Our data breach news items reinforce the need for organizations to maximize their defenses against malware attacks and phishing campaigns. Even though online security awareness is at an all-time high, cybercriminals are becoming more sophisticated in the methods they use to extract passwords and break into databases.
It is also apparent from reading our data breach news items that the volume of cyberattacks is increasing. To mitigate the risk of malware attacks, organizations should implement a web content filter, and an email filter that keeps spam and scam messages out of the inbox greatly reduces the risk from phishing campaigns, although no filter catches every message and staff training remains essential. Speak with us today for more information.
The Acer cyberattack recently reported to the California attorney general was due to an unspecified “security issue” on the company’s online store. Acer recently discovered that an unauthorized third party had gained access to its server and had stolen the data of its customers. Customers affected by the breach had made a purchase through Acer’s online store between May 12, 2015 and April 28, 2016.
Full Credit Card Information of Customers Stolen in Acer Cyberattack
Affected customers’ names, addresses, credit card numbers, card expiry dates, and CVC codes were all potentially stolen in the attack. Acer has pointed out that Social Security numbers were not recorded and were not obtained by the attackers. Acer does not believe that customer login details were stolen; however, the theft of password and login data could not be ruled out.
All individuals impacted by the breach face a significant risk of financial loss and should keep a close check on their credit card statements for any sign of fraudulent activity. Because of that risk, Acer has recommended that affected customers place a credit freeze and fraud alert on their files and obtain credit reports from each of the credit agencies. Note that a freeze prevents new accounts being opened in the victim’s name but does nothing to stop fraud on the card that was exposed, so the compromised card itself should be replaced.
The incident has been reported to law enforcement and an investigation is ongoing. Acer also brought in external cybersecurity experts to assist with the investigation.
It is unclear how the Acer cyberattack occurred, or whether the attackers gained access to the company’s systems in May last year or broke in recently and stole a year’s worth of accumulated data. However, Acer did confirm to PCWorld that customers have been placed at risk because their data were “inadvertently stored in an unsecured format.” The fact that CVC codes could be stolen at all is itself a red flag: card verification codes are sensitive authentication data that PCI DSS prohibits merchants from storing after a transaction has been authorized, so the problem was not only how the data were protected but that they were retained in the first place.
In a statement issued by the Taiwanese computer company, Mark Groveunder, Vice President of Customer Service for the Pan-American region, said: “We regret this incident occurred, and we will be working hard to enhance our security.” The company’s payment processor has been informed of the breach and customers have now been notified by mail.
The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.
In addition to reusing passwords, Zuckerberg chose a six-character password made up only of lowercase letters, with no capitals, symbols, or numerals, and did not change it for at least three years. The password was revealed to be “dadada.”
Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach
A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.
The LinkedIn passwords were not stored in plaintext but as SHA-1 hashes, so a little effort was required to recover the passwords from the hashes. A hash is not “reversed” in the mathematical sense; instead, attackers hash billions of candidate passwords from dictionaries and earlier leaks and look for matches. Because SHA-1 is fast and LinkedIn did not salt its hashes, that work can be done once and reused against every account: the same password always produces the same hash, and the hashes of common passwords are already sitting in precomputed lookup tables. A per-user salt would have defeated those tables, and a deliberately slow, salted password hash (bcrypt, scrypt, or PBKDF2) would have made every guess expensive. In the case of LinkedIn, the hashes were not salted.
Simply enter the SHA-1 hash of a password into one of the many online hash lookup services and, if the password is at all common, the plaintext will be revealed. A search for the phrase “how to reverse a sha1 password” turns up many such sites. Once the password had been obtained, access to other online accounts that reused it was possible.
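To make the difference between unsalted SHA-1 and proper password storage concrete, here is an added Python example (not code from the original article, and not LinkedIn’s or OurMine’s tooling). It builds a lookup table from a small constructed wordlist, recovers unsalted hashes with pure dictionary lookups, shows that per-user salts force an attacker to re-hash every candidate for every record, and finishes with salted PBKDF2 verification. The wordlist, salts, and user names are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for a cracking dictionary; real lists run to millions
# of entries harvested from earlier breaches (assumption for the demo).
WORDLIST = ["123456", "password", "linkedin", "dadada", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once. This is what an online 'reverse SHA-1' site
    has already done: the table is built once and reused against every leak."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Unsalted hashes: one dictionary lookup per leaked hash, no hashing at all."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_sha1(password: str, salt: bytes) -> str:
    return sha1_hex(salt + password.encode())


def crack_salted(leaked, words):
    """Per-user salts: the precomputed table is useless, so every candidate must
    be re-hashed for every record. Returns recovered passwords and hash count."""
    found, attempts = {}, 0
    for user, (salt, digest) in leaked.items():
        for w in words:
            attempts += 1
            if salted_sha1(w, salt) == digest:
                found[user] = w
                break
    return found, attempts


def stretched_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salt plus a slow KDF: each guess now costs the attacker ~iterations
    hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_stretched(password: str, salt: bytes, stored: str, iterations: int = 100_000) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stretched_hash(password, salt, iterations), stored)


def demo():
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": two weak passwords and one strong passphrase.
    leaked = [sha1_hex(b"dadada"), sha1_hex(b"password"),
              sha1_hex(b"correct horse battery staple")]
    cracked = crack_unsalted(leaked, table)

    # Constructed per-user salts: the two users share a password but their
    # stored hashes differ, so one table entry cannot cover both.
    salted = {
        "user1": (b"\x01" * 8, salted_sha1("dadada", b"\x01" * 8)),
        "user2": (b"\x02" * 8, salted_sha1("dadada", b"\x02" * 8)),
    }
    found, attempts = crack_salted(salted, WORDLIST)
    return cracked, found, attempts


if __name__ == "__main__":
    print(demo())
```

Run it directly to see which of the leaked hashes fall to the table. The attempt counter is the point: with salts the attacker’s cost scales with the number of accounts times the dictionary size, and a slow KDF multiplies every one of those attempts by its iteration count.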
The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.
While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.
Spate of Account Hacks Reported After Major Data Leaks
Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.
While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches), the spate of account hijacks suggests as much.
TeamViewer GmbH, which provides remote desktop software, has also been affected. A number of TeamViewer users reported that their accounts had been hijacked and that attackers had used the remote access to take control of their computers and authorize PayPal and Amazon transactions. TeamViewer attributed the hijacks to “password mismanagement” by users, in other words the reuse of credentials exposed in other breaches, rather than to any flaw in its software.
All of these account hacks show how common password reuse is, and how dangerous it can be. What should be particularly worrying for businesses is that many people use their LinkedIn password for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.
Important Online Security Best Practices
To improve security and reduce the risk of more than one account being compromised:
Never reuse passwords
Create a strong, unique password for each platform: length matters most, so prefer a long passphrase, and use symbols, capitals, and numerals where the site requires them
Change your passwords periodically, and immediately whenever a service you use reports a breach
Use 2-factor authentication if available
Use a password manager to help keep track of passwords
Don’t store your passwords in your browser
Regularly check your email address/username against the Have I Been Pwned? database
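The last item above can be automated without ever sending a password over the wire. The following Python example, added here and not part of the original article, implements the k-anonymity range lookup used by the Have I Been Pwned “Pwned Passwords” API (https://api.pwnedpasswords.com/range/{prefix}): only the first five hex characters of the password’s SHA-1 leave the machine, and the client matches the remaining 35 against the returned list locally. The demo runs offline against a constructed response whose counts are made up; the live `fetch_range` function is included for real use but is not called by the demo.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """The range endpoint returns one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_response: str) -> int:
    """How many times the password appears in the breach corpus; 0 means not seen."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo). The service requires a User-Agent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    prefix, _ = split_for_range_query(password)
    return pwned_count(password, fetch_range(prefix))


# Constructed response standing in for what the API would return for the
# prefix of "dadada": the suffix is the real one for that password, the
# counts and the two filler suffixes are made up.
_DADADA_SUFFIX = split_for_range_query("dadada")[1]
CONSTRUCTED_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_DADADA_SUFFIX}:2873",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

if __name__ == "__main__":
    print("dadada seen", pwned_count("dadada", CONSTRUCTED_RESPONSE), "times")
```

A non-zero count is reason enough to reject the password at signup or force a change at next login; the service never learns which password was checked, only that it started with those five hex characters.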
Over the past few days, rumors have been circulating about a massive MySpace data breach. Initial reports suggested that 427 million usernames and passwords had been obtained by a hacker going by the name of “Peace”. The name should sound familiar. The Russian hacker is the same individual who recently listed 117 million LinkedIn login credentials for sale on an illegal darknet marketplace. The hacker was also allegedly responsible for the 65 million-record data breach at Tumblr.
360 Million Login Credentials Stolen in MySpace Data Breach
Yesterday, Time Inc. confirmed that login credentials had been listed for sale online and that a MySpace data breach had occurred, although the stolen data appear to have been obtained some time ago. The login credentials are for the old MySpace platform and date from before June 11, 2013. While Time Inc. did not confirm exactly how many login names and passwords had been stolen, it said that the figure of 360 million reported in the press over the past couple of days was probably accurate.
Usernames, passwords, email addresses, and secondary passwords are reportedly being offered for sale. Of the 360 million logins, LeakedSource suggests that 111,341,258 of the stolen records include a username and a password, and 68,493,651 records had a secondary password compromised. Not all of the records with a secondary password also included a primary password.
Since 2013, data security has improved considerably and many companies now enforce the use of numerals, capital letters, and symbols in passwords. Only a small percentage of the leaked MySpace passwords contain a capital letter, which LeakedSource attributes to the way they were stored: as unsalted SHA-1 hashes of the password converted to lowercase and truncated to its first ten characters. That weak hashing scheme makes the passwords far easier to crack than the raw numbers suggest.
The login credentials from the MySpace data breach are reportedly being offered for sale for 5 Bitcoin – approximately $2,800.
All old users of the MySpace platform, and current users who joined the website before June 11, 2013 are potentially at risk. MySpace has responded to the breach by resetting all passwords on accounts created before June 11, 2013. When these users visit MySpace again they will be required to authenticate their account and supply a new password.
Additional security measures have been employed to identify suspicious account activity and the data theft is now being investigated. It would appear that no one at MySpace was aware that its database had been breached until the data were offered for sale just before the Memorial Day weekend.
MySpace Breach Shows Why It is Important Never to Reuse or Recycle Passwords
Since the data breach appears to have occurred some time ago, it is probable that many users will have changed their passwords on the site long ago, but the data could still be used to attack past and current users. All too often passwords are recycled and used for other online accounts, and many individuals use the same passwords for different platforms or rarely (or never) change them.
The MySpace data breach shows why it is important to use a different password for each online account and to change passwords regularly, and immediately when a breach is reported. In the event of a breach of login credentials, users then only have to secure one account. If there is any possibility that an old MySpace password is still in use on another platform, account holders should change that password as soon as possible.
Attackers use automated credential stuffing tools that replay leaked username and password combinations against other websites at scale, so a single reused password can expose every account that shares it.
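What those tools look like from the defender’s side is a burst of logins from one source that touch many different accounts, each usually once. The Python example below is added here (it is not from the original article) and runs a simple credential stuffing detector over a constructed authentication log in a hypothetical `ts ip= user= result=` format, flagging source addresses that try many distinct usernames with a high failure rate and listing the accounts where such a source nevertheless succeeded. The thresholds are assumptions and would be tuned to real traffic.

```python
import re
from collections import defaultdict

# Hypothetical log format (assumption): "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed authentication log: 203.0.113.5 walks a leaked username list
# with one password each (credential stuffing) and gets into one account,
# while 198.51.100.7 is a real user who mistyped twice before logging in.
SAMPLE_LOG = """\
2016-06-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-06-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-06-07T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2016-06-07T10:00:04Z ip=203.0.113.5 user=dave result=OK
2016-06-07T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2016-06-07T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2016-06-07T10:00:07Z ip=203.0.113.5 user=grace result=FAIL
2016-06-07T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2016-06-07T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2016-06-07T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2016-06-07T10:01:20Z ip=198.51.100.7 user=alice result=OK
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames with mostly failures.
    A brute-force attack hammers one account; stuffing touches many accounts
    once each, so the distinct-user count is the discriminating signal."""
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        total[e["ip"]] += 1
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
    flagged = {}
    for ip in total:
        ratio = fails[ip] / total[ip]
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "fail_ratio": ratio}
    return flagged


def likely_compromised_accounts(events, flagged_ips):
    """Any successful login from a flagged source is a probable account takeover;
    those accounts need a forced password reset and session invalidation."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged_ips and e["result"] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = detect_credential_stuffing(evs)
    print(bad, likely_compromised_accounts(evs, bad))
```

In production the same counts would be kept per time window and per /24 rather than per exact address, since stuffing tools rotate through proxies, but the signal is the same: many accounts, few attempts each, and the occasional success that matters.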
A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.
CEO Fraud Scam Results in Losses of 41.9 Million Euros
Earlier this year, FACC, an Austrian aircraft component manufacturer, was targeted by attackers who pulled off an audacious 50 million Euro ($55 million) CEO fraud scam. An employee of the firm made a wire transfer of 50 million euros after receiving an email, apparently from CEO Walter Stephan, requesting that the funds be transferred. The email was a scam and had not been sent by the CEO.
Unfortunately for FACC, the scam was discovered too late to stop the transfer. While the company recovered a small percentage of the money, according to a statement released by FACC it lost 41.9 million Euros as a result of the attack, which contributed to annual pretax losses of 23.4 million Euros.
The bank transfer represented approximately 10% of the company’s entire annual revenue. Given the size of the transfer it is surprising that the request was not verified in person, or by telephone with the CEO, before the funds were released.
The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers are not believed to have any link to FACC.
Heads Roll After Huge Losses Suffered
Earlier this year, FACC sacked its chief financial officer as a direct result of the scam. The CEO was recently dismissed following a meeting of the company’s supervisory board. Stephan had been CEO of the company for 17 years.
This CEO fraud scam is one of the largest ever reported, although this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S companies over the past year. In April, the FBI reported that $2.3 billion has been lost as a result of this type of scam.
CEO email fraud involves a member of the accounts department being sent an email from the CEO – or another senior executive – requesting a bank transfer be made from the company accounts. A reason is usually supplied as to why the transfer request needs to be made, and why it must be made urgently.
Oftentimes, the scammer and the target exchange a few emails. An initial email asks whether a transfer can be made, followed by another containing details of the recipient account and the amount. The scams are effective because the request appears to come from within the company, from a senior executive or the CEO. In many cases the attackers have compromised the CEO’s email account, or are spoofing the address, and have spent time studying the style the CEO uses in emails and who transfer requests have been sent to in the past.
According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off in the past. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were able to be recovered. The Scoular Co., wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.
Easy Steps to Prevent CEO Email Fraud
There are steps that can be taken that can greatly reduce the risk of these scams being successful.
Implement policies that require all bank transfers, or those above a certain threshold, to be verified out of band before release: by telephone to a number already on file, or in person, never via contact details supplied in the email itself.
Ensure bank transfer requests are authorized by a supervisor and are not left to one single employee
Configure spam filters to block spoofed domains so that scam emails are not delivered, and publish SPF, DKIM, and DMARC records for your own domain so that messages forging it can be rejected
Provide training to all accounts department staff and warn of the risk of CEO fraud scams
The 2012 LinkedIn data breach was believed to have resulted in the theft of 6.5 million email addresses and hashed passwords; however, the breach appears to have been far worse than previously thought, with considerably more data stolen. Those data have now been listed for sale on a darknet marketplace, prompting LinkedIn to contact a substantial percentage of its users to get them to change their passwords.
117 Million Unsalted SHA-1 Hashes and Corresponding Usernames from 2012 LinkedIn Data Breach Listed for Sale
A hacker called “Peace” listed 117 million LinkedIn email address and hashed password combinations for sale this week. LinkedIn believes this data also came from the 2012 breach. The data were in the same format as the 6.5 million password and email combinations previously listed for sale. The latest batch has been listed for sale for a reported $2,200.
The passwords stolen in the 2012 LinkedIn data breach were unsalted SHA-1 hashes. Although hashed rather than stored in plaintext, they are poorly protected: SHA-1 is fast, and without a salt a single precomputed table cracks every account that used a common password.
Soon after the 2012 LinkedIn data breach the 6.5 million account details were offered for sale on a Russian hacking forum. Motherboard reports that as many as 90% of those passwords were able to be cracked. This now places 18 times as many users at risk of having their accounts compromised.
LinkedIn users who joined the professional networking website after the 2012 data breach will not be affected by the data sale, although older users of the site could be at risk, especially if the password they used for LinkedIn has been reused for logins elsewhere online.
Individuals who tend to use the same passwords on multiple websites or those who recycle old passwords are advised to change their passwords on their banking websites, social media profiles, email accounts, and other online sites if there is a possibility that they have used the same password as they used on LinkedIn prior to the 2012 breach.
The 2012 LinkedIn data breach was possible because security at the time was not particularly robust, although that has since been addressed. LinkedIn now salts its hashes, uses two factor authentication, and also email challenges. Since being alerted to the listing of the password/username combos, LinkedIn has been contacting affected users and attempting to invalidate passwords and force users to reset.
It is strongly advisable to login to LinkedIn and change your password as a precaution if you are unsure whether you have changed your password since 2012.
Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.
Over the past six years, the main causes of healthcare data breaches have changed considerably. Back in 2010 and 2011, when the first two healthcare data privacy and security surveys were conducted, the main causes were lost and stolen devices, third-party errors, and mistakes made by employees.
Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage media have fallen considerably in recent years. Because of the high risk of loss and theft, and the cost of risk mitigation and compliance fines following a breach, healthcare organizations are keeping tighter control of portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to encrypt data on portable devices. However, lost or stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.
Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches
Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.
Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.
Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.
The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.
Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.
The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.
Healthcare Organizations Need to Increase Cybersecurity Efforts
Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.
Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.
Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.
This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.
ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year the total number of data breach incidents has surpassed 6,000, with 851 million individual records exposed since 2005.
U.S. Data Breach Statistics by Industry Sector
The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.
Over the course of the past decade the financial sector ranked lowest for breaches of Social Security numbers. Its largest data security incident exposed 13.5 million records and occurred while data were in transit (ITRC’s “data on the move” category).
At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.
ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.
Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud
The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed and over 131 million records were exposed as a result of hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc., data breach discovered early last year.
While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare industry data breaches are believed to have been responsible for the massive increase in tax fraud experienced this year. Tax fraud surged by 400 percent in 2016.
Government organizations and military data breaches make up 14.4% of U.S data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches along with more than 389,000 credit and debit card numbers.
The education sector experienced the lowest number of insider data breaches of all industry sectors (0.7%) although 2.4 million records were exposed via email and the Internet.
Cybersecurity Protections Need to Be Improved
The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”
Employers are enjoying the benefits of mobile devices, but IT security professionals are concerned about the security risk that comes from the use of smartphones and tablets. The more devices that are allowed to connect to company networks, the higher the risk, but are mobile device data breaches actually occurring?
There is widespread concern that the devices pose a major security risk, but little data on the extent to which mobile data breaches occur. A new survey sheds some light on just how frequently mobile devices are implicated in data breaches.
Six data security firms* sponsored a survey conducted by Crowd Research Partners which set out to shed some light on the matter. 882 IT security professionals from a wide range of industries were asked a number of questions relating to mobile security and data breaches experienced at their organizations.
More than a Fifth of Companies Have Suffered Mobile Device Data Breaches
The results show that 21% of companies have experienced a mobile device data breach at some point in the past, affecting either devices supplied by the company or devices used by employees under BYOD policies. A further 37% of respondents could not say whether a mobile device data breach had occurred, indicating that many organizations are at risk of data theft or loss but would be unable to tell whether a breach had in fact happened.
Malicious Wi-Fi networks continue to be a problem. 24% of respondents said that BYOD or corporate-supplied devices have connected to malicious Wi-Fi networks at some point in the past. Many companies cannot say whether this has actually happened. Almost half of respondents (48%) could not say with any degree of certainty whether their employees had connected to malicious Wi-Fi networks.
Cybercriminals are developing malware at an alarming rate and mobile devices are now being targeted by many cybercriminal gangs. While the majority of threats affect Android phones, iPhone users are also being targeted. A number of new iOS malware have been discovered in the past year.
Mobile malware is a major problem for businesses. 39% of respondents said users of their networks had, at some point in the past, downloaded malware onto their devices, and 35% did not know whether this had happened. This suggests more than a third of companies are not monitoring the mobile devices that are allowed to connect to corporate networks.
Respondents were asked what measures they were using to protect the mobile devices they allowed to connect to their networks. Only 63% of respondents said they used password protection to keep the devices secure. 49% said they had implemented solutions that enable them to remotely wipe devices that are lost, stolen, or reach the end of their life. 43% use encryption for sensitive data and only 38% said they have policies covering data removal at employee separation or device disposal.
34% said their organization wipes data from mobile devices every time an employee leaves. 13% said this happens more than half of the time, and 16% said it happens less than half of the time. Most alarmingly, 23% did not know whether devices were wiped and 14% said they never wipe data from employees’ devices when they leave the company.
43% reported using mobile device management (MDM), 28% used endpoint security tools such as anti-malware programs, and 27% used network access controls.
Many IT security professionals are worried about the risk posed by mobile devices and are concerned about mobile device data breaches. The survey results show there is good reason for them to be concerned. Many companies are failing to implement policies and procedures to effectively manage mobile device security risks.
*The online survey was sponsored by Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall and Tenable Network Security. The survey was conducted on members of the LinkedIn Information Security Community.
Phishing scams have increased significantly in the past few weeks as cybercriminals step up their campaigns during tax season, with many using a technique referred to as business email compromise to fool victims into sending employee W-2 form data to the attackers.
Beware of Business Email Compromise Campaigns During Tax Season
Some organizations have thwarted attacks, but many have fallen for the phishing scams and have emailed highly sensitive employee data to the criminals behind the campaigns. Business email compromise is used in spear phishing campaigns: Highly targeted and highly convincing attacks on small numbers of employees within an organization.
Most phishing campaigns are random. Emails are sent out by the million in the hope that some individuals will fall for the scams. The email campaigns are not particularly convincing and rely on greed or naiveté in many cases to attract a click or the disclosure of sensitive data.
Business email compromise campaigns, on the other hand, are much more convincing. They tend to involve very carefully constructed emails with good grammar and none of the spelling mistakes common in spam, and they are written by hand and sent to a very select number of individuals within an organization, or to just one person. They are often personal, referring to the target by first name, and they use business email addresses. An email sent from within the company, or seemingly from within the company, is much more likely to be trusted.
Corporate images are often used, email signatures copied, and the email address of the sender is spoofed. Victims are researched, as are the companies. The key to the success of these campaigns is their realism. The aim is to get an employee to take a specific action without thinking that the request is anything other than genuine. If the scam is successful, the victim may never know that they have been duped.
The email requests, at first glance at least, appear to be genuine. They are sent from a senior executive or the CEO of the company. When they are sent from an authority figure from within the company the request is less likely to be questioned.
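The prevention steps listed for CEO fraud earlier on this page and the description of spoofed senders above both come down to a handful of checks that can be run on every inbound message before it reaches the accounts department. The Python example below is added here, not taken from the original article or any vendor product, and scores a message on executive display-name impersonation, lookalike sender domains, a mismatched Reply-To, failed SPF/DKIM/DMARC results in the Authentication-Results header, and urgent money or payroll language in the body. The company domain, executive directory, confusable-character table, and the two sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company domain and executive directory (assumptions for the demo).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat smith": "pat.smith@example.com"}

# Characters commonly swapped in lookalike domains; "rn" for "m" is handled separately.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
URGENT_WORDS = ("urgent", "immediately", "today", "confidential")
MONEY_WORDS = ("wire", "transfer", "payment", "w-2", "w2", "payroll")


def normalize_domain(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def is_lookalike(domain: str, target: str) -> bool:
    """True when the domain is not the target but collapses to it after confusables."""
    return domain.lower() != target.lower() and normalize_domain(domain) == normalize_domain(target)


def analyze_message(raw: str) -> list:
    """Return a list of reasons the message looks like executive impersonation."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain visually imitates the company domain.
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are silently redirected to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Reply-To {reply_to} points to a different domain")

    # 4. The receiving gateway recorded failed sender authentication.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=fail", auth):
            reasons.append(f"{check} failed")

    # 5. Urgency combined with money or payroll data in the body.
    body = msg.get_payload(decode=True)
    text = (body or b"").decode("utf-8", "replace").lower()
    if any(w in text for w in URGENT_WORDS) and any(w in text for w in MONEY_WORDS):
        reasons.append("urgent request involving money or payroll data")
    return reasons


# Constructed messages: a CEO-fraud attempt and a benign internal note.
SPOOFED = """\
From: Pat Smith <pat.smith@examp1e.com>
Reply-To: pat.smith.ceo@mail.example.net
To: accounts@example.com
Subject: Urgent transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Please wire the funds today for the acquisition, it is confidential. I will send account details shortly.
"""

LEGIT = """\
From: Pat Smith <pat.smith@example.com>
To: accounts@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Team lunch is on Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

Any non-empty result should route the message for out-of-band verification rather than auto-rejecting it, since a genuine executive writing from a personal address will also trip the display-name check; the point is that no transfer or data export is made on the strength of the email alone.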
In the past few weeks a number of companies have received business email compromise phishing emails and have sent attackers a list of employee W-2 form data, including Social Security numbers, dates of birth, names, and details of employee earnings for the year. These data can be used by the criminals to file false tax returns in the names of company employees.
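As an added example (not from the original article), the header and content checks a mail gateway or an analyst could apply to spot the pattern just described, written in Go with only the standard library; the message, names and domains are constructed for this illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Constructed sample message (names, domains and addresses are all made up). It
// follows the pattern described above: an executive's display name, a From address
// on the company's own domain, replies diverted elsewhere, and a request for W-2 data.
const sampleBEC = `From: "Jane Doe, CEO" <jane.doe@example-corp.test>
Reply-To: jane.doe.ceo@mail-example.test
To: payroll@example-corp.test
Subject: W-2 forms needed today

Hi, I need the W-2 forms for all employees as a single PDF before noon. Thanks.
`

// Findings records which indicators a message triggered.
type Findings struct {
	ClaimsInternal   bool // From address is on the company's own domain
	ReplyToMismatch  bool // Reply-To points to a different domain than From
	ExecutiveName    bool // display name claims a senior role
	SensitiveRequest bool // subject or body asks for payroll tax data
}

// Score counts the indicators that point at impersonation or data theft.
// ClaimsInternal is normal for genuine internal mail and is not counted.
func (f Findings) Score() int {
	n := 0
	for _, hit := range []bool{f.ReplyToMismatch, f.ExecutiveName, f.SensitiveRequest} {
		if hit {
			n++
		}
	}
	return n
}

// domainOf returns the lower-cased domain of a single-address header value.
func domainOf(header string) (string, error) {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// CheckMessage parses a raw RFC 5322 message and evaluates the indicators;
// companyDomain is the organization's own mail domain.
func CheckMessage(raw, companyDomain string) (Findings, error) {
	var f Findings
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return f, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return f, err
	}
	fromDomain, _ := domainOf(msg.Header.Get("From"))
	f.ClaimsInternal = fromDomain == strings.ToLower(companyDomain)
	// Replies routed to a different domain than the visible sender are the
	// classic sign of a spoofed From address or an abused display name.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if d, err := domainOf(rt); err == nil && d != fromDomain {
			f.ReplyToMismatch = true
		}
	}
	name := strings.ToLower(from.Name)
	for _, title := range []string{"ceo", "cfo", "president", "chief"} {
		if strings.Contains(name, title) {
			f.ExecutiveName = true
		}
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return f, err
	}
	text := strings.ToLower(msg.Header.Get("Subject") + " " + string(body))
	for _, kw := range []string{"w-2", "social security", "payroll"} {
		if strings.Contains(text, kw) {
			f.SensitiveRequest = true
		}
	}
	return f, nil
}

func main() {
	f, err := CheckMessage(sampleBEC, "example-corp.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("score=%d %+v\n", f.Score(), f)
}
```

A score of two or more on a message that also claims to be internal is a reasonable trigger for quarantine and the two-person verification described later in the article.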
W-2 Phishing Scams Target Californian Companies
Magnolia Health Corporation recently announced one of its employees had fallen for a business email compromise scam and had sent a full list of employees to the attacker. The mistake was discovered, although not for a week. The attack took place on February 3, 2016.
Also on February 3, Californian company BrightView received a phishing email requesting employee data and sent the information, as requested, to the email scammers. BrightView discovered the mistake the following day.
Polycom, a content collaboration and communication technology company also based in California, was attacked in the same manner on February 5 and also fell for the business email compromise scam. California-based Snapchat was similarly fooled by a business email compromise scam and emailed the data of 700 employees to the attackers. Mercy Housing Inc. and Central Concrete Supply Co. also suffered similar attacks recently.
The attacks have not been limited to California. Alaskan telecommunications company GCI also fell victim to a similar attack, which resulted in the data of 2,500 employees being sent to a scammer.
Business email compromise (BEC) scams are convincing, and employees need to be particularly vigilant at this time of year. To reduce the risk of a BEC attack succeeding, it is important that staff receive training on how to identify a business email compromise scam. Policies should also be introduced to make it harder for employees to fall for the scams, such as requiring all data requests to be verified by two employees, one of whom should be within the information security team.
Until tax season draws to a close we are likely to see even more companies fall for these scams.
Last year saw a massive increase in the number of recorded enterprise malware attacks, with hackers also targeting public sector organizations and government agencies with increased frequency. According to the new Dell Security Annual Threat Report, malware attacks virtually doubled in 2015, and reached a staggering 8.19 billion worldwide infections.
The new report makes for worrying reading. The current threat level is greater than ever before and the volume of enterprise malware attacks now taking place has reached unprecedented levels. Organizations that fail to implement robust controls to protect their systems from malware downloads are likely to be attacked.
Dell Reports a 73% Increase in Malware Infections in 2015
To compile the report, Dell gathered data from its Dell SonicWALL Global Response Intelligence Defense network. In 2014, Dell SonicWALL received approximately 37 million unique malware samples. In 2015, that figure increased to 64 million: An increase of 73%. Dell noted increases in malware, ransomware, viruses, Trojans, worms, and botnets in 2015.
Not only is the volume of malware increasing, the vectors used to infect devices and networks are now much broader. Cybercriminals are also getting much better at concealing infections and covering their tracks. When malware is eventually discovered on systems, it has usually been present and active for some time.
Hackers are now using anti-forensic techniques to evade detection, along with steganography and changing URL patterns, and are modifying their landing page entrapment techniques. Command and control center communications are also being encrypted, making it harder to identify communications from infected devices and systems. Oftentimes, it is the communications between malware and C&C servers that allow anti-malware and intrusion prevention systems to identify malware infections.
Spam email is still being used to deliver malicious software although drive-by attacks have increased. IoT devices are also being used to install malware due to the relatively poor security of the devices.
Enterprises now have a much broader attack surface to defend, yet security budgets are often stretched, making it difficult for IT security teams to install adequate defenses against such a diverse range of attack vectors. It may not be possible to implement robust defenses to repel all attacks, but by concentrating on the most commonly exploited weaknesses the majority of enterprise malware attacks can easily be prevented.
How to Defend Against Enterprise Malware Attacks
The majority of successful enterprise malware attacks could have been prevented had basic security measures been implemented and had industry security best practices been adopted. Hackers may be using ever more sophisticated methods to infiltrate systems and steal data, but in the majority of cases they do not use zero-day vulnerabilities to attack: Well-known security weaknesses are exploited.
All too often enterprise malware attacks are discovered to have occurred as a result of unpatched or outdated software. Oftentimes, patches and software updates have been available for months prior to attacks taking place. One of the best defenses against cyberattacks is to adopt good patch management practices and ensure that software updates are applied within days of release.
Email spam is still used to deliver a wide range of malware and malicious software, yet spam email is easy to block with a robust spam filtering solution such as SpamTitan. Along with staff training on phishing email identification and basic security best practices, malware infections via email can be easily prevented.
It is also strongly advisable to implement an enterprise web filtering solution. Allowing employees full access to the Internet can leave a business susceptible to drive-by malware downloads. A web filtering solution such as WebTitan Gateway – or WebTitan Cloud for Wi-Fi networks – can prevent malicious file downloads, malvertising, and limit the risk of drive-by enterprise malware attacks.
Using a firewall capable of inspecting every packet and validating all entitlements for access is also advisable. Since hackers are also using SSL/TLS encryption to mask C&C communications, it is a wise precaution to use a firewall that incorporates SSL-DPI inspection functionality.
According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.
However, that was not the case and over the course of the past 4 years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.
The California data breach report includes a summary of data breaches reported to the attorney general’s office between 2012 and 2015. From 2012, the California attorney general’s office needed to be notified of a breach of personally identifiable information if more than 500 state residents were affected.
Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.
In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.
2015 was a Bad Year for Data Breaches in California
The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.
The California data breach report was compiled to show just how bad the current situation is. According to State attorney general Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.
Harris points out in the introduction to the 2016 California data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” She goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”
California Data Breach Report Summary
The main findings of the 2016 California data breach report are listed below:
The biggest data security threats are malware and hacking
Malware and hacking exposed 54 percent of records and accounted for the most data breaches (365)
Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
Malware and hacking caused 90% of retail data breaches
Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches
Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
Errors and employee/employer negligence accounted for 17% of data breaches
Medical records were exposed or stolen in 19% of reported breaches
Payment card information was stolen in 39% of data breaches
Small businesses reported 15% of data breaches
According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third being involved in 16% of data breaches.
Data Breach Prevention – Improve Protection Against Malware
The prevention of cyberattacks requires multi-layered security systems, although in the majority of cases data breaches were found to be the result of a failure to update software and apply patches. The security vulnerabilities that were exploited by hackers or used to install malware had been discovered and patched. In the majority of cases, patches had existed for over a year but had not been installed.
Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.
If staff are also trained to identify malware and potentially harmful emails and attachments, a great many malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited and used to download malware without any user interaction required.
These infections are referred to as drive-by attacks, and they can occur if a user is directed to a malicious website or to a site that has been compromised by cybercriminals.
Third party advertising networks can contain adverts with malicious links that direct visitors to sites where drive-by attacks can take place. Those adverts can appear on legitimate websites. Even some of the biggest sites on the Internet have been discovered to display malvertising. These threats must be dealt with to prevent data breaches from occurring.
Protecting against malware delivery via the Internet requires a different solution: a web filter.
Protect End Users from Web-Borne Malware Threats with WebTitan
WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.
By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.
For further information on the benefits of WebTitan’s web filtering solutions contact the Sales team today.
Apple device security is particularly robust, yet the company’s operating systems are far from impregnable as a recent Apple malware attack has shown. Apple device users have recently been targeted by hackers believed to be operating out of China. The Apple malware attack has so far resulted in the credentials of approximately 225,000 iPhone users being obtained by the hackers.
KeyRaider Responsible for Apple Malware Attack
The malware in question has been named KeyRaider. Fortunately, only device owners who have jailbroken their iPhones are at risk of infection. Jailbreaking an iPhone will allow banned apps to be installed on the devices, but the process also introduces a vulnerability that can be exploited by hackers. KeyRaider attacks devices that have been jailbroken using Cydia: The most popular jailbreaking tool for Apple devices.
Device GUIDs as well as Apple account usernames and passwords have been stolen by KeyRaider. The malware can steal user credentials, Apple purchasing information, private keys, and Apple push notification certificates.
Once a device is infected, user credentials are uploaded to a command and control server, and those data are made accessible to other individuals. The information can be used to purchase apps for Apple devices without the purchaser being charged; instead, the charges are applied to infected users’ accounts.
To date it has been estimated that as many as 20,000 individuals have downloaded software that allows them to obtain Apple apps for free at the expense of other Apple device users. In some cases, users’ devices have been locked and attackers have demanded ransoms to be paid to unlock the infected iPhones and iPads.
The Apple malware attack was discovered by Palo Alto Networks and China’s WeipTech, and services have now been developed that are capable of detecting devices that have been infected with the malware.
iOS App Store applications being infected with malware
Palo Alto Networks has also recently issued a warning over iOS App Store applications that have been infected with malware. To date, 39 different apps have been discovered to have been infected, placing users of non-jailbroken Apple devices at risk of compromising their iPhones and iPads. Hackers were able to copy and alter the Xcode development tools used by iOS app developers, and have been able to infect genuine applications by injecting malicious code.
It is not just relatively obscure apps that have been infected. WeChat is used by hundreds of millions of Apple device owners, and the app was one of those infected with malicious code. That said, the developers of the app, Tencent, have investigated the issue and reported that the malware has not been able to steal user credentials.
The malware infections are understood to be used to steal iCloud login credentials and Chinese security researchers have discovered close to 350 different mobile apps that have been injected with malicious code. Those apps include some of the most popular Apple apps being downloaded in China, such as Didi Kuaidi.
Some of the Chinese App Store apps discovered to have been compromised
The recent Apple malware attacks have come as a surprise to many security researchers and users who considered Apple devices to be perfectly safe. While Apple is without any shadow of a doubt the safest mobile platform, owners of the devices should not consider iOS to be 100% safe.
Did you think the Ashley Madison data breach was mildly humorous? Did you think that it serves the people right for cheating on their husband, wife or life partner? If you did, you certainly didn’t have an account with the online cheating website. Those who did simultaneously broke out in a cold sweat when they realized the website had been hacked and the perpetrator was threatening to make the data public.
Ashley Madison data breach exposed millions of confidential records
The Impact Team was the hacking group behind the Ashley Madison data breach. The group announced on the Tor network that it had hacked the company’s database. The hackers claimed they would release details of the website’s patrons – people looking to have extra-marital affairs – if the company did not shut down its website. Avid Life Media Ltd., the company behind Ashley Madison, did not agree to close its business. The hackers then made good on their promise and started publishing data. A large data dump caused many of the website’s subscribers to panic.
The methods used by the attackers to gain access to the website have not been disclosed, although they were able to obtain the records of more than 30 million individuals in the attack. Unfortunately for the people who have had their privacy violated, there is little that can be done apart from taking precautions with their financial accounts. Their data cannot be un-exposed; it is out there and can be used by whoever finds it. That means phishers, cybercriminals, identity thieves, and anyone who objects to their extra-marital activities may try to expose them.
A data breach can seriously damage a company’s reputation
This was a high profile breach due to the nature of the website and the total confidentiality that is expected and demanded by the company’s clients. A data breach such as this has the potential to cause considerable damage to a brand whose marketing strategy and service depend on privacy. However, brand reputation damage follows any security breach. Target, Anthem Inc., eBay, and OPM have all had their reputations damaged to varying degrees as a result of security breaches and data theft.
Many IT professionals believe that it is not a case of whether a security breach will be suffered, but when it will happen. A great many security professionals believe that most companies have already suffered a security breach. They just do not know it yet.
Lessons learned from the Ashley Madison data breach
Consumers can learn lessons from the Ashley Madison data breach. They should be aware that disclosing any information increases the risk of someone else accessing that information.
The lessons for consumers are:
If you want to do anything in secret, the Internet is probably not the best place to do it
When disclosing information of a sensitive nature, ask yourself what the consequences would be if someone found out or exposed that information
Would you be able to recover from a breach of that information?
Is the service or product more or less important than it being kept a secret?
No matter how secure a website, service, or application claims to be, there is always a risk of a security breach being suffered
There is never a 100% guarantee of privacy online – All networks and systems are vulnerable to attack
Businesses must conduct a risk analysis
Businesses must also consider the risks to data security. Many security threats exist, and they must all be effectively managed. In order to determine what risks exist, an organization must conduct a thorough risk analysis. It is only possible to address and manage risk if a company knows what security vulnerabilities exist. Unfortunately, many hackers already know about the data security risks that are present, as well as how they can be exploited.
Once a risk is identified, unless state or federal legislation demands that the risk is addressed, a company must decide what measures to employ, and whether they are actually worthwhile.
To do that a company must calculate the annualized rate of occurrence (ARO) of a security breach via a given vulnerability: how often the vulnerability is likely to be exploited in any given year. Then the company must determine the repercussions of that vulnerability being exploited, meaning how much the security breach would cost to resolve. That figure is the single loss expectancy (SLE). Once these figures are known it is possible to determine the annual loss expectancy (ALE) by multiplying them together. A decision can then be taken about how the risk should be managed.
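The ARO, SLE and ALE calculation above, carried through for a small risk register and extended with the standard cost/benefit test for a safeguard (the ALE it removes minus its annual cost). This is an added example in Go, not part of the original article; all dollar figures and rates are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one identified vulnerability expressed in the terms used above: SLE is
// what a single breach through it would cost, ARO how many times a year it is
// expected to be exploited.
type Risk struct {
	Name string
	SLE  float64 // single loss expectancy, dollars per incident
	ARO  float64 // annualized rate of occurrence, incidents per year
}

// ALE is the annual loss expectancy: SLE multiplied by ARO.
func (r Risk) ALE() float64 { return r.SLE * r.ARO }

// Safeguard is a candidate control for a risk: its yearly cost and the ARO the
// company expects to be left with once the control is in place.
type Safeguard struct {
	Name        string
	AnnualCost  float64
	ResidualARO float64
}

// Value is the usual cost/benefit figure for a control: the ALE it removes minus
// its own annual cost. Positive means the control pays for itself; negative means
// accepting the risk is cheaper than treating it.
func Value(r Risk, s Safeguard) float64 {
	residualALE := r.SLE * s.ResidualARO
	return (r.ALE() - residualALE) - s.AnnualCost
}

// Worthwhile reports whether a safeguard is justified on cost alone.
func Worthwhile(r Risk, s Safeguard) bool { return Value(r, s) > 0 }

// Option pairs a risk with a proposed safeguard.
type Option struct {
	Risk      Risk
	Safeguard Safeguard
}

// Rank orders options by safeguard value, best first, so the decision described
// above can be taken across the whole risk register rather than one item at a time.
func Rank(opts []Option) []Option {
	out := make([]Option, len(opts))
	copy(out, opts)
	sort.SliceStable(out, func(i, j int) bool {
		return Value(out[i].Risk, out[i].Safeguard) > Value(out[j].Risk, out[j].Safeguard)
	})
	return out
}

func main() {
	// Constructed figures for illustration; real values come from the company's
	// own incident history and cost estimates.
	register := []Option{
		{Risk{"Phishing leads to W-2 disclosure", 400000, 0.5}, Safeguard{"Email filtering plus staff training", 30000, 0.05}},
		{Risk{"Stolen unencrypted laptop", 50000, 2}, Safeguard{"Full-disk encryption", 15000, 0.2}},
		{Risk{"Compromise of isolated lobby kiosk", 5000, 0.1}, Safeguard{"Replace kiosk hardware", 20000, 0}},
	}
	for _, o := range Rank(register) {
		fmt.Printf("%-36s ALE $%8.0f | %-36s value $%9.0f worthwhile=%t\n",
			o.Risk.Name, o.Risk.ALE(), o.Safeguard.Name, Value(o.Risk, o.Safeguard), Worthwhile(o.Risk, o.Safeguard))
	}
}
```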
Sean Doherty, Head of Research & Development at TitanHQ recently pointed out that “the notion of having ‘perfect security’ is ludicrous”. What must be done is to make it as hard as possible for systems to be infiltrated and data stolen. It is essential to implement good security measures which will be sufficient to repel attacks from all but the most skilled, motivated, and determined individuals. There is no such thing as zero risk, but it is possible to manage risk and get it down to a minimal level.
The world’s biggest cyberattack to date has been pulled off by the Carbanak hacking team. It resulted in $1 billion being obtained from more than 100 financial institutions around the world. Who says crime doesn’t pay!
This robbery is on an altogether different scale. The scam has been in operation for over two years according to a recent report by Kaspersky Labs, one of the providers of anti-virus protection present in SpamTitan and WebTitan security products.
The gang is a truly international network of hackers and online criminals, with members understood to be located in Ukraine, Russia, China and many European countries. The gang profits by making fraudulent transfers from corporate bank accounts. The money is transferred to the criminals’ accounts, withdrawn, and is never seen again.
The attacks are still being conducted and the gang has hit organizations all over the world. Their targets are numerous. Companies in the United States, United Kingdom, Germany, China, Hong Kong, Switzerland, Morocco, Ireland, Australia, Ukraine, Russia, India, Pakistan, Norway, Spain, France, Poland, Czech Republic, Bulgaria, Brazil, Canada, and Iceland have all been targeted and had their bank accounts plundered.
The criminal activities were uncovered recently and a global effort is underway to bring Carbanak down. INTERPOL, Europol, and other law enforcement agencies are joining forces with providers of anti-virus and IT security products to identify those responsible, break the crime ring, and bring the individuals to justice. The problem? The methods used to obtain the money had not been seen before, and the exact way the gang obtained funds remained a mystery until very recently. This was the most sophisticated attack method ever seen according to Kaspersky Labs. The bad news is it is still in operation. Knowing how it works does not make catching the criminals much easier.
How are they managing to get so much money, virtually undetected?
The scam starts with a single employee in an organization responding to a spear phishing email. The individual is targeted by gaining information about him or her. That information is then used to craft an email that is likely to elicit the desired response: The downloading of Carbanak malware onto the user’s computer.
The malware is then used to launch an attack that allows access to the internal network of the company to be gained. From there the criminals locate system administrators with access to the company’s surveillance systems. The CCTV systems used by the financial institution are then accessed and the video feeds and files viewed. The criminals look at what happens on the screens of the members of staff who service cash transfer systems. The necessary data is recorded and the actions of the staff copied. Money is moved out of company accounts the exact same way the staff would do it.
The scheme is bold, ingenious, and incredibly scary. By operating in this fashion it does not matter whether each bank has a different software system. It makes no difference. The criminals don’t even use hacks. All that is required is network access. Their activities can be easily hidden behind legitimate actions made by staff.
A virtually perfect crime that is meticulously planned
The criminals were able to operate and leave next to no clues as to how they obtained funds. The scheme shows that no system is perfectly safe and impervious to attack. However, the scam started with a spear phishing campaign and protections can be put in place to prevent phishing emails from being delivered.
In this case, the initial targets were meticulously researched. The spear phishing emails were then designed to get malware installed. However, if phishing emails are blocked and phishing websites cannot be accessed, then it is possible to prevent access from being gained.
If users can be prevented from opening infected attachments, visiting malware-infected websites or installing malicious plugins, users can be prevented from infecting corporate networks.
Emails can be blocked with a powerful anti-spam solution, malicious websites blocked with web filtering software, and employees can be trained to be more security conscious. This applies to personal use of the Internet at home as well as in the office. It is personal online activity that allows cybercriminals to gain so much information about their targets and devise effective phishing campaigns. It is not an option to just provide IT security staff with training. This must be extended to all individuals within an organization to protect against attack.
There is no one single solution that can be employed to offer total protection. A layered approach is required with numerous different security solutions employed.
We recommend including some of the following components:
Anti-Virus protection for firewalls
Separate Email Gateway Anti-Virus software
Desktop and Server AV Protection (a different engine to those used on the firewalls)
Anti-Spam solutions (SpamTitan includes Clam and Bitdefender protection)
Web Filtering Technology (WebTitan also includes dual AV engines)
Securing of Wi-Fi networks (no open networks)
Regular Anti-Virus and Anti-Malware scans
Full system security audits to check for vulnerabilities
Encrypted credit cards have been around for a long time now – or, at least, credit cards with a limited amount of encryption. The magnetic stripe on the back of each credit card is encrypted, and so is some of the data in the more recent chip-and-PIN cards, but basically the security offered by most encrypted credit cards is, well, basic.
When you go shopping in a store like, let’s say, Target, the retailer provides an electronic terminal for you to scan “encrypted” credit cards. The terminal sends your card’s identifying data to the credit card company’s servers to verify that you have the funds to pay for your purchases.
Although the electronic transfer of information is encrypted in transit and at rest, there is a weak point in the process during which the data is decrypted into clear text so that it can be read by the payment processing software. In Target’s case the weak point was located at the point of sale (POS) electronic terminal.
The Target hack was on a massive scale
Hackers used the weak spot in Target’s POS electronic terminals to steal the details of 110 million credit and debit cards. Not just the credit card numbers were taken, but also their PINs and the cardholder’s address, email and phone number – suggesting that Target’s customer database was also hacked (because encrypted credit cards do not have your email address on the magnetic stripe).
Initially the retail giant tried to cover up the hack, but as shoppers started reporting unauthorized purchases on their credit accounts, Target had to come clean and admit to the data breach. As a result, the lawsuits are flying in, Congress has called the company negligent, and attorneys general in every state in the country are looking into the matter.
The damage to Target – both financially and in terms of lost reputation – will be billions of dollars.
Yet the hack could have been worthless
Had the retail industry adopted properly secure encrypted credit cards, the hack of Target’s database would have been worthless. Properly secure encrypted credit cards work not by storing the credit card number and PIN on the magnetic stripe, but by storing a random encrypted number and a public key.
When a purchase is made at a store like, let’s say, Target, the retailer does not need the credit card number or PIN, just an authorization code so that the card can be charged. So, when the credit card is used, the random encrypted number and the cardholder’s public key are transmitted to the credit card issuer. The credit card issuer sends back an authorization code that only the credit card would be able to read.
This “PKI encryption” at the point of sale would mean that any hacked credit card details would be worthless to the hacker. It would cost billions of dollars to introduce a system for properly secure encrypted credit cards to be used in the retail industry, and there seems to be no consensus between banks, retailers, and credit card issuers on what standards should be used.
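An added model in Go (not the original article's code, nor any card scheme's) of the property the preceding paragraphs argue for: the terminal only ever sees a token and a public key, so records skimmed from a compromised POS cannot be used to charge the card. It makes the text's general description concrete as a challenge-response design, in which the issuer sends a fresh nonce, the card signs it with a private key that never leaves the card, and the issuer verifies against the key it enrolled; the authorization code goes back to the merchant in the clear, since the merchant needs to read it. Tokens, key pairs and amounts are all generated for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card carries no account number or PIN: only an opaque token (standing in for the
// "random encrypted number" above) and a signing key pair. The private key never
// leaves the card; a terminal sees only Token and Pub.
type Card struct {
	Token string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// Challenge is what the issuer asks the card to sign for one purchase; the fresh
// nonce ties the signature to that purchase alone.
type Challenge struct {
	Nonce []byte
	Cents int64
}

func (c Challenge) bytes() []byte { return []byte(fmt.Sprintf("%x|%d", c.Nonce, c.Cents)) }

// Issuer maps each token to the public key enrolled for it.
type Issuer struct{ cards map[string]ed25519.PublicKey }

func NewIssuer() *Issuer { return &Issuer{cards: map[string]ed25519.PublicKey{}} }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// IssueCard generates the card's key pair and enrols the public key under a fresh token.
func (i *Issuer) IssueCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	tok, err2 := randomBytes(16)
	if err != nil || err2 != nil {
		return nil, errors.New("random source unavailable")
	}
	c := &Card{Token: hex.EncodeToString(tok), Pub: pub, priv: priv}
	i.cards[c.Token] = pub
	return c, nil
}

// NewChallenge starts an authorization for one purchase.
func (i *Issuer) NewChallenge(cents int64) (Challenge, error) {
	nonce, err := randomBytes(16)
	return Challenge{Nonce: nonce, Cents: cents}, err
}

// Sign is the only operation the card performs at the terminal.
func (c *Card) Sign(ch Challenge) []byte { return ed25519.Sign(c.priv, ch.bytes()) }

// Authorize verifies the signature against the key enrolled for the token (never
// a key presented by the terminal) and returns an authorization code.
func (i *Issuer) Authorize(token string, ch Challenge, sig []byte) (string, error) {
	pub, ok := i.cards[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	if !ed25519.Verify(pub, ch.bytes(), sig) {
		return "", errors.New("signature does not match enrolled key")
	}
	code, err := randomBytes(6)
	return hex.EncodeToString(code), err
}

// Scenario runs one genuine purchase, then two attempts that use only what a
// compromised terminal could have captured (token, public key, genuine signature).
// It reports which of the three were authorized.
func Scenario() (genuine, replay, keySwap bool, err error) {
	issuer := NewIssuer()
	card, err := issuer.IssueCard()
	ch1, err1 := issuer.NewChallenge(4999)
	ch2, err2 := issuer.NewChallenge(99900)
	_, fakePriv, err3 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err1 != nil || err2 != nil || err3 != nil {
		return false, false, false, errors.New("setup failed")
	}
	sig1 := card.Sign(ch1)
	_, e := issuer.Authorize(card.Token, ch1, sig1)
	genuine = e == nil
	// Replay: the captured signature is presented for a different purchase.
	_, e = issuer.Authorize(card.Token, ch2, sig1)
	replay = e == nil
	// Key swap: the new challenge is signed with a key the attacker generated; the
	// issuer checks the enrolled key, so the stolen token and public key are useless.
	_, e = issuer.Authorize(card.Token, ch2, ed25519.Sign(fakePriv, ch2.bytes()))
	keySwap = e == nil
	return
}

func main() {
	g, r, k, err := Scenario()
	fmt.Printf("genuine=%t replay=%t keySwap=%t err=%v\n", g, r, k, err)
}
```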
Google already making strides towards genuinely secure payments
Google has already addressed the problem of genuinely secure payments with the introduction of its Digital Wallet. The Digital Wallet works by isolating credit and debit card data and processing it outside of the Android operating system in a chip they called the Secure Element (SE).
Google´s plan of keeping credit card data out of the reach of malware running in the operating system has really taken off. Many companies are in a battle to come out on top in the lucrative market for credit card fees. Because of a lack of consensus, few manufacturers are adding the SE chip to mobile devices or the near-field communications chips needed to radio encrypted data from encrypted credit cards to the POS terminals.
Because of the lack of consensus between banks, retailers and credit card issuers, and a lack of knowledge about which way encrypted credit cards are headed – if at all – many more retail companies are likely to experience a similar attack to that witnessed by Target.
A network security incident was recently reported by online footwear and apparel retailer Zappos.com. The Zappos data breach was one of the largest ever reported to have been suffered by a United States-based retailer.
Zappos data breach affects 24 million customers
Full details of the Zappos data breach have not been made public, although it is understood that a hacker managed to gain access to one of the servers in Kentucky that was used by the online retail giant. Once access was gained, the hacker responsible for the attack was able to access part of the company’s internal computer network and systems, and managed to obtain data held on approximately 24 million of the company’s customers. The Zappos data breach did not only affect US-based customers. Customers from countries all around the world were affected.
No credit card details were obtained in the cyberattack, as those data were stored on a different server; but personal information of customers was exposed, including their names, addresses, contact telephone numbers and some billing information. The Zappos data breach highlights the problems even large companies can have keeping data secure.
Big Name Brands Suffer Big Data Breaches
The Zappos data breach was one of a number suffered by well-known companies in recent months. Cybercriminals have been attacking large corporations and accessing their huge databases in order to steal customer data and corporate secrets.
Sony was attacked this year, and hackers stole the account details of 20 million purchasers of its computer games. Some credit card numbers were taken, along with names, addresses, email addresses and contact telephone numbers. Some of the stolen data has since been listed for sale on darknet websites, where cybercriminals buy it for use in phishing attacks and spam email campaigns.
Cybercriminals can sidestep even sophisticated cybersecurity defenses by targeting employees with phishing campaigns. Mass spammers send emails by the million in the hope that a few recipients will respond and install malware. In the case of Epsilon, employees were instead targeted with spear phishing emails: messages crafted for specific individuals, which proved very effective.
Epsilon reported that approximately 50 of its clients were affected by the breach. Epsilon holds email lists on behalf of its clients, and some of those lists contain a considerable amount of data. The exact number of email addresses obtained by the hackers has not been disclosed, but Epsilon is understood to hold billions of addresses and has 2,500 corporate clients. This data theft could well be the largest ever recorded.
Is it possible to prevent cyberattacks?
Many small to medium-sized business owners may wonder whether there is much point paying for cybersecurity defenses if they can be sidestepped so easily. After all, if large corporations suffer attacks, what chance do smaller businesses have of preventing one?
It is true that no set of defenses can eliminate all risk of an attack, but the risk can be kept to a minimum by implementing multi-layered security. An intelligent approach that combines a number of different controls gives the best protection, whereas a network that nobody has made any effort to secure will be attacked.
Anti-virus and anti-malware software are a must, as are robust firewalls. However, hackers frequently bypass these controls by targeting employees with phishing campaigns: employees are seen as the weakest link and the easiest route into a corporate network. Protections must therefore be in place to stop these attacks from succeeding. The best defenses are those that prevent phishing emails from reaching employees in the first place, and that stop employees from visiting phishing websites or falling for social media phishing attacks.
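As an added illustration of the kind of checks an email filter applies before a phishing message reaches an inbox, the following Python script (written for this page; it is not a SpamTitan or WebTitan component, nor code from any company mentioned above) scores two constructed messages against three rules that catch the spear phishing pattern described here: a trusted brand name in the display name while the mail comes from an unrelated domain, a Reply-To header that diverts replies to a different domain, and body links that point to a blocklisted host or to a brand look-alike host. The brand list, the host blocklist and both sample messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical policy data for this example: brand names employees trust,
# mapped to the only domain each brand legitimately sends mail from.
TRUSTED_BRANDS = {"zappos": "zappos.com", "acer": "acer.com"}
# Hypothetical host blocklist, of the kind a web filter maintains.
BLOCKED_HOSTS = {"evil-login.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample messages (not real mail; written for this example).
SPEAR_PHISH = """From: "Zappos Billing" <billing@zappos-accounts.example>
Reply-To: collect@evil-login.example
To: finance@victim.example
Subject: Payment verification required

Your account is on hold. Verify here: http://zappos-login.example/verify
or pay the outstanding balance at http://evil-login.example/pay
"""

LEGIT = """From: "Zappos Customer Care" <care@zappos.com>
To: someone@victim.example
Subject: Your order has shipped

Track it here: https://www.zappos.com/orders/123
"""


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand_domain(host, brand_domain):
    """True if host is the brand's domain or a subdomain of it."""
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def phishing_indicators(raw_message):
    """Return a list of reasons the message looks like phishing (empty = clean)."""
    msg = message_from_string(raw_message)
    reasons = []

    from_display, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))

    # Rule 1: display-name spoofing. A trusted brand appears in the visible
    # name, but the message was sent from a domain the brand does not own.
    # (Substring matching on the brand name is deliberately crude.)
    for brand, brand_dom in TRUSTED_BRANDS.items():
        if brand in from_display.lower() and not is_brand_domain(from_dom, brand_dom):
            reasons.append(f"display name claims {brand} but sender domain is {from_dom}")

    # Rule 2: Reply-To diverts replies to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Rule 3: links in the body that hit the blocklist or imitate a brand.
    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            reasons.append(f"link to blocklisted host {host}")
        for brand, brand_dom in TRUSTED_BRANDS.items():
            if brand in host and not is_brand_domain(host, brand_dom):
                reasons.append(f"look-alike link host {host} imitates {brand}")
    return reasons


if __name__ == "__main__":
    for label, sample in (("spear phish", SPEAR_PHISH), ("legit", LEGIT)):
        hits = phishing_indicators(sample)
        print(f"{label}: {'BLOCK' if hits else 'deliver'}")
        for reason in hits:
            print("  -", reason)
```

Each rule on its own is weak (a legitimate marketing sender can use a different Reply-To, and a brand name in a domain is not proof of fraud), which is why the script collects reasons rather than stopping at the first hit: a real filter weighs several such signals, together with sender reputation and authentication results, before quarantining a message.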
Email spam can be blocked with an anti-spam solution such as SpamTitan. Malicious websites can be blocked with WebTitan, which can also be configured to protect against social media phishing campaigns and malicious website ads.
With these controls in place, SMBs will be well protected from cyberattacks and should do enough to convince all but the most skilled and determined hackers to give up and find an easier target.