Security IT Summit | Forum Events Ltd

Posts Tagged: phishing

Going phishing? Five emails you don’t want in your inbox

Stuart O'Brien

Phishing is the most common form of cyber attack. Why? Email is simple and universal, which gives cyber criminals an easy route in: they reach users directly, past most defensive barriers, to mislead them, harvest credentials and deliver malware.

All organisations think it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched and establish a thread of communication with the victim before attempting to steal their credentials or bank balance.

Email is the single biggest attack vector used by adversaries who employ a plethora of advanced social engineering techniques to achieve their goal. Andy Pearch, Head of IA Services at CORVID, describes five common types of social engineering attack that no employee – from CISO to HR assistant – wants to see in their inbox…

1. Payment diversion fraud

Cyber criminals often masquerade as a supplier, requesting invoices are paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets both businesses and individuals and the results can understandably be devastating.

There is little point asking someone who isn't authorised to make a bank transfer or change payment details, so threat actors target finance and HR teams: people who expect to process payments and handle changes to personal account details, and who are therefore more likely to comply with a fraudulent request. The practical countermeasure is procedural: any change to bank details is confirmed by calling the supplier or employee on a number already on file, never on one supplied in the email.

2. CEO fraud

Impersonating a VIP – often the CEO – is big business for adversaries, knowing the recipient will often action the request straightaway. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust of their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.

These deceitful requests usually convey a sense of urgency and imply the matter can only be handled over email, so the victim feels there is no time to question the request and no way to phone the CEO to confirm it is genuine.

3. Whaling

The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers in a business who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval. These phishing attacks are thoroughly researched, containing personalised information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP target.

4. Spear phishing

Perhaps the most widespread form of email-based cyber attack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information, such as bank details and personal data. Attackers study their victim’s online presence to include specific information which adds credibility to their request, such as purporting to be from a streaming service the victim is subscribed to, or a supplier that is known to the target company.

5. Sextortion

Not all phishing attacks are subtle. A form of cyber blackmail, sextortion is when cyber criminals email their target claiming to have evidence of them committing X-rated acts or offences, and demanding payment to stop the criminals from sharing the evidence with their victim’s family or employer.

Attackers count on their victim being too embarrassed to tell anyone about the email (even though they have done nothing wrong), because it's a taboo subject most people wouldn't feel comfortable discussing with others. The email is often phrased as if the criminal is doing the victim a favour by keeping the details private. The victim may decide to pay up to stop embarrassing details about their private life being made public, regardless of whether they're true. Payment is usually demanded in Bitcoin: the transactions are recorded on a public ledger, so they are not strictly untraceable, but the payout wallet is rarely linked to a real identity, which makes the adversary hard to identify.

But if the victim knows they're innocent, why do these attacks still work? It's all about credibility: attackers harvest email addresses and passwords from previous data breaches, which circulate freely on the internet, and quote them in the email. If an attacker emails you claiming to know one of your passwords and includes it as proof, you're more likely to believe the rest of the email is genuine, even when that password is years old and was leaked by a third-party site.
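As an added illustration (not part of the CORVID article), here is the check a helpdesk can run when a user forwards one of these emails: is the quoted password in known breach data? The script uses the k-anonymity range scheme of the Have I Been Pwned Pwned Passwords API, in which the client discloses only the first five hex characters of the password's SHA-1 hash and matches the returned suffix list locally, so the password itself never leaves the machine. The breach dump and the range endpoint are constructed stand-ins so the script runs offline; the function names and the triage wording are assumptions of the example, not anything from the article.

```python
"""Is the password quoted in a sextortion email from an old breach?

Added example (not CORVID's code). Demonstrates the k-anonymity range lookup
used by Have I Been Pwned's Pwned Passwords API: the client sends only the
first five hex characters of the SHA-1 hash, receives every leaked suffix in
that range, and matches locally, so the password never leaves the machine.
The breach dump and the range endpoint here are constructed stand-ins so the
script runs offline; against the real service you would GET
https://api.pwnedpasswords.com/range/<prefix> instead of fake_range_endpoint().
"""
import hashlib
from collections import Counter

# Constructed dump: passwords "leaked" in old incidents and how often each was seen.
CONSTRUCTED_DUMP = Counter({"letmein2014": 3, "Summer2016!": 1, "hunter2": 42, "P@ssw0rd": 7})


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump: Counter) -> dict:
    """Server side: bucket leaked hashes by 5-char prefix; each bucket is the
    'SUFFIX:COUNT' text body the range endpoint serves for that prefix."""
    buckets = {}
    for pw, count in dump.items():
        digest = sha1_upper(pw)
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in buckets.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_DUMP)


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns the suffix list (possibly empty)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    return RANGE_INDEX.get(prefix, "")


def breach_count(password: str, fetch=fake_range_endpoint) -> int:
    """Client side: reveal only the prefix, compare suffixes locally.
    Returns the number of times the password was seen in the corpus, 0 if absent."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        got_suffix, _, count = line.strip().partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def triage_sextortion_claim(quoted_password: str) -> str:
    """The answer a helpdesk gives the recipient who forwarded the email."""
    seen = breach_count(quoted_password)
    if seen:
        return (f"Password appears {seen} time(s) in known breach data: the sender "
                "most likely took it from an old leak, not from your device. "
                "Change it anywhere it is still in use, and do not pay.")
    return ("Password not found in the corpus: still treat the email as a scam, "
            "but check whether that password is current and rotate it.")


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} time(s)")
        print(triage_sextortion_claim(pw))
```

Whether or not the password is found, the advice is the same: the email is a scam, and the only action is to rotate the password wherever it is still in use. The lookup's value is in reassuring the recipient that the "proof" came from an old dump rather than from their device.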

Conclusion

These common types of social engineering attack cannot be ignored by any organisation – these threats are very real and won’t disappear anytime soon. Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources; employees shouldn’t have to carry the weight of identifying these threats, essentially plugging the gaps in flawed cyber security strategies. Organisations need to treat email as the serious security risk that it is and begin to put appropriate measures in place.

Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, which removes the burden from users and instead leaves technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning employees can make quick, informed and confident decisions as to whether the email should be trusted.

With such sophisticated technology available and a growing threat landscape that shows no sign of slowing, it’s time for organisations to make a change and adequately protect themselves from incoming attacks.

VIDEO – Top tips to spot phishing attacks

Guest Post

By Falanx

Phishing, viruses and ransomware are some of the most common attacks aimed at organisations of all sizes, with phishing emails proving the most successful.

With this October being Cyber Security Awareness month, empower your staff to recognise and defend against these attacks.

Here are some of the signs to look out for > https://falanx.com/cyber/top-tips-to-spot-phishing-attacks/

Save £35k by deleting emails from your CEO

Guest Post

You work in finance. You get an email from your CEO addressing you by your first name, apologising for the late Friday email, but requesting you make an urgent payment to a regular supplier, with account details helpfully provided in the email. You’d pay it, right?

CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account.

The average cost of this attack has risen to £35,000, but how do they keep getting away with it? Check out the latest advice from Corvid:

https://www.corvid.co.uk/blog/save-yourself-35k-delete-ceo-emails

Automation reduces the risk of phishing attacks

Stuart O'Brien

It’s hard to overestimate how fundamental email has become to initiating cyberattacks. While there are numerous ways for attackers to target organisations, email is nearly always the common denominator.

Email phishing attack detection, analysis and rapid response is one of the biggest challenges email admins and security teams face today.

Did you know?

  • Phishing represents 98% of social incidents and 93% of breaches.
  • Email continues to be the most common vector for cyber attacks (96%).

Download our latest Whitepaper in Partnership with Ironscales: Office 365 is not built to defend against modern real world email threats

Learn why organisations that rely on cloud email services must budget for advanced phishing prevention, detection and response.

https://discover.everycloud.co.uk/automation-reduces-the-risk-of-phishing-attacks

For more information, contact:

Paul Richards, Director, EveryCloud

Mob: +44 7450 100 500 | DDI: 0203 904 3182 | Tel: 0800 470 1820

Email: paul.richards@everycloud.co.uk

Do you provide Phishing Detection solutions? We want to hear from you!

Stuart O'Brien

Each month on IT Security Briefing we’re shining the spotlight on a different part of the cyber security market – in April we’re focussing on Phishing Detection solutions.

It’s all part of our ‘Recommended’ editorial feature, designed to help IT security buyers find the best products and services available today.

So, if you’re a Phishing Detection specialist and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Chris Cannon on c.cannon@forumevents.co.uk.

Here are the areas we’ll be covering, month by month:

Apr – Phishing Detection
May – Advanced Threat Dashboard
Jun – Browser/Web Security
Jul – Authentication
Aug – Penetration Testing
Sep – Vulnerability Management
Oct – Employee Security Awareness
Nov – Malware
Dec – Network Security Management

For information on any of the above topics, contact Chris Cannon on c.cannon@forumevents.co.uk.

Millennials ‘most vulnerable’ to phishing attacks

Stuart O'Brien

‘Digital savvy’ millennials are more likely to fall victim to cyber threats than baby boomers and older generations, demonstrating a concerning lack of knowledge on cyber threats such as phishing and ransomware.

New research, commissioned by cybersecurity and compliance company Proofpoint for their fifth annual ‘State of the Phish’ report, also revealed that 83 percent of global respondents experienced phishing attacks in 2018, compared to just 10 percent of respondents reporting experiencing a ransomware attack.

Also among the standout findings was the revelation that, contrary to popular belief, older generations were less likely to fall victim to cyber attacks than their younger counterparts. 58% of millennials (aged 22-37) could correctly say what phishing was, compared to 73% of those aged 54+; and only 40% of the 22-37 group could correctly say what ransomware was, against 52% of those aged 54+.

“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organisation,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint.

“As these threats grow in scope and sophistication, it is critical that organisations prioritise security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”

“Lack of cybersecurity awareness, in particular amongst the millennial/Generation Z demographic, presents a greater threat than many businesses expect,” added Adenike Cosgrove, strategist, EMEA, Proofpoint.

“Our latest research shows that surprisingly, older generational groups can more accurately identify threats such as phishing and ransomware than digitally-savvy millennials. This tells us that millennials, despite being much more comfortable and at ease with digital platforms, display greater complacency towards threats and perceived risks.

“With the percentage of millennials in the workforce set to reach 50 percent globally by 2020, it’s imperative that businesses focus on developing a people-centric approach to security and deploy cybersecurity awareness training programs that aim to change employee behaviour. The bottom line is that organisations that do not consider the human factor as a key pillar to their cyber defence strategy will continue to be prime targets for cybercriminals, putting their businesses at risk of potentially crippling attacks.”

A copy of the report can be downloaded here: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

Cybersecurity responsible for 36% of management stress

Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses said that problems with their internet connection were responsible for some of their firm's biggest technology-related headaches, and a further 41% said that, six months on, GDPR compliance was still causing confusion in the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said: “Hearing that internet issues are still responsible for over half of SMEs’ IT-related headaches is simply inexcusable in this day and age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SMEs are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

INFOGRAPHIC: Only 29% travel sites opt to fully protect consumers with EV SSL

Stuart O'Brien

UK phishing scams jumped 648% year on year on Cyber Monday, and Sectigo cites the lack of EV SSL certificates on travel websites as a primary cause.

Sectigo investigated security levels on the websites of 35 airlines, 27 hotel groups, 23 travel comparison websites, 11 car hire firms and eight train operating companies, to find out whether they are doing all they can to protect customers as we approach peak travel season.

Among its key findings were:

  • Only 29% of these enterprises had an EV SSL certificate on their website.
  • As many as 65% had only a free (domain-validated) SSL certificate, which displays no verified company identity in the browser's address bar but also avoids a “Not secure” warning.
  • Up to 6% had no SSL certificate at all.

Full findings are illustrated in the infographic below:

Vigilance urged for EMEA businesses as phishing season begins

Stuart O'Brien

Businesses in EMEA are being urged to remain vigilant as phishing attacks ramp up during the winter months.

F5 Labs, in collaboration with Webroot, has launched its second annual Phishing and Fraud report, highlighting an anticipated threat surge from October until January.

According to the report, fraud incidents in October, November and December tend to jump by over 50% compared to the annual average.

Indicative of the scale of the problem, 75.6% of all websites taken offline by the F5 SOC platform between January 2014 and the end of 2017 were related to phishing attacks. This was followed by malicious scripts (11.3%) and URL redirects (5.2%), both of which are also used in conjunction with phishing operations. Mobile phishing (2%) was also identified as a growing issue.

“We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.

“It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”

Although phishing targets vary based on the nature of the scam, a remarkable 71% of attackers’ efforts from 1 September to 31 October 2018 focused on impersonating just ten organisations.

Technology companies were most mimicked (70% of incidents), with 58% of phishers’ time spent posing as big hitters like Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period.

The finance sector was also under fire. 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55% of these, five of which were major European entities.

Notably, some of the most successful malware programs started out as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.

The Phishing and Fraud report stresses that the best first line of defence is a consistent education programme and a culture of curiosity. Tests by Webroot show that security awareness training measurably reduces the rate at which employees click on phishing links.

Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13%. Six to ten sessions saw a 28% click-through rate, rising to 33% with one to five employee engagements.

In addition to awareness-raising, F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. Other report recommendations include the following defensive tactics:

  • Email labelling. Clearly tag all mail from external sources, for example with an [EXTERNAL] marker in the subject or a banner in the body. Labelling does not stop spoofing by itself, but it makes a message that claims to come from a colleague while arriving from outside stand out, so users know to be on guard.
  • Anti-virus (AV) software. AV is a critical control on every system a user has access to; in most cases up-to-date AV will stop the malware installation attempt. Set your AV policy to update at least daily.
  • Web filtering. A web filtering solution blocks access to phishing sites. This prevents a breach (provided the phishing site is already known to your web filter provider) and presents a teaching opportunity, since the user sees a block page explaining why.
  • Traffic decryption and inspection. F5 Labs analysed malware domains from Webroot that were active in September and October 2018: 68% of them were phoning home over TCP port 443, the standard port for HTTPS (web traffic encrypted with SSL/TLS). If organisations do not decrypt traffic before inspection, malware installed through phishing will go undetected inside the network.
  • Single sign-on (SSO). The fewer credentials users manage, the less likely they are to reuse them across applications, create weak passwords, or store them insecurely.
  • Report phishing. Provide a means for employees to report suspected phishing easily. Some mail clients now have a built-in phish alert button that notifies IT; if yours doesn't, instruct all users to call the helpdesk or security team.
  • Change email addresses. Consider changing the addresses of commonly targeted employees if they continually receive an unusually high volume of phishing.
  • Use CAPTCHAs. Use challenge-response technologies like CAPTCHA to distinguish humans from bots. Users find them annoying, so reserve them for flows where the traffic is likely to be automated.
  • Access control reviews. Review employees' access rights regularly, especially for those with access to critical systems, and prioritise those employees for phishing training.
  • Look out for newly registered domains. Phishing sites are often hosted on newly registered domains and are short-lived: when F5 reviewed the active malware and phishing domains collected by Webroot in September, only 62% were still active a week later.
  • Implement web fraud detection. Deploy a web fraud solution that detects clients infected with malware, so that criminals using stolen sessions or credentials cannot log in to your systems and push fraudulent transactions through.
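The external-sender labelling above, together with the display-name spoofing behind the CEO fraud and payment diversion scams described in the CORVID post earlier on this page, can be expressed as a small header triage step at the mail gateway. The Python below is an added example, not code from F5 Labs, Webroot or CORVID; the internal domain example.com, the executive roster, the lookalike heuristics and the four sample messages are constructed for the demonstration, and the finding and verdict labels are the example's own.

```python
"""Header triage for CEO fraud and external-sender labelling.

Added example, not code from CORVID or F5 Labs. The internal domain, the
executive roster and the four sample messages are constructed for the demo.
Findings reported per message:
  external-sender            From address is not one of our domains (subject gets [EXTERNAL])
  display-name-impersonation From display name matches a known executive, address does not
  reply-to-mismatch          Reply-To domain differs from the From domain (replies diverted)
  lookalike-domain           sender domain is within edit distance 1 of ours after folding
                             rn->m, 0->o, 1->l, or embeds our label (example.com.evil.net)
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                  # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster, names normalised


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise_name(name: str) -> str:
    return " ".join(re.sub(r"[^a-z]", " ", name.lower()).split())


def is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_lookalike(domain: str) -> bool:
    if not domain or is_internal(domain):
        return False
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    tokens = re.split(r"[.-]", domain)
    for legit in INTERNAL_DOMAINS:
        if edit_distance(folded, legit) <= 1 or legit.split(".")[0] in tokens:
            return True
    return False


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(addr), _domain(reply)
    findings = []
    external = not is_internal(from_dom)
    if external:
        findings.append("external-sender")
    expected = EXECUTIVES.get(_normalise_name(name))
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    if is_lookalike(from_dom) or is_lookalike(reply_dom):
        findings.append("lookalike-domain")
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject        # the labelling F5 recommends
    hard = {"display-name-impersonation", "lookalike-domain"}
    verdict = "block" if hard & set(findings) else ("warn" if findings else "ok")
    return {"from": addr, "subject": subject, "findings": findings, "verdict": verdict}


# Constructed sample messages; only the headers matter for this triage.
SAMPLE_CEO = """From: "Jane Doe" <ceo.janedoe@outlook-mail.com>
To: accounts@example.com
Subject: Urgent supplier payment

Sorry for the late Friday email, please pay the attached invoice today.
"""
SAMPLE_LOOKALIKE = """From: Accounts Payable <ap@exarnple.com>
To: finance@example.com
Subject: Updated bank details

Our remittance account has changed, new details below.
"""
SAMPLE_REPLYTO = """From: Bob Smith <bob@partner-supplies.co.uk>
Reply-To: <bob.smith@mail-relay.ru>
To: buyer@example.com
Subject: Quote attached

Please confirm by replying to this address.
"""
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: board@example.com
Subject: Board pack

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_CEO, SAMPLE_LOOKALIKE, SAMPLE_REPLYTO, SAMPLE_LEGIT):
        print(triage(raw))
```

This looks only at headers, so it complements rather than replaces SPF, DKIM and DMARC enforcement at the gateway. A real deployment would take the roster from the directory, and the newly-registered-domain check from the list above would add a domain-age lookup, which is deliberately left out here so the script runs offline.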

“Phishing is a big problem and we expect attacks to continue because they are so effective, especially during the winter period,” added Warburton.

“As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”

GUEST BLOG: Phishing and Facebook – A test of reputation for businesses

Stuart O'Brien
By Asaf Cidon, VP Email Security, Barracuda Networks
 
Facebook is never far from the news agenda, so it was no surprise to see the company under the media spotlight again when it was revealed that a recent hack exposed the personal information of 30m users.
After polling visitors to Cloud Expo earlier this year on their views of Facebook and data privacy, we took to the floor at the IP Expo show in London earlier this month to learn how businesses were feeling about their defences in the wake of the latest high profile attack. 
 
The last time we spoke to the tech industry at a UK trade show, it was on the back of the news that millions of Facebook profiles were apparently exploited for political purposes, so we were keen to understand how views had changed in the six months since then. 
 
Back in April, trust in Facebook appeared to have been badly affected, with 55% claiming that they trusted Facebook less as a result of the Cambridge Analytica scandal. Results from IP Expo further confirmed this, with 41% of respondents citing that they didn’t trust Facebook even before this latest news story. What’s encouraging is that individuals are taking measures to protect themselves – 28% said that they had amended their security and sharing settings as a result, almost identical to the 29% who said the same at Cloud Expo.
 
Individuals in the IT industry have definitely become more wary of how they’re using Facebook, but did this have any bearing on their business?
 
So what does this mean for businesses? 
 
Whilst we still don’t know a great deal about what happened, we do know that while initial reports suggested 50 million accounts were accessed, it was actually closer to 30 million.
 
Despite this smaller number, it’s clear that hackers were able to get unfettered access to a significant amount of sensitive information. For 15 million users, the hackers had access to their name, phone number, and email address.
 
But for 14 million users, the attackers had access to the above as well as their relationship status, work, education, religion, current city, gender, username, device type, pages followed, last ten places checked into or tagged in, and 15 most recent searches.
 
Much of the information up for grabs plays right into the hands of cyber criminals planning their next phishing attack, and as it also includes people’s workplaces, it’s only natural to assume that this could well lead to an increased risk of phishing attacks at work.
 
So is this a precedent that businesses should be prepared for?
 
More than a third of the visitors we spoke to at IP Expo (35%) felt that the Facebook hack was likely to increase the likelihood of phishing attacks on businesses, since attackers would be emboldened by its success. Around 20% of our respondents felt it could work the other way though, as businesses would be forewarned and, therefore, forearmed against such attacks. 
 
Whatever the reality, businesses are certainly not being complacent when it comes to resisting phishing attacks. One in four (25%) of the 200 businesses who took part felt that they have both the technology and the user education in place to feel very confident in their protection. Confidence in technology but not user education meant that 38% felt quite confident in their ability to resist an attack, whilst a focus on user education over technology had instilled confidence in 22%. Only 7% felt that they were sitting ducks, with neither the technology nor user education in place to protect their business.

What now for businesses and individuals?
 
Anyone who regularly uses Facebook needs to review their security and sharing settings immediately, if they haven’t done so already. This is especially important if you have other apps connected to your Facebook account, as this gives attackers even more of a prize should they take over your account.
 
For businesses, the best defence against phishing and spear phishing is to help make users aware of the threats and techniques used by criminals. Organisations should implement a simulation and training program to improve security awareness for their users, regularly training and testing employees to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training, as it helps humans recognise the subtle clues to identify phishing attempts, and gives employees a baseline understanding of the latest techniques attackers are using.
 
Effective user training can prevent a lot of attacks, but keeping out attacks that don't enter via email requires a combination of effective perimeter filtering, a purposely designed network architecture and the ability to detect malware that may already be inside the network. Businesses also need to keep up to date with software, security and firewall updates to ensure they have the most sophisticated approach to security in place. The Facebook breach is also a reminder that SSO and MFA are not a silver bullet against account compromise: when the authentication provider itself is compromised, every application that trusts it to log users in is exposed, which is why apps connected to a Facebook account are part of the attacker's prize. That argues for monitoring employee behaviour and detecting anomalies in real time, for example with AI that learns each user's normal patterns.
 
With huge global organisations such as Facebook and Google proving susceptible to cyber attacks, businesses clearly need to remain vigilant. Every new breach is another reminder that individuals and organisations must protect their own cloud data rather than assume the providers will do it for them.