2020 set the stage for cybersecurity priorities in 2021

It’s safe to assume that pretty much everyone is ready to move on from 2020. Between the COVID-19 pandemic, political battles, and social unrest, this has been a stressful year in so many ways. It has also been a very active year for cybercriminals and fraudsters who have preyed on people’s fears and vulnerabilities to push new scams. They’ve spoofed government health sites to trick people into clicking on malware links. They’ve targeted food delivery …

The post 2020 set the stage for cybersecurity priorities in 2021 appeared first on Help Net Security.

SpyCloud VIP Guardian helps protect executive accounts without compromising privacy

SpyCloud launched SpyCloud VIP Guardian to extend the power of workplace fraud and account takeover prevention to the personal accounts of critical employees, board members and investors.

While enterprises can monitor corporate accounts and credentials for breach exposure, personal accounts tend to fall outside of their protection. SpyCloud VIP Guardian fills that gap by empowering critical employees to secure their own online identities using enterprise-grade tools, without exposing private data to their organizations.

When employees’ personal credentials are exposed to criminals in a new data breach, they are alerted so they can reset compromised passwords quickly and prevent account takeover and online fraud before it happens.

“Most people don’t realize just how often their passwords end up in the hands of criminals or how those passwords can be used to access other accounts that they think are safe,” said Chip Witt, Vice President of Product Management at SpyCloud.

“With SpyCloud VIP Guardian, we are extending our world-class account takeover prevention platform to personal accounts to protect important data on every front.”

SpyCloud VIP Guardian empowers business security leaders to:

  • Extend the value of SpyCloud enterprise subscriptions to executives’ personal email accounts/identities, which are prime targets for cybercriminals
  • Help executives, board members, and investors protect themselves from account takeover by giving them real-time visibility of their own data breach exposure
  • Close security gaps that fall outside of corporate control by enabling executives to secure vulnerable personal accounts that could put your enterprise at risk
  • Educate executives with sensitive access to corporate resources about the importance of strong password security.

The new solution allows companies to help protect executive accounts without compromising their privacy: executives’ personal information, such as email addresses, passwords or other personally identifiable information, is not accessible to the organization.

People should always make strong cybersecurity practices part of their personal habits, but the need is even greater now with millions of people still working from home during the pandemic and intermingling personal and professional accounts.

While all employees can be targets, savvy cybercriminals know that executives and others with high levels of access, whether they work as developers, system administrators, executive assistants or in other roles, can be a path to lucrative or sensitive data and intellectual property.

With SpyCloud VIP Guardian, organizations can give these employees visibility and control of their own online identities by alerting them to new breach exposures tied to their personal accounts, enabling them to protect themselves both at work and at home.

Despite warnings not to reuse passwords across multiple accounts, the fact is that people do it all the time simply because it’s convenient. Criminals prey on this habit and use login credentials obtained from data breaches to take over other accounts. Any account protected by the same password as one that was breached is in danger.

The best way to prevent these accounts from being taken over is to identify the compromised credentials as quickly as possible after a breach – before criminals have time to use them.

That requires a comprehensive, continuously updated database of breach data that security leaders can compare with employees’ accounts. All SpyCloud solutions are underpinned by the world’s largest breach data collection.

Spotting and blacklisting malicious COVID-19-themed sites

Since last December, over 136,000 new COVID-19-themed domains have popped up and, while many host legitimate websites, others have been set up to serve malware, phishing pages, or to scam visitors.


SpyCloud researchers have also discovered that existing community threat intelligence feeds such as Google Safe Browsing, OpenPhish or ThreatsHub flag only a small percentage of the domains as malicious.

“One potential reason is that the feeds we used have a focus on threat intelligence specific to phishing and malware, not necessarily scam sites. In addition, these feeds are sometimes automatically ingested into security products, increasing the potential impact of false positives because they could cause service disruptions in corporate and private networks,” the researchers noted.

Other interesting findings

After gathering a list of over 136,000 hostnames and fully qualified domain names with COVID-19 or coronavirus themes from a variety of open-source feeds (threat lists, datasets of SSL certificates, etc.), they “parsed, deduplicated, and enriched the data with HTTP, additional DNS analysis, and WHOIS data that was manually collected” and found that many of the domains have active web content, while others merely display “placeholder” content indicating they have been purchased and “parked” at the registrar.

They pointed out that not all the “parked” domains are likely to become malicious. “Domain scalping may account for some of these purchases; for example, someone might purchase domains related to COVID-19 cures or vaccines with the hope of eventually selling them to a pharmaceutical company.”

On the other hand, there are those that are undeniably (if not too obviously) malicious:

[Image: example of a malicious COVID-19-themed site]

“Most likely, the threat actor was sending phishing messages ‘from’ Chase with some form of messaging about the bank’s COVID-19 response, making it seem plausible to users that their bank may have set up a dedicated page related to the virus,” they explained.

Other findings include:

  • 78.4% of the COVID-19-themed domains use HTTP, the rest HTTPS
  • GoDaddy, NameCheap, Google, Name.com, and Tucows are the most popular domain registrars used by registrants of COVID-19 themed sites.
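The triage described in this section (collect, deduplicate, enrich, then separate parked domains from active ones and note scheme and registrar) can be reduced to a short script. The one below is an added example, not SpyCloud’s tooling: the feed entries, the HTTP observations, the WHOIS records, the brand watch list and the `.example` hostnames are all constructed for the demonstration. It goes one step beyond the text by flagging the pattern the Chase page illustrates, a bank’s name inside a COVID-themed hostname.

```python
"""Triage a feed of newly observed hostnames for COVID-19 themes, brand
impersonation and 'parked' status, then summarise scheme and registrar
distribution. Added example, not SpyCloud's tooling; the feed entries, HTTP
observations, WHOIS records and brand watch list below are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

COVID_TERMS = ("covid", "corona", "ncov", "pandemic", "vaccine", "quarantine")
BRANDS = ("chase", "paypal", "netflix", "cdc", "irs")  # hypothetical watch list
PARKED_MARKERS = ("domain is for sale", "buy this domain", "parked free", "domain parking")


def hostname(entry):
    """Normalise a feed entry (bare host or URL) to a lowercase hostname,
    dropping a leading 'www.' so apex and www records deduplicate together."""
    e = entry.strip().lower()
    if "://" not in e:
        e = "http://" + e
    host = urlsplit(e).hostname or ""
    return host[4:] if host.startswith("www.") else host


# Constructed feed: duplicates and mixed URL/host forms, as real feeds deliver them.
FEED = [
    "https://chase-covid19-relief.example/secure/login",
    "chase-covid19-relief.example",
    "covid19-vaccine-cure.example",
    "http://coronavirus-tracker-map.example/",
    "www.coronavirus-tracker-map.example",
    "paypal-pandemic-refund.example",
    "gardening-tips.example",  # off-theme, dropped by the keyword filter
]

# Constructed HTTP observations: scheme the site answers on and a body excerpt.
OBSERVATIONS = {
    "chase-covid19-relief.example": ("http", "<title>Chase Online</title> Sign in to view your COVID-19 relief"),
    "covid19-vaccine-cure.example": ("http", "This domain is for sale. Buy this domain today."),
    "coronavirus-tracker-map.example": ("https", "Live map of reported cases"),
    "paypal-pandemic-refund.example": ("http", "Log in to claim your pandemic refund"),
}

# Constructed WHOIS enrichment: hostname -> registrar.
WHOIS = {
    "chase-covid19-relief.example": "GoDaddy",
    "covid19-vaccine-cure.example": "NameCheap",
    "coronavirus-tracker-map.example": "GoDaddy",
    "paypal-pandemic-refund.example": "Name.com",
}


def triage(feed, observations, whois):
    """Deduplicate the feed, keep COVID-themed hosts, and classify each one."""
    rows = []
    for h in sorted({hostname(e) for e in feed}):
        if not any(term in h for term in COVID_TERMS):
            continue
        tokens = re.split(r"[^a-z0-9]+", h)
        # Short brand names must match a whole label; longer ones may be embedded.
        brand = next((b for b in BRANDS if b in tokens or (len(b) >= 5 and b in h)), None)
        scheme, body = observations.get(h, (None, ""))
        if any(marker in body.lower() for marker in PARKED_MARKERS):
            status = "parked"
        elif brand:
            status = "brand-impersonation"
        elif scheme:
            status = "active"
        else:
            status = "unresolved"
        rows.append({"host": h, "brand": brand, "status": status,
                     "scheme": scheme, "registrar": whois.get(h)})
    return rows


def summarize(rows):
    """Share of sites served over plain HTTP, plus registrar and status counts."""
    served = [r for r in rows if r["scheme"]]
    http_share = sum(r["scheme"] == "http" for r in served) / len(served) if served else 0.0
    return {"http_share": round(http_share, 3),
            "registrars": Counter(r["registrar"] for r in rows if r["registrar"]),
            "by_status": Counter(r["status"] for r in rows)}


if __name__ == "__main__":
    rows = triage(FEED, OBSERVATIONS, WHOIS)
    for r in rows:
        print(f"{r['host']:<36} {r['status']:<20} {r['scheme']}  {r['registrar']}")
    print(summarize(rows))
```

In a real pipeline the feed would come from certificate-transparency logs and the threat lists the researchers name, and the observations from an HTTP fetcher; the classification step is the same. Parked domains are reported rather than discarded because, as the next paragraphs note, some of them later turn malicious.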

Everybody can join the fight

Some domain registrars have pledged to step up their efforts to actively find and take down fraudulent sites and to prevent registrations with certain keywords.

SpyCloud researchers are urging the security community to contribute to public feeds such as that operated by the COVID-19 Cyber Threat Coalition or to activities of organizations such as the Cyber Volunteers (CV19) to make everyone a little bit safer.

They have also provided the dataset they compiled so other researchers can take advantage of it for their own research.

Finally, they pointed out, even individual users can help keep everybody safe by reporting suspicious messages to email providers and corporate IT.

“Though flagging a phishing message within your inbox may not feel like a big deal, that action helps providers identify malicious content and flag it for other users,” they concluded.

Password vulnerability at Fortune 1000 companies

Despite often repeated advice of using unique passwords for online accounts – or at least the most critical ones – password reuse continues to be rampant. And, according to breach discovery firm SpyCloud, employees of the Fortune 1000 are just as bad about reusing passwords as the rest of us.


Compromised credentials

The company combed through its database of breach data for records tied to Fortune 1000 companies, analyzed them, and found that employees in media companies are the worst when it comes to password reuse (reuse rate: 85%), while those in retailing are the best (53%), although even they still reuse passwords far too often.

They also found that the credentials of 127,083 C-level Fortune 1000 executives are available on the criminal underground and that, on average, companies in the Hotels, Restaurants & Leisure sector have the most exposed C-level executives.

“The most common passwords for the Media industry are mostly unprintable. But for Fortune 1000 employees with family-friendly passwords, popular themes include first names, company names, and simple strings of numbers and letters (123456, abc123, password),” they added.


“While most of these examples would fail to pass basic corporate password policies, people tend to transform a base password in predictable ways to bypass complexity rules. For example, ‘password’ might become ‘Password1’ or ‘Passw0rd!’ at work. Unfortunately, criminals are well-aware of these patterns, and sophisticated account checker tools make it easy for criminals to test variations of exposed passwords at scale.”
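A check that turns two points from this page into code: the earlier observation that any account sharing a breached password is in danger and should be caught quickly, and the transformation habit just described (`password` becoming `Password1` or `Passw0rd!`). The script compares breach-feed plaintexts against a corporate credential store without the store ever holding plaintext, hashing each candidate with the user’s own salt. This is an added example, not SpyCloud’s product code; the breach records, usernames, salts and the deliberately low PBKDF2 iteration count are constructed for the demonstration, and the mangling rules are a small hand-picked set rather than a cracker’s full rule file.

```python
"""Compare breach-feed plaintexts against a corporate credential store,
catching exact reuse and predictable 'Password1' / 'Passw0rd!' variants.
Added example, not SpyCloud code; all data below is constructed and the
PBKDF2 iteration count is kept low so the demo runs quickly."""
import hashlib
import hmac
import os

# Hand-picked mangling rules: a small fraction of what a cracking rule file holds.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "!", "1!", "123", "2020", "2021"]


def variants(base):
    """Expand one breached plaintext into the transformations people apply to
    satisfy complexity rules: case changes, a single leet substitution, the
    all-substituted form, and common suffixes. The unmodified base is included."""
    stems = set()
    for form in {base, base.lower(), base.capitalize(), base.upper()}:
        stems.add(form)
        for i, ch in enumerate(form):  # one substitution at a time: Passw0rd
            if ch.lower() in LEET:
                stems.add(form[:i] + LEET[ch.lower()] + form[i + 1:])
        stems.add("".join(LEET.get(c.lower(), c) for c in form))  # all: P455w0rd
    return {stem + suffix for stem in stems for suffix in SUFFIXES}


def hash_password(password, salt, iterations=2_000):
    """Salted PBKDF2-HMAC-SHA256; a production store would use far more iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_directory(plaintexts):
    """Build a constructed credential store: user -> (salt, stored hash)."""
    directory = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        directory[user] = (salt, hash_password(pw, salt))
    return directory


CORP_DIRECTORY = make_directory({
    "alice@corp.example": "Passw0rd!",    # predictable variant of a breached password
    "bob@corp.example": "hunter2",        # exact reuse of a breached password
    "carol@corp.example": "xK9#vT2m!qL",  # unrelated to her breached password
})

# Constructed breach records, in the shape a breach-data feed would deliver them.
BREACH_RECORDS = [
    {"email": "alice@corp.example", "password": "password", "source": "forum-dump-2019"},
    {"email": "bob@corp.example", "password": "hunter2", "source": "game-site-2018"},
    {"email": "carol@corp.example", "password": "summer2017", "source": "retailer-2020"},
]


def check_exposure(directory, records):
    """Return (user, kind, source) for each corporate credential equal to a
    breached plaintext or one of its predictable variants. Each candidate is
    hashed with the user's salt, so the comparison never needs stored plaintext."""
    findings = []
    for rec in records:
        user = rec["email"]
        if user not in directory:
            continue
        salt, stored = directory[user]
        for candidate in variants(rec["password"]):
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                kind = "exact reuse" if candidate == rec["password"] else "predictable variant"
                findings.append((user, kind, rec["source"]))
                break
    return sorted(findings)


if __name__ == "__main__":
    for user, kind, source in check_exposure(CORP_DIRECTORY, BREACH_RECORDS):
        print(f"{user}: {kind} of a password exposed in {source}; force a reset")
```

The same `variants` expansion belongs at password-set time as well: rejecting a new password that is a mangled form of one already seen in a breach closes the gap before an attacker’s account checker gets to try it. Note that feeds often deliver hashes rather than plaintext; the variant check only applies where the breached value has been recovered in the clear.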

Other compromised assets

Personally identifiable information, phone numbers, geolocation data, financial information, social media accounts, and secret answers to security questions also get compromised and exposed online.

This data can be used by cybercriminals to steal a victim’s identity, create credible spear phishing messages, submit fraudulent applications, perform SIM swapping and phone porting, make fraudulent purchases, drain funds from accounts, connect the dots between personal and corporate identities (and use that info for targeted attacks), and more.

Interestingly enough, SpyCloud found that employees in the telecommunications sector have the highest average numbers of exposed PII assets, phone assets, geolocation assets, and plaintext corporate credentials per company.

“Although the companies within this sector are large, with an average of about 74,000 employees per company, employee totals do not account for the disparity,” they noted.

“It’s possible that employee tenure could have something to do with the sector’s high exposure levels. Employees who have owned their corporate email accounts for many years would have had plenty of opportunities to use them on third-party sites. Conversely, high levels of churn could also potentially play a part, with many short-term employees racking up a few exposures each before moving on.”

Cyber crooks continue to exploit COVID-19 for their malicious schemes

A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.

We’ve already covered a variety of COVID-19-themed scams, phishing attempts, hoaxes and malware delivery campaigns, but new and inventive approaches are popping up daily.

The latest schemes and scams that exploit COVID-19

Proofpoint researchers have observed COVID-19 being used as a pretext in BEC scams:

[Image: COVID-19-themed BEC email]

“BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. (I need you to buy gift cards, wire transfer funds, etc.),” the researchers explained.

“These coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the recipient. In the body of this message, the actor attempts to eliminate the possibility of voice-verification, in hopes of ensuring a higher success rate, by saying their phone is ‘faulty at the moment.’”

They’ve also spotted an assortment of fake notices impersonating doctors and local health agencies and institutions (aimed at the general population), as well as more targeted emails aimed at enterprises (employees), such as fake internal emails for credential phishing attacks impersonating the organization’s president, IT staff, risk manager, and so on.
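The staged pattern described above lends itself to a simple scoring rule on inbound mail: a known executive’s display name on an external address, a pretext that removes the chance of a callback, and, once the recipient replies, the ask itself. The script below is an added example and not Proofpoint’s detection logic; the executive roster, the internal domain, the keyword lists and the three messages are constructed for the demonstration.

```python
"""Score inbound mail for the staged BEC pattern: an executive's display name on
an external address, a 'phone is faulty' pretext that blocks voice
verification, and the eventual gift-card or wire-transfer ask. Added example,
not Proofpoint's detection; roster, domains and messages are constructed."""
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAINS = {"corp.example"}
# Hypothetical roster of display names an attacker is likely to borrow.
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}

NO_CALLBACK = re.compile(r"phone is (faulty|not working)|can'?t talk|reply by email only", re.I)
ASK = re.compile(r"gift cards?|wire (transfer|the funds)|update (my|the|our) bank", re.I)
PRETEXT = re.compile(r"covid|coronavirus|pandemic|lockdown|working from home", re.I)


def analyse(raw):
    """Return score, reasons and verdict for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    score, reasons = 0, []

    # Display name of a known executive arriving from outside the company.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and domain not in INTERNAL_DOMAINS:
        score += 3
        reasons.append(f"display-name spoof: '{name}' expected at {expected}, seen at {addr}")
    reply_to = email.utils.parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        score += 1
        reasons.append("reply-to diverges from sender")
    if NO_CALLBACK.search(body):
        score += 2
        reasons.append("discourages voice verification")
    if ASK.search(body):
        score += 2
        reasons.append("payment or gift-card ask")
    if PRETEXT.search(body) or PRETEXT.search(str(msg["Subject"] or "")):
        score += 1
        reasons.append("COVID-19 pretext")

    verdict = "quarantine" if score >= 3 else "flag" if score else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed messages: the two stages of one lure, and a genuine internal mail.
STAGE_ONE = """From: Jane Doe <jane.doe.ceo@webmail.example>
To: Sam Roe <sam.roe@corp.example>
Subject: Are you available?

Sam, are you at your desk? I'm working from home because of the coronavirus
lockdown and my phone is faulty at the moment, so please reply by email.
"""

STAGE_TWO = """From: Jane Doe <jane.doe.ceo@webmail.example>
To: Sam Roe <sam.roe@corp.example>
Subject: Re: Are you available?

Great. I need you to buy four $500 gift cards for a client and send me the
codes as soon as you can.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@corp.example>
To: Sam Roe <sam.roe@corp.example>
Subject: Q2 numbers

Sam, please send me the Q2 numbers before Thursday's board call.
"""

if __name__ == "__main__":
    for label, raw in (("stage one", STAGE_ONE), ("stage two", STAGE_TWO), ("legitimate", LEGITIMATE)):
        print(label, analyse(raw))
```

The weighting puts the display-name mismatch alone past the quarantine threshold because the first-stage message carries no ask and would otherwise look harmless; the keyword lists only add confidence. A production filter would also check whether the external address has ever corresponded with the organisation before.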

Scammers are also trying to get media and advertising companies to spread the URLs of scam websites to their audiences, offering money for placing a URL in a prominent spot (e.g., at the top of the description of their most recent YouTube video).


Malvertising campaigns and extortion

There has also been a spike in malvertising campaigns on coronavirus-themed news stories, delivering malicious Flash Player updates.

ESET researchers have spotted COVID-19-themed extortion emails:

The sender threatens to infect every member of the recipient’s family “with the Coronavirus” unless he or she pays $4,000. To make the threat more believable, the scammer quotes leaked passwords in an attempt to create the impression of knowing a lot about the recipient.

SpyCloud researchers have been keeping an eye on popular online criminal forums and have noticed:

  • A threat actor advertising a service in which they craft coronavirus-focused scam letters and scam sites for customers
  • A threat actor sharing instructions for cracking and taking over meal-kit delivery accounts, to take advantage of the fact that many people are ordering food online while attempting to practice social distancing. Another threat actor is offering to sell stolen meal-kit delivery codes.

Finally, with many, many people around the world losing their job due to the current situation, Brian Krebs says that cyber criminals have already started trying to trick them into becoming money mules. The pretext? They would be collecting and transmitting donations for an international “Coronavirus Relief Fund.”