An Apple Byte : iPhone Users Targeted With Password Reset Scam

It’s been reported that some iPhone users have recently been targeted with an MFA bombing / multi-factor fatigue phishing attack.

The attack (which uses a bug in Apple’s password reset feature) bombards the user’s phone with password reset requests and ‘Allow’ or ‘Disallow’ options. If the user eventually clicks on ‘Allow’ in an attempt to stop the many prompts, they receive a call from scammers pretending to be Apple Support, asking the user to verify a one-time code in an attempt to gain access to the account and/or to sensitive user information.

So far, it’s understood that these attacks have been highly targeted at certain individuals, and users should note that Apple Support will never call a user unless that user has specifically asked them to. It’s also been reported that turning on Apple Recovery Key for the account is a way to stop the multiple notifications generated by the scammers.

Security Stop Press : Thousands Of Brand Subdomains Hijacked For Spam

Cyber security company Guardio Labs has reported uncovering a major “SubdoMailing” campaign which involves the hijacking of 8,000+ trusted domains to send millions of spam and malicious phishing emails daily.

Brands whose subdomains are being exploited in the campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.

Guardio Labs said it has identified the threat actor behind the campaign as ‘ResurrecAds,’ a bogus ad network known for reviving “dead” domains from big brands and using them as backdoors to exploit legitimate services and brands and circumvent email protection.

The advice to businesses, which should already have antivirus protection in place, is to exercise caution and to avoid opening any unsolicited and suspicious looking emails, even if they do appear to be from known brands.

Security Stop Press : Scam Ad Linked To Phishing Site Tops Google

UK Consumer champion Which? has reported that a scam mobile advert linked to a site mimicking the legitimate Lyca Mobile site was able to bypass the Google Ads verification check to reach the top of Google’s search listing.

Which? reported that scammers got around Google’s ad verification check by claiming to be “Vodafone Finance Management”, a subsidiary of Vodafone on Companies.

The scam ads, which appeared at the top of Google for three days in late January, linked to a copycat website designed to steal card details (a phishing website).

A spokesperson for Vodafone told Which? they had “reported the issue to Google for immediate resolution and to stop it happening again.” Also, a spokesperson for Lyca Mobile told Which? that they “welcome moves by Google and others to crack down on this type of activity to protect both consumers and brands from malicious actors.” 

Tech Insight : Cyber Criminals With A PR Department

A whitepaper by researchers at Sophos highlights how, rather than remaining anonymous, ransomware gangs now engage with the media to shape the narrative around a hack and gain a tactical and strategic advantage.

The Ransomware Threat 

Ransomware is a type of malicious software designed to block access to a computer system or data (typically by encrypting it), until a ransom is paid. It’s worth remembering that even if a ransom is paid, it may not mean that data is ever returned. Ransomware has become increasingly popular among cybercriminals due to its lucrative nature and the ease with which it can be distributed, such as via phishing emails, malicious downloads, or exploiting security vulnerabilities. The rise of cryptocurrencies has also facilitated anonymous ransom payments, making it harder to trace and prosecute perpetrators.

Ransomware’s effectiveness in generating revenue for attackers, plus the increasing digitisation of many business sectors, have contributed to its growing prevalence as an attack ‘vector’. For example, ransomware attacks have increased by over 37 per cent this year compared to previous years (ThreatLabz), and over the last five years there has been a 13 per cent rise in ransomware attacks. Also, the global cost of ransomware is estimated to have exceeded $30 billion this year (tech.co).

The Commoditisation and Professionalisation of Ransomware 

The Sophos whitepaper highlights the fact that whereas historically, cybercriminals preferred to operate in obscurity and avoid public attention (for obvious reasons), there has been a marked shift in the behaviour of ransomware gangs. Sophos says that, aided by the commoditisation and professionalisation of ransomware, these criminal groups are now actively engaging with the media for a variety of tactical and strategic reasons.

Why? 

Some of the key reasons highlighted by Sophos as to why ransomware gangs now court the media include:

– Leveraging media attention. It seems that ransomware gangs now understand that their activities are newsworthy and are prepared to use media coverage to bolster their credibility and exert pressure on victims. For example, they sometimes link to existing coverage on their leak sites, thereby showcasing their notoriety and influence (making a name for themselves and bolstering their criminal ‘brand’).

– Many ransomware gangs now seek direct communication with journalists, inviting and facilitating contact through FAQs on their leak sites, dedicated private PR channels, and public notices. This approach not only allows them to control the narrative but also serves as a means to intimidate victims by demonstrating their media reach.

