HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about safety experiences and cybersecurity practices at healthcare companies. The survey provides insights into the situation of cybersecurity in healthcare and identifies attack tendencies and common security gaps.

Continue reading “HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns”

Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been spotted that misuses Google Translate to make the phishing webpage seem to be an official login page for Google.

The phishing emails in the campaign are similar to several other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body almost identical to the messages sent by Google when a user’s Google account has been accessed from an unknown device or place.  The messages contain the Google logo and the text, “A user has just signed in to your Google Account from a new Windows appliance. We are transmitting you this electronic mail to confirm that it is you.”

Below the text is a clickable button with the text “Consult the activity.” Clicking the link will direct the user to a website that has a spoofed Google login box. If identifications are entered, they will be sent to the scammer.  

The electronic mails are sent from a Hotmail account – facebook_secur@hotmail.com – which is the first warning sign that the electronic mail notification is a fraud. On desktop browsers, the URL that users are directed to is obviously not official. A further indication that this is a fraud.

Nevertheless, the scam will not be so clear to any user on a mobile appliance. If the button in the electronic mail is clicked, the user will be directed to a phishing webpage that is served through Google Translate. The visible part of the URL in the address bar begins with translate.googleusercontent.com/translate, which makes the URL seem genuine. The use of Google Translate may be adequate to see the electronic mails bypass mobile safety defenses and the evidently official Google domain is likely to fool a lot of users into thinking the webpage is genuine.

If the user enters their Google identifications in the login box, an electronic mail is generated which transmits the identifications to the attacker. The user is then redirected to a bogus Facebook login page where the attackers also try to get the user’s Facebook login identifications.

The second attempt to phish for login identifications is easier to identify as fake as an old login box for Facebook is used. However, but at that point, the user’s Google account will already have been compromised.

The scam was recognized by Larry Cashdollar at Akamai.

Office 365 Phishing Campaign Uses SharePoint Partnership Request as Bait

A solitary Office 365 username/password blend can provide a hacker access to a huge quantity of confidential information. The information detailed in electronic mails can be of big value to rivals, identity thieves, and other fraudsters.

Office 365 identifications also give hackers access to cloud storage sources that can have extremely confidential business information and compromised accounts can be utilized to disperse malware and carry out additional phishing campaigns on a company’s workers and business associates.  

With the possible returns for a fruitful phishing attack so high, and a high proportion of companies using Office 365 (56% of all organizations internationally in 2018) it is no surprise that hackers are conducting targeted attacks on companies that use Office 365.

Office 365 Phishing Campaign Utilizes SharePoint Collaboration Request as Lire

A fresh report from Kaspersky Lab has emphasized an Office 365 phishing campaign that has confirmed to be highly effective. The campaign was first known in August 2018 and is still active. Kaspersky Lab approximates that as many as 10% of all companies using Office 365 have been targeted with the hack.

The campaign has been dubbed PhishPoint because it uses a SharePoint partnership request to lure workers into disclosing their Office 365 identifications. The electronic mails are reliable, the hyperlink seems to be genuine, the method used to get Office 365 login information is unlikely to stimulate doubt, and the campaign is able to sidestep Office 365 anti-phishing safeguards.

Electronic mails are transmitted to Office 365 users requesting partnership. The electronic mails have a genuine link to OneDrive for Business, which guides users to a document having an “Access Document” link at the bottom. As the hyperlink guides the user to a genuine document in OneDrive for Business, it is not recognized as a phishing electronic mail by Office 365.

If the user clicks the link he/she will be redirected to an Office 365 login page on a website managed by the attacker. The login page appears identical to the genuine login page utilized by Microsoft; however, any identifications entered on the site will be captured by the attacker.

