California Wildfire-Themed BEC Attack Identified

It is common for phishers to use natural disasters as a lure to solicit ‘donations’ that line their own pockets rather than help the victims, and the California wildfires are no exception. Many people have lost their lives in the fires, and the death toll is likely to rise further as hundreds of people remain unaccounted for.

Entire towns such as Paradise have been devastated by the wildfires and hundreds of people have lost their homes. Many are suffering, have nowhere to live, and have lost everything. As expected, many people want to donate money to help the victims rebuild their lives. The attackers are exploiting that sympathy to defraud companies.

A California wildfire phishing scam that attempts to capitalize on the tragedy was recently identified by Agari. However, in contrast to many similar phishing campaigns that rely on huge volumes of emails, this campaign is much more targeted.

The scammer is conducting a business email compromise (BEC) attack using the email account – or a spoofed account – of a company’s CEO. The first phase of the scam is a brief email to an employee asking whether they are available to help. When a reply is received, a second email is sent asking the employee to purchase four Google Play gift cards of $500 each.

The ‘CEO’ asks whether there is a local store where the cards can be bought and asks the employee to make the purchase as soon as possible, scratch off the backs, obtain the codes, and email them back. The email claims the CEO needs the cards to send to customers caught up in the wildfires to provide assistance.

While the chosen method of providing aid is dubious, to say the least, and the emails contain grammatical and spelling errors, the use of the CEO’s email account may convince employees to do as instructed. These scams work because employees do not want to question their CEO and want to respond quickly. Even though a request may be unusual, the stated reason for it appears perfectly genuine.

Although this may seem like an obvious fraud, at least worth a call or text to the CEO to confirm it is genuine, some employees will no doubt not question the request. Each one that does as instructed will cost the company $2,000.

This type of scam is common. It is often associated with wire transfer requests. In the rush to respond to the CEO’s request, a transfer is made, which may be for tens of thousands of dollars. The employee replies by email to say the transfer has been made, the scammer deletes the email, and the fraudulent transfer is often not detected until after the scammer has used money mules to withdraw the money from the account.

Access to the CEO’s email account can be gained in several ways, although a spear phishing attack is common. Spam filtering solutions can help reduce the chance of that initial attack succeeding, and two-factor authentication can prevent account access if credentials are stolen.

Staff training is essential to raise awareness of the threat of BEC attacks. Policies should also be implemented that require all transfer requests sent by email, and any unusual requests, to be confirmed over the phone or by text before a transfer is made.
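The spoofed-CEO gift-card lure described above can be caught at the mail gateway before an employee ever sees it. The following triage script is an added example, not code from Agari or from the original article; the executive roster, the company domain example.com, and both sample messages are constructed for illustration.

```python
"""Triage heuristics for the CEO gift-card BEC pattern described above.

Added example, not code from Agari or the original post. The executive
roster, company domain, and the two sample messages are all constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed executive roster for the fictional company example.com (constructed).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases mirroring the lure in the article: availability probe, gift cards,
# scratch-off codes, urgency.
GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|google\s*play|itunes)\b", re.I)
CODES_RE = re.compile(r"\b(scratch|codes?|back of the card)\b", re.I)
URGENCY_RE = re.compile(r"\b(asap|urgent|right away|immediately|quick(ly)?)\b", re.I)
AVAILABILITY_RE = re.compile(r"\bare you (available|free|around)\b", re.I)


def _addr_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the list of indicator names found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    found = []

    # Display name of a known executive but not the address on file: the
    # classic spoofed-CEO signature. An outside domain is flagged separately.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        found.append("executive-display-name-mismatch")
    if addr and _addr_domain(addr) != COMPANY_DOMAIN:
        found.append("external-sender")
    # A Reply-To that differs from From diverts the victim's answer elsewhere.
    if reply_to and reply_to.lower() != addr.lower():
        found.append("reply-to-diverted")
    if GIFT_CARD_RE.search(text):
        found.append("gift-card-request")
    if CODES_RE.search(text):
        found.append("card-codes-requested")
    if URGENCY_RE.search(text):
        found.append("urgency")
    if AVAILABILITY_RE.search(text):
        found.append("availability-probe")
    return found


def should_hold_for_review(raw: str) -> bool:
    """Policy: hold when an executive name arrives from the wrong address or
    with a diverted Reply-To, or when a gift-card request is paired with
    urgency or a request for the card codes."""
    ind = set(bec_indicators(raw))
    if "executive-display-name-mismatch" in ind or "reply-to-diverted" in ind:
        return True
    return "gift-card-request" in ind and bool(ind & {"urgency", "card-codes-requested"})


# Constructed samples: the second-stage lure from the article and a benign note.
SCAM_MSG = """\
From: "Jane Doe" <jane.doe@example-mail.net>
Reply-To: "Jane Doe" <ceo.jane.doe@freemail.invalid>
To: worker@example.com
Subject: Re: Are you available?
Content-Type: text/plain; charset=utf-8

I need you to buy 4 Google Play gift cards of $500 each from a local store ASAP.
Scratch off the back, get the codes and email them back to me. They are for
customers caught up in the wildfires.
"""

BENIGN_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
To: worker@example.com
Subject: Board deck
Content-Type: text/plain; charset=utf-8

Thanks for the draft deck, I'll review it after the 3pm call.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MSG), ("benign", BENIGN_MSG)):
        print(label, bec_indicators(raw), should_hold_for_review(raw))
```

The hold decision is deliberately conservative: a gift-card mention on its own is not enough, but a known executive’s name on an unexpected address always routes the message to a human.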

Five Stats concerning Cloud Usage in 2018

Narrowing the mass of predictions, forecasts, and trends down to five stats about cloud usage in 2018 is rather difficult, since most lists try to include something for everyone. Here we concentrate on just five important stats that illustrate the evolving cloud landscape.

1. Fewer Firms Are Using Hybrid Cloud Strategies

According to RightScale’s “State of the Cloud Report 2018”, the proportion of firms using hybrid cloud strategies fell from 58% in January 2017 to 51% in January 2018. Although the report noted a slight rise in firms adopting multi-cloud strategies (multiple private clouds or multiple public clouds), the first of our five stats about cloud usage in 2018 appears to confound the forecasters who predicted a strong shift to hybrid environments last year.

There may be several explanations for this apparent contradiction. RightScale’s annual survey polls fewer than one thousand firms – nearly half of which have fewer than one thousand employees – so the report may not be fully representative of the “State of the Cloud”. It may also be that the firms surveyed did not meet the conditions under which a hybrid strategy makes sense. Nonetheless, it is an interesting statistic and one to watch as 2018 progresses.

2. Containerization Grows, but Not as Fast as Serverless Computing

In 2017, forecasts circulated about the expected growth of containerization and serverless computing (Function-as-a-Service/FaaS). Containerization having been the buzzword for several years, most observers predicted it would continue its remarkable expansion while firms would adopt serverless computing at a slower rate. However, the second of our five stats about cloud usage in 2018 indicates the opposite is true.

According to Cloudability’s “State of the Cloud Report 2018” – based on a somewhat more thorough survey than RightScale’s – container adoption grew 246% among AWS users in Q4 2017, while adoption of serverless computing grew 667% over the same period. It is important to note the relative starting position of each service before drawing too many conclusions about which to use, but it is another statistic to watch as 2018 progresses.

3. Concerns about Employees Not Following Cloud Security Policies

Back in 2015, Gartner’s “Top Strategic Predictions for 2016 and Beyond” (PDF) predicted that 95% of cloud security failures would be the firm’s own responsibility. The prediction was supported by a report from one of Gartner’s security brokers, which claimed to have identified 21,825 documents shared on public clouds with file names such as “budget”, “salary” and “confidential”. How Gartner got from that to 95%, we are not quite sure. Nonetheless…

In 2018, the Oracle and KPMG “Cloud Threat Report 2018” found that, although 97% of the 450 IT professionals surveyed had implemented cloud security policies, 82% of those had concerns about employees following them. To address this challenge, 84% of firms were using policy-driven automation to help protect their cloud environments, while 40% of firms were also hiring cloud security architects to defend against sophisticated attackers.

4. The Connection between IT and LOB is Getting Closer

Also in 2015, a Harvard Business Review report produced for Oracle (PDF) found that fewer than 40% of IT departments collaborated with Line of Business (LOB) departments when planning cloud applications. The relationship between IT and LOB has improved considerably since, with IDG’s “State of the CIO 2018” report showing that collaboration between the two departments has risen to 71% – largely as a result of efforts by CIOs.

Executive leaders are also pushing innovation, technology and digital transformation up the agenda, according to the CIO 100 Report 2018, and more than 50% of CIOs now report directly to their company’s most senior executives. Another development that has helped close the gap between IT and LOB is the creation of “Engagement Leader” roles – usually filled by professionals with strong analytical and communication skills who help resolve issues between departments.

5. Cloud Costs Remain the #1 Pain Point

It does not take an expert analyst to predict that cloud spending will rise in 2018, despite cloud costs being the #1 pain point for firms surveyed by 451 Research. Of the 534 firms surveyed, more than half (53.2%) said the cost of operating in the cloud was a concern, whereas the next biggest worry – security issues – kept fewer than half of IT leaders awake at night. The full list of pain point options and their relative ranking is:

  • Cloud Costs – 53.2%
  • Security Issues – 46.6%
  • Responding to Business Requirements – 43.3%
  • Managing Legacy Infrastructure – 29.2%
  • Insufficient Staff – 27.2%
  • New Applications and Projects – 26.0%
  • Skills Shortage – 24.0%
  • Vendor Management – 9.7%
  • Other – 2.6%

Increase in Phishing Emails Using .com File Extensions

Anti-phishing solution provider Cofense, formerly PhishMe, has reported a noticeable rise in phishing campaigns using files with the .com extension. The .com extension is used for files containing executable bytecode, which can be run on DOS and on Microsoft NT-kernel-based operating systems.

The campaigns identified by Cofense Intelligence are mainly being sent to financial services departments and are used to download a range of malicious payloads, including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.

Some of the emails in the campaigns tell the user they must open a .iso file attached to the email to view information related to the notification. The .iso file contains the .com executable. One such email purported to come from a firm that had received a payment despite having no outstanding invoices. The email asked the recipient to check the payment with the finance department to determine whether a mistake had been made. The attachment appeared to be a credit notification from the bank.

The subject lines used in the phishing campaigns vary and include shipping notices, quote requests, remittance advice, bank details, and invoices, although the two most common subjects referenced a ‘payment’ or a ‘purchase order’.

The payment-themed emails were used to deliver the AZORult information stealer, and the purchase order subject lines were used with Loki Bot and Hawkeye.

Most of the campaigns used the .com file as a direct email attachment, although some variants used an intermediate dropper and downloaded the .com file via a malicious macro or exploit. The latter is becoming more common as IT security teams have become alert to the direct delivery method. Most of the malware variants used in these campaigns communicated with domains hosted on Cloudflare. However, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is used as a domain front because Cloudflare is widely trusted by companies and is therefore less likely to arouse suspicion.

Cofense expects the use of .com attachments in phishing campaigns to increase and advises companies to include the file extension in their anti-phishing training programs and phishing email simulations so that users are prepared when attacks occur.
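Beyond user training, the .com and .iso delivery pattern described above is easy to flag at the mail gateway, since neither extension has any business arriving in a finance inbox. The script below is an added example, not Cofense code: it walks the attachments of a parsed message, flags .com files (including double extensions such as invoice.pdf.com) and .iso containers, and does a cheap scan of the .iso bytes for ISO 9660 directory identifiers ending in .COM. The sample message, the fake ISO bytes and the domain names are constructed for illustration.

```python
"""Attachment triage for the .com / .iso delivery pattern described above.

Added example, not Cofense code. The sample message and the .iso payload
bytes are constructed here; no real malware is involved.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article names: .com (raw executable) and .iso (container).
DIRECT_EXEC = {".com"}
CONTAINER = {".iso"}
# ISO 9660 stores 8.3 identifiers such as b"PAYMENT.COM;1" inside directory
# records, so a plain byte scan catches primary-descriptor names. Joliet
# names are UCS-2 encoded and deliberately not covered by this cheap check.
ISO_COM_NAME = re.compile(rb"[A-Z0-9_]{1,8}\.COM;1")


def _extensions(filename: str) -> list[str]:
    """All extensions of a filename, lower-cased: 'a.pdf.com' -> ['.pdf', '.com']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def risky_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) pairs for attachments matching the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = _extensions(name)
        payload = part.get_payload(decode=True) or b""
        if exts and exts[-1] in DIRECT_EXEC:
            reason = "com-executable"
            if len(exts) > 1:  # e.g. invoice.pdf.com, disguised as a document
                reason += "-double-extension"
            findings.append((name, reason))
        elif exts and exts[-1] in CONTAINER:
            inner = ISO_COM_NAME.findall(payload)
            if inner:
                names = ",".join(n.decode("ascii") for n in inner)
                findings.append((name, f"iso-containing-com:{names}"))
            else:
                findings.append((name, "iso-container"))
    return findings


def build_sample() -> bytes:
    """Constructed lure resembling the 'credit notification' email in the
    article: a .iso whose directory record names a PAYMENT.COM file."""
    msg = EmailMessage()
    msg["From"] = "accounts@bank-notifications.invalid"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Payment received - please verify"
    msg.set_content(
        "We received a payment against your account. Open the attached "
        "credit notification and confirm with your finance department."
    )
    # Fake ISO 9660 bytes: the 'CD001' volume-descriptor tag followed by a
    # directory-record-style identifier. Not a valid image, just the markers.
    fake_iso = b"\x01CD001\x01\x00" + b"\x00" * 32 + b"\x0bPAYMENT.COM;1" + b"\x00" * 16
    msg.add_attachment(fake_iso, maintype="application",
                       subtype="x-iso9660-image", filename="Credit_Notification.iso")
    msg.add_attachment(b"%PDF-1.4 not really", maintype="application",
                       subtype="octet-stream", filename="Statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for fname, why in risky_attachments(build_sample()):
        print(f"{fname}: {why}")
```

A real deployment would unpack the ISO with a proper ISO 9660 parser rather than a byte scan, but even this check separates the lure from the harmless PDF riding alongside it.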

Gmail Bug Allows Phishing Emails to Be Sent Anonymously

A Gmail bug has been discovered that allows emails to be sent anonymously with no information in the sender field. The bug could easily be exploited by cybercriminals in phishing attacks.

Phishers often disguise the sender of an email in phishing campaigns to trick the recipient into believing the email is genuine. The sender’s email address can be spoofed so the displayed name appears to be a known contact or well-known organization. However, if there is no information at all in the From field, many end users may be fooled into believing the email has come from a genuine source.

The vulnerability was discovered by software developer Tim Cotten. It is the second Gmail vulnerability he has found in the past few days. The first would allow an attacker to send a message directly to a user’s Sent folder, potentially bypassing the inbox’s anti-spam protections. It could be exploited to make a user believe they had previously sent the message themselves.

The vulnerability lies in how Gmail categorizes emails. If the account holder’s name is in the From field, the message is automatically placed in the Sent folder. If an attacker were then to send a normal email to the same user referring to an earlier message, the user could be lured into checking the message in the Sent folder and could open an attachment or click an embedded hyperlink.

The latest Gmail vulnerability is similar to the first. Cotten found that if a recipient’s name is paired with an arbitrary tag such as <img> or <object> containing a malformed image, the sender name is left blank. Using this method, even if the recipient clicks Reply, no sender name is shown. Even with the Show Original function, the sender’s name was not displayed.

According to Cotten, “It was the blend of the quoted alias, a preceding word, space and the long base64, [and] poorly encoded img tag.” While the header itself was preserved intact, the Gmail UX could not handle it and rendered a blank field.

Both vulnerabilities have been reported to Google, but as yet they have not been fixed.

Q3 2018 Healthcare Data Breaches Report Released

A Q3 2018 healthcare data breach report from Protenus shows there has been a substantial decrease in healthcare data breaches compared to the previous quarter. In Q2, 142 healthcare organizations reported data breaches, compared to 117 in Q3.

However, because of some large breaches in Q3, the total number of exposed records was considerably higher. Between July and September, the health records of 4,390,512 patients were exposed, impermissibly disclosed, or stolen, compared to 3,143,642 healthcare records in Q2. The number of exposed records has increased considerably each quarter in 2018.

The large increase in exposed records in Q3 is largely due to a huge data breach at UnityPoint Health that was reported in July. That single breach exposed more records than all 110 healthcare data breaches in Q1 2018 combined. The breach was a phishing attack that saw a number of UnityPoint Health email accounts compromised. Those accounts contained the PHI of 1.4 million patients. The largest healthcare data breach in August was a hacking incident at a healthcare provider that exposed 502,416 records. The largest breach in September was reported by a health plan and affected 26,942 plan members.

Hacking and other IT incidents accounted for 51.28% of all data breaches in Q3. The second largest cause of breaches was insider incidents (23.08%), followed by loss/theft incidents (10.26%). The cause of 15.38% of Q3 breaches is unknown.

Hacks and IT incidents also resulted in the largest number of exposed/stolen healthcare records – 86% of all breached records in Q3. 3,649,149 records were compromised in the 60 incidents attributed to hacks and IT incidents. There were 8 reported ransomware/malware attacks and 10 incidents involving phishing. It was not possible to determine the precise cause of 18 ‘hacking’ incidents.

Q3 saw a surge in insider breaches. Insider breaches were split into two types: insider errors and insider wrongdoing. Insider wrongdoing includes impermissible disclosures of PHI, employees snooping on medical records, and theft of healthcare records by employees. Insider breaches resulted in the theft, exposure, or impermissible disclosure of 680,117 patient records.

19 incidents were classified as insider errors and affected 389,428 patients. There were 8 confirmed cases of insider wrongdoing affecting 290,689 patients – a major increase from the 70,562 patients affected by insider wrongdoing incidents in Q2 and the 4,597 patients affected by similar incidents in Q1.

In Q3, 19% of breaches involved paper records and 81% involved electronic medical records.

Healthcare providers suffered the most breaches in Q3 (74% of breaches), followed by health plans (11%) and business associates (11%). 23% of the quarter’s breaches involved a business associate in some way.

The report reveals that healthcare organizations and their vendors are slow to detect breaches. In one case, it took a healthcare provider 15 years to discover that an employee had been snooping on healthcare records. Over those 15 years, the employee improperly accessed the records of thousands of patients.

The average time to detect a breach was 402 days and the median was 51 days. The average time to report a breach was 71 days and the median was 57.5 days.

Florida was the state worst affected by healthcare data breaches in Q3 with 11 incidents, followed by California with 10 and Texas with 9.

Eutelsat Selects TitanHQ to Safeguard its WiFi Networks

The leading European satellite operator Eutelsat has implemented a new Wi-Fi filtering solution to protect its Wi-Fi networks.

Eutelsat is among the world’s leading satellite operators. The firm has international coverage and provides video, data and broadband services in 150 countries across Europe, Africa, and the Middle East. The firm has offices in 44 countries, employs over 1,000 technical, operational, and commercial professionals, and its satellite services support a large ecosystem of high-tech businesses.

Eutelsat has installed Wi-Fi hotspots in its business offices; however, providing Wi-Fi hotspots introduces security risks. To improve its security posture and protect its corporate and guest Wi-Fi users from online threats such as malware, ransomware, and phishing, Eutelsat has now deployed TitanHQ’s Wi-Fi filtering solution, WebTitan Cloud for Wi-Fi.

With WebTitan Cloud for Wi-Fi, Eutelsat has created a safe and secure environment for employees and visitors to access the Internet, blocking malware downloads and web-based phishing attacks. The solution also lets Eutelsat enforce its Internet usage policies and prevent employees from accessing inappropriate and illegal web content. Through careful control of employee Internet use, Eutelsat is also improving staff productivity.

The solution gives Eutelsat detailed reports on Internet traffic, provides full visibility into network usage, and lets the firm conserve bandwidth by controlling access to certain types of web content. The Wi-Fi filtering solution also protects the brand by preventing problems from arising over the types of content accessed through its Wi-Fi network.

“Our existing levels of accomplishment and development, including what we’ve seen in the previous six months, verify that businesses are recognizing the value of our dedication to Wi-Fi safety across our offerings and our customer-first philosophy. We are really excited to see what 2019 will bring for both our newly signed clients and our present client base,” said TitanHQ CEO Ronan Kavanagh.

Trump Spam Dominates Email Subject Lines in Run-up to Mid-Terms

Donald Trump is well known for his claims to be the biggest and the best, and now he can make a new claim, having been named by Proofpoint as the most commonly used keyword in election-related spam.

The name Trump featured in 53% of election-related spam email subject lines, beating the nearest rival, “Obama”, who had a mere 6%. The nearest keyword to Trump was “Democrat” with 11% of spam volume, followed by “election” at 10% and “republican” at 7%.

A search for the names of all candidates running for Congress produced insignificant results for all but two. Although several popular, nationally recognized names were up for election, only Cruz and Pelosi had notable spam email volumes, albeit at a low level. The name Cruz appeared in 4% of subject lines and Pelosi in 2%.

Proofpoint notes that in the run-up to previous polls, higher spam volumes correlated with positive results for candidates in the United States, UK, France, and Germany. In the run-up to the 2016 U.S. election, Trump spam was nine times as common as Clinton spam.

For the mid-terms, the results are not so clear-cut, although the higher number of “democrat” spam emails compared to “republican” spam emails did correspond with the outcome for the House of Representatives, where the Democrats won a majority.

The analysis of the election-related spam landscape highlighted a common tendency in phishing and spamming: the use of powerful brand names to generate clicks on hyperlinks embedded in emails. The strongest brands are routinely used by spammers to generate more clicks.

“Whether these brands are trendy or polarizing, spammers include them in subject lines, electronic mail bodies, URL landing pages, social media remarks, and more to drive clicks and eyeballs, even though the actual spam or associated pages are totally unconnected to politics,” notes Proofpoint.

Z Services Selects TitanHQ to Provide New Cloud-Based Security

The Dubai-based managed service provider Z Services has expanded its partnership with TitanHQ and is now offering cloud-based web filtering and in-country email archiving as a service to clients across the MENA region.

Cybersecurity is a critical business concern across the MENA region, and businesses are increasingly looking to managed service providers for solutions that improve their security posture. It makes far more sense to treat cybersecurity as an operational expense rather than a capital expense, which cloud-based services make possible in place of appliance-based solutions. Z Services has been growing its customer base by delivering these solutions to SMEs through ISPs.

Z Services expanded its cybersecurity services earlier this year with a new partnership with TitanHQ. The managed service provider began offering a new cloud-based anti-spam service – Z Services Anti-Spam SaaS – powered by TitanHQ’s SpamTitan technology. The service blocks nuisance spam email and provides protection against ransomware, malware, and phishing attacks.

The popularity of that service has encouraged Z Services to expand its partnership with TitanHQ and begin offering a new web filtering and email archiving service to companies in the region via their ISPs. Its Internet security-as-a-service offering is powered by WebTitan, and the in-country email archiving service is powered by ArcTitan. TitanHQ supplied its solutions in white-label form, allowing Z Services to rebrand them and create its MERALE SaaS offering – an economical, auto-provisioned Internet security and compliance service.

Through MERALE, SMEs can block web-based threats such as phishing, prevent ransomware and malware downloads, and carefully control the online content employees can access. In addition to improving Internet security, companies benefit from productivity gains by blocking categories of web content such as dating, gambling, and social media sites. An extensive reporting suite gives companies all the information they need on the online activities of their staff. The in-country email archiving service helps companies comply with government, state, and industry regulations and meet eDiscovery requirements.

“We trust that MERALE will be a game-changer in how small and medium companies in the region ensure their safety, and as a subscription-based facility, it removes the need for heavy investments and long-term commitments,” said Nidal Taha, President – Middle East and North Africa, Z Services.

U.S. Treasury Probing $700,000 Loss to Phishing Scam

In July 2018, the Washington D.C. government fell for an email scam that resulted in wire transfers totaling approximately $700,000 being sent to a scammer’s account.

The scammer impersonated a vendor used by the city and requested payment of outstanding invoices for construction work. The vendor had been contracted for the design and build of a permanent supportive housing facility.

The emails requested that the payment method be changed from check to bank transfer, and details of a Bank of America account were provided to which the payments were to be directed. Three separate payments were made, totaling $690,912.75.

The account details provided were for an account controlled by the scammer. By the time the scam was discovered, the money had already been withdrawn from the account and could not be recovered. According to a Washington Post investigation, the scammer had impersonated the company Winmar Construction.

The emails were sent from a domain registered by the scammer that mimicked that of the construction company. The domain was identical except for two letters that had been transposed. The scammer then created an email address on that domain, which was used to request payment of the invoices.

According to the Washington Post, before this scam the D.C. government was targeted with several phishing emails, although Mike Rupert, a spokesman for the city’s chief technology officer, said those phishing attacks were not successful and were not linked to the wire transfer scam.

These scams are common. They frequently involve an email account compromise that lets the scammers identify vendors and obtain details of outstanding payments. David Umansky, a spokesman for the city’s chief financial officer, told the Washington Post that the attacker had obtained the information needed to pull off the scam from the vendor’s system and that D.C. officials failed to spot the fake domain and email address.

After discovering the fraudulent wire transfers, the D.C. government contacted law enforcement, and steps have been taken to trace the scammers. Additional security controls have now been implemented to prevent similar scams from succeeding in the future, including a requirement for additional verification to confirm the authenticity of any request to change bank details or payment methods.

The U.S. Treasury Department has now launched an investigation into the breach, as bank fraud is a federal offense. That investigation is ongoing.

Cofense Expands 24/7 Global Phishing Defense

Cofense has announced that it has expanded its 24/7 Phishing Defense Service to provide even greater support to clients outside business hours and ensure that phishing threats are identified in the shortest possible time.

The Cofense Phishing Defense Center (PDC) was created to ease the burden on IT security teams by letting them offload some of the work of sifting through emails reported by their end users and analyzing them to identify the genuine threats.

When employees report suspicious emails – through Cofense Reporter, for example – the emails are sent to Cofense Triage for analysis. The malware and threat analysts in the Cofense PDC team conduct an in-depth analysis of the reported threats and send full details back to clients’ incident responders, allowing them to take action to mitigate the threat. The faster a threat can be identified, the lower the chance of an employee responding to it.

The Phishing Defense Service saves companies a substantial amount of time and effort and lets threats be identified and mitigated much more quickly. With the volume of phishing threats rising, incident responders can easily get bogged down identifying threats among the hundreds of emails reported as ‘suspicious’ by their employees. Cofense data indicate that typically only 10%-15% of reported emails are malicious, yet every message must be checked and assessed.

The Cofense PDC team already works round the clock to assess active phishing threats, but the expansion of the service ensures that, regardless of the time of day or night, new threats are identified in the shortest possible time frame. This is particularly important for firms with offices in several countries and time zones. Those businesses should not have to wait until business hours for threats to be identified; they need to be identified day or night.

“Since threat actors do not sleep, neither should your defense capabilities,” explained Josh Nicholson, Senior VP of Professional Services at Cofense. “Our improved, round-the-clock phishing defense facility puts clients at ease by offering expert analysis and reaction for any informed doubtful electronic mail, any day, any time, in a matter of minutes.”

The expansion will ensure that malware analysts are always on hand to assess reported phishing attempts and help clients mitigate new phishing attempts much more quickly.

United States Leads the World as Primary Host of Malware C2 Infrastructure

The United States hosts the largest share of malware command and control (C2) infrastructure – 35% of the global total, according to new research published by phishing defense and threat intelligence company Cofense. 27% of network Indicators of Compromise (IoCs) from phishing-borne malware are also either located in or proxied through the United States. Cofense data indicate that Russia is in second place with 11%, followed by the Netherlands and Germany with 5% each and Canada with 3%.

C2 infrastructure is used by attackers to communicate with malware-infected hosts, issue commands, download new malware modules, and exfiltrate data. Cofense explained that the fact that C2 infrastructure is hosted in the United States does not necessarily mean that more attacks are being conducted on U.S. residents than on those in other nations. It is common for attackers to host their C2 infrastructure outside their own country to make it harder for law enforcement agencies to identify their activities. C2 infrastructure is also usually located in countries that do not have an extradition treaty with the host nation.

Threat actors are more concerned with placing their C2 infrastructure somewhere that minimizes their risk than with placing it in any particular country. Cofense notes that “C2 infrastructure is extremely prejudiced toward compromised hosts, showing a high occurrence of host compromises inside the United States.” That makes perfect sense, since there are more potential hosts to compromise in the United States than in other countries.

“Some companies will obstruct any links coming from nations known for the origination of malevolent activity that they don’t do business with,” explained Darrel Rendell, principal intelligence analyst at Cofense. That would make hosting C2 infrastructure in the United States advantageous, as connections between malware and those servers would be less likely to raise red flags.

In a recent blog post, Cofense gives examples of the distribution of C2 infrastructure using two common banking Trojans: TrickBot and Geodo. Both banking Trojans are widely used in attacks on Western nations, and attacks have increased in frequency in 2018. The two Trojans are notably different because they belong to different malware families and are used by different threat actors.

In both cases, the infrastructure is growing and the C2 locations are highly diverse, although the data show very different distributions of C2 infrastructure for each malware variant. TrickBot’s main C2 location is Russia, followed by the U.S. Geodo, on the other hand, mainly uses the U.S., followed by Germany, France and the United Kingdom, with next to nothing located in Russia.

Cofense notes that although the differences between the two seem odd at first glance, their distribution makes sense. Geodo uses legitimate web servers as a reverse proxy, which then relays traffic via real servers to hosts on concealed C2 infrastructure. TrickBot, in contrast, uses purpose-bought Virtual Private Servers (VPSs) to host its infrastructure. Its C2 may be mainly in the east, but it is mainly used to attack the west, and much of its C2 infrastructure is in countries that lack an extradition treaty with the United States. That said, some infrastructure is in the U.S. and European countries, which may be an attempt to make the infrastructure harder to profile.

Cofense clarifies that the widespread and widely distributed C2 infrastructure will not only assist to make sure these two threats remain active for longer but also that using geolocation to distinguish genuine and malevolent traffic might not be particularly effective.

75% of Workers Lack Security Awareness

MediaPro has published its 2018 State of Privacy and Security Awareness Report, which assesses the level of security awareness of employees across various industry sectors. The report is based on responses to surveys sent to 1,024 employees throughout the United States that tested their knowledge of real-world threats and security best practices.

This is the third year MediaPro has conducted the survey, which classifies respondents into one of three groups – Risk, Novice, or Hero – based on their knowledge of security threats and their understanding of the best practices that keep them and their organization safe.

In 2016, when the survey was first conducted, 16% of respondents were rated a Risk, 72% were rated Novices, and 12% were rated Heroes. Each year the proportion of Novices has fallen and the proportion of Heroes has risen. Unfortunately, the proportion of employees rated a Risk to their organization has also increased year-over-year.

In this year’s State of Privacy and Security Awareness Report, 75% of all respondents were rated as either a moderate or a severe risk to their organization: 30% of respondents were rated a Risk, 45% Novices, and 25% Heroes. 77% of respondents in management roles showed a lack of security awareness, which is of particular concern as managers are frequently targeted by phishers.

The main concerns were an inability to identify the signs of a malware infection and of a phishing attempt. There was also a weak understanding of social media risks. When asked questions about malware, nearly 20% of employees failed to identify at least one sign of a malware-infected computer. Given the rise in cryptomining attacks, it is worrying that a sluggish computer was the most commonly missed indicator of a malware infection.

Phishing attacks continue to increase, but phishing awareness is much worse than last year. 14% of respondents failed to recognize all the signs of a phishing email, compared with just 8% the previous year. The most commonly missed phishing lure was the offer of a hot stock tip, which 20% of respondents failed to identify. Knowledge of Business Email Compromise (BEC) scams was also poor.

It was a similar story for social media security, with around 20% of respondents making poor decisions on social media sites – decisions that could create problems for their business, such as disclosing confidential information or replying to potentially defamatory comments by colleagues.

An analysis of scores by industry revealed that financial services performed worst of the seven sectors represented in the study: 85% of respondents in financial services lacked security awareness to some degree.

“These levels of riskiness are shocking. It just takes one individual to click on the incorrect electronic mail that allows in the malware that exfiltrates your business’s data. Without everyone being more cautious, people and business data will carry on to be at risk,” said Tom Pendergast, chief security and privacy strategist at MediaPRO.

Brands Most Commonly Spoofed by Phishers Revealed

Vade Secure has released a new report detailing the brands most commonly targeted by phishers in North America. The Phishers’ Favorites Top 25 list reveals the brands most often spoofed in phishing emails detected in Q3, 2018.

For the latest report, Vade Secure tracked 86 brands and ranked them by the number of phishing attacks in which they were impersonated. Those 86 brands account for 95% of all brand-spoofing attacks in Q3, 2018. Vade Secure notes a 20.4% increase in phishing attacks in Q3.

As in the previous quarter, Microsoft is the most targeted brand. Phishers are attempting to obtain Azure, Office 365, and OneDrive credentials. If any of those login credentials can be obtained, attackers can raid accounts and steal sensitive information and, in the case of Office 365, use the email accounts to carry out further attacks on people within the same company or harvest contact information for external spear phishing attacks. Vade Secure noted a 23.7% increase in Microsoft phishing URLs in Q3.

The extent to which Microsoft is targeted is shown in the graph below:

In second place is PayPal, the most spoofed brand in financial services. Here the goal is simple: gain access to PayPal accounts and make transfers to accounts controlled by criminals. There was a 29.9% increase in PayPal phishing URLs in Q3, 2018.

Netflix phishing scams rose substantially in Q3, 2018. Vade Secure recorded a 61.9% increase in the number of Netflix phishing URLs. The goal of these campaigns is to obtain customers’ credit card details, for instance through threats of account closure unless the account is confirmed with credit card details. The rise in Netflix phishing attacks lifted the brand to third place in Q3.

Bank of America and Wells Fargo scams round out the top five, with 57.4% and 21.5% increases in phishing URLs respectively. While only 7th overall, Chase bank phishing scams are notable for the huge increase in attacks targeting the bank: Q3 saw a 352.2% rise in Chase bank phishing URLs, with a similar increase – 359.4% – in phishing attacks spoofing Comcast. The largest growth in phishing URLs was for CIBC. Vade Secure reports a 622.4% rise in detected phishing URLs, which lifted the Canadian Imperial Bank of Commerce 14 places in the ranking to 25th.

The report also shows that phishers favor Tuesdays and Thursdays for attacks targeting corporate users, while Netflix phishing scams most commonly occur on a Sunday. Vade Secure’s research also revealed that phishers are now using each phishing URL for a shorter period of time to avoid having their emails blocked by email security solutions.

As a result, more emails are delivered to inboxes, underlining the importance of raising the security awareness of staff.

Anti-Phishing Working Group Publishes Q2, 2018 Phishing Trends Report

The Anti-Phishing Working Group has published its Phishing Activity Trends Report for Q2, 2018. The report contains a summary and analysis of the phishing attacks reported to APWG by its member firms and partners between April and June 2018.

The APWG quarterly reports provide insights into current phishing trends and show the level of phishing attacks on businesses – attacks aimed at getting employees to disclose their login credentials, visit malicious websites, and install ransomware and malware.

During Q1, 2018, the number of detected phishing sites rose each month, from about 60,000 in January to roughly 110,000 in March. In Q2 that trend reversed, with a month-on-month decline in phishing websites to an annual low in June, when 51,401 phishing sites were detected. Although this is certainly good news, June’s figure is still considerably higher than that of June 2017.

Along with the drop in detected phishing sites, there has also been a drop in the number of spoofed brands. 274 brands were spoofed in April and 285 in May, but the figure fell sharply to 227 spoofed brands in June.

In Q2, 2018 an average of 88,161 unique phishing email reports were submitted to APWG by its customers. Throughout 2018 there has been little change in the number of phishing emails reported each month, with figures varying between about 80,000 and 90,000 a month for the whole year.

APWG reports a substantial rise in targeted attacks on software-as-a-service (SaaS) and webmail providers in Q2, 2018, which accounted for 21% of all phishing attacks. Cybercriminals are attempting to gain access to SaaS accounts, Office 365 for instance, to steal confidential company data. Webmail is a common target because compromised email accounts can be used to send spam and further phishing messages.

Although these attacks are on the rise, the bulk of attacks are on payment processors, banks, and their customers. These attacks accounted for 52% of all phishing attacks in Q2, although that was a slight decline from Q1, 2018. Figures from APWG contributor PhishLabs show that the proportion of phishing sites protected by HTTPS continues to increase, rising from 33% of sites in Q1, 2018 to just over 35% in Q2. That is a substantial rise from Q4, 2016, when fewer than 5% of phishing sites used HTTPS and had SSL certificates. The increase mirrors the growth in the number of legitimate websites that now use HTTPS and have SSL certificates.

Cofense Explores the State of Phishing Defense in 2018

The anti-phishing solution provider Cofense has released its 2018 State of Phishing Defense report. The report provides insights into the most common phishing emails used by cybercriminals and the message subjects that are most effective at tricking employees into clicking and disclosing sensitive information. The report also breaks down phishing attacks by industry sector and shows which industries are most vulnerable to phishing attacks.

In addition to describing the most effective phishing emails, Cofense also offers anti-phishing guidance and recommends best practices that should be adopted to make phishing simulation exercises and security awareness training more effective.

To compile the report, Cofense analyzed the responses to 135 million phishing email simulations from campaigns run by its customers. The company used a sample of 1,400 customers for its analysis, spread across 23 industries in more than 50 countries.

Cofense also analyzed more than 800,000 suspicious emails reported by employees through Cofense Reporter and roughly 48,000 real-world phishing campaigns, with data on the latter gathered via the Cofense Intelligence service. The study used phishing data gathered between July 2017 and June 2018.

2018 Phishing Data

  • Phishing is the number one cyber-attack vector
  • 91% of all data breaches begin with a phishing email
  • 92% of all malware is delivered via email
  • On average, each email user receives 16 malicious emails in their inbox every month
  • 1 in 10 reported emails is malicious
  • 21% of malicious emails contain attachments (malware or links hidden in attachments)
  • Business email compromise emails are rarely noticed and reported
  • More than 50% of reported emails relate to credential theft
  • The most common credential phishing emails target Office 365 logins

What are the Most Effective Phishing Emails

Cofense compiled a top ten list of phishing emails based on the most successful phishing campaigns of 2018. Six of the top ten campaigns used “invoice” as the subject line, with a further campaign using “customer invoice”. Invoice emails accounted for five of the top six phishing campaigns of 2018. “Payment remittance” was used in the second most successful campaign of 2018. “Statement” and “Payment” rounded out the top 10.

The top three reported phishing email subjects varied by industry sector, although “invoice” emails were the most commonly reported in every industry except healthcare, where “payment notification” was most common. Emails claiming there is a new message in a mailbox or a new fax were also common, as were payment notices. These common phishing themes are what companies should focus on when training employees, together with training on other current threats.

While it is common for anti-phishing and security awareness training to be provided annually, this is no longer sufficient. Cofense recommends that training be conducted far more frequently – at least quarterly. Although many companies punish employees for failing to identify malicious emails, it is far more effective to give those employees additional training and to do more to encourage employees to report potential email threats.

What is clear from Cofense’s research is that training and phishing simulations are effective at reducing susceptibility to phishing attacks. The more training that is provided, and the more practice employees have at identifying phishing emails (via simulations), the more resilient companies will be to phishing attacks.

You can download the Cofense 2018 State of Phishing Defense Report here.

Anthem Data Breach Settlement of $16 Million Agreed with OCR

The largest ever healthcare data breach in the United States has attracted the largest ever penalty for noncompliance with HIPAA Rules. The $16 million Anthem data breach settlement dwarfs the previous maximum HIPAA penalty of $5.55 million and reflects not only the severity of the Anthem Inc. data breach, in which the protected health information of 78.8 million plan members was stolen, but also the extent of noncompliance with HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA Rules, opened a HIPAA compliance review of Anthem in February 2015 when news of the massive cyberattack was reported in the media. The investigation was opened a full month before Anthem notified OCR of the breach.

Anthem discovered the cyberattack in late January 2015. Anthem investigated the breach with the help of the cybersecurity firm Mandiant and found that the attackers first gained access to its systems in December 2014. Access to its systems remained possible until January 2015, during which time the data of 78.8 million plan members was stolen.

The attack began with spear phishing emails sent to one of its subsidiaries, the response to which allowed the attackers to gain a foothold in the network. From there they explored its systems and raided its data warehouse, stealing highly sensitive information on its plan members, including names, employment details, email addresses, physical addresses, and Social Security numbers.

OCR’s compliance review revealed a number of areas where Anthem Inc. had failed to fully comply with HIPAA Rules. OCR determined that Anthem had failed to conduct a comprehensive risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also determined that insufficient policies and procedures had been implemented to review records of information system activity, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D), and that there was a failure to restrict access to its systems and data to authorized persons – a violation of 45 C.F.R. § 164.312(a).

HIPAA requires all covered entities to prevent unauthorized access to ePHI – 45 C.F.R. § 164.502(a) – which Anthem had failed to do.

Anthem chose to settle the case and pay a considerable fine with no admission of liability. A robust corrective action plan has also been agreed to address the HIPAA failures and ensure security is improved.

“Unluckily, Anthem failed to apply proper measures for identifying hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director Roger Severino. “We know that big health care units are attractive targets for hackers, which is why they are expected to have strong password policies and to check and react to safety occurrences in a timely manner or risk implementation by OCR.” The size of the HIPAA fine reflects the scale of the breach. “The biggest health data break in U.S. history completely merits the biggest HIPAA settlement in history,” said Severino.

KnowBe4 Launches ‘Domain Doppelgänger’ Lookalike Domain Identification Tool

A new tool has been announced by the security awareness training and phishing simulation platform provider KnowBe4 that helps firms identify ‘evil twin domains’ – lookalike spoofed domains commonly used by cybercriminals for phishing and spreading malware.

An evil twin domain closely resembles a genuine domain used by a firm. It may contain an extra letter, such as faceboook.com; be missing letters, such as welsfargo.com; contain transposed letters, such as faecbook.com, to catch out careless typists; or use an alternative TLD such as .co.uk or .ca in place of .com.

Evil twin domains are extremely common. A study by Farsight Security between Oct. 17, 2017 and Jan. 10, 2018 found 116,000 domains that spoofed well-known brands. The study revealed that for each genuine domain there were 20 lookalike domains, and 90% of those domains tried to trick visitors into thinking they were the real domain of the firm being spoofed.

These lookalike domains can be used to harvest login credentials for the sites they imitate. Mail servers are set up on the domains to send spam and phishing emails to customers and employees, or for a range of other malicious purposes. Checking for these bogus domains is therefore in the interest of all firms, from SMBs to large enterprises.
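The four mutation classes listed above are simple enough to check mechanically. The Python below is an added example written for this page, not KnowBe4’s Domain Doppelgänger tool or any code of theirs: it generates every single-mutation lookalike of a brand domain and, in the other direction, names the mutation that turns a brand into a given sender domain, so a defender can run it over the sender domains seen in mail-gateway logs. The ALT_TLDS list, the brand list and the sample sender domains are constructed for the illustration.

```python
"""Generate and classify 'evil twin' (lookalike) domains for a brand.

Added example; not KnowBe4's Domain Doppelgaenger tool. It models the four
mutation classes described in the text: an extra letter (faceboook.com), a
missing letter (welsfargo.com), two adjacent letters transposed (faecbook.com)
and an alternative TLD (.co.uk or .ca instead of .com). ALT_TLDS and
SAMPLE_SENDERS are constructed for the illustration.
"""
from __future__ import annotations

import string

ALT_TLDS = ("com", "co.uk", "ca", "net", "org")   # assumption: TLDs worth checking


def split_domain(domain: str) -> tuple[str, str]:
    """'facebook.co.uk' -> ('facebook', 'co.uk'): all after the first dot is the TLD."""
    label, _, tld = domain.strip().lower().partition(".")
    return label, tld


def generate_twins(brand: str, alt_tlds=ALT_TLDS) -> set[str]:
    """All single-mutation lookalikes of `brand` (the brand itself excluded)."""
    label, tld = split_domain(brand)
    twins: set[str] = set()
    for i in range(len(label) + 1):                    # extra letter
        for ch in string.ascii_lowercase:
            twins.add(f"{label[:i]}{ch}{label[i:]}.{tld}")
    for i in range(len(label)):                        # missing letter
        twins.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                    # adjacent transposition
        twins.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for alt in alt_tlds:                               # alternative TLD
        twins.add(f"{label}.{alt}")
    twins.discard(f"{label}.{tld}")   # swapping two equal letters yields the brand
    return twins


def _one_insertion(short: str, long: str) -> bool:
    """True if `long` is `short` with exactly one extra character."""
    return len(long) == len(short) + 1 and any(
        long[:i] + long[i + 1:] == short for i in range(len(long)))


def _one_transposition(a: str, b: str) -> bool:
    """True if `b` is `a` with one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def twin_class(candidate: str, brand: str) -> str | None:
    """Name the mutation that turns `brand` into `candidate`, or None.

    Only single mutations are modelled: a doubly mutated name or a prefix such
    as 'accounts-facebook.com' returns None and needs other checks.
    """
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    if c_label == b_label:
        return "alt-tld" if c_tld != b_tld else None
    if c_tld != b_tld:
        return None
    if _one_insertion(b_label, c_label):
        return "extra-letter"
    if _one_insertion(c_label, b_label):
        return "missing-letter"
    if _one_transposition(b_label, c_label):
        return "transposition"
    return None


# Constructed sender domains, as might be pulled from mail-gateway logs.
SAMPLE_SENDERS = ["facebook.com", "faceboook.com", "welsfargo.com",
                  "faecbook.com", "facebook.ca", "partner.example"]


def find_lookalikes(senders, brands=("facebook.com", "wellsfargo.com")) -> dict[str, tuple[str, str]]:
    """Map each suspicious sender domain to (brand it imitates, mutation class)."""
    hits: dict[str, tuple[str, str]] = {}
    for sender in senders:
        for brand in brands:
            cls = twin_class(sender, brand)
            if cls:
                hits[sender] = (brand, cls)
    return hits


if __name__ == "__main__":
    for sender, (brand, cls) in find_lookalikes(SAMPLE_SENDERS).items():
        print(f"{sender:18} imitates {brand:16} ({cls})")
```

`generate_twins` is the list you would feed to a registrar or passive-DNS lookup to see which lookalikes already exist; `twin_class` is the cheaper inbound check, and because it classifies rather than enumerates, it costs the same whatever the brand’s length. Everything after the first dot is treated as the TLD, which is what makes `.co.uk` and `.com` compare as a single unit.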

The tool – named Domain Doppelgänger – lets businesses easily check for domains that may be spoofing their brand, allowing them to take action to have the domains taken down and to warn customers and employees of the threat.

The free web-based tool searches for lookalike domains and returns a detailed PDF report describing the number of domains found, whether the domains have an active mail server, whether there is an active web server, and the risk level associated with those domains.

“In place of using several methods to search for at-risk domains, IT experts can use KnowBe4’s Domain Doppelgänger tool as a one-stop shop to find, aggregate, examine and evaluate these domains,” said Stu Sjouwerman, CEO, KnowBe4. “By learning the duplicate domains that might impact your product, you can better safeguard your company from cybercrime.”

2018 Has Seen a Noticeable Surge in Email Impersonation Attacks

The September Email Threat Report published by cybersecurity firm FireEye sheds light on the latest methods used by cybercriminals to trick end users into disclosing sensitive information such as login credentials for online bank accounts and email services.

Phishing attacks continue to dominate the threat landscape, and cybercriminals have been refining their methods to achieve a higher success rate. Standard phishing emails, sent in huge batches to random recipients, require no prior research on a person or business and can be effective if they reach an inbox. However, spam filtering solutions are now much better at identifying these ‘spray and pray’ email attacks, and end users can identify them as malicious with relative ease if they do reach an inbox. Many phishers are therefore spending more time researching targets and conducting far more sophisticated attacks to improve their success rate.

One of the most common pieces of advice given to employees in security awareness training is never to click a link or open an email attachment from an unknown sender. If an email is received from a known individual, it is far more likely to be trusted. It is also much harder for spam filtering solutions to identify such emails as malicious.

These impersonation attacks involve the attacker pretending to be a known contact, such as the CEO or a coworker. To pull off such a scam, the firm must first be researched to identify a person within it and find out their email address. That person’s email address is then spoofed to make it appear that the email was sent from their account.

From the attacker’s point of view, better still is compromising an employee’s email account, which can then be used to send phishing emails to coworkers from within the business. These Business Email Compromise (BEC) attacks are even harder to recognize as malicious, and if the CEO’s or CFO’s email account is compromised, employees are far more likely to respond and open a malicious attachment or click an embedded hyperlink.

Rather than having to craft a message for a single target, once access to an email account is gained it becomes far easier to deceive large numbers of people with generic phishing emails. “By including a phishing link in the impersonation electronic mail, cybercriminals understood they could send out a vaguer electronic mail to a larger amount of people while still seeing a similar open rate,” wrote FireEye in the report.

This method works well if the email account has been compromised, but it is also effective if the display name is spoofed to show a person’s real name rather than just the email address. Similarly, if the display name is changed to show a real email address used by the firm, many employees will believe the messages came from that person and will not carry out further checks to determine whether the email is genuine. An alternative method is to register a domain name extremely similar to the one used by the firm – with two letters transposed, for example – which can be enough to fool many employees.

These kinds of impersonation attacks are known as friendly name spoofing and are often effective. FireEye notes a major increase in these kinds of phishing attacks in the first half of the year. Furthermore, many of these emails are being delivered – 32% according to the FireEye report.
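Both display-name tricks described above leave a trace in the From header that a mail gateway or SOC script can check. The Python below is an added example written for this page, not FireEye’s method or tooling: it flags a From header when the display name is a known colleague’s name sitting on an external address, or when the display name itself contains an email address that is not the real sender. The internal domain example.com, the staff directory and the sample headers are constructed for the illustration.

```python
"""Flag friendly-name (display-name) spoofing in From: headers.

Added example; not FireEye's method or tooling. It applies two checks to
each From: header:
  1. the display name is a real internal person's name, but the address is
     external;
  2. the display name itself contains an email address that differs from
     the actual sender address.
INTERNAL_DOMAIN, DIRECTORY and SAMPLE_HEADERS are constructed.
"""
from __future__ import annotations

import re

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own domain

# Constructed staff directory: normalised display name -> real address.
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_from(header: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (display name, lower-cased address).

    A small parser is used on purpose: what email.utils.parseaddr returns for
    a display name that itself contains an address differs between Python
    versions, and that is exactly the case check 2 must see.
    """
    header = header.strip()
    if "<" in header and header.endswith(">"):
        name, _, rest = header.rpartition("<")
        return name.strip().strip('"').strip(), rest[:-1].strip().lower()
    return "", header.lower()


def normalise(name: str) -> str:
    """Collapse whitespace and case so 'Jane   DOE' matches 'jane doe'."""
    return " ".join(name.split()).lower()


def domain_of(address: str) -> str:
    return address.rpartition("@")[2]


def check_from(header: str) -> list[str]:
    """Return the findings for one header; an empty list means nothing suspicious."""
    name, addr = parse_from(header)
    findings: list[str] = []

    # Check 2: an address shown in the display name that is not the real sender.
    for embedded in EMAIL_RE.findall(name):
        if embedded.lower() != addr:
            findings.append(
                f"display name shows {embedded} but the message is from {addr}")

    # Check 1: a known colleague's name on an address outside the organisation.
    # An internal address that merely differs from the directory entry is left
    # to other controls, since it already passed the organisation's own checks.
    expected = DIRECTORY.get(normalise(name))
    if expected and addr != expected and domain_of(addr) != INTERNAL_DOMAIN:
        findings.append(
            f"display name '{name}' belongs to {expected} but the message is from {addr}")
    return findings


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                 # genuine
    '"Jane Doe" <jane.doe.ceo@mail.example>',          # friendly-name spoof
    "jane.doe@example.com <invoices@mail.example>",   # address in display name
    "Unknown Vendor <billing@vendor.example>",         # external, claims nothing
]


def triage(headers=SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Map each header to its findings; only suspicious headers are included."""
    return {h: f for h in headers if (f := check_from(h))}


if __name__ == "__main__":
    for header, findings in triage().items():
        print(header)
        for finding in findings:
            print("   ->", finding)
```

A mail client shows only the display name on a narrow screen, which is why check 1 matters: the real address is there in the header, it is just not what the recipient sees. A production version would source DIRECTORY from the identity provider rather than a literal, and would add the transposed-letter domain check the text mentions as a third lookalike technique.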

The study shows not only how important it is to deploy an advanced spam filtering solution to block these emails, but also how important it is for employees to receive security awareness training to help them recognize such attacks and to condition them to carry out additional checks on the actual sender of an email before taking any action.

Cofense Looks Closely at Healthcare Phishing Attacks

Cofense, the leading provider of human-based phishing threat management solutions, has released new research showing that the healthcare industry lags behind other sectors in its phishing defenses and is consistently attacked by cybercriminals, who often succeed in gaining access to sensitive patient health data.

The Department of Health and Human Services’ Office for Civil Rights publishes a summary of the data breaches reported by healthcare companies that involve more than 500 records. Every week, several email breaches are added to the portal.

The Cofense report digs deeper into these attacks and shows that a third of all data breaches occur at healthcare companies.

There are many examples of simple phishing attacks leading to attackers gaining access to sensitive data, some of which have resulted in the theft of enormous volumes of data. The phishing attack on the Augusta University healthcare system, reported in August 2018, resulted in the health data of 417,000 patients being breached.

Cofense conducted a cross-industry comparison of 20 verticals, including healthcare, financial services, technology, manufacturing, and energy, to determine how susceptibility and resiliency to phishing attacks vary by industry sector. The report compared email reporting against phishing susceptibility and showed that healthcare has a resiliency rate of only 1.34, compared with 1.79 across all industries, 2.52 for financial services, and 4.01 for the energy sector.

One of the main reasons for the low healthcare score is past underinvestment in cybersecurity, even though the industry is heavily regulated and healthcare companies are required by law to provide security awareness training to employees and to implement a range of controls to safeguard patient data.

The high cost of data breaches – $408 per record for healthcare companies compared with a cross-industry average of $148 per record – has meant that healthcare companies have had to invest more in cybersecurity. Although still behind other industries, the increased investment has produced improvements, even though there is still plenty of room for more.

Source: Cofense

By studying responses to simulated phishing emails sent through the Cofense PhishMe phishing simulation platform, the Leesburg, VA-based firm was able to identify the phishing emails most commonly clicked by healthcare employees. The most clicked messages were invoice requests, manager evaluations, package delivery emails, Halloween eCard alerts, and beneficiary changes, each of which had a click rate of over 18%. Having access to this data helps healthcare companies address the biggest risks. The report also details how, through training and phishing simulations, susceptibility to phishing attacks can be dramatically reduced.

The report includes a case study showing how, using the Cofense platform, one healthcare company was able to stop a phishing attack within just 19 minutes. It is not unusual for breaches to take more than 100 days to detect.

The Cofense Healthcare Phishing Report can be downloaded here (PDF).

Pegasus Spyware Campaigns Gather Speed: Infections Identified in 45 Countries

Pegasus spyware is a legitimate surveillance tool attributed to the Israeli cyber-intelligence firm NSO Group. The spyware runs on both Android smartphones and iPhones and allows security services to intercept text messages, track phone calls, track a phone’s location, and obtain passwords and data from apps on an infected device.

Since at least 2016, NSO Group has been offering Pegasus spyware to nation-state actors, according to the Citizen Lab, which has conducted an in-depth investigation into the use of the spyware.

The investigation into Pegasus spyware has been running for two years, during which time the researchers have seen a major increase in the number of operators using the malware. In 2016 there were only 200 known servers associated with Pegasus spyware; by 2018 the number had risen to over 600. There are currently 36 operators known to be using Pegasus spyware. Infections have been identified in 45 countries, and 10 operators have infections in a country other than their own.

Disturbingly, The Citizen Lab’s research shows that six operators are in countries with a track record of using spyware against civil society, namely the United Arab Emirates, Kazakhstan, Morocco, Saudi Arabia, Mexico, and Bahrain. The Citizen Lab states that the spyware has been used by Gulf Cooperation Council states to track dissidents, notably a UAE activist in 2016 and an Amnesty International staffer in Saudi Arabia this year. In a recent blog post, The Citizen Lab wrote: “Our conclusions paint a grim picture of the human-rights dangers of NSO’s worldwide propagation.”

The complete list of countries where Pegasus spyware has been detected is: Algeria, Bahrain, Uzbekistan, the United States, the United Kingdom, Uganda, the UAE, Turkey, Tunisia, Thailand, Togo, Switzerland, Tajikistan, Singapore, South Africa, Rwanda, Saudi Arabia, Poland, Qatar, Pakistan, Palestine, the Netherlands, Oman, Mexico, Morocco, Lebanon, Libya, Kyrgyzstan, Latvia, Kenya, Kuwait, Jordan, Kazakhstan, Iraq, Israel, Greece, India, Egypt, France, Canada, Cote d’Ivoire, Bangladesh, Brazil, Yemen and Zambia.

Although the spyware has been detected in those countries, NSO Group has criticized The Citizen Lab’s research, claiming that it has not supplied the spyware to several of the countries on the list and that it only sells its product to a limited number of countries approved under its Business Ethics Framework. The Citizen Lab stands by its research and maintains that serious doubts have been raised about “the usefulness of [NSO Group’s] internal mechanism if it exists at all.”