Long-time readers will notice that it is pretty rare for me to post good news to this blog. I’m sure good technology things happen every day, but we don’t get called when something is working properly, and the mainstream media usually don’t report on anything but bad news. Fortunately for us – because let’s face it, we are sorely in need of “W’s” in the fight against cybercrime – a prominent hacking group responsible for thousands of cyberattacks worldwide resulting in more than $120M in ransom payments has been dismantled by a joint law enforcement operation led by the UK and US. The action resulted in what they are calling a complete dismantling of the APT (advanced persistent threat) known as Lockbit.
What this means for you
On top of seizing control of nearly all of Lockbit’s operational assets, including 34 servers, 200 cryptocurrency accounts and arresting 2 Russian nationals, they actually converted Lockbit’s own dark website into a “reverse” leak site that touted the task force’s takedown of the APT as well as posting their own countdowns to when additional data on the Lockbit crew would be leaked to the internet, turning a commonly used cybercrime tactic back on the criminals. Before the site was “pwned” by authorities, it was used by Lockbit to publish a list of its victims and ransom countdown timers.
This was no small effort – it required coordination between 10 countries and at least three major law enforcement agencies. It will hopefully result in some of the victims being able to recover encrypted data and maybe discourage some portion of the cybercriminal element from continuing operations, but let’s be realistic – this APT was one head of a massive hydra, and the assets neutralized were a fraction of the compromised computers and accounts used as zombies or command and control servers across the globe. In the above-mentioned “Operation Cronos” action 14,000 rogue accounts were shut down. For perspective, a cybercrime botnet was discovered in 2009 that was comprised of nearly two million computers. That number has likely been dwarfed many times over by now. It’s too early to declare victory by a longshot, but as the old proverb instructs, “How do you eat an elephant? One bite at a time.”
Image by Schäferle from Pixabay
Most of you know that I do not recommend using certain “freemail” accounts for any aspect of your professional lives. In short, many of them are poorly supported, barely secured and frequently targeted by cybercriminals because of these elements and because of who uses them. The ones that are being heavily targeted now are mostly legacy accounts that were established by old ISP companies that have since merged, sold or otherwise transformed into another company. Examples include sbcglobal.net, att.net, roadrunner.net, aol.com, yahoo.com, earthlink.net, etc, but they all share a common aspect: responsibility for maintaining the services that power these emails has been passed from company to company like a red-headed stepchild and the services are clearly suffering from neglect.
I’ve had this email for years! I can’t change this email!!
Invariably, we’re going to have this conversation, with you or perhaps with an elder member of your family. And yes, for some folks, changing an email address that you’ve had for 10+ years is going to be a huge pain. There are alternatives to completely abandoning the account, but there is still going to be some work to keep it, you and your loved ones safe. It depends highly on the email service, but most of them have made token efforts to upgrade their security and accessibility. Log into the account, look for account settings, specifically security to see if any of the following are available:
- First and foremost, if they offer multi-factor/2-factor authentication, set it up and use it. This is a no-brainer, and just about everyone has a cell phone.
- Set up a backup email account – most email services offer the ability to set another email account as a way to rescue or recover a forgotten password.
- Even if they can’t do 2-factor, some freemail services let you attach a cellphone for recovery purposes. Support personnel (if/when you can actually reach them) can use the cellphone to verify you are the proper owner of the account when you are in the process of attempting to recover access.
- Check to see if the password to secure this account has been compromised using this website: https://haveibeenpwned.com/Passwords. Even if it hasn’t, if it’s an easy to guess password, change it and write it down if it’s not one you or they are going to easily remember.
In the end, these are only stop-gap measures. Some email domains are currently on their 4th or 5th handoff, and at a certain point they are likely going to end up with the lowest bidder – something you never want for a critical technology service like email. Your eye should be on transitioning to a more sustainable platform like Gmail or Outlook.com.
Photo by Christin Hume on Unsplash
A little over a month ago, I wrote about how being vigilant wasn’t going to be enough to stay safe on the internet. Don’t get me wrong, being vigilant about technology safety is a base-level requirement, like understanding elemental concepts like “fire hot” and “that scorpion is dangerous”. But knowing you need to be careful and exerting the discipline and training to actually be safe are miles apart in execution. In case you haven’t heard my analogy before, internet security is likely juggling dozens of plates while hackers continually toss more plates into your hands. They win when you drop even one plate, and they have an endless supply of plates and patience while they wait for you to lose focus. But what if you could add some robot arms to your juggling act?
We can all use an extra hand (or two) these days
At one point, it was possible for a normal human being to self-manage their business technology. Many business owners saw it as a rite of passage in securing their own domain name, spinning up a website and email boxes for all their employees, while simultaneously ordering a bunch of computers in black-and-white boxes. You could buy and install virus and spam protection from a friendly nerd named Norton and it did the trick. All was (relatively) well until the internet connected everything and hackers discovered that cybercrime was profitable. Hugely profitable. They upgraded quietly while the rest of the world marched on oblivious, starting an arms race in which our self-built technology infrastructure was outpaced before we even know there was a race. While you were busy running a business (and not a never-ending technology upgrade parade), they were running their own business of dismantling or bypassing your rapidly aging technology security.