– Bizarrely, some groups even give in-depth interviews, thereby hoping to provide a positive perspective of their activities, which could serve as a recruitment tool. This not only increases their notoriety but also offers insights into the ransomware scene from their perspective.

– Sophos reports that ransomware groups have even started issuing what they call “press releases,” often written in fluent English. These releases can, for example, range from recruitment announcements to attacks on organisations for not complying with their demands, thereby applying pressure, and causing reputational damage to victim organisations.

– According to Sophos, ransomware gangs have also started to focus on their own branding, using catchy names and slick graphics on their leak sites to attract media attention and distinguish themselves in the public domain.

Media Management Roles

Reading the above, it’s perhaps not such a surprise to learn that, according to Sophos, some well-established ransomware groups even have individuals in media management roles who are dedicated to negotiating ransoms and managing public communications. This indicates a worrying level of organisation and professionalisation akin to legitimate businesses.

Criticism and Mistrust of Media 

That said, and despite their engagement, it seems that the split personality and confused logic of ransomware gangs can’t help but shine through as they tend to display a contradictory attitude towards the media. For example, Sophos highlights how they often criticise journalists for what they perceive as unfair or inaccurate coverage and occasionally attack individual journalists to make them feel uncomfortable or cause reputational harm. However, as befits a more media-savvy approach (with a brand and image at stake) they also tend to refrain from making direct threats.

The Unique Position of Ransomware Gangs 

In the world of cybercrime, this need for publicity means that ransomware campaigns now occupy a unique position. Unlike other threats that thrive on remaining undetected, ransomware groups must make themselves known to demand ransoms. This involves using leak sites and media engagement. It should be remembered, however, that all this is used to apply pressure on victims, attract recruits, manage their public image, and shape the narrative of their attacks.

The Implications For The Security Community And Businesses 

To combat the problem of the increasing media savviness of ransomware gangs, many believe that the security community and media need to adopt specific strategies. These could include:

– Refraining from directly engaging with ransomware actors unless it aids in defence or is in the public interest.

– Factual reporting, i.e. focusing on providing information that aids defenders and avoids glorifying the threat actors, thereby reducing their manipulative power.

– Providing adequate support to journalists and researchers who may be targeted by these groups.

– Avoiding publicly naming or crediting threat actors unless it is necessary and factual. This can deny them the publicity they seek, thereby limiting their power and thwarting some of their criminal ambitions.

Why Aren’t Ransomware Gangs Afraid? 

As the Sophos whitepaper indicates, ransomware gangs often appear to be unfazed by the legal consequences of their actions. Some of the main reasons for this may be:

– An adequate level of anonymity and decentralisation. Despite their media engagement, ransomware operations still manage to maintain an adequate level of anonymity, often using encrypted communication and cryptocurrency for transactions, which makes the successful tracking and identification of perpetrators challenging.

– Jurisdictional challenges. Many ransomware gangs operate from countries with lax cybercrime laws or where local authorities are either unable or unwilling to cooperate with international law enforcement efforts. This creates a kind of safe-haven for cybercriminals.

– Sophistication of operations. Ransomware gangs are now becoming increasingly sophisticated, using advanced techniques to avoid detection, and employing a variety of methods to launder ransom payments.

– The Ransomware-as-a-Service (RaaS) model allows ransomware developers to lease their malware to affiliates who conduct the attacks, further complicating law enforcement efforts as the developers can claim ignorance of the actual attacks.

Some Successes 

Despite these challenges, police around the world have had some notable successes in recent years. Collaborations between international law enforcement agencies have led to the disruption of major ransomware operations, arrests of key figures, and seizure of ransom payments. For example, the takedown of the Emotet botnet, the arrest of individuals connected to the REvil and Egregor ransomware groups, and the recovery of part of the ransom paid in the Colonial Pipeline attack are some significant victories. However, these successes are relatively rare compared to the scale and frequency of ransomware attacks, while the constantly evolving nature of these cybercriminal groups continues to pose a substantial challenge to law enforcement worldwide.

What Does This Mean for Your Business?

This shift by ransomware gangs from hiding away to actively contacting the media seems counterintuitive, brazen, and shocking. For many of the reasons explained above, ransomware gangs don’t seem to fear detection and capture. Despite their media activities, the main point is that if businesses are well prepared with security measures in place, the ransomware threat can be mitigated and the gangs will have little to report.

