Month: December 2015
According to research conducted by Internet security firm Kaspersky Lab, corporate malware attacks have increased by 3% year-on-year. In 2015, 58% of companies had been attacked with malware on at least one occasion and the motivation for conducting corporate malware attacks are numerous. Not all attackers are demanding a ransom.
Reasons for corporate malware attacks
In many cases, corporate malware attacks are conducted for financial reasons – but not always. There has been an increase in hacktivism and attacks on business competitors. According to research conducted by Kaspersky/B2B International, 28% of suspects in cyberattacks were believed to be attempting to simply disrupt a company’s operations.
Corporate malware attacks by competitors are believed to be increasing and in many cases the attackers are known. This is certainly the case for DDoS attacks. 48% of companies claimed to know the source of DDoS attacks they had suffered and 12% believed that the source was a specific competitor. 11% of attacks were conducted by political activists, while government backed groups accounted for 5% of attacks.
The mode of attack on corporate targets differs from attacks on consumers according to Kaspersky Lab.
There has been an increase in exploitation of legitimate software programs, with office programs used to attack companies three times as often as attacks on consumer targets. Internet-based attacks were commonly conducted on business customers. 29% of businesses claimed to have been exposed to Internet threats, while 41% of businesses were attacked via portable storage devices. Attacks on mobile devices have also increased as criminals have realized the ease at which the devices can be compromised and the wealth of data that are stored on the devices.
Cryptolocker infections double in 2015
Cryptolocker ransomware infections have increased substantially in recent months. There have been twice as many infections in 2015 as were recorded in 2014. According to Kaspersky, over 50,000 corporate devices were locked by Cryptolocker in 2015. Corporate customers have been given little alternative but to pay ransoms to get their data unlocked. Unfortunately, even when a ransom was paid, security keys were not always provided or did not work.
DDoS attacks being commissioned by business competitors
Attacks conducted for financial gain are still the most common, especially in the Telecom and manufacturing industry. Survey respondents from both industries claimed that ransoms were demanded in 27% of DDoS cyberattacks. Overall, 17% of attacks involved the disruption of services until a ransom was paid. In 18% of cases, DDoS attacks were conducted to distract IT security professionals while hackers went to work on other systems, as was the case with the recent attack on Internet and mobile phone service provider, TalkTalk. Companies appear to be increasingly attempting to gain a competitive edge by paying for hackers to disrupt the operations of their competitors.
2015: The year of the PoS attack!
2015 has also been a year of attacks on Point of Sale terminals. Retailers have been targeted by hackers trying to gain access to PoS data, oftentimes by installing malware capable of recording data from transactions. Kaspersky Lab managed to block more than 11,500 PoS hacks in 2015. 70% of hacks of PoS terminals involved malicious software that had only been developed this year. These attacks are likely to increase over the course of the next 12 months.
Cryptowall malware has been a major threat since it was first released on the unsuspecting world in September 2014. It did not take long for the malware to evolve, with a second version seen within a matter of weeks. A third incarnation was released at the start of the year. Now the game plan has changed again with the fourth version of Cryptowall malware now identified in the wild. The developers of the ransomware are keen to keep IT security experts and security software developers on their toes. They also want to continue to rake in millions of dollars in ransoms. The new version guarantees they will.
Cryptowall Malware is Now Harder to Spot, Easier to Obtain, and is a Whole Lot Nastier
As if it was not hard enough to prevent a Cryptowall malware infection, the developers of the ransomware have made it nastier and easier to infect computers. It is now capable of being installed by drive-by download.
The malware has also been packaged up with the Pony Trojan. Pony is nothing new, although that doesn’t make it any less dangerous. Pony is a password stealer that has been redeveloped and updated over the years. It has been predominantly spread via email spam in the past, and has most commonly been seen as an attached executable, or sent in compressed form in a .cab, .rar, or .zip file.
However, more recently it has been sent disguised as a document. Usually as a Word document but most commonly as a PDF file. The file is not a document of course. It is an executable with the extension masked. When double clicked, the Pony will be set loose.
Recently, the Pony Trojan has been sent via a link in spam email. Clicking the link will not take the user to a website as expected, instead it will attempt to download the malware. The file will be masked as a different type of file, even though it is an executable. The user is more likely to download a .SCR (screensaver) file with an adobe reader icon as it looks fairly innocuous. Regardless of how it is installed, it’s actions are the same. It will steal usernames, passwords, FTP and SSH credentials, and also Bitcoin, Litecoin, Primecoin, and Feathercoin.
Once credentials have been stolen, the user will be directed to a malicious website where they will be subjected to the Angler Exploit Kit – the most widely used exploit kit and attack tool. Angler takes advantage of security vulnerabilities in users’ browser plugins via drive-by attacks. Those attacks will unleash the final payload: The latest version of Cryptowall malware.
