Month: September 2017

Equifax Breach Victims Directed to Phishing Website

The cyberattack on Equifax affected almost half the population of the United States. 143 million U.S. consumers potentially had their sensitive data stolen by hackers, as did around 400,000 individuals in the United Kingdom and 100,000 consumers in Canada.

To notify victims of the Equifax data breach by mail would have been a monumental and incredibly costly task. Instead, Equifax set up a website where breach victims could check to see if their data had been exposed and also register for free credit monitoring and identity theft protection services.

The official website used for this purpose is equifaxsecurity2017.com. Visitors to the website are required to enter some personal information as identification – the last six digits of their Social Security number and their full name.

That site then directed visitors to a second site, Trustedidpremier.com – which, it has to be said, does seem somewhat phishy. The site is owned by Equifax, with the name taken from its identity theft protection service, but the site did not mention Equifax, which led to many consumers questioning whether the site was real.

These choices gave phishers with a gilt-edged opportunity to take advantage. By registering a website similar to that used by Equifax, it would be possible to fool many U.S. consumers into revealing their sensitive information. For instance, instead of asking for the last six digits of the Social Security number, criminals could ask for the full SSN, along with a date of birth and a full name. If the fake website had official Equifax logos, many consumers would be fooled.

If Equifax had put the information on a subdomain of its official website, it would be easy for consumers to verify that they were on the correct site. The decision to use a new website for this purpose has made it too easy for scammers to take advantage.

There have already been many fake Equifax domains registered and used for phishing. While these sites are being identified quickly and shut down, during the time they are online they can be used to capture large volumes of sensitive information. Some of the recently registered domains featured transposed letters and common misspellings, such as replacing the y with a u to catch out careless typists.

However, it is not only bad typists that could be fooled by such a scam. One fake site – securityequifax2017.com – was registered that would likely fool many consumers. Such a site should also have been purchased by Equifax to prevent it being purchased by a scammer.

Fortunately, the website had been purchased by a software developer called Nick Sweeting specifically to demonstrate how easy it would be to take advantage. It was made clear on the site that the website was fake, and was not actually being used for phishing, only to raise awareness of the risk of similar sites being purchased by phishers.

However, so realistic was the site that it even fooled one Equifax employee. On at least eight occasions, that individual Tweeted the fake domain via the official Equifax Twitter account. The incorrect link was tweeted on at least 8 occasions according to Sweeney.

The fake site has since been blocked and taken offline; however, for two weeks the site was active. Had this been a real Equifax phishing website, many consumers could have been fooled.

Average Cost of a SMB Data Breach Revealed by New Study

The average cost of a SMB data breach is now $117,000 per incident, according to a large study of data breach costs at small to medium sized businesses.

The study was conducted by Kaspersky Lab and B2B International, with over 5,000 businesses in 30 countries asked about the costs of resolving data breaches.

There has been a rise in the average cost of a SMB data breach again this year and some notable changes to how those costs break down, compared to last year when the study was previously conducted. There were also notable differences between the main costs for SMBs and large enterprises.

Last year, the single biggest cost of data breaches was the reallocation of staff time, although this year, respondents from SMBs said the biggest costs were the loss of business as a result of a data breach and bringing in external experts to help investigate and resolve data breaches.

Out of the $117,000 average cost of a SMB data breach, $21,000 was spend on bringing in external experts and a further $21,000 had to be covered as a result of lost business. Other major costs were additional wages for staff ($16,000), credit rating damage and increases in insurance premiums ($11,000), improving software and infrastructure ($11,000), repairing brand damage ($10,000), and employing new staff ($10,000). The lowest costs were training ($9,000) and compensation ($8,000).

Kaspersky Lab points out that the reason these costs are so high for SMBs is likely due to a lack of skilled in-house staff, meaning they have little choice but to call in the professionals. Small businesses are also particularly vulnerable to loss of business as a result of a data breach. However, the study showed that small to medium sized businesses tend not to have to dig deep to pay compensation, which has been attributed to less formal business relationships.