Safeguarding Against Office 365 Phishing Attacks

Safeguarding against Office 365 phishing campaigns needs a defense in depth approach. Microsoft’s Advanced Threat Protection must be implemented to obstruct phishing electronic mails and avoid them from reaching inboxes, even though this campaign demonstrates that APT controls are not always effective. A better choice is to use a spam filtering/anti-phishing solution that looks deeper than the URL and examines the page/document where users are directed.

Endpoint safety solutions offer an additional safeguard against phishing attacks and web filters can be used to avoid users from visiting phishing websites. However, these technical solutions are not dependable.

New cheats are continuously being developed by cybercriminals that bypass anti-phishing defenses. Workers, therefore, need to be trained on how to identify phishing electronic mails and must be taught cybersecurity best practices. Through regular training, workers can be conditioned on how to react to electronic mail threats and can be changed into a robust last line of defense.

Latest Speedup Linux Backdoor Trojan Used in Widespread Attacks

Safety researchers at Check Point have recognized a new Trojan called Speedup which is being utilized in targeted attacks on Linux servers. The Speedup Linux backdoor Trojan can also be utilized to attack Mac appliances.

The Trojan is installed through abuses of weaknesses via six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The present campaign is targeting Linux appliances in the Philippines, China, India, and Latin America. The Trojan was first noticed in late December, but infections have risen substantially since January 22, 2019. Although the malware is now being acknowledged by numerous AV engines, at the time of analysis, the malware was not being noticed as malevolent.

As soon as fitted, the malware communicates with its C2 server and records the sufferer’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE weaknesses including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command implementation fault, and a JBoss AS 3/4/5/6 RCE weakness.

A Python script is included which checks for additional Linux servers within both internal and external subnets. Access is gained via brute force implies using a pre-defined list of usernames/passwords. Perseverance is achieved through cron and an internal mutex which makes sure only one occurrence remains active at any one time.

The Speedup Linux backdoor Trojan constantly communicates with its C2 and copies and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running procedures on an infected host, uninstall programs, and update connected files.

Check Point scientists have attributed the Speakup Linux backdoor Trojan to a danger actor known as Zettabithf.

The complicated nature of the malware indicates it is likely that the objective of the attacker is not just to install cryptocurrency miners. When infected, any number of different malware payloads can be installed. Check Point proposes that more intrusive and aggressive campaigns are likely to be introduced.

Importance of Safety Awareness Training Emphasized by Censuswide Study on Phishing Danger

A fresh study by the consultancy company Censuswide has exposed the extent to which workers are being deceived by phishing electronic mails and how in spite of the danger of a data breaches and regulatory penalties, many companies are not providing safety awareness training to their workforce.

Continue reading “Importance of Safety Awareness Training Emphasized by Censuswide Study on Phishing Danger”

Spotify Phishing Scam Identified: User Accounts Breached

Scientists at AppRiver have noticed a Spotify phishing cheat that tries to get users to disclose their Spotify identifications. The electronic mails use brand imaging that makes the electronic mails seem to have been transmitted by the music streaming facility. The emails are genuine, even though there are indications that the messages are not genuine.

The electronic mail template used in the Spotify phishing cheat asserts the user requires to verify their account details to get rid of limitations and make sure they can carry on to use their account. The messages contain the Spotify symbol and contact information in the footer. The electronic mails have a link that account holders are requested to click to take them to the Spotify website where they are requested to enter in their account identifications.

The Spotify phishing scam doesn’t contain a spoofed sender electronic mail address which makes this cheat quite easy to identify. Spotify is mentioned in the electronic mail address, but the domain makes it clear that the electronic mail has not come from a domain used by Spotify. That said, a lot of electronic mail receivers might fail to check the sender name and might click the link and be directed to the phishing web page.

The phishing web page used to gather account identifications also has Spotify branding and seems to be almost identical to the genuine Spotify login page. The only indication that the website is not genuine is the URL.