Cryptowall Malware Leaves Victims Little Choice but to Pay the Ransom
The latest incarnation of the ransomware locks files with powerful encryption but also encrypts filenames. Unfortunately, with the latest version your files will be encrypted but you won’t know what files they are. The latest version uses different obfuscation methods to make it even harder to detect and it has much improved communication capabilities.
Victims are not so much told they have to pay a ransom, but are instead politely urged to pay for security software to protect against Cryptowall malware. The attackers say please more than once when suggesting payment be made to unlock files.
Unfortunately, you will have to pay the $700 security software charge to unlock your files if you have not performed a recent backup of your data. Otherwise your files will be lost forever.
To protect against the malware, make sure backups are regularly performed and ensure that all browsers, plugins and security software are kept bang up to date.
Criminals are using a new tactic to con money out of small to medium-sized businesses and startups, and are now using insider phishing scams to convince account department executives to make fraudulent bank transfers. The insider phishing scams are highly convincing, and a number of company executives have already fallen for the scams. Thousands of pounds have already been transferred into the bank accounts of criminals. By the time the fraudulent bank transfers are discovered, the money is long gone and cannot be recovered.
Insider phishing scams are targeting specific individuals in the accounts department
A number of similar insider phishing scams have been seen in recent months. Workers are sent an email from their boss asking them to transfer money from their personal account to help cover an essential bill. These scams tend to work on small businesses that are likely to experience cashflow difficulties.
Employees fall for the scams and make the transfers as they are fearful of their employer and want to appear keen and willing to help. The latest insider phishing scams appear to me much more targeted. Criminals already know the names of the individuals working in the accounts department and are targeting the person most likely to respond.
These people are sent an email from their boss, are referred to by name, and the email address used to send the message appears, at first glance at least, to be genuine.
A brief message is sent asking for a transfer of several thousand points to be made, and the bank account and sort code information are provided in the email. The victim is informed that their boss will send them further information to allow the payment to be entered into the company accounts. The victim is also asked to send an email back confirming when the transfer has been made.
The scam is clever. By asking for a confirmation, the victim will most likely reply to the same email and not follow up for a couple of days or so. By that time the transfer will have cleared, the money taken out of the criminal’s account, and it will not be possible to recall the funds.
Fake domain names being registered to conduct insider phishing scams
If an email was sent from an email address with a non-company domain it would be unlikely to result in a bank transfer being made. Even a busy accounts department executive would check who sent the email before making a transfer of £20,000. To get around this problem, criminals are registering a very similar domain name to that used by the target company.
Typically, the domain name used will be virtually identical to the one used by the company, with one minor change: One character will be replaced with another. The most effective way to do this is to replace an L with an i, or a 1 with a lower case L, or vice versa. The different domain name is then unlikely to be noticed. Instead of “Littlewoods”, the domain “Litt1lewoods” or “Littiewoods” would be used.
The success of these insider phishing scams relies on the email being as genuine as possible. The email must also be sent to the right account executive. If the request appears unusual – being sent to a person who would not typically make a bank transfer for example – it would appear suspicious and would likely be questioned.
After the domain name has been purchased, the format of the company’s email addresses must be discovered. Then the name of the chief executive and the company’s financial controller. The criminal behind the campaign can send the scam email.
The victims are therefore researched beforehand. The correct individual is identified and they – and they alone – are sent the transfer request. It has been hypothesized that the reason these insider phishing scams are being conducted on tech companies is they are more likely to be easy to research.
There have been numerous reports of these insider phishing scams being conducted in recent weeks. Some individuals have fallen for the scams and have made large transfers to the criminal’s account as requested.
How to protect against insider phishing scams
It is essential that all staff members are warned about these insider phishing scams and told to be vigilant. Protecting against these attacks must start at the top. Email requests to make transfers may be convenient, but employers must set up policies that require accounts executives to verify the request, by telephone, before they are made.
A few years ago, spam emails were very easy to spot. They were sent out in bulk, contained numerous typos and grammatical errors, and on the whole were very easy to identify as being fake. That is no longer the case. Scammers are now taking time to develop highly convincing campaigns to fool specific individuals into revealing personal information or making large bank transfers. The effort put into these campaigns is worth the effort. The criminals are much more likely to get the victim to take the required action.
In addition to instilling a security aware culture in an organization, one of the best protections is to purchase a robust spam filtering solution. An email sent from a domain closely matching the company´s own domain name would be caught by the spam filter and directed to the email quarantine folder. Training is good, but preventing insider phishing emails from being delivered is a much more reliable method of stopping employees from falling for these phishing scams.
Miss. attorney general Jim Hood has issued a warning to state residents to be extra vigilant after receiving a convincing Google account phishing email.
The latest Google account phishing scam attempts to fool users into revealing their passwords by warning users that they need to review the terms and conditions of their account. The reason the email claims Google requires this is due to changes made to government regulations. Users must check the new T&Cs in order to maintain compliance with government regulations.
