Tag Archives: cyber threats

Learn How to Protect Against the FBI’s Top 3 Cyber Threats

Every day, we share information digitally. Business as usual, right? But what about the risks trying to undermine your business, steal your data, and clean out your company’s bank account?

In June 2017, the FBI released its annual Internet Crime Report for 2016, showing $1.3 billion in reported losses due to Internet crime. The true figure is probably higher: only losses reported to the FBI are counted, and many companies are hesitant to publicize themselves as victims of cybercrime.

Cybercrime continues to plague our Internet society, and the FBI’s Internet Crime Complaint Center (IC3) highlighted three specific crimes in their annual report: Business Email Compromise, Ransomware, and Tech Support Fraud. We’ve expanded on these cyber threats so you can educate yourself and your employees, and hopefully, avoid becoming a victim.

Business Email Compromise

Business Email Compromise scams go by various names: BEC scam, CEO fraud, wire-transfer scam. Whatever the label, the goal is the same: target organizations that routinely execute wire transfers. Why? Because the control being attacked is a human decision, and human error is easy to exploit.

How the Scam Works:

The scam starts with an attacker compromising or spoofing the CEO's email account, often timed for when he or she is out of the office. The criminal then emails specific targets in the organization requesting an urgent wire transfer. Because the email carries the executive's authority, stresses urgency, and is written to look like a routine request, organizations often comply with the wire transfer.

Common scenarios here target the finance department while the CEO is out of the country on business travel and unavailable to confirm the request. During tax season, attackers will target the HR department requesting personal information, like employee W-2 forms. Hackers even pose as lawyers or law firms to request fraudulent transfers.

BEC Scam Prevention Tips:

  • Scrutinize the validity of any email requesting a wire transfer. Ensure it’s consistent with other transfer requests (timing, frequency, amount, recipient, etc.). Examine the sender’s email address for any changes mimicking the legitimate email.
  • Confirm the transfer request in person or by phone, using a number you already have on file rather than one supplied in the email. Make sure there are dual approval protocols in place as well as a protocol for requests made by traveling executives.
  • Educate your employees, emphasizing the warning signs. Oversharing is a cyber criminal’s dream, so use caution when posting an executive’s travel schedule or other employee information on social media.
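The header checks in the first tip can be automated at the mail gateway. The following is an added example, not code from the original page or from ePlace: it parses one raw message and reports the classic BEC red flags (a look-alike sender domain, an executive's display name on an outside address, a Reply-To that diverts replies elsewhere, and urgent wire-transfer wording). The trusted domains, executive names and both sample messages are constructed for illustration.

```python
"""Heuristic BEC / CEO-fraud checks on the headers of one email message.

Added example; not from the original page. The trusted domain list, the
executive names and the sample messages below are all constructed."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}        # assumed: the organisation's real domain(s)
EXECUTIVES = {"jane doe", "john smith"}  # assumed: names most often impersonated


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list:
    """Return the list of red flags found in one RFC 5322 message (empty = none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags = []
    # 1. Sender domain is close to, but not, a trusted domain.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for good in TRUSTED_DOMAINS:
            if edit_distance(from_dom, good) <= 2:
                flags.append(f"look-alike domain {from_dom!r} resembles {good!r}")
    # 2. An executive's display name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        flags.append(f"display name {from_name!r} on outside address {from_addr}")
    # 3. Reply-To steers replies to a domain other than the From domain.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # 4. Wire-transfer language combined with pressure to act now.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if "wire" in text and any(w in text for w in ("urgent", "immediately", "asap", "today")):
        flags.append("urgent wire-transfer request in text")
    return flags


# Constructed sample: a typical CEO-fraud message (look-alike domain, diverted replies).
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-ceo-office.net
To: accounts@example.com
Subject: URGENT wire needed today

I'm in meetings all day and can't take calls. Please wire $48,000 to the
vendor below immediately and send me the confirmation.
"""

# Constructed sample: a legitimate internal message from the same executive.
CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 vendor invoices

Attached are the approved invoices for this quarter.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE), ("clean", CLEAN)):
        print(label, bec_indicators(raw) or "no indicators")
```

Any single flag should route the message to a human for the out-of-band confirmation described above rather than block it outright; the look-alike check in particular is a heuristic and needs the organisation's own domain list to be complete.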

Ransomware

Ransomware is the most notorious type of malware these days. Cyber criminals constantly have their lines in the water, baiting victims to click on a phishing email or visit a compromised website that delivers the ransomware.

The goal is to encrypt your files and deny you access to critical data or systems. Ransom demands in cryptocurrency (e.g. Bitcoin) keep the attackers pseudonymous and hard to trace.

Ransomware Prevention Steps:

  • Regular Patching: Many vulnerabilities leveraged in ransomware attacks are well-known, already-patched flaws. WannaCry and NotPetya, for example, spread through an SMB vulnerability that Microsoft had fixed in MS17-010 two months before WannaCry appeared. Regular patching and updates prevent many of these attacks outright.
  • Close RDP; Use VPN: Do not expose Remote Desktop Protocol (RDP) to the Internet unless it is strictly required, and close it where it is not. If you must use RDP, allow it only from local traffic or from IP addresses whitelisted on the firewall, and put remote users behind a VPN that terminates at the firewall. Enforce strong password and account-lockout policies, since Internet-facing RDP is routinely brute-forced.
  • Segregate your Networks: Separate your network into smaller, independent segments. This limits a ransomware infection from propagating across an entire organization by isolating the segment where it started.
  • Offline Backups: Regularly back up any files stored on your devices, keep the backups disconnected from the rest of your critical network so an infection cannot reach them, and test that you can actually restore from them.
  • Employee Training: Educate the workforce about ransomware and the associated dangers and threats. Anti-phishing training is one good approach. But overall cyber security awareness is important as ransomware is delivered through other vectors as well.

Tech Support Fraud

Tech support fraud is a type of social engineering where the criminal poses as a legitimate party offering technical support to victims. The intent of the fraudsters is to gain access to a victim’s device. From there, they can leverage their access for financial gain or engage in other malicious activity.

Many fraudulent tech support operations exist. There are several different ways the criminals will try to reel you in:

  • Fraudsters are known to cold call and attempt to convince victims to allow remote access into their devices.
  • Pop-up or locked screens are leveraged to take advantage of unsuspecting victims who click a link on a compromised website.
  • Fraudulent tech support companies use search engine optimization to appear at the top of search results for tech support.
  • Fraudsters register URL domains similar to legitimate sites to take advantage of typos or errors made by victims who are typing in a web address.

Beware the Overpayment Scam

Cyber criminals are always looking for a new way to victimize you, and the overpayment scam is gaining traction. Posing as good-hearted professionals, criminals offer victims a refund for previous tech support services. Once they gain online access to a victim's bank account under the pretext of processing the refund, they move money between the victim's own accounts to make it appear the refund was too large. Before the victim notices anything odd, the criminals request a wire transfer of the "excess" funds.

Keys to Mitigate Risk

As cybercrimes continue to increase, your organization needs to be diligent about analyzing its cyber risk. Errors happen, and raising cyber awareness among your workforce is key.

ePlace provides cyber training programs on our risk management platforms as a resource for educating employees on cyber threats, and we encourage you to implement these if you haven’t already.

Finally, the FBI urges victims of computer crimes to report the incidents to IC3.gov. The IC3 unit is part of the FBI’s Cyber Operations Section and uses the reports to compile and refer cases for investigation and prosecution.

Cybersecurity Information Sharing Act: Government Surveillance or Critical Protection?

The controversial Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law as a part of the $1.1 trillion omnibus spending bill, establishing a process for organizations to voluntarily share threat indicators with the Federal government and other private entities to help organizations better prepare for and respond to cyber threats.

CISA Provisions

CISA calls for a voluntary program for cyber threat indicators to be shared with the government and circulated among participating organizations. The types of threat indicators to be shared include malicious code, suspected reconnaissance, and security vulnerabilities.

As an incentive, participating entities will receive liability protection from lawsuits arising out of participation in the program and will not be penalized for not using the information received from the government to improve cybersecurity defenses.

While proponents hail CISA as a critical step in combatting cyber threats, critics in the privacy community claim it is a government surveillance measure diminishing privacy rights. Critics also question whether the privacy safeguards are adequate and protections afforded for participation will be enough to incentivize organizations to join the program.

To address these concerns, CISA requires participating organizations, before sharing a threat indicator with the government, to remove personal information of specific individuals that is not directly related to the cyber threat. The Department of Homeland Security Secretary is tasked with developing guidance on the information that must be removed and how the government handles the information it receives. CISA also provides that information shared is considered proprietary information of the sharing entity, exempt from disclosure under the Freedom of Information Act and generally prohibited from being used for regulatory purposes by Federal or State agencies.

Healthcare Organizations

Several provisions under CISA pertain to healthcare organizations. To start, the Department of Health and Human Services is to develop a set of cybersecurity best practices for organizations in the healthcare industry. These best practices will be consistent with the standards in the HIPAA Security Rule, and may end up being more specific.

CISA also addresses systems that are connected to electronic health records, specifically medical devices. The HHS Secretary is to create a task force that will review the issues and challenges surrounding the security of networked medical devices. The task force will report on ways to improve and better prepare and respond to cybersecurity threats.

Key Takeaways

As cyber criminals are becoming more sophisticated, knowledge of emerging threats is critical to mitigate against such risks. Organizations should evaluate whether participation in the information sharing program would be a valuable way to obtain inside information about cyber threats in their industry and sector.

As an ePlace Solutions client, you are also entitled to receive various threat alerts that identify emerging cyber threats. For more questions about ePlace threat alerts, or to sign up for the threat alerts, please feel free to reach out to Matt Peranick at (559)577-1306 or mperanick@eplaceinc.com.

NIST Provides Update on Implementation of Cybersecurity Framework

The National Institute of Standards and Technology (NIST) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (Framework). The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

One of the most well-received aspects of the Framework has been its use as a common language for describing and sharing information and needs about cybersecurity and risk.

Many RFI respondents and workshop participants recommended “real world” applications and case studies be published to showcase Framework use. Suggestions included the use of Web-based resources, e.g. lessons learned and case studies, to help increase Framework awareness and understanding. Participants also recommended sharing more extensive mappings of existing standards and guidelines to the Framework.

NIST states that it is too early to update the Framework, as more time is needed for organizations to understand and use the current version; no modifications or new versions of the Framework are anticipated within the next year. In the coming months NIST will focus on providing guidance on using the implementation tiers and will continue to explore options for future governance of the Framework.

Intel Security Survey – The Top 8 Attack Activities to Track

McAfee, now part of Intel Security, issued a report, When Minutes Count, that assesses organizations’ abilities to detect and deflect targeted attacks. “You only gain the upper-hand versus attackers when you address the time-to-discovery challenge,” said Ryan Allphin, Senior Vice President and General Manager, Security Management at Intel Security. “Simplify the frantic work of filtering an ocean of alerts and indicators with real-time intelligence and analysis, and you can quickly gain a deeper understanding of relevant events and take action to contain and deflect attacks faster.”

The eight most common attack activities that successful organizations track to detect and deflect targeted attacks:

  1. Internal hosts communicating with known bad destinations or to a foreign country where organizations don’t conduct business.
  2. Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP traffic over port 80, the default web port.
  3. Publicly accessible or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets. It neutralizes the value of the DMZ.
  4. Off-hour malware detection. Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.
  5. Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. Perimeter network defenses, such as firewall and IPS, are seldom configured to monitor traffic on the internal network (but could be).
  6. Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures.
  7. After being cleaned, a system is re-infected with malware within five minutes—repeated reinfections signal the presence of a rootkit or persistent compromise.
  8. A user account trying to login to multiple resources within a few minutes from/to different regions—a sign that the user’s credentials have been stolen or that a user is up to mischief.
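Several of these activities are simple enough to detect with a few lines of code once you have flow, alert and login records in hand. The block below is an added example, not code from the McAfee report or the original page: it runs detections for activities 2, 3, 4, 5 and 8 over constructed sample records (the address ranges, hostnames, timestamps and thresholds are all assumed values chosen for illustration).

```python
"""Detections for attack activities 2, 3, 4, 5 and 8 from the list above,
run over constructed sample records. Added example; not code from the
McAfee report or the original page. Ranges, hosts, times and thresholds
are assumed values for illustration."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")    # assumed corporate range
DMZ = ip_network("192.0.2.0/24")       # assumed DMZ range
# Application protocol expected on each well-known port (activity 2).
EXPECTED = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

# Constructed flow records: (time, src, dst, dst_port, protocol seen by inspection)
FLOWS = [
    ("2014-11-10 03:12:00", "10.1.4.7", "198.51.100.9", 80, "ssh"),   # shell on the web port, at 3 am
    ("2014-11-10 10:00:00", "10.1.4.8", "198.51.100.9", 80, "http"),  # ordinary browsing
    ("2014-11-10 10:05:00", "192.0.2.10", "10.2.0.5", 445, "smb"),    # DMZ host reaching inside
    ("2014-11-10 10:06:00", "10.1.4.7", "10.2.0.5", 445, "smb"),      # internal to internal
] + [
    # the same internal host touching 30 neighbours inside one minute: a sweep
    (f"2014-11-10 10:07:{s:02d}", "10.1.4.7", f"10.2.0.{n}", 445, "smb")
    for s, n in zip(range(30), range(10, 40))
]

# Constructed login records: (time, user, region the source address geolocates to)
LOGINS = [
    ("2014-11-10 09:00:00", "alice", "US-East"),
    ("2014-11-10 09:03:00", "alice", "EU-West"),   # three minutes later, another continent
    ("2014-11-10 09:00:00", "bob", "US-East"),
    ("2014-11-10 17:00:00", "bob", "EU-West"),     # eight hours later: plausible travel
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def port_protocol_mismatch(flows):
    """Activity 2: the protocol actually seen on a well-known port is not the expected one."""
    return [f for f in flows if EXPECTED.get(f[3]) not in (None, f[4])]


def dmz_to_internal(flows):
    """Activity 3: a DMZ host initiating connections into the internal network."""
    return [f for f in flows if ip_address(f[1]) in DMZ and ip_address(f[2]) in INTERNAL]


def off_hours(records, start=8, end=18):
    """Activity 4: events outside business hours (08:00-18:00 assumed) or on a weekend."""
    return [r for r in records
            if not (start <= ts(r[0]).hour < end) or ts(r[0]).weekday() >= 5]


def internal_sweeps(flows, min_targets=20, window_s=60):
    """Activity 5: one internal source contacting many distinct hosts in a short window."""
    by_src = defaultdict(list)
    for f in flows:
        if ip_address(f[1]) in INTERNAL:
            by_src[f[1]].append((ts(f[0]), f[2]))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits.append((src, len(targets)))
                break
    return hits


def impossible_travel(logins, max_minutes=30):
    """Activity 8: one account seen in two regions closer together in time than travel allows."""
    by_user = defaultdict(list)
    for t, user, region in logins:
        by_user[user].append((ts(t), region))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, r1), (t2, r2) in zip(events, events[1:]):
            if r1 != r2 and (t2 - t1).total_seconds() <= max_minutes * 60:
                hits.append((user, r1, r2))
    return hits


if __name__ == "__main__":
    for name, hits in [("port/protocol mismatch", port_protocol_mismatch(FLOWS)),
                       ("DMZ -> internal", dmz_to_internal(FLOWS)),
                       ("off-hours", off_hours(FLOWS)),
                       ("internal sweep", internal_sweeps(FLOWS)),
                       ("impossible travel", impossible_travel(LOGINS))]:
        print(f"{name}: {hits}")
```

Note what the sample exposes: the same internal host (10.1.4.7) trips the port/protocol, off-hours and sweep detections, which is exactly the kind of correlation across alerts that shortens time-to-discovery. The sweep and impossible-travel thresholds are starting points; tune them against your own baseline, since a vulnerability scanner or a user on a VPN with a changing exit region will otherwise fire them constantly.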

USPS Joins the Long List of Breached Organizations

According to a statement released by the US Postal Service (USPS), attackers have likely compromised personal information of some 800,000 current and past employees, as well as data for customers who contacted the USPS Customer Care Center via phone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. Affected employee information includes name, date of birth, Social Security number, address and other contact information.

The USPS explained in a FAQ document that, as part of its intrusion mitigation efforts, the Postal Service took some systems offline over the weekend of November 8-9, 2014.

The identity of the attackers is unknown.

UK ICO Fines Hotel Booking Website for Leaking Both PI and Encryption Key

The UK Information Commissioner's Office (ICO) has warned organizations to protect their websites against one of the most common forms of online attack, SQL injection. The warning comes after the hotel booking website operator Worldview Limited was fined £7,500 following a serious data breach in which a vulnerability on the company's site allowed attackers to access the full payment card details of 3,814 customers. Although the card details had been encrypted, the decryption key was stored alongside the data, so the attackers who retrieved the ciphertext retrieved the key with it and recovered the customers' full card details, including the three-digit security code needed to authorize online payments (data that the PCI DSS forbids storing at all once a transaction has been authorized).

Worldview would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.
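The two failures in the Worldview case compound each other: injection lets an attacker read any table the application's database account can see, and if the key sits in one of those tables, encryption buys nothing. The block below is an added example, not code from the page or from Worldview's site: it builds a throwaway SQLite database with a constructed bookings table and a settings table holding the key, shows a string-built lookup being turned into a UNION query that dumps both, and shows the parameterized lookup treating the same input as plain data.

```python
"""SQL injection against a string-built query, and the parameterized fix.

Added example; not from the original page. The schema, the booking rows,
the 'encrypted' card placeholders and the key value are all constructed."""
import sqlite3


def build_db():
    """In-memory database shaped like a small booking site; all rows constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bookings (id INTEGER PRIMARY KEY, ref TEXT, guest TEXT, card_enc TEXT);
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO bookings VALUES (1, 'WV-1001', 'A. Guest', 'ENC:3a9f0c');
        INSERT INTO bookings VALUES (2, 'WV-1002', 'B. Guest', 'ENC:77c1de');
        -- the mistake from the ICO case: the decryption key lives next to the data
        INSERT INTO settings VALUES ('card_key', 'k3y-stored-next-to-the-data');
    """)
    return conn


def lookup_vulnerable(conn, ref):
    """VULNERABLE: the booking reference is pasted straight into the SQL text."""
    sql = f"SELECT ref, guest FROM bookings WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    """Fixed: a bound parameter; the driver never lets the value alter the statement."""
    return conn.execute("SELECT ref, guest FROM bookings WHERE ref = ?", (ref,)).fetchall()


# Constructed attacker input: closes the quote, appends UNIONs that pull the
# encrypted card column and the settings table, and comments out the tail.
PAYLOAD = ("' UNION SELECT ref, card_enc FROM bookings "
           "UNION SELECT name, value FROM settings --")

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, attacker input:", lookup_vulnerable(db, PAYLOAD))
    print("safe, attacker input:      ", lookup_safe(db, PAYLOAD))
    print("safe, real reference:      ", lookup_safe(db, "WV-1001"))
```

The parameterized query is the fix the ICO is asking for, but the second lesson stands on its own: keep the key out of the database entirely (an HSM, a key-management service, or at minimum a separate system the web application's database account cannot read), and do not store the security code at all, since no later transaction needs it.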

Dairy Queen Confirms “Backoff” Infection

Dairy Queen, Inc. has confirmed (press release) that the systems of some DQ® locations and one Orange Julius® location in the U.S. had been infected with the “Backoff” malware. Because nearly all DQ and Orange Julius locations are independently owned and operated, the company worked closely with affected franchise owners, law enforcement authorities, and the payment card brands to assess the nature and scope of the issue. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at 395 U.S. locations.

See also “Backoff” PoS Malware – Warnings and Recommendations.

PCI Security Standards Council Updates Skimming Prevention Guidance

The PCI Security Standards Council released an update to its guidance for merchants on protecting against card skimming attacks in point-of-sale (POS) environments, Skimming Prevention: Best Practices for Merchants.

Security best practices outlined in the guidance include:

  • Identify risks relating to skimming – both physical and logical based
  • Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff that have access to consumer payment devices
  • Prevent or deter criminal attacks against POS terminals and terminal infrastructures
  • Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack

Appendices provide information on assessing vulnerability risks, meeting PCI DSS Requirement 9.9 for ensuring proper inspection of POS devices, and limiting the attack vector by implementing simple daily routines and training employees.

A high-level guidance, Skimming Prevention: Overview of Best Practices for Merchants, is also available.


Homeland Security and Secret Service Issue PoS Advisory

On August 22, 2014 the Department of Homeland Security (DHS) and US Secret Service issued an advisory encouraging organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. A particular family of PoS malware, dubbed “Backoff”, has impacted numerous businesses throughout the United States. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. The Secret Service currently estimates that over 1,000 U.S. businesses are affected.

DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised. Companies that believe they have been the victim of this malware should contact their local Secret Service field office.