The information gathered through this phishing cheat might let the attacker gain control of a user’s account. The password to the site will be gotten, which might be used to gain access to other accounts maintained by the sufferer if the password has been reused on other websites. Passwords can also disclose other information concerning an individual, such as their dates of birth, and can provide hints as to how their passwords are produced. That can make brute force attacks on other websites much easier and faster to perform.

Increase in Phishing Emails Using .Com File Extensions

The anti-phishing solution supplier Cofense, formerly PhishMe, has informed a noticeable rise in phishing campaigns utilizing files with the .com extension. The .com extension is utilized for text files with executable bytecode. The code can be performed on Microsoft NT-kernel-based and DOS operating systems.

The campaigns recognized through Cofense Intelligence are mainly being transmitted to financial facility divisions and are utilized to download a range of malevolent payloads including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.

Some of the electronic mails in the campaigns clarify the user must open a .iso file attached to the electronic mail to see information linked to the electronic mail notification. The .iso file contains the .com executable. One such electronic mail announced to be from a firm that had received payment, however, had no outstanding bills. The electronic mail requested the receiver check the payment with the finance division to decide if a mistake had been made. The attachment seemed to be a credit notification from the bank.

The subject lines utilized in the phishing campaigns are different and include shipping information notices, price requests, remittance advice, bank information, and bills, even though the two most usual subjects contained a reference to ‘payment’ or a ‘purchase order’.

The payment themed electronic mails were utilized with the AzoRult information stealer and the purchase order subject lines were utilized with Loki Bot and Hawkeye.

Most of the campaigns utilized the .com file as an electronic mail attachment, even though some variations utilized an intermediate dropper and downloaded the .com file through a malevolent macro or exploit. The latter is becoming more usual as IT safety teams are prepared to the direct delivery method. Most of the malware variations used in these campaigns interconnected with domains hosted on Cloudflare. Nevertheless, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is utilized as a domain front as Cloudflare is often entrusted by companies and is for that reason less likely to arouse doubt.

Cofense expects there will be an increase in the use of .com attachments in phishing campaigns and suggests companies to include the file extension in their anti-phishing training programs and phishing electronic mail simulations to main users when attacks happen.

Z Services Selects TitanHQ to Provide New Cloud-Based Security

The Dubai-based managed facility supplier Z Services has increased its partnership with TitanHQ and is now offering cloud-based web filtering and in-country electronic mail archiving as a facility to clients all over the MENA region.

Cybersecurity is a crucial business concern all over the MENA region and businesses are increasingly looking to managed facility suppliers to provide solutions to improve their safety posture. It makes much more intelligence to have cybersecurity as an operational expenditure rather than a capital expenditure, which is achieved through cloud-based facilities instead of appliance-based solutions. Z Services has been increasing its customer base by supplying these solutions to SMEs through ISPs.

Z Services increased its cybersecurity facilities earlier this year with a new partnership with TitanHQ. The managed facility supplier began offering a new cloud-based anti-spam facility – Z Services Anti-Spam SaaS – which was powered by TitanHQ’s SpamTitan technology. The facility obstructs nuisance spam electronic mail and delivers safety against ransomware, malware, and phishing attacks.

The fame of the facility has encouraged Z Facilities to increase its partnership with TitanHQ and begin offering a new web filtering and electronic mail archiving facility to companies in the region via their ISPs. Its Internet security-as-a-service offering is powered by WebTitan and the in-country electronic mail archiving facility is powered by ArcTitan. TitanHQ provided its solutions in white label form letting Z Services to rebrand the solutions and generate its MERALE SaaS offering – An economical, auto-provisioned, Internet safety and compliance facility.

Through MERALE, SMEs are able to obstruct web-based dangers such as phishing and avoid ransomware and malware downloads while cautiously monitoring the online content workers can access. In addition to improving Internet safety, companies benefit from output gains through the obstructing of types of web content such as dating, gambling, and social media sites. An extensive reporting suite gives companies all the information they require on the online activities of the staff. The in-country electronic mail archiving facility assists companies abide by the government, state, and industry rules meet eDiscovery requirements.

