It is an unfortunate fact that the number of cyber attacks and scams continues to grow at an alarming rate. Also, with the Privacy Amendment (Notifiable Data Breaches) Act 2017, which came into effect in February this year, the stakes have never been higher.
As part of our commitment to providing as much information as possible to AFTA Members, we wanted to share a very topical article from CyberHeist News, published by KnowBe4. It is so important that your business keeps on top of the changing legislation and threats.
Social engineering attacks are no longer the amateurish efforts of yesterday. Sure, your company may still get obvious phishing emails with blurry logos and rampant misspellings, or the blatantly fake "help desk" calls from unknown phone numbers, but more sophisticated attacks are becoming the norm.
Using both high-tech tools and low-tech strategies, today's social engineering attacks are more convincing, more targeted, and more effective than before. They're also highly prevalent. Almost seven in 10 companies say they've experienced phishing and social engineering.
For this reason, it's important to understand the changing nature of these threats and what you can do to help minimize them.
Know the Threat
Today's phishing emails often look like exact replicas of communications coming from the companies they're imitating. They can even contain personal details of targeted victims, making them even more convincing.
In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company's vendors. And in the most recent presidential election, hackers used a phishing email that appeared to come from Google to access and release a top campaign manager's emails.
Bad actors can get sensitive data in many other ways. In one case, they manipulated call-centre workers to get a customer's banking password.
Another way is to target data that's visually displayed on a laptop or mobile-device screen. For example, a bad actor could pose as a trusted vendor in an office or a business associate in a foreign country and subtly capture data with a smartphone or hidden recording device.
Organizations continue to be at risk from insider threats and the lack of a strong identity management protocol. End users continue clicking on spam and have issues using multi-factor authentication (MFA). These policy and training shortfalls continue to contribute to weaker cyber defense across many organisations, according to a study by ObserveIT.
Spam remains a longstanding, popular, and effective means of attack. Spam click rates are up from 13.4% in the second half of 2017 to 14.2% in 2018. More people are clicking more, regardless of their organization’s policies.
ObserveIT’s “Multigenerational Workforce and Insider Threat Risk Study” found a disconnect between insider risk and cyber security awareness. The study found that, of the thousand respondents, 65% knew what insider threats were, and yet this form of compromise continues to rise.
Breaking their results down by generation, ObserveIT found that 90% of 45-to-54-year-olds followed their company’s cyber security policy. But fully 34% of 18-to-24-year-olds were found to be unfamiliar with their employer’s cyber security policy.
Despite increased spending on cyber security, breaches continue to rise. The results point to the need to educate employees on the crucial part they play in keeping a company secure by curbing insider threats. In many respects it’s a challenge of acculturation.
A phishing campaign that delivers malware designed to steal banking data and other private information was discovered targeting a group of Australian businesses. Expect it to spread to other English-speaking countries shortly.
The attackers disguised their messages as invoices issued by MYOB, a local accounting software firm, according to a July 2018 Trustwave report. Users who clicked on the email links were directed to a file transfer protocol (FTP) server with a modular version of the DanaBot malware.
Once the three component pieces are activated, cybercriminals can send encrypted data, such as screenshots of victims’ machines, back to a command-and-control (C&C) server where it can be distributed covertly using channels like Tor.
Phishing campaign targets businesses
This tactic suggests that the perpetrators designed the phishing campaign specifically to target business professionals. Tracking invoices is critical in almost any kind of company, which means victims are likely to pay greater attention to these messages. Using FTP also makes the malicious emails appear more legitimate than they would if they came from an unknown HTTP address.
Finally, the fact the DanaBot banking Trojan is broken up into multiple, heavily encrypted pieces means that it is flexible and agile enough to evade detection.
Security professionals can help protect their organizations from phishing campaigns by developing a layered approach to email security. IBM experts recommend investing in external solutions that pull data from sensors and other sources to scan all incoming messages.
They also recommend that security teams implement perimeter protection using spam detection tools and antispam solutions that can run on internal mail servers on corporate networks. Finally, mail clients should be connected to a protection mechanism that detects spam and phishing attempts. And oh, train those users.
We're accustomed to email being the bearer of malicious payloads. Phishing emails continue to represent one of the most important ways in which organizations are compromised and data lost. It's important to realize, however, that email phishing is simply one form that social engineering can take.
Wherever human beings communicate or interact with one another in any way, there's the potential for fraud and exploitation. Email remains a dominant form of online communication now, but it need not hold that place forever. Indeed, it almost surely will not. Chat apps and social media are growing in importance, and they too are infested by scams.
Any organization would benefit from new-school interactive training that enables employees to recognize social engineering in whatever form it takes. Whether it's an email carrying malware as the payload of an attachment, a maltweet, an intercepted and altered Snapchat session, or even a nice-looking person showing up at the office with a clipboard saying they are from the phone company and need to check some problem, it's all still social engineering.
Fighting social engineering is a constant struggle. Technical defenses help, but consensus is that well-informed and aware users are a better protection. Individuals are regularly tricked into giving access to their endpoints. Once they've done that, malware can be installed usually without their knowledge. That malware can remain dormant for an undetermined period before it executes. And all of this can happen even in the presence of sophisticated perimeter defenses.
Barracuda Networks is among the security companies who provide technical solutions but that also recognize the importance of the "human firewall" when it comes to phishing and other social engineering attacks. Jonathan Tanner, a software engineer at Barracuda, notes that the company blocked over 1.5 million phishing emails with 10,000 unique phishing attempts in May of 2018 and 1.7 million phishing emails with 2,000 unique attempts in June.
It's a "numbers game," Barracuda observes: more attempts equals a greater chance of success, and it takes just one success to cause significant harm.
Barracuda advises, in the spirit of "loose lips sink ships," that employees be educated not to share too much information by email or social media. Poor employee behaviour can cause a great deal of damage, and where behaviour is the risk, training can be a remedy. Dennis Dillman, Barracuda's Vice President of Product Management, advises that effective training programs should go beyond traditional classroom approaches. Training needs to move quickly and conveniently for employees.
Here's a current scam those involved in shipping and receiving should be aware of. Suppose you're expecting a package from a major package delivery company. You receive a seemingly legitimate email from the shipping company offering a means to track the progress of your delivery by simply clicking on the supplied link “Arrival Notification.” The only problem is that, because the Microsoft default is to hide file extensions, you don’t see the full file name “Arrival Notification .exe.” You click on the file to check on your delivery but instead you unleash an unwanted package: an executable file that compromises your computer behind a seemingly innocent animated gif.
The scheme involves using Agent Tesla, a modern and powerful keystroke logger known to be used in malicious spam that pushes malware. This software monitors every move on your personal computer by way of the keyboard and monitor. The attacker then watches the victim viewing the animated gif in a browser on their own monitor. It’s like looking in a mirror, which is why it is known as “gifception.”
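The two lures described above (an FTP link posing as an MYOB invoice, and an executable whose “.exe” disappears behind the Windows default of hiding known file extensions) can both be flagged before a message reaches a user. The following is an added illustration, not code from the KnowBe4 article or from any vendor it mentions: it emulates what Explorer displays when extensions are hidden, so a defender can see why “Arrival Notification .exe” reads as “Arrival Notification”, and it flags links that point at ftp:// hosts. The extension lists and the sample messages are constructed assumptions for the example.

```python
"""Attachment-name and link triage for the phishing lures discussed above.

Added example; the extension lists and sample messages are assumptions
constructed for illustration, not data from the article.
"""
import re
from urllib.parse import urlparse

# Extensions Windows will execute on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
# Extensions a user expects on a harmless attachment (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "gif", "jpg", "png",
                 "txt", "zip"}

URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s<>\"']+", re.IGNORECASE)


def real_extension(filename: str) -> str:
    """The extension Windows actually acts on: text after the last dot."""
    return filename.rpartition(".")[2].lower() if "." in filename else ""


def displayed_name(filename: str) -> str:
    """Approximate Explorer's display with 'Hide extensions for known file
    types' enabled: the final '.ext' is dropped, so 'Arrival Notification .exe'
    shows as 'Arrival Notification ' and 'invoice.pdf.exe' as 'invoice.pdf'."""
    base, sep, _ext = filename.rpartition(".")
    if not sep or not base:
        return filename  # no extension, or a dotfile: shown unchanged
    return base


def attachment_findings(filename: str) -> list:
    """Reasons an attachment name should be treated as suspicious."""
    findings = []
    ext = real_extension(filename)
    if ext not in EXECUTABLE_EXTS:
        return findings
    shown = displayed_name(filename)
    findings.append(f"executable attachment (.{ext}) displayed as '{shown}'")
    # 'invoice.pdf.exe' is shown as 'invoice.pdf' when extensions are hidden.
    if real_extension(shown.strip()) in DOCUMENT_EXTS:
        findings.append("double extension: displayed name looks like a document")
    # Trailing whitespace before the real extension is invisible once hidden.
    if shown != shown.rstrip():
        findings.append("whitespace padding before the real extension")
    return findings


def link_findings(body: str) -> list:
    """Flag links whose scheme is ftp, as used in the MYOB invoice campaign."""
    return [f"link to FTP server: {url}"
            for url in URL_RE.findall(body)
            if urlparse(url).scheme.lower() == "ftp"]


def triage(message: dict) -> list:
    """Combine attachment and link findings for one message."""
    findings = []
    for name in message.get("attachments", []):
        findings += [f"{name}: {f}" for f in attachment_findings(name)]
    findings += link_findings(message.get("body", ""))
    return findings


# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    {"subject": "Arrival Notification",
     "attachments": ["Arrival Notification .exe"],
     "body": "Track your parcel using the attached notice."},
    {"subject": "MYOB Invoice 4471",
     "attachments": [],
     "body": "Your invoice is ready: ftp://invoice-host.example/inv4471.zip"},
    {"subject": "Monthly report",
     "attachments": ["report.pdf"],
     "body": "See https://intranet.example/report"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg) or "clean")
```

The `displayed_name` emulation is the part worth showing users in awareness training: with the default setting, the name in the mail client or Explorer simply does not contain the information needed to spot the executable, which is why the check belongs at the gateway rather than with the recipient.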
While it is best to avoid an attack altogether, scams and hacks are evolving so quickly that even the most sophisticated systems can be defeated.
Cyber Insurance should be part of every organisation’s risk management strategy and should be tailored to bridge the gaps that exist within traditional insurance policies, including:
As well as legal liabilities that arise due to:
If you believe that this issue is relevant to your business, please feel free to contact Rebecca Fleming, Account Manager of our Travel Industry Division at Gow-Gates Insurance Brokers on (02) 8267 9919 or email firstname.lastname@example.org to discuss your circumstances or to obtain a quotation.
Gow-Gates Insurance Brokers advises that persons should not act on the material contained in this article as the items are of a general nature only and may be misinterpreted. We therefore recommend that advice be sought before acting in these areas.