Proactive businesses should, for example, implement robust cybersecurity practices to prevent breaches, and develop and regularly update a comprehensive incident response plan. It’s also important for businesses to educate employees about ransomware tactics, including their use of media and public relations strategies, and to engage with cybersecurity experts to stay informed about the latest ransomware trends and defence strategies. Businesses also need to be aware that, like the attackers, they may need to prepare a media strategy in case of a ransomware attack, to control the narrative and minimise reputational damage.

There’s also clearly a part that the media can play in limiting the manipulative power of ransomware gangs by not engaging with them and by denying them the publicity they crave. Better collaboration between law enforcement globally and increasing investment in detecting and tackling these groups is also an important priority to protect businesses. The more brazen and open attackers become, the more likely they are to make mistakes and leave clues and trails that could lead to their detection and capture.

By understanding the evolving landscape of ransomware threats and their media strategies, businesses and the security community can better prepare and respond to these increasingly sophisticated cyber-attacks.

Security Stop Press : ChatGPT Release Linked To Massive Phishing Surge

Threat detection technology company SlashNext has reported that in the 12 months that ChatGPT has been publicly available, the number of phishing emails has jumped 1,265 per cent, with credential phishing, a common first step in data breaches, seeing a 967 per cent increase.

SlashNext’s State of Phishing 2023 report notes that cybercriminals may have been leveraging LLM chatbots like ChatGPT to help write more convincing phishing emails and to launch highly targeted phishing attacks. Generative AI chatbots may also have lowered the barriers for any bad actors wanting to launch such campaigns (i.e. by giving less skilled cyber criminals the tools to run more complex phishing attacks).

Businesses can safeguard against phishing attacks by taking measures such as educating employees to recognise fraudulent communications, enforcing strong password policies, using MFA, keeping software up-to-date and installing anti-phishing tools, and by having an effective incident response plan to mitigate damage from breaches.

Security Stop Press : Booking.com Customers Targeted By Phishing Emails

It’s been reported that following a hack of online travel agency Booking.com’s email system, customers have been receiving phishing emails asking for their bank card details to avoid cancellation of their hotel booking.

The emails, which have been reported to come from a standard booking.com email address, appear to be targeting customers who have checked in or are due to check in, and although they vary slightly in content, give customers a limited time (4 to 12 hours) to provide their card details following the fraudulent payment request.

It’s been reported that Booking.com denies that its email system was hacked and blames the breach on partner hotels’ email systems being hacked following phishing attacks. The advice for those who have received the emails and are suspicious is to contact Booking.com’s customer service team, contact the hotel directly, or, if payment has been made, to contact their bank.

Security Stop Press : New Phishing Campaign Targeting Teams

Microsoft has warned of a new phishing campaign from the “financially motivated” Storm-0324 threat actor which uses an open-source tool to send phishing lures through Microsoft Teams chats.

The goal is accessing corporate networks and enabling follow-on attacks like ransomware, i.e. handing off access to compromised networks to other threat actors. The campaign leverages the open-source TeamsPhisher tool to attach files to messages.

Microsoft says it has rolled out improvements to better defend against the threat and has suspended identified accounts. Microsoft also gives a list of recommendations to harden networks against Storm-0324 attacks on its website.

Security Stop Press : Securing Staff In Summer Holidays (P1)

In this first instalment of a three-part series, we look at how staff can maintain the right level of security when using their devices in the summer holidays:

– Secure Your Devices. Ensure that all your devices (laptops, smartphones, tablets) are password-protected and have the latest security updates installed. This includes your operating system, antivirus software, and all applications.

– Secure Your Home Network. If you’re working from home in the holidays, make sure your home network is secure. Change your router’s default password and enable WPA3 encryption.

– Use a VPN. If you’re out and about and using public Wi-Fi networks, make sure you use a Virtual Private Network (VPN). This will encrypt your internet connection, making it harder for hackers to intercept your data. Also, turn off the auto-connect feature on your devices to prevent them from automatically connecting to public Wi-Fi networks, which can be insecure.

– Be Aware of Phishing Attempts. Cybercriminals often take advantage of holidays to launch phishing campaigns. Be wary of any unexpected emails, especially those asking for personal or financial information.

Security Stop Press : Deepfake ‘Sextortion’ Scams

The (US) FBI has issued a warning that scammers are altering benign photographs and videos to create explicit deepfake photos and videos. The deepfake videos and photos are publicly circulated on social media or pornographic websites and/or sent to victims for the purposes of targeting them with harassment or sextortion schemes. The advice is to exercise caution when posting or direct messaging personal photos, videos, and identifying information on social media, dating apps, and other online sites.

Featured Article : New Reports Reveal Two Key Cyber Security Insights

With phishing attacks being favoured for their effectiveness by attackers and most ransomware attacks now targeting backup storage, we look at what businesses can do to protect themselves.