“We trust that MERALE will be a game-changer in how small and medium companies in the region make sure their safety, and as a subscription-based facility, it removes the need for heavy investments and long-term commitments,” said, Nidal Taha, President – Middle East and North Africa, Z Services.

U.S. Treasury Probing $700,000 Loss to Phishing Scam

In July 2018, the Washington D.C. government fell for an electronic mail cheat that led to wire transfers totaling approximately $700,000 being sent to a scammer’s account.

The scammer mimicked a seller used by the city and demanded unsettled bills for construction work be paid. The seller had been hired to work on a design and build the project on a permanent supportive lodging facility.

The electronic mails demanded the payment method be altered from check to bank transfer, and particulars of a Bank of America account was specified where the payments needed to be directed. Three separate payments were made adding up $690,912.75.

The account details provided were for an account managed by the scammer. By the time the cheat was exposed, the money had already been drawn from the account and might not be recovered. As per a Washington Post inquiry, the scammer had mimicked the company Winmar Construction.

The electronic mails were transmitted from a domain that had been listed by the scammer that imitated that of the construction company. The domain was same except two letters which had been transferred. The scammer then generated an electronic mail address using that domain which was utilized to request payment of the bills.

As per the Washington Post, before this cheat, the D.C. government was targeted with several phishing electronic mails, even though Mike Rupert, a representative for the city’s chief technology officer, said those phishing attacks were not fruitful and were not linked to the wire transfer cheat.

These cheats are usual. They frequently involve an electronic mail account compromise which lets the scammers identify sellers and get details of remaining payments. David Umansky, a spokesman for the city’s chief financial officer stated the Washington Post that the attacker had gotten the information required to pull off the scam from the seller’s system and that D.C. officers failed to identify the fake domain and electronic mail.

After noticing the fake wire transfers, the D.C. government got in touch with law enforcement and steps have been taken to trace the scammers. Extra safety controls have now been implemented to avoid similar cheats from succeeding in the future, including the requirement for extra confirmation to take place to verify the genuineness of any request to alter bank information or payment methods.

The U.S Treasury Division has now started an inquiry into the breach, as bank scam is a central offense. That inquiry is continuing.

Cofense Expands 24/7 Global Phishing Defense

Cofense has declared that it has expanded its 24/7 Phishing Defense Facility to deliver even greater help to clients beyond business hours and make sure that phishing dangers are identified in the shortest possible time.

The Cofense Phishing Defense Center (PDC) was introduced to ease the load on IT safety teams by letting them offload some of the load of searching through electronic mails informed by their end users and analyzing those electronic mails to identify the actual threats.

When workers report doubtful electronic mails – through Cofense Reporter for example – the electronic mails are transmitted to Cofense Triage for scrutiny. The malware and danger experts in the Cofense PDC team carry out an in-depth study of the reported dangers and send complete information back to clients’ incident responders that let them take action to alleviate the threat. The quicker a threat can be identified, the lower the possibility of a worker reacting to the danger.

The Phishing Defense Service saves companies a substantial amount of time and effort and lets dangers to be identified and alleviated much more quickly. With the volume of phishing dangers rising, occurrence responders can easily get caught up identifying dangers in the hundreds of electronic mails that are informed as ‘suspicious’ by their workers. Data from Cofense indicates that usually, just 10%-15% of reported electronic mails are malevolent, however, all messages must be tested and evaluated.

The Cofense PDC team already works round-the-clock to evaluate active phishing dangers, nevertheless, the growth of the facility makes sure that irrespective of the time of day or night, new dangers are recognized in the shortest possible time frame. This is particularly vital for firms that have offices in several countries and time zones. Those businesses must not have to wait until business hours for dangers to be identified. They need to be identified day or night.