Unfortunately, the insurance companies see this, and are now recommending or requiring all companies big and small to use advanced security tools that even the large enterprises with dedicated IT staff are only now adopting. But here’s where you have the advantage in this juggling act: big companies need a lot more robot arms than you do to keep all those plates in the air but, as always, there’s a catch: you still need some robot arms and implementing them isn’t as simple has mail-ordering some parts in a Holstein-colored box. Today’s new security technologies are complicated like you might imagine robot arms to be, and even worse, if you install or use them incorrectly, the insurance companies might even deny your claims. But you have this covered because you are partners with C2, right? Call us and ask about our new security bundle for small businesses – let’s add some robot arms to your juggling act!
Image by kiquebg from Pixabay
Russian security firm Kaspersky has just released details of an elaborate, multi-year, multi-country heist that netted hundreds of millions for the group orchestrating the crime. Rather than a series of spectacularly violent bank robberies, this campaign played out quietly and slowly on the technology infrastructure of over 100 financial institutions in 30 different countries. Unfortunately for us, Kaspersky and the banking industry are keeping specific names out of the public spotlight, as expected. It can be assumed that the organizations involved don’t want to damage their reputations, and authorities typically refuse to comment on onging investigations. How did the criminals gain such unprecedented access? Simple malware campaigns targeting employees and officials, which eventually led to a fully compromised infrastructure that allowed the criminals to quietly funnel away millions and leave very few traces behind.
What this means for you:
It may sound a bit cliched to trot out the saying, “There are 2 types of companies, ones that have been hacked, and ones that have been hacked and don’t know it,” but in this case, the criminals were able to steal vast amounts of money by staying well under the radar, an approach that is at direct odds with the normally disruptive and in-your-face style of malware and hacking many people have encountered previously. By lurking quietly in the background, the criminals gained complete familiarity with organizational procedures and employee habits, allowing them to digitally impersonate privileged officials and processes to move money around and out of the organization with impunity. Without a smoking gun, shell casings, fingerprints or DNA evidence, the only trail authorities could follow was the money one – a trail that was obfuscated by digital sleight-of-hand and spoofed internet addresses. Even though your organization may not be targeted for this kind of heist, there are many other types of data cybercriminals value, and it’s in their best interest to not get caught. Don’t look for the obvious malware symptoms – those types of attacks are analogous to vandalism and random, impersonal pollution. The real cyberattack you need to worry about is the one you can’t see.
Image courtesy of 1shots at FreeDigitalPhotos.net
If you thought you were the only one still using Windows XP, you are still in good company despite Microsoft’s widely publicized plan to end official support for the operating system in April of this year. NetMarketShare.com’s January 2014 report on installed desktop operating systems shows that an estimated 30% of the world’s computers are still using Windows XP, an operating system that is now approaching 13 years of age. NetMarketShare bases its statistics from metadata gathered by 40K websites around the world, so its also likely that this percentage may actually be slightly higher, as many XP machines are likely being used in legacy systems that do not require internet access to function.
In case you were wondering what that 30% equates to in actual numbers, there is an estimated 1.5 billion computers in use today. Based upon that number, it’s possible that several hundred million computers may continue to run an OS that will no longer get security updates from Microsoft, a number that has security analysts everywhere hyperventilating. Even though most anti-malware vendors will continue to provide support for XP, it will become increasingly difficult for them to remain effective on an OS for which Microsoft itself is abandoning.
What this means for you:
If you were thinking, “Well, this doesn’t impact me, I’m on Windows 7/8,” think again. Many cyberattacks are driven by zombified PC’s that have been gathered together into “Botnets” that can focus an incredible amount of processing power on anything they are rented to do, including sending out millions of phishing emails, spam and other nefarious activities. In the current state of desktop security, it’s commonly held wisdom that being targeted by a cyberattack is not a question of “if”, but of “when”. Cybercriminals rely on compromised resources to much of their dirty work, and their arsenal could become radically reinforced by the millions of computers still running XP, especially now that it will no longer be patched by Microsoft after April. If you are still operating PC’s with Windows XP, you should seriously consider upgrading those systems to a more modern OS if possible, and if an upgrade isn’t possible, replace them ASAP, as they will become an increasing liability for your organization.
Knowing full well that American Express is the credit card of choice for many professionals, cyber criminals are targeting AMEX customers in a wave of convincing phishing emails. The emails appear to be from AMEX stating that fraudulent activity has been detected on the recipient’s card, and provides a link for the user to update their information. The link actually leads through a series of redirection scripts on compromised websites and eventually lands the user on a website that has the outward appearance of a legitimate AMEX website. This site’s sole purpose is to collect critical personal data such as your Account ID, Social Security Number, Mother’s Maiden Name which will shortly be used to perpetrate some actual account and identity theft.
