It’s safe to assume that pretty much everyone is ready to move on from 2020. Between the COVID-19 pandemic, political battles, and social unrest, this has been a stressful year in so many ways. It has also been a very active year for cybercriminals and fraudsters who have preyed on people’s fears and vulnerabilities to push new scams. They’ve spoofed government health sites to trick people into clicking on malware links. They’ve targeted food delivery …
The post “2020 set the stage for cybersecurity priorities in 2021” appeared first on Help Net Security.
SpyCloud launched SpyCloud VIP Guardian to extend the power of workplace fraud and account takeover prevention to the personal accounts of critical employees, board members and investors.
While enterprises can monitor corporate accounts and credentials for breach exposure, personal accounts tend to fall outside of their protection. SpyCloud VIP Guardian fills that gap by empowering critical employees to secure their own online identities using enterprise-grade tools, without exposing private data to their organizations.
When employees’ personal credentials are exposed to criminals in a new data breach, they are alerted so they can reset compromised passwords quickly and prevent account takeover and online fraud before it happens.
“Most people don’t realize just how often their passwords end up in the hands of criminals or how those passwords can be used to access other accounts that they think are safe,” said Chip Witt, Vice President of Product Management at SpyCloud.
“With SpyCloud VIP Guardian, we are extending our world-class account takeover prevention platform to personal accounts to protect important data on every front.”
SpyCloud VIP Guardian empowers business security leaders to:
- Extend the value of SpyCloud enterprise subscriptions to executives’ personal email accounts/identities, which are prime targets for cybercriminals
- Help executives, board members, and investors protect themselves from account takeover by giving them real-time visibility of their own data breach exposure
- Close security gaps that fall outside of corporate control by enabling executives to secure vulnerable personal accounts that could put your enterprise at risk
- Educate executives with sensitive access to corporate resources about the importance of strong password security.
The new solution allows companies to help protect executive accounts without compromising their privacy. Executives’ personal information, such as email addresses, passwords or other personally identifiable information, is not accessible to the organization.
People should always make strong cybersecurity practices part of their personal habits, but the need is even greater now with millions of people still working from home during the pandemic and intermingling personal and professional accounts.
While all employees can be targets, savvy cybercriminals know that executives and others with high levels of access, whether they work as developers, system administrators, executive assistants or in other roles, can provide a path to potentially lucrative or sensitive data and intellectual property.
With SpyCloud VIP Guardian, organizations can give these employees visibility and control of their own online identities by alerting them to new breach exposures tied to their personal accounts, enabling them to protect themselves both at work and at home.
Despite warnings not to reuse passwords across multiple accounts, the fact is that people do it all the time simply because it’s convenient. Criminals prey on this habit and use login credentials obtained from data breaches to take over other accounts. Any account protected by the same password as one that was breached is in danger.
The best way to prevent these accounts from being taken over is to identify the compromised credentials as quickly as possible after a breach – before criminals have time to use them.
That requires a comprehensive, continuously updated database of breach data that security leaders can compare with employees’ accounts. All SpyCloud solutions are underpinned by the world’s largest breach data collection.
Since last December, over 136,000 new COVID-19-themed domains have popped up and, while many host legitimate websites, others have been set up to serve malware, phishing pages, or to scam visitors.
SpyCloud researchers have also discovered that existing community threat intelligence feeds such as Google Safe Browsing, OpenPhish or ThreatsHub flag only a small percent of the domains as malicious.
“One potential reason is that the feeds we used have a focus on threat intelligence specific to phishing and malware, not necessarily scam sites. In addition, these feeds are sometimes automatically ingested into security products, increasing the potential impact of false positives because they could cause service disruptions in corporate and private networks,” the researchers noted.
Other interesting findings
After gathering a list of over 136,000 hostnames and fully qualified domain names with COVID-19 or coronavirus themes from a variety of open-source feeds (threat lists, datasets of SSL certificates, etc.), they “parsed, deduplicated, and enriched the data with HTTP, additional DNS analysis, and WHOIS data that was manually collected” and found that many of the domains have active web content, but some merely display “placeholder” content indicating they’ve been purchased and “parked” at the registrar.
They pointed out that not all the “parked” domains are likely to become malicious. “Domain scalping may account for some of these purchases; for example, someone might purchase domains related to COVID-19 cures or vaccines with the hope of eventually selling them to a pharmaceutical company.”
On the other hand, there are those that are undeniably (if not too obviously) malicious:
“Most likely, the threat actor was sending phishing messages ‘from’ Chase with some form of messaging about the bank’s COVID-19 response, making it seem plausible to users that their bank may have set up a dedicated page related to the virus,” they explained.
Other findings include:
- 78.4% of the COVID-19-themed domains use HTTP, the rest HTTPS
- GoDaddy, NameCheap, Google, Name.com, and Tucows are the most popular domain registrars used by registrants of COVID-19 themed sites.
Everybody can join the fight
Some domain registrars have pledged to step up their efforts to actively find and take down fraudulent sites and to prevent registrations with certain keywords.
SpyCloud researchers are urging the security community to contribute to public feeds such as that operated by the COVID-19 Cyber Threat Coalition or to activities of organizations such as the Cyber Volunteers (CV19) to make everyone a little bit safer.
They have also provided the dataset they compiled so other researchers can take advantage of it for their own research.
Finally, they pointed out, even individual users can help keep everybody safe by reporting suspicious messages to email providers and corporate IT.
“Though flagging a phishing message within your inbox may not feel like a big deal, that action helps providers identify malicious content and flag it for other users,” they concluded.
Despite oft-repeated advice to use unique passwords for online accounts – or at least for the most critical ones – password reuse continues to be rampant. And, according to breach discovery firm SpyCloud, employees of the Fortune 1000 are just as bad about reusing passwords as the rest of us.
The company combed through its database of breach data for records tied to Fortune 1000 companies, analyzed them and found that employees in media companies are the worst when it comes to password reuse (rate of reuse: 85%), and those in retailing the best (53%), although even they still reuse passwords way too much.
They also found that the credentials of 127,083 C-level Fortune 1000 executives are available on the criminal underground and that, on average, companies in the Hotels, Restaurants & Leisure sector have the most exposed C-level executives.
“The most common passwords for the Media industry are mostly unprintable. But for Fortune 1000 employees with family-friendly passwords, popular themes include first names, company names, and simple strings of numbers and letters (123456, abc123, password),” they added.
“While most of these examples would fail to pass basic corporate password policies, people tend to transform a base password in predictable ways to bypass complexity rules. For example, ‘password’ might become ‘Password1’ or ‘Passw0rd!’ at work. Unfortunately, criminals are well-aware of these patterns, and sophisticated account checker tools make it easy for criminals to test variations of exposed passwords at scale.”
Other compromised assets
Personally identifiable information, phone numbers, geolocation data, financial information, social media accounts, and secret answers to security questions also get compromised and exposed online.
This data can be used by cybercriminals to steal a victim’s identity, create credible spear phishing messages, submit fraudulent applications, perform SIM swapping and phone porting, make fraudulent purchases, drain funds from accounts, connect the dots between personal and corporate identities (and use that info for targeted attacks), and more.
Interestingly enough, SpyCloud found that employees in the telecommunications sector have the highest average numbers of exposed PII assets, phone assets, geolocation assets, and plaintext corporate credentials per company.
“Although the companies within this sector are large, with an average of about 74,000 employees per company, employee totals do not account for the disparity,” they noted.
“It’s possible that employee tenure could have something to do with the sector’s high exposure levels. Employees who have owned their corporate email accounts for many years would have had plenty of opportunities to use them on third-party sites. Conversely, high levels of churn could also potentially play a part, with many short-term employees racking up a few exposures each before moving on.”
A time of chaos is a time for opportunity for unscrupulous individuals and groups, and COVID-19 is seemingly an unmissable boon for cyber crooks.
The latest schemes and scams that exploit COVID-19
Proofpoint researchers have observed COVID-19 being used as a pretext in BEC scams:
“BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. (I need you to buy gift cards, wire transfer funds, etc.),” the researchers explained.
“These coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the recipient. In the body of this message, the actor attempts to eliminate the possibility of voice-verification, in hopes of ensuring a higher success rate, by saying their phone is ‘faulty at the moment.’”
They’ve also spotted an assortment of fake notices impersonating doctors and local health agencies and institutions (aimed at the general population), as well as more targeted emails aimed at enterprises (employees), such as fake internal emails for credential phishing attacks impersonating the organization’s president, IT staff, risk manager, and so on.
Scammers are also trying to get media and advertising companies to spread URLs of scam websites to their audiences: they offer money for placing the URL in a prominent place (e.g., at the top of the description of their most recent YouTube video).
Malvertising campaigns and extortion
There has also been a spike in malvertising campaigns on coronavirus-themed news stories, delivering malicious Flash Player updates.
ESET researchers have spotted COVID-19-themed extortion emails:
The sender threatens to infect every member of the recipient’s family “with the Coronavirus” if he or she doesn’t deliver $4000. To make the threat more believable, the scammer uses leaked passwords in an attempt to create the impression that they know a lot about the recipient.
SpyCloud researchers have been keeping an eye on popular online criminal forums and have noticed:
- A threat actor advertising a service in which they craft coronavirus-focused scam letters and scam sites for customers
- A threat actor sharing instructions for cracking and taking over meal-kit delivery accounts, to take advantage of the fact that many people are ordering food online while attempting to practice social distancing. Another threat actor is offering to sell stolen meal-kit delivery codes.
Finally, with many, many people around the world losing their jobs due to the current situation, Brian Krebs says that cyber criminals have already started trying to trick them into becoming money mules. The pretext? They would be collecting and transmitting donations for an international “Coronavirus Relief Fund.”
SpyCloud reveals that 9,050,064,764 credentials were recovered throughout 2019, coming from a total of 640 unique data breaches; they include email addresses paired with plaintext passwords and usernames paired with plaintext passwords.
That means, on average, each of these data breaches gave criminals more than 14 million sets of login credentials. Because people often reuse passwords across several accounts, both personal and for work, each set of login credentials could be used to access dozens or more accounts through which cybercriminals can perpetrate fraud.
Credential exposure report
Almost a third of internet users affected by data breaches last year had reused a password in some form. 94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password. These tactics are easily defeated by tools that test for common, slight variations.
In terms of organizational security, there’s a worrying trend: more of the data criminals are sharing and selling came from breaches of misconfigured or unsecured servers. Organizations may also be taking incomplete steps to protect passwords.
Criminals still using passwords they stole in 2012
The researchers found that more than half (53.7%) of the plaintext passwords recovered were originally protected using the outdated hashing algorithms SHA-1 and MD5.
Security professionals have recommended against using SHA-1 since about 2005, and against using MD5 since as far back as 1996, because cybercriminals can easily and quickly crack passwords hashed with these functions and recover plaintext passwords.
“Our data shows that consumers are still not changing their poor password habits, yet we know they’re holding organizations accountable for their security,” said David Endler, chief product officer for SpyCloud.
“Criminals are still using passwords they stole in 2012 to attack and take over accounts today. Companies need to guide users to set better passwords at the time of account creation and they need to help users maintain strong, uncompromised passwords whenever their credentials are exposed in a breach anywhere in the world.”
World’s most popular passwords protecting some 125 million accounts
Despite the problem of password fatigue and reuse coming into clearer focus over the past few years, little has changed in the world’s most popular passwords. Among the more than nine billion collected last year, the top three are “123456,” “123456789,” and “qwerty,” and are being used to protect some 125 million accounts.
It is increasingly up to organizations to comply with NIST’s password guidelines, which recommend checking user passwords against those that have been exposed in previous breach corpuses, as well as against commonly used or easy-to-guess passwords.
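As an added example (written for this page, not code from SpyCloud or any of the articles above), here is the kind of breach-corpus screening NIST recommends, in Python. It undoes the predictable transformations the Fortune 1000 report describes (“Password1”, “Passw0rd!”, a capitalised first letter, numbers appended) before comparing against the corpus, so a variant of a breached password is rejected as well as an exact match. The breach corpus, the leet map, the 3-character minimum for a stripped base word and the reason codes are constructed for illustration; the 8-character minimum is NIST SP 800-63B’s floor.

```python
import re

# Constructed sample breach corpus: plaintext passwords as they would appear in a
# recovered breach dump. A real deployment screens against a full breach corpus.
BREACHED_PASSWORDS = {"password", "123456", "123456789", "qwerty", "abc123", "summer2019"}

# Leet-speak substitutions people use to satisfy complexity rules (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
TRAILING_JUNK = re.compile(r"[^a-z]+$")   # digits/symbols appended to a base word


def normalize(password: str) -> str:
    """Reduce a password to the base word an account-checker tool would derive:
    lowercase, drop trailing digits/symbols, undo leet substitutions."""
    base = password.lower()
    stripped = TRAILING_JUNK.sub("", base)
    if len(stripped) >= 3:           # keep all-digit passwords such as 123456 intact
        base = stripped
    if re.search(r"[a-z]", base):    # only de-leet strings that contain letters
        base = base.translate(LEET)
    return base


# Corpus reduced to base words once, so each candidate needs one set lookup.
NORMALIZED_CORPUS = {normalize(p) for p in BREACHED_PASSWORDS}


def screen_password(candidate: str) -> str:
    """Return a reason code: 'too_short', 'breached_exact', 'breached_variant' or 'ok'."""
    if len(candidate) < 8:                      # NIST SP 800-63B minimum length
        return "too_short"
    if candidate in BREACHED_PASSWORDS:         # the 94% exact-reuse case
        return "breached_exact"
    if normalize(candidate) in NORMALIZED_CORPUS:   # the 6% minor-variation case
        return "breached_variant"
    return "ok"


if __name__ == "__main__":
    for pw in ["Password1", "Passw0rd!", "P@ssw0rd2021", "123456789", "qwerty",
               "correct horse battery"]:
        print(f"{pw!r}: {screen_password(pw)}")
```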