“Since threat actors do not sleep, neither should your defense capabilities,” clarified Josh Nicholson, Senior VP of Professional Services at Cofense. “Our improved, round-the-clock phishing defense facility puts clients at ease by offering expert analysis and reaction for any informed doubtful electronic mail, any day, any time, in a matter of minutes.”

The expansion will make sure that malware experts are always on hand to evaluate informed phishing attempts and assist clients to alleviate new phishing attempts much more quickly.

75% of Workers Lack Security Awareness

MediaPro has published its 2018 State of Secrecy and Safety Consciousness Report which evaluates the level of safety consciousness of workers across various industry sectors. The report is based on the replies to surveys sent to 1,024 workers throughout the United States that investigated their knowledge of real-world dangers and safety best practices.

This is the third year that MediaPro has carried out the survey, which classifies respondents in one of three groups –Risk, Novice, or Hero – based on their knowledge of safety dangers and understanding of best practices that will keep them and their company safe.

In 2016, when the survey was first carried out, 16% of respondents rated a risk, 72% were rated beginners, and 12% were rated as champions. Each year, the proportion of beginners has decreased and the proportion of champions has increased. Unluckily, the proportion of workers ranked as a danger to their company has also enhanced year-over-year.

In this year’s State of Secrecy and Safety Consciousness Report, 75% of all experts were rated as either a moderate or severe threat to their organization. 30% of respondents were considered to be a danger to the company, 45% were beginners, and 25% were champions. 77% of respondents in management ranks demonstrated a lack of safety consciousness, which is of specific concern as they are often targeted by phishers.

The main concerns were an incapability to identify the indications of a malware infection and a phishing attempt. There was also a weak understanding of social media dangers. When asked queries linked to malware, nearly 20% of workers failed to identify at least one sign of a malware infected computer. Given the rise in cryptomining attacks, it was a concern that a sluggish computer was the most usually ignored indication of a malware infection.

Phishing attacks carry on to increase but phishing awareness is much worse than last year. 14% of respondents failed to recognize all indications of a phishing electronic mail compared to just 8% previous year. The most usually neglected phishing attempt was the proposition of a hot stock tip, which was failed by 20% of respondents. There was also poor knowledge of Business Email Compromise (BEC) cheats.

It was a similar account for social media security, with about 20% of respondents making bad conclusions on social media sites – conclusions that might create problems for their business such as disclosing confidential information or replying to possibly defamatory comments by colleagues.

An analysis of scores by industrial sectors disclosed the financial facilities performed the worst of the seven industrial sectors represented in the study. 85% of respondents in the financial facilities had a lack of safety consciousness to some degree.

“These levels of riskiness are shocking. It just takes one individual to click on the incorrect electronic mail that allows in the malware that exfiltrates your business’s data. Without everyone being more cautious, people and business data will carry on to be at risk,” said Tom Pendergast, chief safety and secrecy planner at MediaPRO.

Brands Most Usually Spoofed by Phishers Exposed

Vade Secure has issued a new report describing the brands most usually targeted by phishers in North America. The Phishers’ Favorites Top 25 list discloses the most usually spoofed brands in phishing electronic mails found in Q3, 2018.

For the latest report, Vade Security followed 86 brands and rated them based on the number of phishing attacks in which they were mimicked. Those 86 brands account for 95% of all brands deceiving attacks in Q3, 2018. Vade Secure notices that there has been a 20.4% rise in phishing attacks in Q3.

As was the case the preceding quarter, Microsoft is the most targeted brand. Phishers are trying to gain access to Azure, Office 365, and OneDrive identifications. If any of those login identifications can be acquired, the attackers can raid accounts and steal private information, and in the case of Office 365, use the electronic mail accounts to carry out more attacks on people within the same company or use contact information for outer spear phishing attacks. Vade Secure has noted a 23.7% increase in Microsoft phishing URLs in Q3.