What this means for you:
By now you should naturally be suspicious of any emails that show up in your inbox asking you to reset your credentials, especially if you did not explicitly perform a password or credential reset. Rolling over the links in the emails will show you the destination URL, and if the link isn’t one you recognize, stop right there and trash the email. Even if the URL looks legitimate, don’t use the link in the email. Go to your credit card website by manually typing in a URL that you know is good. Not sure what the URL is? Look for one printed on the back of your credit card, or failing that, just call the customer service number via phone. As a rule, credit card companies and banks will notify you via phone of suspected fraudulent activity, so emails like this should always be viewed with a healthy amount of skepticism.
Just this past week I received 2 emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even using text from actual legitimate emails to camoflauge the hook.
How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.
Apply Common Sense
Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.
Who’s the email from? And who is the actual recipient?
In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct. Call up the sender to ask if they actually sent the email.
In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including 2 that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.
But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!
Are the embedded links legitimate?
Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)
In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?
What this means for you:
These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.
In a rare public admission, Apple has indicated that some of its own internal Macintoshes have been compromised in a cyberattack that security researchers believe similar to the one that breached Facebook last week. Announcements from Apple of this type are very rare, as Apple has long touted one of the strengths of its platform was how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame for the hack at Java and a vulnerability that was taken advantage of to gain access to Apple employee computers.
What this means for you:
Apple’s recent breach is just one more notch in cybercrime’s belt that includes a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep, and Burger King, not to mention the numerous intrusions of government agencies and countless hacks of businesses that go unnoticed and un-reported. In the case of the Apple and Facebook breaches, the source has been tied to a mobile development website that both company’s employees accessed, and according to both companies, there appeared to be no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is now entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today, where organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any number of a dozen untraceable ways to rent out zombified computers and webservers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shot-gun targeted campaigns that only need to snag a small percentage of victims in order to be profitable. This is not some imaginative, cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training.
A recently published whitepaper from Redwood, CA security firm Imperva reports a disturbing trend that many technology professionals already suspected: current anti-malware manufacturers can’t keep up with the pace of virus development now that malware has moved from the realm of mischief to big-time criminal enterprise. Researchers from Imperva and students from Technion-Israel Institute of Technology put together a study that pitted 80 new viruses against over 40 of the top commercial antivirus products on the market, including Symantec, McAfee and Kaspersky and found that they were only able to detect 5% of the new malware infections.
It’s important to note that the sponsor of this study, Imperva, has a material stake in future anti-malware development, as their focus has been on developing a method of protection that differs from the traditional signature detection approach used by the mainstream antivirus developers. Signature detection relies on antivirus manufacturers being able to “capture” and reverse-engineer a computer virus strain to develop ways to combat infection, a process that is entirely reactive and time-consuming. As you might have guessed, new viruses can do their damage in minutes on a vast scale thanks to the internet, so relying on protection developed after the virus has been in the wild is of no help to those already infected. Cybercriminals realize they have the advantage of surprise on their side, and are investing heavily in staying ahead of signature detection algorithms.
What this means for you:
Future security is going to rely heavily on a combination of methods: signature detection, heuristic analysis (watching for anomalous behavior), virtualization/compartmentalization and good old fashioned paranoia/preparedness. The public at large has been lulled into a false sense of security in thinking that purchasing a product off the shelf will absolve them of the need to remain vigilant. As some of my clients can personally attest, you can have the best antimalware products on the market and still get infected. Technology security is more than purchasing software and hardware – it’s a process and state of mind that must constantly be maintained. If you are uncertain how to evolve your business practices to step up your state of readiness, give C2 Technology a call – we can help!
Image courtesy of graur razvan ionut / FreeDigitalPhotos.net
A 2013 whitepaper published by security firm Fortinet provides eye-opening details on the increasingly well-organized world of cybercrime that now features standardized pricing, polished branding, affiliate networks and zombie armies that can be rented for as little as $15/hour. Depending on the size of the botnet army, an incredible amount of damage can be done in an hour, making this one hell of a deal if your business is exploiting security flaws and stealing identities. Criminals have noticed the huge upside to cybercrime and, like they have always done, wasted no time investing big dollars and resources in this new “industry.”
What this means for you:
Overall, it’s unlikely criminals are outspending the big companies in the cyber arms race, but it’s almost a certainty that they are outspending and are better “armed” than most small and medium-sized businesses, especially ones that can’t (or won’t) afford the necessary investment in preparation and security. The most important thing you can do as a business owner that uses technology for any aspect of your business is ensure that you are taking the appropriate precautions and making the right security investments in your technology platforms. Keep in mind this doesn’t stop at buying hardware and software, but also includes training your employees as well as holding your vendors accountable for security as well.
Image courtesy of chanpipat / FreeDigitalPhotos.net
- 1
- 2