The cause of SMB data breaches has a significant bearing on resolution costs. Some types of attack proved much costlier to resolve. The average cost of a SMB data breach that resulted from a targeted attack was $188,000, followed by security incidents affecting non-computing connected devices (IoT) at $152,000 per incident.

Breaches caused by the loss of devices containing sensitive information cost an average of $83,000 to resolve, inappropriate use of IT resources cost $79,000, while virus and malware infections were the cheapest to resolve, costing an average of $68,000.

For enterprises, average data breach costs jumped from $1.2 million in 2016 to $1.3 million in 2017, with the main costs of a breach being additional wages for internal staff ($207,000), software and infrastructure improvements (172,000), bringing in external professionals ($154,000), training ($153,000), lost business ($148,000), and compensation ($147,000).

SMBs have increased spending on IT security in response to the increased threat of attack, devoting 19% of their IT budgets to security compared with 16% in 2017. There was a much smaller increase in security spending at very small businesses (1-49 employees), rising just 1% from 13%-14% of their IT budgets. There was no change in spending for large enterprises (1000+ employees) with 19% of IT budgets spent on security.

Beware of Hoeflertext Warnings: Popups Used to Deliver Ransomware

Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.

Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.

Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.

Clicking on the update button will not install a font pack, instead it will launch a download of a JavaScript script file – Win.JSFontlib09.js. If that file is saved and opened, it will download Locky ransomware onto the user’s device.

This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently both Palo Alto Networks and SANS Internet Storm Center have both report it is being used in a new campaign.

Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.

The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.

The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.

Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users do not have the popups displayed, instead they are presented with a fake anti-virus alerts linked to a tech support scam.

The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.

Content Filtering on Websites in Europe Could Become the Norm

On October 10, 2017, the European Parliament will vote on a new copyright law that could see content filtering on websites in Europe which are deemed to violate copyright laws.

These laws would apply to all websites displayed to users in Europe. The law would naturally cover websites such as torrent sites that share links to download copyright protected material, but also other websites may also be censored. Websites such as Reddit, E-bay, Wikipedia and GitHub could all easily fall foul of the Directive on Copyright in the Digital Single Market if users of the sites upload copyright protected material.

If the Directive on Copyright in the Digital Single Market is passed in its current form, all website owners would have to monitor content uploaded by site users to ensure copyright laws are not violated. Online services providers would be required by law to implement content filters to prevent pirated material from being displayed on their websites. Detection mechanisms such as the fingerprinting technology used by YouTube would need to be implemented. Platform operators would be liable for any copyrighted material uploaded to their sites.

Content filtering on websites in Europe could not be performed manually – the work involved in vetting all content would make that impractical. Therefore, content filters would need to be automatic, and if all content must be checked to determine if it is acceptable, all uploads would need to be scanned.

An alternative has been proposed to the upload filter – the “link tax” or ancillary copyright that was introduced in Spain and Germany. The link tax required sites that publish news snippets from other sites to be charged for doing so, although that measure did not work in practice so it is unlikely to be applied across all member states.

If Internet filters are applied, it would be difficult to differentiate between allowable use of copyrighted material and illegal use. It therefore has potential to affect parody websites, the use of quotes, and it could spell the end of Internet memes, at least in Europe. Also, if the new Directive is agreed in its current form, users would have no protection from unfair deletion of website content.

Raegan MacDonald, senior EU policy Manager at Mozilla said, “The proposal would make filtering and blocking of online content the norm, effectively undermining innovation, competition and freedom of expression.” He also labelled some of the elements of the new directive as “dysfunctional and borderline absurd.” Some see the Directive on Copyright in the Digital Single Market as Internet censorship akin to that used by China.

It has been argued that the use of this technology to apply content filtering on websites in Europe would violate the privacy of Internet users, as such a system would require all communications on websites to be monitored. That would potentially violate European privacy laws. A letter has been sent by six EU member states questioning the legality of the new Directive asking whether the directive is legal and whether “the proposed measures justified and proportionate.”

As it stands, if the Directive is passed, it will prove costly for businesses and as EDRi points out, the new law has potential to “undermine access to copyright-free public domain works that are for now freely available for everyone.”