The level to which Microsoft is targeted is shown in the graph below:

In second place is PayPal, the prominent deceived brand in the financial facilities. Here the goal is simple. To gain access to PayPal accounts to make transferals to accounts managed by crooks. There has been a 29.9% increase in PayPal phishing URLs in Q3, 2018.

Netflix phishing cheats have risen substantially in Q3, 2018. Vade Secure records there has been a 61.9% increase in the number of Netflix phishing URLs. The goal of these campaigns is to gain access to clients’ credit card particulars, through dangers of account closures that need confirmation using credit card details, for instance. The rise in Netflix phishing attacks saw the brand rise to third place in Q3.

Bank of America and Wells Fargo cheats make up for the top five, which had 57.4% and 21.5% phishing URL rises respectively. While down in 7th place overall, Chase bank phishing cheats are notable because of the huge increase in phishing attacks targeting the bank. Q3 saw a 352.2% rise in Chase bank phishing URLs, with a similar increase – 359.4% – in phishing attacks deceiving Comcast. The maximum growth in phishing URLs was for CIBC. Vade Security informs there was a 622.4% rise in spotted phishing URLs, which lifted the Canadian Imperial Bank of Commerce up 14 spots in the ranking to 25th place.

The report also demonstrates that phishers prefer Tuesdays and Thursdays for attacks targeting company users, while Netflix phishing cheats most usually take place on a Sunday. Vade Secure’s research also disclosed phishers are now using each phishing URL for a briefer period of time to evade having their electronic mails obstructed by electronic mail safety solutions.

As a consequence, more electronic mails are delivered to inboxes, emphasizing the significance of increasing safety awareness of the staff.

KnowBe4 Starts ‘Domain Doppelgänger’ Bogus Domain Identification Tool

A new tool has been announced by the safety consciousness training and phishing simulation platform supplier KnowBe4 that can assist firms to identify ‘evil twin domains’ – lookalike deceived domains that are usually used by cybercriminals for phishing and spreading malware.

An evil twin domain is very similar to a real website that is used by a firm. It might contain an additional letter such as faceboook.com, have lost letters such as welsfargo.com, contain altered letters such as faecbook.com to catch out uncaring typists, or use substitute TLDs such as a.co.uk or .ca in place of a .com.

Evil twin domains are exceptionally common.  A study carried out by Farsight Security between Oct. 17, 2017 and Jan. 10, 2018 found 116,000 domains that deceived well-known products. The study disclosed that for each real domain there were 20 duplicate domains and 90% of those domains tried to deceive visitors into thinking they were the actual domain used by the firm that was being deceived.

These duplicate domains can be used to get login identifications to the sites they imitate. Mail servers are set up using the domains for transmitting spam and phishing electronic mails to clients and workers, or for a range of other evil purposes. Checking for these bogus domains is therefore in the interest of all firms, from SMBs to big enterprises.

The tool – named Domain Doppelgänger – lets businesses to easily check for domains that might be deceiving their brand, letting them take action to take down the domains and warn clients and workers of the danger.

The free web-based tool will search for duplicate domains and will send back a detailed PDF report describing the number of private domains found, whether the domains have an active mail server, whether there is an active web server and the risk level linked with those domains.

“In place of using several methods to search for at-risk domains, IT experts can use KnowBe4’sDomain Doppelgänger tool as a one-stop shop to find, aggregate, examine and evaluate these domains,” said Stu Sjouwerman, CEO, KnowBe4. “By learning the duplicate domains that might impact your product, you can better safeguard your company from cybercrime.”

Cofense Looks Closely at Healthcare Phishing Attacks

Cofense, the prominent supplier of human-based phishing threat management solutions, has issued new research that demonstrates the healthcare industry lags behind other industrial sectors for phishing protections and is consistently attacked by cybercriminals who often succeed in gaining access to secret patient health data.

The Division of Health and Human Services’ Office for Civil Rights issued a synopsis of data breaches informed by healthcare companies that have involved over 500 records. Each week, many electronic mail breaches are registered on the portal.