Spear Phishing Accounted For Two-Thirds Of All Attacks Last Year 

A recent report from security provider Barracuda has revealed that although spear phishing attacks make up just 0.1 per cent of all email-based attacks in 2023, they were responsible for two-thirds of all breaches. The report showed that a massive 50 per cent of the 1,350 organisations surveyed had fallen victim to a spear-phishing attack in 2022, and a quarter had had at least one email account compromised via an account takeover. The report also showed that of those who fell victim to a successful spear phishing attack, 55 per cent had machines infected with malware or viruses, and 49 per cent and 48 per cent respectively had sensitive data or login details stolen.

What Is Spear Phishing? 

Spear phishing is a targeted form of phishing that aims to deceive individuals or organisations by sending bogus, fraudulent emails or messages. While traditional phishing attempts are more generic and widespread, spear phishing campaigns are highly tailored and personalised to trick specific targets, such as employees of a particular company or members of an organisation.

Targets Are Researched 

The attackers behind spear phishing typically research their targets extensively to gather information that will make their messages appear legitimate and increase the chances of success. They may gather details from social media profiles, online directories, or leaked data from previous breaches. This information is then used to create highly convincing email messages that appear to be from a trusted source, such as a colleague, a client, or a supervisor.

Personalised Content To Make Them More Convincing 

Spear phishing emails often contain personalised content, such as the recipient’s name, job title, or other relevant details, which makes them appear more authentic. They may also exploit psychological manipulation techniques to evoke a sense of urgency, curiosity, or fear to compel the target to click on a malicious link or download a malicious attachment. Once the recipient interacts with the malicious content, the attacker may gain unauthorised access to sensitive information, such as login credentials, financial data, or proprietary information.

The Consequences 

Spear phishing attacks can have severe consequences for individuals and organisations, including data breaches, financial loss, reputational damage, and further exploitation of compromised accounts.

How To Protect Your Business From Spear Phishing 

To protect against spear phishing, it is important to exercise caution when opening emails, verify the legitimacy of unexpected or suspicious requests, and regularly educate and train employees on identifying and reporting phishing attempts. Also, account takeover protection solutions with artificial intelligence capabilities can be effective.

It is difficult, however, to stop attackers from gathering the information about a business and specific personnel within that business that helps them target their attacks. For example, some information may have been stolen in previous cyberattacks or data breaches, or gathered from social media. Businesses should, where possible, be careful about how much information is shared online about the business and staff members, e.g., ‘meet the team’ or ‘about us’ pages, as this could also be used by attackers.

A Launching Point For More Advanced Attacks 

Spear phishing is widely recognised as one of the most successful and commonly used techniques in cybercriminal campaigns and is favoured by attackers because it capitalises on human vulnerabilities/human error, exploits the trust placed in familiar or authoritative sources, and can be easier than trying to hack complicated and well-defended systems – cyber criminals always look for the maximum payoff from minimum effort and risk.

By carefully crafting personalised messages, attackers can significantly increase the chances of success in compromising targets compared to generic phishing attempts. The level of sophistication and customisation in spear phishing attacks makes them harder to detect and raises the probability of successful infiltration.

Moreover, spear phishing serves as a launching point for more advanced attacks, such as targeted malware infections, social engineering exploits, or business email compromise (BEC) schemes. Once an attacker gains a foothold through spear phishing, they can proceed with their malicious activities, including data exfiltration, network infiltration, or financial fraud.

Reasons For The New Figures 

The reasons why spear phishing makes up only 0.1 per cent of all email-based attacks but is responsible for two-thirds of all breaches (i.e. it has a disproportionately higher success rate compared to other types of email-based attacks) are, therefore, that:

– Spear-phishing attacks are highly targeted and tailored to specific individuals or organisations, and this customisation makes the attacks more convincing, increases the likelihood of victims falling for them and, therefore, increases their effectiveness.

– These attacks take advantage of human psychology and behavioural traits, such as trust, curiosity, and urgency and, by leveraging these vulnerabilities, attackers can trick individuals into divulging sensitive information or performing actions that compromise security.

– Spear phishing bypasses technical security measures, e.g. firewalls, antivirus software, and spam filters, enabling attackers to circumvent traditional security controls and directly target individuals.

– While spear-phishing attacks may target a specific individual initially, their success can lead to broader repercussions. For example, compromising one employee’s credentials through a spear-phishing attack could provide the attacker with access to sensitive systems or information, potentially leading to a significant breach affecting an entire organisation.