A link to do this was supplied in the email. Clicking the link would direct users to a page that appeared to be from Google; however, this was part of the scam. Users were asked to login and were presented with a standard Google login page, but when they did, their information was recorded and sent to a hacker.
While this scam appeared convincing, there was a tell-tale sign that the request was not genuine. The request to enter account details contained a spelling error in the word “account.” This is not an error that Google would make.
Google Account Phishing Email Scams
Google account phishing email scams are being conducted with increasing frequency. Two other Google account scams were spotted in the summer and are still being used by criminals to gain access to users’ email accounts.
Gmail Phishing Scam
This scam is not new. It was first discovered by Symantec early last year but it is still active. A new batch of spam emails was sent to Gmail account holders over the summer, which fooled many people into revealing their Gmail passwords.
Gmail offers anti-spam protection, although hackers were able to bypass the controls. The emails appeared to have been sent by Gmail administrators. The messages contained a link to a Google Drive document. Clicking the URL directed users to the document, but they needed to enter their login credentials to view it. Users entered their information and were able to view the document; however, what they would not have realized is they had also just compromised their accounts.
In this case, the link they were sent in the email directed them to a folder on Google Drive that had a preview page. The preview page looked like a standard Google login prompt. When the users entered their details, the login credentials were recorded by a PHP script and the data was sent to the hacker’s command and control center located in the United Arab Emirates. That attack was made possible as the hackers were able to fake Google’s SSL encryption. The faked SSL encryption was sufficient to bypass the anti-spam controls and fooled users into revealing their login credentials by exploiting their trust in Google.
Spear phishing attack targeting Gmail account holders
The Gmail password recovery feature is being exploited by hackers using social engineering techniques to get users to provide access to their Gmail accounts. This Google account phishing email scam also exploits users trust in Google.
Provided an attacker knows the mobile phone number of a victim as well as their email address, they are able to attempt this scam.
It starts with the attacker using the password recovery feature on Gmail to resend a user’s password. The attacker enters the victims email address and opts to have the second step of the authentication process send an SMS to the user’s phone.
The user is sent a verification code to their mobile phone, which is closely followed by a text from the attacker. The attacker claims to be from the Google account management team and asks for their activation code. Since the attacker already has the email address, he or she can then use the code to complete the password reset function. Only the attacker will then be able to access the users Gmail account.
It is almost every day that a Facebook video phishing scam is discovered, and yesterday was no exception. Scammers are increasingly looking to take advantage of Facebook’s drive to compete with YouTube as the go to place for watching video content.
Latest Facebook video phishing scam offers Facebook video application for free
The social media website is now actively encouraging users to upload videos to the site; videos are now playing automatically in live feeds when the mouse arrow is hovered over a post, and scammers are taking advantage by offering users an easy way to upload and view videos via mobile devices. The Facebook video phishing scam is likely to catch out many users of the site.
Video posts are now common on the social media platform due to the ease at which users can take videos using their mobile phones. Those users naturally want an effortless way of sharing their video content with friends and family. What better way of doing this than with a Facebook video app? Simply download the app and you can share your self-generated video content with a tap of the screen!
Unfortunately for the user, the app being offered is fake. It will make sharing information effortless, but not the information that the user will want to be shared. Any Facebook user that falls for the scam will instantly share their login credentials and friends list with a cybercriminal.
Facebook video phishing scam displayed via a popup browser window
The new Facebook video phishing scam is being advertised via a popup window that appears virtually identical to the genuine Facebook website. The Facebook search bar appears as normal, along with the icons at the top of the page that every user will be very familiar with. A casual glance at the URL is likely to arouse little suspicion as the site address starts with “Facebook”.
Closer inspection will show that this is not a genuine Facebook page. The popup window has been seen on two variants of the real domain name: Facebooksk.info & Facebookstls.com. This is a sure sign that this is a Facebook video phishing scam and that the free Facebook video app being offered is not genuine.
These popups appear when the user clicks on an advert offering a free Facebook video application that users can download to their device. The adverts can also pop up on the screen while browsing websites that have been infected with adware.
The fake Facebook video app has so far only been seen in Spanish; although English-speaking users should also be wary. An English language version is sure to be released soon.
Before being allowed to download the free Facebook video application, users must first confirm they are over 18 years old. Age verification is required before the user will be permitted to download the app. In order to do this, the user will have to enter their username and password. The login box has been created to closely mimic one used by the genuine Facebook site.
When the user enters their information and clicks on the login box, a PHP script will run that sends the data to the hacker behind the Facebook video phishing scam.
Once login credentials have been provided, the hacker will be able to login to the victim’s account, and access that user´s friend list. Phishing links will then be sent out to all of the users friends. The contents of the account, including all of the security settings, can also be accessed.
This Facebook video phishing scam is one of many now doing the rounds on the social media platform. All site users must exercise caution before logging in or divulging any sensitive information via the social media platform. Not all Facebook scams are this obviously fake and easily identified. Scammers are devising ever more sophisticated ways to get users to compromise their own accounts.