The Cofense report examines deeper into these attacks and demonstrates that a third of all data breaches happen at healthcare companies.

There are several instances of how simple phishing attacks have led to attackers gaining access to secret data, some of which have led to the theft of enormous volumes of data. The phishing attack on Augusta University healthcare system, informed in August 2018, led to the health data of 417,000 patients being breached.

Cofense did a cross-industry comparison of 20 verticals including healthcare, the financial facilities, technology, manufacturing, and the energy sectors to decide how vulnerability and resiliency to phishing attacks differ by industrial sectors. The report compared electronic mail reporting against phishing vulnerability and demonstrated that healthcare has a resiliency rate of only 1.34, compared to 1.79 rate for all industries, 2.52 for the financial facilities, and 4.01 for the energy sector.

One of the main causes for the low healthcare score has been past underinvestment in cybersecurity, although the industry is greatly controlled and healthcare companies are required by law to provide safety consciousness training to workers and should implement a variety of controls to safeguard patient data.

The high cost of data breaches – $408 per record for healthcare companies compared to a cross-industry average of $148 per record – has implied that healthcare companies have had to invest more in cybersecurity. Although still worse than other industries, the enhanced investment has seen improvements made even though there is still plenty of room for improvement.

Source: Cofense

By studying replies to simulated phishing electronic mails transmitted through the Cofense PhishMe phishing simulation platform, the Leesburg, VA-based firm was able to recognize the phishing electronic mails that are most usually clicked by healthcare workers. The top clicked messages were bill requests, manager assessments, package delivery electronic mails, Halloween eCard alerts, and beneficiary changes, each of which had a click rate of over 18%. Having access to this data assists healthcare companies to address the biggest dangers. The report also details how, through training and phishing simulations, vulnerability to phishing attacks can be radically decreased.

The report contains a case study that demonstrates how by using the Cofense platform, one healthcare company was able to halt a phishing attack within just 19 minutes. It is not unusual for breaches to take more than 100 days to identify.

The Cofense Healthcare Phishing Report can be downloaded here (PDF)

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

Phishing Accounts for 50% of All Online Scams

An examination of existing cyber scam dangers by network safety company RSA demonstrates that phishing attacks have risen by 70% since Q2 and currently account for 50% of all online scam attacks experienced by companies.

Phishing attacks are widespread since they are easy to carry out and have a high achievement rate. An attacker can set up a webpage that impersonates a famous brand such as Microsoft or Google that appeals login details. Electronic mails are then transmitted having hyperlinks to the site together with a legal reason for clicking. As per a research carried out by Verizon, 12% of users click hyperlinks in phishing electronic mails.

RSA notes that the bulk of phishing attacks are carried out in the United States, Canada, and the Netherlands, which account for 69% of all attacks.

RSA has also drawn attention to a particular variation of phishing named vishing. Instead of using electronic mail, vishing attacks happen over the phone. A typical instance involves a scammer pretending to be from the target’s bank. Although the call is unwanted, the scammer pretends that there is a safety problem that requires to be settled and requests confidential information such as bank account information, passwords, and security questions and answers. Vishing accounts for 1% of all scam attempts even though it is a serious danger.

A new variation of vishing has even greater possibility to attain the desired result. Instead of the attacker calling a target, the attacks work in opposite with users calling the scammer. This is being done through search engine killing – Getting malevolent websites listed in the organic search engine results. Other variations include wrong information mailed on social media sites and help media.

14% of spam attacks involve brand misuse: Deceptive posts on social media that deceive a famous brand. 12% of scam attacks involved Trojan horses – malware which is fitted under wrong pretexts. As soon as installed, the malware harvests confidential information such as banking identifications. 2% of scam attacks involve the use of rogue mobile apps. 9,329 rogue moveable apps were identified by RSA in Q3, 2018.