Most Ransomware Attacks Target Backups 

The 2023 Ransomware Trends Report from software company Veeam has revealed that 93 per cent of cyber-attacks target backup storage to force the ransom payment because it removes the option of recovery. The report found that these attacks are successful in debilitating their victims’ ability to recover in three-quarters of events and that more than one-third (39 per cent) of backup repositories are completely lost in these backup-targeted attacks.

Ransomware? 

As the name suggests, ransomware is a type of malicious software designed to encrypt files on a victim’s computer or network, rendering them inaccessible until a ransom is paid to the attacker (usually in a cryptocurrency such as Bitcoin to avoid detection). It is a form of cyber extortion that aims to extort money from individuals, businesses, or organisations by holding their valuable data hostage.

Paying The Ransom? 

It is widely known that paying the ransom often doesn’t work: even if the ransom is paid, data can still be destroyed, and/or the attackers don’t provide the decryption key and simply make off with the money.

That said, according to the Veeam report, for the second year in a row, most of the organisations surveyed (80 per cent) said they had paid the ransom to end an attack and recover data, despite 41 per cent of organisations actually having a “Do-Not-Pay” policy on ransomware. Still, while 59 per cent paid the ransom and were able to recover data, 21 per cent paid the ransom yet still didn’t get their data back from the cyber criminals. Additionally, only 16 per cent of organisations avoided paying ransom because they were able to recover from backups. Sadly, the global statistic of organisations able to recover data themselves without paying ransom is down from 19 per cent in last year’s survey.

Protecting Your Business Against Ransomware Attacks

Typically, preventing ransomware attacks involves a combination of proactive measures such as regularly updating software and systems, implementing robust security practices, training employees on recognising and avoiding suspicious emails or websites, maintaining secure backups of important data, and deploying reliable antivirus and anti-malware solutions.

Veeam notes in its comments about the report’s findings that while best practices like securing backup credentials, automating cyber detection scans of backups, and auto verifying that backups are restorable can help protect against attacks, “the key tactic is to ensure that the backup repositories cannot be deleted or corrupted. To do so, organisations must focus on immutability.”  

Immutability 

Veeam reports that those who have fallen victim to ransomware have learned lessons and 82 per cent use immutable clouds, i.e. a cloud computing environment where the data stored within the cloud infrastructure is maintained in an immutable or unchangeable state. Also, 64 per cent now use immutable disks, and only 2 per cent of organisations don’t have immutability in at least one tier of their backup solution.

Being Careful About Re-Infection During Recovery 

In Veeam’s study, respondents were asked how they ensure that data is ‘clean’ during restoration. 44 per cent of respondents said they complete some form of “isolated staging” to re-scan data from backup repositories prior to reintroduction into the production environment. Whilst this is positive news, the flip side of this statistic is that more than half (56 per cent) of organisations risk re-infecting the production environment by not having a means to ensure clean data during recovery. The point is, therefore, that it’s important to thoroughly scan data during the recovery process.

What Does This Mean For Your Business? 

The obvious effectiveness of spear phishing attacks and the fact that most ransomware attacks are now targeting backups presents significant challenges for businesses, requiring proactive measures to protect themselves.

As highlighted by Barracuda’s report, spear phishing attacks have proven to be highly successful, accounting for two-thirds of all breaches despite constituting a small percentage of email-based attacks. The targeted and personalised nature of spear phishing makes it difficult to detect, as attackers extensively research their targets to create convincing messages. To protect against spear phishing, businesses should, therefore, exercise caution when opening emails, verify the legitimacy of requests, and provide regular training to employees on identifying and reporting phishing attempts. Account takeover protection solutions with artificial intelligence capabilities can also be effective.

As highlighted by Veeam’s report, ransomware attacks, on the other hand, have increasingly targeted backup storage, rendering organisations unable to recover their data even if they pay the ransom. While some organisations have paid the ransom and recovered their data, many have not been as fortunate. For businesses, the key to protecting against ransomware attacks lies in proactive measures such as regularly updating software, implementing robust security practices, training employees, maintaining secure backups, and deploying reliable antivirus and anti-malware solutions. Additionally, businesses should focus on immutability, ensuring that backup repositories cannot be deleted or corrupted.

To combat the risks associated with spear phishing and ransomware attacks, businesses should favour a multi-layered approach to security. This includes investing in employee education and training, implementing strong technical security measures, and regularly evaluating and updating security protocols. Businesses can also help protect themselves by staying informed about emerging threats and best practices in cybersecurity to enable them to adapt their defences accordingly.