Brian Pennington

A blog about Cyber Security & Compliance

Tag

Malware

Profile of growing attacks against the internet infrastructure - infographic

Cisco’s 2014 Security Report as an infographic

Dell's New Unknown Threats Infographic

According to Dell, organisations are overlooking powerful new unknown threats.

Read more here https://brianpennington.co.uk/2014/02/20/byod-cloud-and-the-internet-are-the-top-areas-of-concern-for-security-threats/

BYOD, Cloud and the Internet are the top areas of concern for security threats.

A Dell global security survey reveals “the majority of IT leaders say they do not view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin”.

Key findings of Dell’s research include:

  • 37% ranked unknown threats as a top security concern in the next five years
  • 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85% said this approach is needed, contrasting with Canada at 45% followed by the U.K. at 43%
  • 78% in the United States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector
  • 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months
  • 50% believe security training for both new and current employees is a priority
  • 54% have increased spending in monitoring services over the past year; this number rises to 72% in the United States

Among the IT decision-makers surveyed, BYOD, cloud and the Internet were the top areas of concern for security threats.

BYOD. A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk.

  • 93% of organizations surveyed allow personal devices for work. 31% of end users access the network on personal devices (37% in the United States)
  • 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches
  • 57% ranked increased use of mobile devices as a top security concern in the next five years (71% in the U.K.)
  • 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches

Cloud. Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. Survey findings prove these stealthy threats come with high risk.

  • 73% of respondents report their organizations currently use cloud (90% in the United States)
  • 49% ranked increased use of cloud as a top security concern in the next five years; only 22% said moving data to the cloud was a top security concern today
  • In organizations where security is a top priority for next year, 86% are using cloud
  • 21% said cloud apps or service usage are the root cause of their security breaches

Internet. The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by the following:

  • 63% of respondents ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.
  • More than one-fifth of respondents consider infection from untrusted remote access (Public Wifi) among the top three security concerns for their organization
  • 47% identified malware, viruses and intrusions often available through web apps, OS patching issues, and other application-related vulnerabilities as the root causes of breaches
  • 70% are currently using email security to prevent outsider attacks from accessing the network via their email channel

76% of IT leaders surveyed (93% in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters.

The full Dell report can be found here.

The European Cybercrime Centre – one year on

What are the main future cybercrime threats on the horizon? And how has the European Cybercrime Center (EC3) contributed to protect European citizens and businesses since its launch in January 2013? 

These questions are at the core of an EC3 report presented today, and discussed at a conference organised by the Commission, with participants from law enforcement authorities, national and EU institutions and the private sector.

“Criminal behaviour is changing fast, exploiting technological developments and legal loopholes. Criminals will continue to be creative and deploy sophisticated attacks to make more money, and we must be able to keep up with them. The expertise of the EC3 is helping us to fight this battle and boost European cooperation. Through several successful, far-reaching operations in the past year, the European Cybercrime Centre has already earned well-deserved fame amongst law enforcement agencies”, said Commissioner for Home Affairs Cecilia Malmström.

Troels Örting, Head of the European Cybercrime Centre added: “In the 12 months since EC3 opened we have been extremely busy helping EU law enforcement authorities to prevent and investigate cross-border cybercrime. I am proud and satisfied with our results so far, however we cannot rest on our laurels. I am especially worried about the increasingly complex forms of malware that are surfacing, along with more technologically advanced cyber-scams, and the so-called ‘sextortion’ of minors. We have only seen the tip of the iceberg, but EC3, backed by our valued stakeholders and partners, is dedicated to supporting Member States’ future frontline cybercrime operations.”

According to a recent Eurobarometer

  • 12% of European internet users have had their social media or email account hacked
  • 7% have been the victim of credit card or banking fraud online

EC3 achievement highlights

The main task of the European Cybercrime Centre is to disrupt the operations of organised crime networks that commit serious and organised cybercrime (for more details, see MEMO/13/6 and infographics). Concretely, the EC3 supports and coordinates operations and investigations conducted by Member States’ authorities in several areas. Recent examples include:

High-tech crimes (cyber-attacks, malware)

In its first year, the EC3 assisted in the coordination of 19 major cybercrime operations, for instance: 

  • Two major international investigations (Ransom and Ransom II) were concluded, related to so-called Police Ransomware – a type of malware that blocks the victim’s computer, accusing the victim of having visited illegal websites containing child abuse material or other illegal activity. Criminals request the payment of a “fine” to unblock the victim’s computer, making the Ransomware look as if it comes from a legitimate law enforcement agency. Cybercriminals convince the victim to pay the ‘fine’ of around €100 through two types of payment gateways – virtual and anonymous. The criminals investigated by EC3 infected tens of thousands of computers worldwide, bringing in profits in excess of one million euros per year. 13 arrests were made (mainly in Spain) and the networks were broken up.
  • EC3 has also supported several international initiatives in the areas of botnet takedowns, disruption and investigation of criminal forums and malware attacks against financial institutions, such as the recent takedown of the ZeroAccess botnet together with Microsoft and high-tech crime units from the German BKA, Netherlands, Latvia, Luxembourg and Switzerland.

Online child sexual exploitation

At present, EC3 supports 9 large child sexual exploitation police operations within the European Union. In the first year of EC3, significant efforts – jointly with many Member States and non-EU cooperation partners – were put into combating the illegal activities of paedophiles engaged in the online sexual exploitation of children using hidden services.

EC3 is involved in many operations and joint investigations targeting the production and distribution of child abuse material on various internet platforms. It is providing ongoing operational and analytical support to investigations on the dark net, where paedophiles trade in illicit child abuse material in hidden forums, as well as to investigations into ‘sextortion’. Sextortion is the term given to the phenomenon where child abusers gain access to inappropriate pictures of minors and use the images to coerce victims into further acts or the abuser will forward the images to family and friends of the victim.

Payment fraud

The EC3 is currently providing operational and analytical support to 16 investigations, regarding payment fraud. In 2013 it supported investigations resulting in three different international networks of credit card fraudsters being dismantled: 

  • One operation led to the arrest of 29 suspects who had made a 9 million Euro profit by compromising the payment credentials of 30,000 credit card holders. 
  • The second network that was tackled resulted in 44 arrests during the operation (which followed 15 previous arrests; 59 arrests in total) in several Member States, two illegal workshops for producing devices and software to manipulate Point-of-Sale terminals dismantled, illegal electronic equipment, financial data, cloned cards, and cash seized. The organised crime group had affected approximately 36.000 bank/credit card holders in 16 European countries. 
  • The third operation targeted an Asian criminal network responsible for illegal transactions and the purchasing of airline tickets. Two members of the criminal gang, travelling on false documents, were arrested at Helsinki airport. Around 15,000 compromised credit card numbers were found on seized computers. The network had been using card details stolen from cardholders worldwide. In Europe, over 70,000 euros in losses were suffered by card holders and banks. 
  • An operation against airline fraudsters using fraudulent credit cards to purchase airline tickets was coordinated by the EC3 in 38 airports from 16 European countries. During the operation, more than 200 suspicious transactions were reported by the industry and 43 individuals were arrested (followed by another 74 arrests after the action day; 117 arrests in total). These were all found to be linked to other criminal activities, such as the distribution of credit card data via the internet, intrusions into financial institutions’ databases, other suspicious transactions, drug trafficking, human smuggling, counterfeit documents including IDs, and other types of fraud. Some of those detained were already wanted by judicial authorities under European Arrest Warrants.

Future threats and trends in cybercrime

Currently, around 2.5 billion people worldwide have access to the internet and estimates suggest that around another 1.5 billion people will gain access in the next four years. As our online life, with all its immense advantages, will continue to grow, so will our exposure to online crime. In its first yearly report, the EC3 looks at future cybercrime threats and trends. Among others, it points to the following:

Growing ranks of criminals. The threshold for stepping into the business of cybercrime is becoming very low. Already now, a complete underground economy has developed, where all sorts of criminal products and services are traded, including drugs, weapons, hired killings, stolen payment credentials and child abuse. Any kind of cybercrime can be procured even without technical skills – password cracking, hacking, tailor-made malware or DDoS attacks.

More demand. It is expected that the demand for and use of cybercrime services will increase, resulting in an even stronger growth of the development, testing and distribution of malware; building and deployment of botnets; theft and trade in payment credentials as well as money laundering services.

Increased sophistication. The development of more aggressive and resistant types of malware is expected. This includes ransomware with more advanced encryption complexity; more resilient botnets; and banking malware and Trojans with advanced sophistication, in order to circumvent protection measures by financial institutions.

Even more global. Due to rapidly spreading internet connectivity, cybercrime originating in Southeast Asia, Africa and South America will grow.

Going mobile. A shift of malware development is expected towards the operation on, and distribution through, mobile devices.

Smarter distribution. New ways of distributing aggressive and resistant types of malware are expected in the coming years. There is also an increasing, worrying trend of offering child abuse through live streaming, which leaves police without evidence unless intercepted at the time of transmission.

Increased need for money-laundering. Criminals will seek easy ways of cashing and laundering profits. Targeting large numbers of citizens and small to mid-sized companies for relatively small amounts is a scenario likely to continue. But also the use of payment credentials for online purchases will grow. The demand for e-currencies and other anonymous payment systems will rise further.

Targeting of cloud services. The hacking of cloud services becomes more and more interesting for criminals. It is expected that criminals will increasingly aim at hacking such services for the purpose of spying, retrieval of credentials and extortion.

To address these developments and fight a crime that by its very nature knows no borders or jurisdictions, the EC3 will continue to provide operational support to law enforcement agencies from EU Member States and from non-EU cooperation partners. It will further develop its expertise in training and capacity building, strategic analysis and digital forensic support.

Reproduced from http://europa.eu/index_en.htm

No such thing as hacker proof a Deloitte Infographic

Based on a study of global cyber activity, hackers continue to be responsible for the largest number of data breaches. The general trend of vulnerabilities that allow attackers to compromise availability, confidentiality, or integrity of a computer system is upward. For 2012, there were approximately 101 new vulnerabilities each week.

Europe’s Threat Landscape 2013 a report by ENISA

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. 

Questions addressed are:

  • What are the top cyber-threats of 2013?
  • Who are the adversaries?
  • What are the important cyber-threat trends in the digital ecosystem?

Among the key findings is that cyber threats have gone mobile, and that adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%.

The ENISA Threat Landscape presents the top current cyber threats of 2013 and identifies emerging trends. In 2013 important news stories, significant changes and remarkable successes have left their footprint in the cyber-threat landscape. Both negative and positive developments have formed the 2013 threat landscape. In particular:

Negative trends 2013:

  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: Big Data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:

  • Some impressive law-enforcement successes. Police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased
  • Vendors gained speed in patching their products in response to new vulnerabilities.

The top three threats:

  1. Drive-by-downloads
  2. Worms/Trojans
  3. Code injections.

Key open issues identified are:

  • The end-users lack knowledge yet they need to be actively involved. Adoption of simple security measures by end-users would reduce the number of cyber incidents by 50% worldwide!
  • Numerous actors work on overlapping issues of threat information collection and threat analysis. Greater coordination of information collection, analysis, assessment and validation among involved organisations is necessary.
  • The importance of increasing the speed of threat assessment and dissemination, by reducing detection and assessment cycles has been identified.

The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “This threat analysis presents indispensable information for the cyber security community regarding the top threats in cyber-space, the trends, and how adversaries are setting up their attacks by using these threats.”

The full report can be found here.


RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA’s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online with support of tutors, course work and counselling is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

Fraud-as-a-Service (FaaS) strives to resemble legitimate business models; fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give 2 hours’ advance notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how it all works, who are the clients, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law?
  • Building Your Business – Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD); both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security (ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD); $35 – additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, phishing resulted in an estimated $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.


The Cost Of Insecurity

It is simple: your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean up.

RSA’s August 2013 Online Fraud Report featuring a review of “phish lockers”

RSA’s August 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

Much like most banking Trojans, phish lockers are activated by trigger. When an infected user logs into a website contained on the malware’s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don’t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera.

The first visible action that the user will see is the browser window being shut down, then the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop up a corresponding web form that looks exactly like a legitimate web page, but is actually a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user’s mobile number.

When banking Trojans infect user machines, they are present on the device and can log a user’s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using pre-defined domains as communication resources. Phish lockers, on the other hand, are not designed to carry out such complex activity and use basic methods to transmit stolen data, such as email.

In order to facilitate sending emails from the infected PC, the malware’s author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker’s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.
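One way to hunt for the behaviour described above on the defender's side, as an added example that is not part of RSA's report or the original post: flag workstations where a process other than the approved mail client opens an SMTP connection to anything but the corporate relay, and raise the severity when a browser on the same host exited shortly before. The log format, host names, process names, relay address and the 10-minute window are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}
# Browsers the report names as supported by the malware.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# Site-specific assumptions: adjust to the real mail client and relay.
APPROVED_MAIL_PROCESSES = {"outlook.exe"}
APPROVED_RELAYS = {"10.0.0.25"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed endpoint telemetry (not real data). Fields:
# timestamp host event_kind process dest_ip dest_port
SAMPLE_EVENTS = """\
2013-08-12T09:00:10 WS-004 net_connect outlook.exe 10.0.0.25 587
2013-08-12T09:14:02 WS-017 proc_exit chrome.exe - -
2013-08-12T09:16:40 WS-017 net_connect svcupd.exe 203.0.113.40 25
2013-08-12T10:02:00 WS-022 net_connect backup_agent.exe 198.51.100.7 587
2013-08-12T10:30:00 WS-031 proc_exit firefox.exe - -
2013-08-12T11:30:00 WS-031 net_connect notifier.exe 203.0.113.40 25
2013-08-12T11:45:00 WS-004 net_connect chrome.exe 198.51.100.9 443
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into time-ordered dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, process, dest_ip, dest_port = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "kind": kind,
            "process": process.lower(),
            "dest_ip": None if dest_ip == "-" else dest_ip,
            "dest_port": None if dest_port == "-" else int(dest_port),
        })
    return sorted(events, key=lambda e: e["time"])


def find_direct_smtp(events):
    """Return findings for SMTP sessions that bypass the approved mail path.

    severity is "high" when a browser exited on the same host within
    CORRELATION_WINDOW before the connection, otherwise "medium".
    """
    last_browser_exit = {}  # host -> time of most recent browser exit
    findings = []
    for e in events:
        if e["kind"] == "proc_exit" and e["process"] in BROWSERS:
            last_browser_exit[e["host"]] = e["time"]
            continue
        if e["kind"] != "net_connect" or e["dest_port"] not in SMTP_PORTS:
            continue
        # Only the approved client talking to the approved relay is expected.
        if (e["process"] in APPROVED_MAIL_PROCESSES
                and e["dest_ip"] in APPROVED_RELAYS):
            continue
        exit_time = last_browser_exit.get(e["host"])
        correlated = (exit_time is not None
                      and e["time"] - exit_time <= CORRELATION_WINDOW)
        findings.append({
            "host": e["host"],
            "process": e["process"],
            "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
            "severity": "high" if correlated else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_direct_smtp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Blocking outbound SMTP from workstations at the egress firewall, so that only the mail relay can reach external mail servers, removes this exfiltration path rather than just detecting it.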

RSA’s conclusion

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.

This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals as they are denied access to purchase more advanced malware kits to launch attacks. This could perhaps be pushing some cybercriminals to write and deploy simple malicious codes that will at least get their dirty work done.

Phishing Attacks per Month

RSA identified 45,232 phishing attacks launched worldwide in July, marking a 26% increase in attack volume in the last month.

US Bank Types Attacked

National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July while credit unions were targeted by one out of every ten attacks last month.

Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, Canada, South Africa and Italy were collectively targeted by 15% of phishing volume.

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and China together endured one-quarter of phishing attack volume.

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by Canada, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Cisco’s Infographic is an interesting turn on the ROI message as it looks at security from the loss prevention angle rather than earnings.

Especially with Data Centre downtime costing on average $336,000 per hour.

100,000 new security threats are identified each day

94% of all data compromised involves servers

Is Your Business Safe From Cyberattacks? An excellent Infographic from Imperva shows the seven stages of a targeted attack and makes eight recommendations on how to protect your data.

Is your business safe from a cyber attack

Infographic: Email Security Perception v Reality

Overconfident Employees and Lack of Email Security Tools Lead to Risky Behavior

A study by SilverSky reveals that when it comes to email security in the workplace, 98% of employees believe they demonstrate either equally secure or more secure behaviours than their colleagues.

The study examines corporate email security habits and perceptions, and is based on an online, quantitative survey conducted in July 2013. Respondents included 119 business professionals at U.S. organizations across a variety of industries.

Key findings from the study include:

  • 43% of respondents indicated they were “very concerned about email security and go above and beyond the company prescribed procedures” to protect their business communications.
  • 30% of respondents claimed to be “much more security conscious” than their co-workers.
  • 56% have accidentally sent an email to the wrong person while at work.
  • 53% have received unencrypted, risky corporate data (credit card numbers, social security numbers, etc.) via emails or email attachments.
  • One in five respondents know of someone within their organization who has been caught and reprimanded for sending out sensitive information without adhering to corporate protocol.
  • 53% were quick to single out co-workers, saying they’ve received unencrypted, sensitive data – such as sensitive attachments, social security numbers, protected health information, and valuable corporate secrets – via email
  • 17% admitted to sending out this risky data themselves.
  • 32% of organizations currently use an email data loss prevention (DLP) solution
  • 21% use an email encryption solution
  • 46% of respondents indicated that email security could be improved within their organizations

This study points to a strong “superiority bias” effect, or inflated employee overconfidence, when it comes to corporate email security. However, this overconfidence could be potentially dangerous for businesses, as it could lead to poor email security habits, which ultimately lead to real legal, regulatory and reputational risks through data loss.

“How many times have you been slapped with a speeding ticket in the past year? Now think about how many times you’ve driven over the speed limit in the same time period, my guess is for most of us, that number is significantly higher,” said Andrew Jaquith, Chief Technology Officer and SVP, Cloud Strategy at SilverSky.

The new SilverSky study draws many parallels between email security habits and driving habits. The vast majority of drivers perceive themselves to be attentive, safe operators, but in reality, most speed, eat and talk or text while behind the wheel. Likewise, many employees consider their email security behaviours to be superior to those of their colleagues. However, this hubris is likely to lead to careless behaviour that could have serious consequences for the organization.

RSA’s June 2013 Online Fraud Report featuring the Bugat Trojan

RSA’s June 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.

Bugat (aka: Cridex) was discovered and sampled in the wild as early as August 2010. This privately owned crimeware’s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat’s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild.

Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.

Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains almost entirely exempt from this type of malware since the Apple policy limits app downloads from third party sites.

When Bugat-infected online banking customers access their financial provider’s login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.

The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device, connecting the infected PC and the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone’s audio alerts, and forwarding the relevant messages to its operators’ drop zones. Bugat’s entrance to the mobile space only demonstrates the increasing use of SMS forwarders as part of Trojan-facilitated fraud.

Although the injection set created by Bugat’s developers, as well as the distribution mechanism designed for delivering APKs/BlackBerry OS BitMo apps are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS forwarders in their criminal operation.

Phishing Attacks per Month

RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.

Number of Brands Attacked

In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.

US Bank Types Attacked

U.S. nationwide banks maintained the highest volume of phishing in May while regional banks saw a 7% increase in phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.

Top Countries by Attack Volume

The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil.

Top Hosting Countries

The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA April 2013 Online Fraud Report Summary here.
  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.


76% of companies have had a data breach or expect to have a breach

Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.

The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.

Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”

The study’s key findings include:

Companies experience and anticipate harm due to breaches

Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

  • 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
  • 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
  • 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite consequences, incident response remains a challenge

Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.

  • Despite experiencing a breach, not all companies prepare for a future breach.
  • 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  • 10% of organizations have data breach or cyber insurance.
  • A majority of organisations surveyed do not provide clear communication and notification to victims following an incident.
  • 21% of respondents have communications teams trained to assist in responding to victims.
  • 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  • 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
  • The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  • Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  • Forensics is lacking. Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
  • Only 36% have the tools or technologies to assess the size and impact of a data breach.
  • 19% have advanced forensics to determine the nature and root causes of cyberattacks.
  • 25% have the ability to ensure the root cause of the data breach was fully contained.

“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”


Small firms lose up to £800 million to cyber crime a year

New research from the Federation of Small Businesses (FSB) shows that cyber crime costs its members around £785 million per year as they fall victim to fraud and online crime.

The report shows:

  • 41% of FSB members have been a victim of cyber crime in the last 12 months, putting the average cost at around £4,000 per business.
  • Around 30% have been a victim of fraud, typically by a customer or client (13%) or through ‘card not present’ fraud (10%).

For the first time, the FSB has looked at the impact that online crime has on a business. The most common threat to businesses is virus infections, which 20% of respondents said they have fallen victim to; 8% have been a victim of hacking and 5% suffering security breaches.

The FSB is concerned that the cost to the wider economy could be even greater as small firms refuse to trade online believing the security framework does not give them adequate protection. Indeed, previous FSB research shows that only a third of businesses with their own website use it for sales.

The report also finds:

  • almost 20% of members have not taken any steps to protect themselves from a cyber crime
  • 36% of respondents say they regularly install security patches to protect themselves from fraud
  • almost 60% regularly update their virus scanning software to minimise their exposure to online crime

In response to this, the FSB has developed 10 top tips for small firms to make sure they stay safe online:

  1. Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  2. Carry out regular security updates on all software and devices
  3. Implement a resilient password policy (min eight characters, change regularly)
  4. Secure your wireless network
  5. Implement clear and concise procedures for email, internet and mobile devices
  6. Train staff in good security practices and consider employee background checks
  7. Implement and test backup plans, information disposal and disaster recovery procedures
  8. Carry out regular security risk assessments to identify important information and systems
  9. Carry out regular security testing on the business website
  10. Check provider credentials and contracts when using cloud services

Launching the report at an event in London today, Mike Cherry, National Policy Chairman, Federation of Small Businesses, said:

“Cyber crime poses a real and growing threat for small firms and it isn’t something that should be ignored. Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth. For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime. While we want to see clear action from the Government and the wider public sector, there are clear actions that businesses can take to help themselves.

“I encourage small firms to look at the 10 top tips we have developed to make sure they are doing all they can. We want to see the Government look at how it can simplify and streamline its guidance targeted specifically at small firms and make sure there is the capacity for businesses to report when they have been a victim of fraud or online crime.”

James Brokenshire, MP Parliamentary Under Secretary for Security, Home Office, said:

“Having personally been involved in the cyber security debate for several years now, I am pleased that the Home Office is working with the FSB to highlight the current experiences of small businesses.

“Cyber security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small, are engaged in implementing appropriate prevention measures in their business. This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

David Willetts, MP Minister for Universities and Science, Department for Business, Innovation and Skills, said:

“The Department for Business, Innovation and Skills (BIS) published guidance in April 2013, ‘Small businesses: what you need to know about cyber security’, based on our comprehensive ‘10 Steps to Cyber Security’ guidance. This guidance sets out the current risks, how to manage these, and plan implementation of appropriate security measures.

“We know only too well of the importance of securing buy-in from both big and small business in implementing appropriate protection against cyber risks – business success can depend on it. Increasing security drives growth.

“I support all efforts, like the FSB’s, to provide clarity on the issues small businesses are facing, and more importantly, what they can do about them. I urge all small businesses to follow the FSB’s advice.”


RSA’s March Online Fraud Report 2013, with a focus on Email and Identity takeover

RSA’s March 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user’s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, these sites use an email address to authenticate their users’ identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, that is, uses the same password to access six different accounts.

Access Phishing campaigns have already been targeting webmail users for years now with campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the shape of OWA (Outlook Web Access) for business users.

Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their email accounts. In fact, almost all Trojan configuration files contain triggers to webmail providers as well as to social networking sites. This is designed with the purpose of getting access in order to gain more information about potential victims in order to take over their online identities.

Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the email address is most often the username in the provider’s systems or databases. When it comes to bank accounts, the customer’s email is where communications and alerts are sent, and it sometimes even serves as part of transaction verification.

Beyond the fact that email is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user’s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers use two-factor authentication for account password resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts.

Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user’s account with that merchant.

From there, the road to e-commerce fraud shortens considerably, either using that person’s financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money, and in that sense, email access equals money.

Another example is transportation companies, which are part of any online purchase and those who provide shipping service to companies as well as governmental offices. They also use email addresses as their users’ login identifiers and will reset the account via email.

A takeover of a user’s email account in this scenario will also mean takeover of that person’s/business’ service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don’t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders.

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance with that person’s choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover?

Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations and is perhaps one of the least evident elements that can become a potential facilitator of online fraud scenarios.

Email addresses can serve as a “glue” that binds many parts of a person’s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

RSA’s Summary

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The line between ease of access and user experience always passes very close to security red lines, but sometimes very slight modifications to the weight that customer email accounts carry in overall account access can turn a fraud attempt into a failed fraud attempt.
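The email-as-"glue" argument above can be checked against an organisation's own account inventory. The following is an added example, not part of the RSA report or the original post: a small Python model that computes which accounts fall after a mailbox takeover, through the two routes the text describes (password reset by email and password reuse), and how requiring a second factor changes the result. All account names, fields and data are constructed for illustration.

```python
"""Blast-radius model for a mailbox takeover (constructed data, illustrative only)."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str                      # hypothetical service name
    reset_mailbox: Optional[str]   # mailbox that receives password-reset links
    reset_needs_2fa: bool          # a reset also demands a second factor
    login_needs_2fa: bool          # a login also demands a second factor
    password_group: str            # accounts in the same group share one password
    is_mailbox: bool = False       # the account is itself an email inbox


def blast_radius(accounts, first_mailbox, password_stolen=True):
    """Return {account name: reason} for every account lost after first_mailbox falls.

    password_stolen=True models credential theft (phishing, Trojan): the mailbox
    password is known, so accounts reusing it are exposed too.
    password_stolen=False models a takeover where the old password is never learned.
    """
    by_name = {a.name: a for a in accounts}
    if first_mailbox not in by_name:
        raise KeyError(f"unknown account: {first_mailbox}")

    lost = {first_mailbox: "initial compromise"}
    leaked_groups = {by_name[first_mailbox].password_group} if password_stolen else set()
    queue = deque([first_mailbox])

    while queue:
        current = by_name[queue.popleft()]
        for acct in accounts:
            if acct.name in lost:
                continue
            reason = None
            # Route 1: reset link lands in a mailbox the intruder already reads.
            if (current.is_mailbox and acct.reset_mailbox == current.name
                    and not acct.reset_needs_2fa):
                reason = f"password reset via {current.name}"
            # Route 2: same password as the stolen one, no second factor at login.
            elif acct.password_group in leaked_groups and not acct.login_needs_2fa:
                reason = "reused password"
            if reason:
                lost[acct.name] = reason
                queue.append(acct.name)  # a lost mailbox can unlock further resets
    return lost


def with_reset_2fa(accounts):
    """Hardened copy: every password reset also requires a second factor."""
    return [replace(a, reset_needs_2fa=True) for a in accounts]


# Constructed inventory for one customer, loosely following the example in the text.
SAMPLE_ACCOUNTS = [
    Account("webmail", None, False, False, "pw-A", is_mailbox=True),
    Account("bank", "webmail", True, True, "pw-B"),
    Account("payments", "webmail", False, False, "pw-C"),
    Account("marketplace", "webmail", False, False, "pw-A"),
    Account("shipping", "work_mail", False, False, "pw-A"),
    Account("work_mail", None, False, True, "pw-A", is_mailbox=True),
    Account("social", "webmail", False, False, "pw-D"),
]

if __name__ == "__main__":
    for label, inventory in (("baseline", SAMPLE_ACCOUNTS),
                             ("reset requires 2FA", with_reset_2fa(SAMPLE_ACCOUNTS))):
        print(label)
        for name, reason in blast_radius(inventory, "webmail").items():
            print(f"  {name:12} {reason}")
```

In the constructed inventory, requiring a second factor on resets removes the reset route but leaves the accounts that share the stolen password exposed, which is why the two controls have to be assessed separately.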

Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8% increase in phishing attacks in February.

Top Countries by Attack Volume

The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Top Countries by Attacked Brands

In February, U.S. brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each targeted by 4% of phishing volume.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.

RSA’s December Online Fraud Report 2012 including an excellent piece on Ransomware

RSA’s December Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of their report is below.

Ransomware is a type of Trojan/malware that can lock files on an infected machine and restrict access to the computer unless the user pays a “ransom” for the restrictions to be removed.

Infection campaigns and methods used by Ransomware are identical to those used for any other malware/Trojan infection. For example, recent Ransomware campaigns infected users via the Blackhole exploit kit; another campaign relied on drive-by-downloads via malicious tags in news sites and forums. 

Ransomware campaigns can take on a variety of forms. One of the most common scams is using fake anti-virus programs, making a user believe their computer is infected with unwanted software that can only be removed by purchasing the attacker’s special anti-virus program. Other forms include bogus messages from law enforcement and, in a recent example in Australia, a medical clinic whose patient records were targeted unless the clinic paid the attackers $4,200.

Although victims are promised their files will be unlocked once they pay the “fine”, in most cases the botmaster cannot control the infected bot and the files/computer will remain locked (depending on the malware’s function). 

In order for criminals to remain untraceable, Ransomware payments must be kept anonymous and these Trojans’ operators prefer prepaid payment cards/vouchers (available at retail locations in the US, Europe and now in Arabic-speaking countries as well). It appears that Ransomware is a flourishing business in the cybercrime arena since this type of malware has been proliferating, and attack numbers are on the rise. Ransomware is so popular that although this Winlock type malware can come as a standalone piece, nowadays it is often coupled with other Trojan infections to add monetization schemes to new and existing botnets. Ransom components are sold as ‘plugins’ for some of the well-known banking Trojans including Citadel, Carberp, ICE IX, Zeus, and SpyEye. 

New commercial Ransomware

A recent variant analyzed by RSA researchers revealed a new type of Ransomware, dubbed “Multi-Locker” by its operators. This malware appears to be a commercial creation, destined for sale to cybercriminals interested in launching infection campaigns to spread it. The Multi-Locker ransom and botnet administration control panel were written by a Russian-speaking blackhat, based on a peer’s existing code (the “Silent locker” Trojan). Much like other known Ransomware codes, the malware comes with adapted HTML lock pages designed to appear per each user’s IP address’ geo-location. The pages display in the corresponding language, naming the local national police and demanding ransom in the local currency ($/€/£/other) via prepaid cards/vouchers available in that country.

Multi-Locker is available to cybercriminals through a vendor in underground fraud communities. The malware was announced in the underground in the beginning of October 2012 and offered for sale at USD $899 per kit. In the ad, the vendor guarantees the locking of files on Windows-based machines running any version of Windows, from 2003 to Windows 8. 

Most ransom Trojans to date have been designed to accept prepaid cards or vouchers issued in the US and Europe. Multi-Locker’s vendors are adding their research regarding prepaid media used in Arabic-speaking countries and assure buyers that they will enrich their knowledge to enable them to easily cash out the funds at the end of the line. 

Multi-locker Botnet and control panel

Unlike the majority of ransom Trojans, the Multi-Locker Ransomware was designed with a main point of control that can manage some of the activity of infected bots. The basic control interface shows botmasters some basic statistics such as the total number of bots on that botnet and the payments that come in from each bot. The botnet interface parses each payment made according to the prepaid card type the victim provides.

The panel also displays the botnet’s conversion rate (how many successful infections/ locks out of the entire campaign) at any given moment by showing the total number of lock pages loaded versus the number of bots (that ratio hovering around 20%). 

New features coming soon: DNS-Locker

The most interesting module this Trojan offers is apparently yet to come: DNS Internet Locker. The DNS Locker will be a restriction that will take over the Internet browser, forcing it to display only the Ransomware operator’s HTML lock page, demanding payment for the browser to be released.

The vendor is very boastful about having researched solutions online and having found none that can help infected users find a way to rid their machines of the malware, adding that even starting the computer in safe mode will not remedy the lock, and guaranteeing the future DNS Locker will work on even the newest versions of Windows.

RSA’s Conclusion

Ransomware was first seen coming from Russia in 2005-6 and has since evolved in terms of tactics and scope. Ransomware malware is particularly lucrative to botmasters operating out of Eastern Europe, as almost all of it was written by Russian-speaking coders and sold by Russian-speaking vendors in the fraud underground.

Ransomware’s success rate may differ in each country/geography, according to the number of users who decide to pay for the unlocking of the PC. Unfortunately the numbers for this type of attack continue to grow as online users are not very aware of the threat and may attempt to resolve the issue on their own by providing payment to the botmasters.

Phishing Attacks per Month

In November, RSA identified 41,834 unique phishing attacks launched worldwide, marking a 24% increase in attack volumes from October. The growth in attacks in November is mostly attributed to the online holiday shopping season as fraudsters try to leverage this time of year to lure victims.

Number of Brands Attacked

In November, 284 brands were targeted in phishing attacks, marking a 6% decrease from October. Of the 284 brands attacked 45% endured 5 attacks or less.

US Bank Types Attacked

Nationwide banks continued to be the most targeted by phishing in November, experiencing nearly 80% of all attack volumes.

Top Countries by Attack Volume

In November the US was targeted by 42% of total phishing volume. The U.K. accounted for 20% of the attack volume, with India emerging as the third most targeted by volume with 7% of all global attacks. India replaced Canada, which saw a significant decrease, from 27% of total attack volumes in October to just 4% in November.

Top Countries by Attacked Brands

In November, the countries that featured the greatest number of targeted brands were the U.S. (30%), still leading by a wide margin, followed by the UK with 11%. Though absorbing a relatively small number of attacks in November, Brazilian brands ranked third of the most targeted with 6%, attesting to the diversity of attacked brands in the country.

Top Hosting Countries

Despite a 6% drop in the month prior, the U.S. continues to be the top hosting country for phishing attacks; one out of every two attacks in November was hosted in the U.S. France was the second top host, accounting for 7% of phishing attacks in November, most of which were hosted by a single ISP.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


RSA’s November Online Fraud Report 2012 including advice on avoiding fraud

RSA’s November Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

In 2011, RSA’s e-commerce authentication technology was used by many of the top card issuers around the globe to protect nearly half a billion e-commerce transactions, and their statistics for 2011 (2012 will be posted when available) are:

  • Over the course of 2011, 7% of all e-commerce transactions were identified as fraudulent, an increase of 2% from 2010
  • During the 2011 holiday shopping season (November 1 – December 31), U.S. consumers spent over $1.4 billion online, an increase of 18% from 2010
  • Identified fraudulent transactions during this same time totaled more than $82 million, an increase of 219% from 2010. Cyber Monday accounted for $2.5 million
  • Top online retailers based on e-commerce transaction volume and amounts in 2011 included three major airlines
  • The top five cities where e-commerce fraud originated over the holiday season include New York, Los Angeles, Chicago, Washington DC and Houston

Fraud is always lurking around every corner, but is especially prolific at this time of year with so many people shopping online. Consumers can follow some very simple tips to stay safe online:

  • Tune up defenses for ALL devices. Just like you would tune up your car before driving to visit relatives during the holidays, you should ensure that any device you plan to shop with (computers, tablets, smartphones and even gaming systems) gets a tune up with the latest browsers and security patches.
  • Shop with retailers that take security seriously. Before entering any personal or payment information, you should look for the closed padlock on your web browser’s address bar and ensure the web address starts with “https” – the “s” standing for secure. Also, look for protection beyond just passwords. For example, many merchants now support the Verified by Visa / MasterCard SecureCode standards which will provide you with additional security. Finally, always make sure there is a phone number or physical address for the merchant in case there is an issue with your purchase.
  • Avoid advertisements, coupons or deals that seem too good to be true. Fraudsters use many scams to try to direct you to a malicious website to download a Trojan onto your computer.
  • Be on the lookout for phishing emails. Fraudsters will be launching countless phishing attacks this time of year trying to secure your payment account information, so be on high alert. When the emails start coming in with subject lines screaming “Account Alert” or “Reactivate your account” and making claims such as “invalid login attempts into your account online from an unknown IP address have been identified,” ensure you delete them right away.

Phishing Attacks per Month

In October, RSA identified 33,768 unique phishing attacks launched worldwide, a 5% decrease from September. While attack volume has been decreasing over the last three months, total phishing attack numbers for the second half of 2012 already represent a 9% increase over first half numbers with November and December still to go.

Number of Brands Attacked

In October, 269 brands were subject to phishing attacks, marking a 14% decrease from September. A decrease in the number of targeted brands is likely the result of an increased focus of attacks on several familiar brands.

US Bank Types Attacked

Nationwide banks in the U.S. experienced a slight decline in attacks, down 3%, while U.S. credit unions saw a 5% increase in phishing attacks in October.

Top Countries by Attack Volume

In October, the U.K. continued to be the country targeted by the highest volume of phishing, with a total of 34%, despite a 14% drop from September’s number. Canada and the U.S. together were targeted by 51% of phishing volume in October. South Africa made a surprising appearance in October, targeted by 4% of phishing volume throughout the month.

Top Countries by Attacked Brands

In October, U.S. brands were targeted the most by phishing, representing 34% of targeted brands, followed by brands in the UK (12%), and Australia and Canada (6% each).

Top Hosting Countries

The U.S. continued to host the majority of phishing attacks in October – with three out of every four attacks during the month being hosted in the U.S. Other top hosting countries in October included the UK, Germany, and Canada.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


6 Experts predict the IT security and compliance issues and trends for 2013

Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions I thought I would extract the predictions of several vendors and a distributor and put them into one single post so it is easier to see trends and when we get to the end of the year we can see if they were right.

The 6 specialist predictors this year are from the following organisations:

  1. Wick Hill
  2. Websense
  3. WatchGuard
  4. Kaspersky
  5. Fortinet
  6. Sophos

Wick Hill Group’s Ian Kilpatrick delivers his top five trends for 2013

  1. BYOD. “BYOD was arguably the biggest buzz word of 2012 and is now an unstoppable, user-driven wave which will continue to make a major impact on the IT world in 2013 and beyond. Smartphones, tablets and laptops all come under this category, as well as desktop PCs used remotely from home. BYOD is a transformative technology and 2013 will see companies trying to integrate it into their networks. While tactical needs will drive integration, strategic requirements will become increasingly important.
  2. Mobile Device Management. The very rapid growth of mobile devices such as smartphones, tablets and laptops, but particularly smartphones, led to concerns about their management and security in 2012. With employees using their smartphones for both business and personal use, the security and management issues became blurred. Mobile Device Management solutions were a strong growth area in 2012, which will accelerate in 2013.
  3. High density wireless. Wireless requirements have been significantly incrementing over the last year and this trend will continue in 2013. BYOD has changed both the data transfer and performance expectations of users.
  4. Data back-up and recovery. While large organisations have always been at the forefront of back-up and recovery, data centres and big data have put significant demands on them during 2012. Alongside that, smaller organisations have been under immense pressures from ever increasing data volumes, archiving and compliance requirements.
  5. Data leakage protection. With growing volumes of data and with regulatory bodies increasingly prepared to levy fines for various non-compliance issues, data leakage protection will continue to be a major cause for concern during 2013. Companies will be looking closely at how to secure and manage their data as their network boundaries spread even wider, with increased use of social networking and BYOD, increased remote access, the rapid growth of wireless, increased virtualisation and the move towards convergence.

Websense’s 2013 Security Predictions (the link also contains a video clip explaining the predictions).

  1. Cross-Platform Threats. Mobile devices will be the new target for cross-platform threats.
  2. Malware in App Stores. Legitimate mobile app stores will host more malware in 2013.
  3. Government-sponsored attacks. Government-sponsored attacks will increase as new players enter.
  4. Bypass of Sandbox Detection. Cybercriminals will use bypass methods to avoid traditional sandbox detection.
  5. Next Level Hacktivists. Expect Hacktivists to move to the next level as simplistic opportunities dwindle.
  6. Malicious Emails. Malicious emails are making a comeback.
  7. CMS Attacks. Cybercriminals will follow the crowds to legitimate content management systems and web platforms.

WatchGuard Technologies reveals its annual security predictions for 2013

  1. A Cyber Attack Results in a Human Death
  2. Malware Enters the Matrix through a Virtual Door
  3. It’s Your Browser – Not Your System – that Malware Is After
  4. Strike Back Gets a Lot of Lip Service, but Does Little Good
  5. We’ll pay for Our Lack of IPv6 Expertise
  6. Android Pick Pockets Try to Empty Mobile Wallets

Additionally WatchGuard believes:

  1. An Exploit Sold on the “Vulnerability Market” Becomes the Next APT
  2. Important Cyber Security-Related Legislation Finally Becomes Law

“2012 was an eye-opening year in cyber security as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments,” said WatchGuard Director of Security Strategy Corey Nachreiner, a Certified Information Systems Security Professional (CISSP). “This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.”

Kaspersky Lab’s Key Security Predictions for 2013

The most notable predictions for the next year include the continued rise of targeted attacks, cyber-espionage and nation-state cyber-attacks, the evolving role of hacktivism, the development of controversial “legal” surveillance tools and the increase in cybercriminal attacks targeting cloud-based services.

  1. Targeted attacks on businesses have only become a prevalent threat within the last two years. Kaspersky Lab expects the amount of targeted attacks, with the purpose of cyber-espionage, to continue in 2013 and beyond, becoming the most significant threat for businesses. Another trend that will likely impact companies and governments is the continued rise of “hacktivism” and its concomitant politically-motivated cyber-attacks.
  2. State-sponsored cyber warfare will undoubtedly continue in 2013. These attacks will affect not only government institutions, but also businesses and critical infrastructure facilities.
  3. In 2012 an on-going debate took place on whether or not governments should develop and use specific surveillance software to monitor suspects in criminal investigations. Kaspersky Lab predicts that 2013 will build on this issue as governments create or purchase additional monitoring tools to enhance the surveillance of individuals, which will extend beyond wiretapping phones to enabling secret access to targeted mobile devices. Government-backed surveillance tools in the cyber environment will most likely continue to evolve, as law-enforcement agencies try to stay one step ahead of cybercriminals. At the same time, controversial issues about civil liberties and consumer privacy associated with the tools will also continue to be raised.
  4. Development of social networks, and, unfortunately, new threats that affect both consumers and businesses have drastically changed the perception of online privacy and trust. As consumers understand that a significant portion of their personal data is handed over to online services, the question is whether or not they trust them. Such confidence has already been shaken in the wake of major password leaks from some of the most popular web services such as Dropbox and LinkedIn. The value of personal data – for both cybercriminals and legitimate businesses – is destined to grow significantly in the near future.
  5. 2012 has been the year of the explosive growth of mobile malware, with cybercriminals’ primary focus being the Android platform, as it was the most popular and widely used. In 2013 we are likely to see a new alarming trend – the use of vulnerabilities to extend “drive-by download” attacks on mobile devices. This means that personal and corporate data stored on smartphones and tablets will be targeted as frequently as it is targeted on traditional computers. For the same reasons (rising popularity), new sophisticated attacks will be performed against owners of Apple devices as well.
  6. As vulnerabilities in mobile devices become an increasing threat for users, computer application and program vulnerabilities will continue to be exploited on PCs. Kaspersky Lab named 2012 the year of Java vulnerabilities, and in 2013 Java will continue to be exploited by cybercriminals on a massive scale. However, although Java will continue to be a target for exploits, the importance of Adobe Flash and Adobe Reader as malware gateways will decrease as the latest versions include automated update systems for patching security vulnerabilities.

Costin Raiu, Director of Global Research & Analysis Team, Kaspersky Lab, said, “In our previous reports we categorised 2011 as the year of explosive growth of new cyber threats. The most notable incidents of 2012 have been revealing and shaping the future of cyber security. We expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure. The most notable trends of 2013 will be new examples of cyber warfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”

Fortinet’s FortiGuard Labs Reveals 2013 Top 6 Threat Predictions

  1. APTs Target Individuals through Mobile Platforms. APTs also known as Advanced Persistent Threats are defined by their ability to use sophisticated technology and multiple methods and vectors to reach specific targets to obtain sensitive or classified information. The most recent examples include Stuxnet, Flame and Gauss. In 2013 we predict we’ll see APTs targeted at the civilian population, which includes CEOs, celebrities and political figures. Verifying this prediction will be difficult, however, because after attackers get the information they’re looking for, they can quietly remove the malware from a target device before the victim realizes that an attack has even occurred. What’s more, individuals who do discover they have been victims of an APT will likely not report the attack to the media. Because these attacks will first affect individuals and not directly critical infrastructure, governments or public companies, some types of information being targeted will be different. Attackers will look for information they can leverage for criminal activities such as blackmail; threatening to leak information unless payment is received.
  2. Two Factor Authentication Replaces Single Password Sign on Security Model. The password-only security model is dead. Easily downloadable tools today can crack a simple four or five character password in only a few minutes. Using new cloud-based password cracking tools, attackers can attempt 300 million different passwords in only 20 minutes at a cost of less than $20 USD. Criminals can now easily compromise even a strong alpha-numeric password with special characters during a typical lunch hour. Stored credentials encrypted in databases (often breached through Web portals and SQL injection), along with wireless security (WPA2) will be popular cracking targets using such cloud services. We predict next year we’ll see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it’s true that we’ve seen the botnet Zitmo recently crack two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.
  3. Exploits to Target Machine-to-Machine (M2M) Communications. Machine-to-machine (M2M) communication refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. It could be a refrigerator that communicates with a home server to notify a resident that it’s time to buy milk and eggs, it could be an airport camera that takes a photo of a person’s face and cross references the image with a database of known terrorists, or it could be a medical device that regulates oxygen to an accident victim and then alerts hospital staff when that person’s heart rate drops below a certain threshold. While the practical technological possibilities of M2M are inspiring as it has the potential to remove human error from so many situations, there are still too many questions surrounding how to best secure it. We predict next year we will see the first instance of M2M hacking that has not been exploited historically, most likely in a platform related to national security such as a weapons development facility. This will likely happen by poisoning information streams that traverse the M2M channel, making one machine mishandle the poisoned information, creating a vulnerability and thus allowing an attacker access at this vulnerable point.
  4. Exploits Circumvent the Sandbox. Sandboxing is a practice often employed by security technology to separate running programs and applications so that malicious code cannot transfer from one process (e.g. a document reader) to another (e.g. the operating system). Several vendors including Adobe and Apple have taken this approach and more are likely to follow. As this technology gets put in place, attackers are naturally going to try to circumvent it. FortiGuard Labs has already seen a few exploits that can break out of virtual machine (VM) and sandboxed environments, such as the Adobe Reader X vulnerability. The most recent sandboxing exploits have either remained in stealth mode (suggesting that the malware code is still currently under development and test) or have actively attempted to circumvent both technologies. Next year we expect to see innovative exploit code that is designed to circumvent sandbox environments specifically used by security appliances and mobile devices.
  5. Cross Platform Botnets. In 2012, FortiGuard Labs analyzed mobile botnets such as Zitmo and found they have many of the same features and functionality of traditional PC botnets. In 2013, the team predicts that thanks to this feature parity between platforms, we’ll begin to see new forms of Distributed Denial of Service (DDoS) attacks that will leverage both PC and mobile devices simultaneously. For example, an infected mobile device and PC will share the same command and control (C&C) server and attack protocol, and act on command at the same time, thus enhancing a botnet empire. What would once be two separate botnets running on the PC and a mobile operating system such as Android will now become one monolithic botnet operating over multiple types of endpoints.
  6. Mobile Malware Growth Closes in on Laptop and Desktop PCs. Malware is being written today for both mobile devices and notebook/laptop PCs. Historically, however, the majority of development efforts have been directed at PCs simply for the fact that there are so many of them in circulation, and PCs have been around a much longer time. For perspective, FortiGuard Labs researchers currently monitor approximately 50,000 mobile malware samples, as opposed to the millions they are monitoring for the PC. The researchers have already observed a significant increase in mobile malware volume and believe that this skewing is about to change even more dramatically starting next year. This is due to the fact that there are currently more mobile phones on the market than laptop or desktop PCs, and users are abandoning these traditional platforms in favor of newer, smaller tablet devices. While FortiGuard Labs researchers believe it will still take several more years before the number of malware samples equals what they see on PCs, the team believes we are going to see accelerated malware growth on mobile devices because malware creators know that securing mobile devices today is currently more complicated than securing traditional PCs.

Sophos think the following five trends will factor into the IT security landscape in 2013

  1. Basic web server mistakes. In 2012 we saw an increase in SQL injection hacks of web servers and databases to steal large volumes of user names and passwords. Targets have ranged from small to large enterprises with motives both political and financial. With the uptick in these kinds of credential-based extractions, IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment
  2. More “irreversible” malware. In 2012 we saw a surge in popularity and quality of ransomware malware, which encrypts your data and holds it for ransom. The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage. Over the coming year we expect to see more attacks which, for IT professionals, will place a greater focus on behavioral protection mechanisms as well as system hardening and backup/restore procedures
  3. Attack toolkits with premium features. Over the past 12 months we have observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They’ve built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces, and self protection mechanisms. In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and comprehensive
  4. Better exploit mitigation. Even as the number of vulnerabilities appeared to increase in 2012—including every Java plugin released for the past eight years—exploiting them became more difficult as operating systems modernized and hardened. The ready availability of DEP, ASLR, sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) made exploitation more challenging. While we’re not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms
  5. Integration, privacy and security challenges. In the past year mobile devices and applications like social media became more integrated. New technologies—like near field communication (NFC) being integrated in to these platforms—and increasingly creative use of GPS to connect our digital and physical lives means that there are new opportunities for cybercriminals to compromise our security or privacy. This trend is identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.

Sophos, the last word: “Security really is about more than Microsoft. The PC remains the biggest target for malicious code today, yet criminals have created effective fake antivirus attacks for the Mac. Malware creators are also targeting mobile devices as we experience a whole new set of operating systems with different security models and attack vectors. Our efforts must focus on protecting and empowering end users—no matter what platform, device, or operating system they choose.”

For a retrospective view, why not read my post from last year, “7 experts predict the IT security and compliance issues and trends of 2012”?