Scam through moveable browsers accounted for the bulk of scam dealings (73%) in Q3 – A rise of 27% since this time last year.

APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

A new spear-phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government agencies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first known in late October.

The campaign is being carried out through spam electronic mail and uses weaponized Word document to deliver two malware variations. The first, the Zebrocy Trojan, has been used by APT28 in earlier campaigns and was first identified in 2015. The main purpose of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It serves as a downloader and backdoor and is used to send more malevolent payloads to systems of interest to the group.

Unit 42 scientists also identified a second Trojan. A new malware variation named the Cannon Trojan. Although Zebrocy uses HTTP/HTTPS for its C2 communications, the Cannon Trojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The Cannon Trojan is used to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of importance, the Cannon Trojan can download extra malevolent code.

One of the electronic mail campaigns uses the current Lion Air plane accident as the attraction to get users to open the malevolent Word document. The document name is Crash List (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

Upon opening the document, the user is presented with a message stating the document has been generated using an earlier type of Word. The user should click on Enable Content to show the matters of the file. The macro will only be loaded if a link to its C2 exists. If no link is available, the macro will not run.

Provided there is a C2 link, the macro is launched. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign uses the AutoClose function to delay the complete execution of the malevolent code. It’s only when the user closes the document that the macro will complete and the payload will be downloaded.

The CannonTrojan initially sends a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam then communicates with two additional attacker-controlled electronic mail accounts over POP3S, through which it gets its commands. Because of the level of encryption delivered by both SMTPS and POP3S, the C2 channel is tough to obstruct.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

2018 Safety Awareness Training Figures

A new study carried out by Mimecast has produced some interesting security mindfulness training figures for 2018. The survey shows a lot of companies are taking substantial risks by not providing sufficient training to their workers on cybersecurity.

Question the IT department what is the greatest cybersecurity danger and several will say end users. IT teams put a considerable amount of effort into applying and maintaining cybersecurity fortifications, only for employees to take actions that introduce malware or lead to an electronic mail breach. It is understandable that they are annoyed with employees. Most cyberattacks start with end users. By compromising one appliance, an attacker gains a footing in the system which can be utilized as a Launchpad for more attacks on the business.

However, it doesn’t need to be like that. Businesses can create a strong last line of protection by providing safety awareness training to employees to help them identify threats and to prepare them how to respond and report difficulties to their IT group. The difficulty is that a lot of businesses are failing to do that. Even when cybersecurity teaching is provided, it is often insufficient or not obligatory. That means it is just partly effective.

Mimecast’s security awareness training figures show that just 45% of firms provide workers with recommended safety awareness teaching that is obligatory for all employees. 10% of firms have training programs available, however, they are only voluntary.

Explore deeper into these safety awareness training statistics and they are not quite as they appear. Certainly, 45% of firms provide obligatory cybersecurity training but, in many cases, it falls short of what is needed.

For example, only 6% of firms provide monthly training and 4% do so three-monthly. For that reason, just 10% of the 45% are providing training regularly and are adhering to acceptable industry standards for safety. 9% of the 45% only provide safety awareness training when an employee joins the company.

The training processes used proposed safety awareness training, for a lot of businesses, is more of a checkbox item. 33% provide printed lists of cybersecurity guidelines or electronic mail instructions even though several employees will simply neglectthose messages and handouts.

30% issue prompts concerning possibly risky links, in spite of that little is done stop employees actually clicking those links. Businesses are in its place relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and they lack suitable skills. Only 28% are using interactive training videos that involve users.

These safety awareness training figures show that firms clearly need to do more. As Mimecast proposes, effective safety awareness training means making training obligatory. Training must also be a continuous process and simply handing out advices is not sufficient.

You must involve workers and make the training more enjoyable and ideally, amusing.  “The easiest way to lose your audience is by making the training dull, unconnected,and worst of all, unmemorable.”