditional jobs are cut and workers begin to seek new roles or remote opportunities to fill the void, they must be wary of job offers that sound too good to be true.

Fact: Scammers prey on jobseekers, particularly those seeking remote jobs.

Learn about cyber risk and scams

Learn about scammer tactics to help avoid falling prey to scams, and be wary of any offer to “get ahead” that seems too good to be true. Those who are financially vulnerable are more susceptible to scams.

Individuals under financial strain and those with lower levels of financial literacy may be more susceptible to scammers. Specific risk factors include:

  • Household income of $50,000 per year and below.
  • Spending more per month than one’s earnings, not saving money, and having significant amounts of debt.
  • Feeling compelled to “catch up” or “get ahead” financially.

Fact: According to the Exposed to Scams report, those who heard about the scam before they were targeted were significantly less likely to lose money (9 percent vs 34 percent).

IRS scams during tax season target unsuspecting consumers

Scam robocalls and phishing emails disguised as banks continue to trick consumers to put their personal information at risk, and tax season is no exception.


Increase in potential threats

During this time of the year consumers need to be aware of the increase in potential threats as hackers pose as collectors from the IRS, tax preparers or government bureaus.

These tactics are particularly effective due to taxpayers’ concerns about misfiling their taxes or accidentally running into trouble with groups like the IRS.

McAfee researchers recently uncovered an example of an illegitimate IRS site created to scam unsuspecting consumers. If you look closely, you will notice a non-IRS domain and no secure connection; these are key things to look out for when seeking online resources.

Fake sites such as this pose particular risk to consumers when combined with phishing email campaigns. In fact, 41% of Americans admitted to falling victim to email phishing scams in 2019, serving as another reminder to be vigilant during the stressful tax season.

File before a scammer does it for you

The easiest defense you can take against IRS scams is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a fraudster.

Beware of phishing attempts

Phishing is a common tactic crooks leverage during tax season, so stay vigilant around your inbox and double-check the legitimacy of any unfamiliar or remotely suspicious emails. Be wary of strange file attachment names such as “virus-for-you.doc” and remember that the Office of Social Security and the IRS do not call or email taxpayers.

IRS scams: Watch out for spoofed websites

Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search.
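The two warning signs named for the spoofed IRS site (a non-IRS domain and no secure connection) and the password-manager behaviour Ducklin describes in the DNS-update story (a saved password is tied to a specific URL, so it is never offered to a lookalike site) come down to the same check: reduce a URL to its origin and registrable domain and compare. The following added example, which is not Sophos’s, McAfee’s or any password manager’s code, implements that check. Its public-suffix list is a constructed, deliberately tiny stand-in for the real Public Suffix List, and the lookalike hosts in the usage section are fictional.

```python
"""Origin matching: the check that keeps a saved password off a lookalike site.

Added example, not code from any vendor named on the page. PUBLIC_SUFFIXES is a
constructed stand-in for the Public Suffix List.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host: 'www.irs.gov' -> 'irs.gov'.

    Tries the longest candidate suffix first so that 'bbc.co.uk' is kept
    whole. A host that is itself a public suffix is returned unchanged.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i >= 1:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_origin(url: str) -> Tuple[str, str, int]:
    """Split a URL into (scheme, host, port); rejects non-http(s) URLs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def should_autofill(saved_url: str, current_url: str) -> bool:
    """A password saved for saved_url is released only to the same site over https.

    'Same site' means the same registrable domain and port, so a login page on
    a sibling subdomain still matches, while a lookalike domain that merely
    contains the brand name does not.
    """
    s_scheme, s_host, s_port = parse_origin(saved_url)
    c_scheme, c_host, c_port = parse_origin(current_url)
    if c_scheme != "https":
        return False  # never hand a credential to a plain-http page
    return registrable_domain(s_host) == registrable_domain(c_host) and s_port == c_port


def site_warnings(url: str, expected_domain: str) -> List[str]:
    """Warning signs for a page claiming to be expected_domain (e.g. 'irs.gov')."""
    scheme, host, _ = parse_origin(url)
    warnings = []
    if scheme != "https":
        warnings.append("no secure connection (not https)")
    if registrable_domain(host) != registrable_domain(expected_domain):
        warnings.append(f"host {host!r} is not under {expected_domain!r}")
    return warnings


if __name__ == "__main__":
    # Constructed URLs; the lookalike hosts are fictional.
    print(should_autofill("https://wordpress.com/login", "https://wordpress.com/wp-login.php"))
    print(should_autofill("https://wordpress.com/login", "https://wordpress-dns-update.example.net/login"))
    print(site_warnings("http://irs.gov.refund-example.com/file", "irs.gov"))
    print(site_warnings("https://www.irs.gov/filing", "irs.gov"))
```

Note that `irs.gov.refund-example.com` begins with the brand’s real domain yet reduces to `refund-example.com`, which is exactly why a prefix match or a “contains the brand name” heuristic is the wrong comparison; the matching must be done on the registrable domain.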

Consider an identity theft protection solution

If your data does become compromised, use an identity theft protection solution. Such solutions let users take a proactive approach to protecting their identities, with personal and financial monitoring and recovery tools to help keep their identities private and secure.

Cryptocurrency crime losses more than double to $4.5 billion in 2019

Cryptocurrency users, exchanges and investors suffered $4.5 billion in crypto-related losses resulting from thefts, hacks, and fraud, a CipherTrace report reveals.


Cryptocurrency crime losses

The lion’s share of those losses stem from the staggering growth of Ponzi schemes, exit scams, and misappropriation of funds crimes, the value of which rose 533 percent year over year.

Also, traditional financial services have become increasingly infused with crypto assets. For instance, results of an extensive analysis of the blockchain found almost all U.S. banks harbor illicit virtual asset related money service businesses (MSBs), including cryptocurrency exchanges.

Of additional concern for banks, 66 percent of dark market vendors sell stolen financial products and compromised accounts for cryptocurrency. And virtually all (97 percent) of ransomware attacks use bitcoin as the payment rail.

“Our research revealed some surprising trends in 2019,” said David Jevans, CEO of CipherTrace. “First, there was a dramatic shift away from outright thefts and exchange hacks and toward Ponzi schemes, exit scams, and other con games.

“Second, like them or not, banks have a lot more virtual assets lurking in their accounts and payment networks than most in the industry had previously thought. Banks need new capabilities to ferret out illicit MSBs, terrorist financing, and other major sources of risk.”

The report also provides an overview of regulatory moves throughout the world. This includes a comprehensive chart of anti-money laundering (AML) regulations by country, an update on the respective blockchain-related enforcement authority of the SEC, FinCEN, and the CFTC, and detailed reports on major regulatory and eCrime developments in various countries.

Trends in theft, fraud, hacks and misappropriation of funds

Cryptocriminals had a banner year in 2019. Total cryptocurrency crime increased 160 percent from 2018. However, as the report suggests, if 2019 had a Person of the Year, it would have been The Malicious Insider.

The culprits behind most of the losses were fraudsters operating inside everything from seemingly legitimate blockchain projects that were actually exit scams to crypto Ponzi and pyramid schemes. Ultimately, all that $4.5B worth of illicit cryptocurrency needs to be laundered.

Crypto-asset blind spots expose banks to risk

The typical top 10 U.S. bank unknowingly facilitates approximately $2 billion in illicit cryptocurrency transactions each year. Stealth MSBs using accounts and payment networks expose financial institutions to significant AML and counter terrorism financing (CTF) compliance risk.

Further research revealed banks paid record AML fines globally in 2019—more than $6.2 billion. This number could increase in 2020 as crypto-related money laundering and sanction evasion enforcement ramps up.

“As crypto-assets become increasingly entangled in traditional financial services, AML and CTF compliance risks are on the rise,” said Stephen Ryan, COO of CipherTrace.

“Virtual assets are now pervasive in bank accounts and payment networks, and banks must find ways to deal with the risks. Effectively mitigating cryptocurrency risks requires equipping compliance officers with the best tools and intelligence to gain visibility into this new asset class.”

Darknet markets

The report also outlined a multi-year research project into darknet markets and other illicit vendors, which revealed that of dark market vendors:

  • 40 percent hawked compromised bank account or credit card credentials for as little as 1 percent of face value
  • 24 percent offered compromised payment services accounts
  • 2 percent sold stolen cryptocurrency private keys

These findings further highlighted the issues banks and financial institutions face with regards to payment fraud and virtual asset laundering risks.

The research also showed that bitcoin is the payment of choice for cyber extortionists. During the last year, they demanded BTC as payment in 97 percent of ransomware attacks. All of this extorted bitcoin will need to be laundered before criminals can use the funds.


2020 will be a year of intense regulatory changes

The research team identified varying levels of maturity and sophistication in AML/CTF regimes around the globe. For instance, AMLD5 went into effect across the European Union early January regulating crypto-fiat exchanges for the first time in most EU countries.

Additionally, CipherTrace described urgency among its customers and industry players around pending FATF Travel Rule legislation.

Exchanges and financial institutions in the G20 have less than six months to find a solution for dealing with this major compliance conundrum—how to comply with the requirement to share sender and receiver information before executing cryptocurrency transactions, while protecting confidentiality.

In the US, financial institutions including virtual asset service providers (VASPs) have been reminded by FinCEN that they must meet their funds Travel Rule obligations under the BSA or face enforcement actions.

Spam over phone and email is changing consumer communication preferences

Of today’s main communications mediums – text, phone calls and email – consumers get the most spam over phone and email: 70% said they receive spam often over email and 51% said the same for phone calls, a Zipwhip survey reveals.


Fifty-four percent of people even use a separate email address to avoid getting spam in their main account. Comparably, consumers report receiving much less spam over text: 41% reported rarely receiving text spam, and only 18% reported getting text spam often.

Given the high spam figures for phone and email, it’s no surprise that 92% of survey respondents said they ignore phone calls from unknown numbers. With texting, however, a person or business can identify themselves immediately without the consumer needing to engage.

This could be part of the reason texts have better response rates than phone calls; in a separate survey, Zipwhip found that 83% of consumers respond to a text message within 30 minutes or less.

Low scam attempts via text

Consumers also reported low volumes of scam attempts via text, with only 17% reporting they receive them often, versus 43% who report scam by phone and 46% who report scams by email often.

“Texting continues to be consumers’ most preferred medium, and that’s increasingly the case as spam and scam attempts infect other methods of communication like phone and email,” said John Lauer, CEO of Zipwhip. “Legitimate businesses with a real need to reach their customers have an obvious choice, and that’s to text.”

Surging robocalls

The survey also found that a large majority of consumers have been affected by the surge in robocalls – 83% of respondents said they’ve noticed an increase in the last year.

Consumers inundated with spam and scam phone calls, as well as robocalls, can report them to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) or their network carrier. In Zipwhip’s survey, 35% of consumers report already having done so.

Google and Facebook Duped in Huge ‘Scam’

Scam Hits Facebook And Google


  • Google and Facebook have confirmed that they fell victim to an alleged $100m (£77m) scam
  • In March, it was reported that a Lithuanian man had been charged over an email phishing attack against “two US-based internet companies” that were not named at the time. They had allegedly been tricked into wiring more than $100m to the alleged scammer’s bank
  • On 27 April, Fortune reported that the two victims were Facebook and Google. The man accused of being behind the scam, Evaldas Rimasauskas, 48, allegedly posed as an Asia-based manufacturer and deceived the companies from at least 2013 until
  • “Fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company,” the US Department of Justice (DOJ) said in March.
  • These emails purported to be from employees of the Asia-based firm, the DOJ alleged, and were sent from email accounts designed to look like they had come from the company, but in fact had not.
  • The DOJ also accused Mr Rimasauskas of forging invoices, contracts and letters “that falsely appeared to have been executed and signed by executives and agents of the victim companies”.