Busting cyber security myths. Not everything is as it seems.

Your passwords aren’t safe, the internet of things is ripe for abuse, and hackers don’t always wear hoodies – this is some of the wisdom shared by cyber security expert and creator of the Have I Been Pwned website, Troy Hunt at the ACS Reimagination Thought Leaders’ Summit 2022.

In an entertaining talk delivered to a full house at the Hilton Hotel Sydney, Hunt dispelled some of the myths about cyber security and offered a poignant reminder that keeping your devices and data safe isn’t always as complex or scary as it looks.

“What does a hacker look like?” he asked the crowd.

“I think everyone’s got a picture in their mind from movies or the press that hackers look a certain way, often wearing dark hoodies and with a dark setting in order to evoke a sense of fear.

“The press wants to make them look scary because that’s what they do, cyber security companies want to make them look scary so they can sell their products, but the reality behind this is often very different.”

Hunt described how, in the fallout of the 2015 breach of UK telecommunications provider TalkTalk, pundits attributed the attacks to “Russia-based Islamic jihadists” – with some news outlets naturally including the ubiquitous hacker-in-a-hoodie image trope in their reporting.

In reality, the breach that cost tens of millions of dollars was triggered by a 16-year-old who bragged about finding vulnerabilities in the company’s systems to show off to his friends.

Your passwords are bad

The point of much of Hunt’s Reimagination talk was to serve as a reminder that cyber security threats are varied and need not always be the result of nation-state hackers or nefarious criminal masterminds.

And it doesn’t help that so much of our online world is protected by passwords and the enforcement of restrictions on what your new password should look like.

“When you have that six-character password that you’re trying to use, something you use everywhere, and a website says you have to have at least one uppercase character – what do you do?”

Hunt posed the question to the Reimagination conference and noticed the audience looking nervously around at each other.

“You capitalise the first letter,” he continued. “And then you need a number, so you put a one at the end. And you need a non-alphanumeric so you put an exclamation mark at the end.

“I know you do it, I’ve seen all your passwords.”

The result of enforced password composition rules, Hunt said, is a series of common behaviours among users.

People take the path of least resistance, trying to find shortcuts around the system that is getting in their way, with the result being a weaker security posture.
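The behaviour Hunt describes is easy to demonstrate in code: a password that satisfies every composition rule can still be a dictionary word with the predictable decoration stripped off. The following is an added example, not code from the talk or from Have I Been Pwned; the list of common base words is constructed for the example and stands in for a real breach corpus such as Pwned Passwords.

```python
import re
import string

# Constructed list of common base words standing in for a breach corpus such as
# Pwned Passwords; these values are an assumption for the example, not page data.
COMMON_BASES = {"password", "welcome", "summer", "monkey", "qwerty", "letmein"}

# Digits and symbols bolted onto the end of a word ("...1", "...1!", "...2022!").
TRAILING_DECORATION = re.compile(r"[0-9!@#$%^&*._-]+$")


def base_word(password: str) -> str:
    """Undo the mutations composition rules tend to provoke: capitalised first
    letter, trailing digits, trailing symbol. Returns the underlying word."""
    return TRAILING_DECORATION.sub("", password).lower()


def meets_composition_rules(password: str) -> bool:
    """A typical rule set: at least 8 characters, an uppercase letter, a digit
    and a non-alphanumeric character."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def is_predictable_mutation(password: str, bases=COMMON_BASES) -> bool:
    """True when the password is a well-known word with cosmetic decoration,
    i.e. exactly what a cracking wordlist with mangling rules recovers first."""
    return base_word(password) in bases


def assess(password: str) -> dict:
    """Report both what a composition-rule checker would say and what an
    attacker's rule-based wordlist would find."""
    return {
        "passes_rules": meets_composition_rules(password),
        "predictable": is_predictable_mutation(password),
    }


if __name__ == "__main__":
    for pw in ("Password1!", "Monkey2022!", "letmein", "correct horse battery staple"):
        print(pw, assess(pw))
```

The useful check is the second field, not the first: "Password1!" passes every rule and is still one of the first guesses a cracker makes, while a long passphrase fails the rules and is far harder to guess. Screening new passwords against a breach corpus does more than any uppercase-plus-digit requirement.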

“There are other things we can do to authenticate users that are much more clever,” he said.

“Such as ubiquitous transport layer security, second-factor controls, and user-behaviour analytics.

“Bob normally comes in, logs into work and starts on his Excel spreadsheet. But one day Bob remotes in from Beijing and starts poking around the firewall – that’s probably not Bob.”
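The "that's probably not Bob" check is a baseline comparison, and a minimal version of it fits in a few dozen lines. The block below is an added example, not Hunt's code or any vendor's product: it learns, per user, the source countries and actions seen in historical log lines, then reports how each new event deviates. The log format and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log format for the example; real sources would be VPN, SSO or
# firewall audit logs, and this parser is an assumption, not a vendor format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<country>[A-Z]{2}) action=(?P<action>\S+)$"
)

# Constructed history: Bob works on spreadsheets from Australia, Alice administers the firewall.
HISTORY = """\
2022-02-21T09:01:12Z user=bob src_country=AU action=login
2022-02-21T09:03:40Z user=bob src_country=AU action=open_spreadsheet
2022-02-22T08:58:03Z user=bob src_country=AU action=login
2022-02-22T09:00:19Z user=bob src_country=AU action=open_spreadsheet
2022-02-22T11:15:44Z user=alice src_country=AU action=login
2022-02-22T11:16:02Z user=alice src_country=AU action=firewall_config_read
""".splitlines()

# Constructed new events: "Bob" remotes in from Beijing and pokes at the firewall.
NEW_EVENTS = """\
2022-02-23T03:12:51Z user=bob src_country=CN action=login
2022-02-23T03:14:07Z user=bob src_country=CN action=firewall_config_read
2022-02-23T09:02:30Z user=bob src_country=AU action=open_spreadsheet
2022-02-23T09:05:10Z user=alice src_country=AU action=firewall_config_read
""".splitlines()


def parse(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def build_baseline(lines: List[str]) -> Dict[str, Dict[str, set]]:
    """Per-user profile of the countries they come from and the actions they
    normally perform, learned from historical events."""
    baseline: Dict[str, Dict[str, set]] = defaultdict(lambda: {"countries": set(), "actions": set()})
    for e in map(parse, lines):
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["actions"].add(e["action"])
    return baseline


def score(baseline: Dict[str, Dict[str, set]], event: Dict[str, str]) -> List[str]:
    """Reasons an event deviates from its user's baseline (empty list = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"new source country {event['country']}")
    if event["action"] not in profile["actions"]:
        reasons.append(f"unusual action {event['action']}")
    return reasons


def flagged(history: List[str], new_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every new event that deviates."""
    baseline = build_baseline(history)
    out = []
    for e in map(parse, new_lines):
        reasons = score(baseline, e)
        if reasons:
            out.append((e["ts"], e["user"], reasons))
    return out


if __name__ == "__main__":
    for ts, user, reasons in flagged(HISTORY, NEW_EVENTS):
        print(ts, user, "; ".join(reasons))
```

Only the two Beijing events are reported; Bob's usual spreadsheet work and Alice reading the firewall configuration (which is normal for her) pass silently. A production system would add time-of-day, device and velocity features and decay old observations, but the structure, a per-identity baseline and a per-event list of deviations, is the same.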

Beware the internet of things

As part of his presentation, Hunt shared a story about testing a child smart watch sold by an Australian company in order to demonstrate why people should be wary when buying internet-enabled devices.

The watch markets itself as a way to safely monitor your child’s location through a cellular-enabled smart watch with limited features – including that it can only make calls to, and receive calls from, a limited set of approved contacts.

But when he and a fellow security tester started poking around in the watch’s software, they found some interesting uses of its APIs.

One problem was that users were identified by a simple user number, which meant they could change that number in the watch app’s API requests and track other people’s children.

“It’s not like there was a complete lack of access controls,” he said.

“The access controls went like this: are you logged in? Yes. Cool, do whatever you want.”

“There was nothing like: are you logged in? Is this your family?”

A similar lack of access controls meant somebody could remotely call the watch and speak to the child directly, without the child even having to answer the call.

“Anybody could call a child because of a really, really simple programming mistake,” Hunt said.

“Disclosing these bugs to the company was very good in one way – they took it offline quickly – and in another quite bad because it was very hard to get the organisation to understand the gravity of their mistakes and the role they played in creating what was ultimately dangerous software.”
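The missing check Hunt describes ("are you logged in? Is this your family?") is an object-level authorization check, and the difference between the two versions is a single comparison done server-side. The code below is an added example and not the watch vendor's code: it puts the authentication-only handler beside a fixed one, with constructed sample data, and applies the same check to calling the watch as to reading the location.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when a request is rejected; an API would map this to 403 or 404."""


@dataclass(frozen=True)
class User:
    user_id: int
    family_id: int


@dataclass(frozen=True)
class Child:
    child_id: int
    family_id: int
    location: str


# Constructed sample data for the example (an assumption, not the vendor's schema).
CHILDREN: Dict[int, Child] = {
    101: Child(child_id=101, family_id=1, location="school"),
    102: Child(child_id=102, family_id=2, location="park"),
}
PARENT = User(user_id=1, family_id=1)     # belongs to the family of child 101
STRANGER = User(user_id=2, family_id=2)   # any other logged-in user


def get_location_vulnerable(session_user: Optional[User], child_id: int) -> str:
    """Authentication only: any logged-in user can read any child's record by
    changing child_id in the request. This is the 'are you logged in? Cool,
    do whatever you want' pattern."""
    if session_user is None:
        raise Forbidden("not logged in")
    return CHILDREN[child_id].location


def authorized(session_user: Optional[User], child_id: int) -> bool:
    """Object-level authorization: the caller must be logged in AND the child
    must belong to the caller's family. The family is looked up server-side
    from the session and the stored record, never taken from the request."""
    if session_user is None:
        return False
    child = CHILDREN.get(child_id)
    return child is not None and child.family_id == session_user.family_id


def _require(session_user: Optional[User], child_id: int) -> Child:
    # One error for 'unknown id' and 'not your family', so the response does
    # not confirm which ids exist to someone enumerating them.
    if not authorized(session_user, child_id):
        raise Forbidden("no such child in your family")
    return CHILDREN[child_id]


def get_location_fixed(session_user: Optional[User], child_id: int) -> str:
    return _require(session_user, child_id).location


def place_call_fixed(session_user: Optional[User], child_id: int) -> str:
    """Every action on the object gets the same check, including ringing the
    watch, not only reads."""
    child = _require(session_user, child_id)
    return f"ringing watch {child.child_id}"


if __name__ == "__main__":
    print(get_location_vulnerable(STRANGER, 101))   # leaks another family's child
    print(get_location_fixed(PARENT, 101))
    try:
        get_location_fixed(STRANGER, 101)
    except Forbidden as err:
        print("blocked:", err)
```

The point of routing every handler through one `_require` helper is that the next endpoint added (calling the watch, reading call history, changing the contact list) cannot forget the family check, which is how the second bug Hunt describes, anyone being able to call the child, arises from the same root cause as the first.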

READ MORE

New Phishing Campaign Angles for Monzo Banking Customers

A phishing campaign is targeting users of the UK-based digital banking company Monzo, BleepingComputer reports. Security researcher William Thomas came across an SMS phishing (smishing) campaign that’s sending text messages that purport to come from Monzo.

“The users are taken to a phishing site that displays a fake email login form and then requests information about their Monzo account, including full name, phone number, and the Monzo PIN,” BleepingComputer says. “If these details are provided, the threat actors now have everything needed to begin taking over victims’ Monzo accounts. When installing the Monzo app on a new device, like the threat actor’s smartphone, the service sends a device verification link for the first login to the user’s email address. As the threat actors now have access to victims’ email accounts, they can click on this ‘golden link’ and verify their device, giving full access to the Monzo account. The severity of gaining access to this link is illustrated in the emails sent by Monzo, who warn that the link should never be shared with other people.”

Thomas wrote in a blog post that the attackers can then attempt to bypass users’ multifactor authentication to gain access to their accounts.

“These details are enough to compromise a user’s email account and Monzo account,” Thomas wrote. “Additional social engineering steps might be involved, but there are many one-time passcode (OTP) stealing bots and other guides on how to trick victims into giving up access to the attacker.”

BleepingComputer explains that Monzo has a process for contacting users that users should be aware of.

“When Monzo wants to inform users about anything, it uses built-in app notifications or the account portal on the official website,” BleepingComputer says. “Monzo doesn’t use SMS to send notifications, and the platform would never urge users to follow any links from outside the app. If you’ve tapped on these links and provided any login details to the actors, reset your account passwords immediately and activate MFA on both your email and Monzo accounts.”

Multi-factor authentication is an important layer of defense, but users should know that it’s not foolproof. New-school security awareness training can enable your employees to recognize social engineering attacks.

READ MORE

When the Phishers Want a Reply, not a Click

A sextortion phishing campaign is targeting French speakers accusing them of viewing child abuse content, according to Paul Ducklin at Naked Security. The emails purport to come from the French police, and are designed to frighten users into replying to the email to assert their innocence. After a user replies, the scammer will attempt to convince them to pay a bogus fine to have the matter dropped.

Ducklin offers the following advice to help people avoid falling for these scams.

  • “How likely does the message really seem? The sender of this email was given as Jean-Luc Godard, who in real life is a world-famous left-wing French filmmaker now in his 90s. The investigating officer you are told to email directly is Frédéric Veaux, the Director General of the French Police. If you were being charged, you would have to be formally accused by name, not simply sent an email starting simply Monsieur/Madame. (Interestingly, the subject line said Mr/Mme, mixing up English and French in an obvious mistake.)
  • “If in doubt, don’t give it out. If this were a genuine criminal investigation, you would not be invited to submit evidence in mitigation informally via email. That would be insecure both for you and the police, and would almost certainly be useless in court anyway.
  • “Don’t be afraid to check with a trusted source. If this email were genuine, and there really were police charges against you, then emailing back information of your own to defend yourself against as-yet unspecified, unknown claims against you would be a very bad idea. The police themselves would not ask you to do that, which makes it obvious that this email doesn’t come from the police in the first place.”

It’s not just France, either. We’ve seen an email from the Grand Ducal Police of Luxembourg, also in French, and better French than one usually sees. No one was named in the letter beyond “Madame/Monsieur,” but at least the hoods got rid of that “Mr.” Needless to say, it’s still not very plausible. Next time they may try Andorra, or Monaco, or the Sûreté du Québec.

New-school security awareness training can teach your employees to follow security best practices so they can thwart phishing attacks.

READ MORE

What’s the best anti-virus software?

In a fiercely competitive market driven by hype and fear, security software vendors live or die by their reputation – so when Czech antivirus firm Avast Software recently feted an independent testing report that put its tools well ahead of its rivals, its stellar detection rate seemed like a marketing slam-dunk.

The company’s Avast Free and Avast One products both blocked 99 per cent of the 250 phishing URLs thrown at them by independent Austrian antivirus-testing firm AV-Comparatives, the report found, putting it ahead of rivals like Avira (97 per cent), McAfee (93 per cent), Kaspersky (90 per cent), Bitdefender (89 per cent), NortonLifeLock (70 per cent), and Malwarebytes (61 per cent).

Its Avast Secure Browser also rated highly, blocking 95 per cent of threats compared to Microsoft Edge (80 per cent), Mozilla Firefox (77 per cent), Opera (56 per cent), and Google Chrome (34 per cent).

“For many years, Avast’s threat detection engine has been a standout performer,” said AV-Comparatives founder and CEO Andreas Clementi in a glowing appraisal as the results were published.

“Recently, Avast has excelled in the anti-phishing category, which is bad news for opportunistic cybercriminals who often depend on the high success rates of phishing attacks as a means of generating greater return on investment.”

It’s a ringing endorsement, until you read the fine print – which explains that the report was not only sponsored by Avast, but that the company “selected the products to be tested”.

Look a bit further, and you’ll learn that Avast has become an asterisk in other companies’ comparative testing: tech-testing giant CNET, for one, failed to mention Avast in its latest list of recommended security tools, instead reminding prospective users of the recent discovery that Avast was collecting and selling user data through subsidiary Jumpshot.

That incident put consumer-affairs advocates into a tailspin, with Consumer Reports suggesting in early 2020 that it was time to stop using Avast software even as the software vendor argued that its founders “are passionate defenders of the right to privacy.”

Whether or not that is now true will be beside the point for many IT decision-makers at businesses large and small, who just want to know they can rely on their security software and on independent reports to choose the best protection they can find.

Is there really any difference?

Although the Avast-sponsored research suggests that company’s technology is head and shoulders above its rivals, larger tests suggest the race between security suites is in fact a photo finish.

AV-Comparatives’ latest Business Security Test, for example, found that 13 different vendors’ tools – including those from Avast – detected and blocked 99 per cent of malicious websites.

That was an improvement from the 2020 tests, in which only 10 vendors detected 99 per cent or more of threats, and security tools raised far more false alarms.

Avast scored well in both comparisons, while Kaspersky – which has, CNET also pointed out, long-fought insinuations that it has ties to Russian-government interests – topped the chart in both years.

Improvements in antivirus technology are tied to use of machine-learning technologies that have sped up the tracking and detection of new threats – but with so many strong options, how should IT decision-makers interpret and act upon comparative testing?

With current test results confirming that most security suites are functionally equivalent – scores in AV-TEST’s latest round of testing were so consistently high that the firm gave 14 of the 20 contenders its ‘Top Product’ badge – some experts are suggesting that paying for security tools these days is no longer necessary.

That, PCWorld recently argued, is because Avast’s top-rated security suite is free – as is Microsoft Windows Defender, a top-scoring security tool that is not only free, but already built into every single copy of Windows.

“Microsoft’s own built-in protections are no longer the joke they once were,” senior editor Mark Hachman said, warning that “consumers may be overspending for protection that other services provide for free.”

Other outlets have echoed the conclusion, with a Trusted Reviews analysis calling Defender “incredibly good” and “the most consistently reliable antivirus suite around”.

READ MORE

Phishing Campaign Targets NFT Speculators

Scams follow fashion because money follows fashion. So it’s no surprise that non-fungible tokens (NFTs), which have become a hot speculative property, have drawn scam artists for phishing campaigns. They’re not so much interested in the NFTs themselves as they are in the speculators’ cash. OpenSea, a leading NFT marketplace, has responded to panicky tweets from users to reassure them that it’s on top of rumors of “an exploit” connected to the smart contracts traders use.

CoinDesk writes that, “On Twitter, traders shared what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B.” But the links shared in the emails apparently led to malicious contracts masquerading as part of OpenSea’s contract migration process. Devin Finzer (@dfinzer), OpenSea’s CEO, offered this perspective over Twitter:

“Feb 19, 2022

I know you’re all worried. We’re running an all hands on deck investigation, but I want to take a minute to share the facts as I see them:

As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”

“On Twitter, traders shared what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B,” CoinDesk explained, adding, “PeckShield, a blockchain security company that audits smart contracts, stated that the rumored exploit was ‘most likely phishing’ – a malicious contract hidden in a disguised link. The company cited that same mass email about the migration process as one of the possible sources of the link.”

Fraud adapts quickly to new conditions and new opportunities, and NFT markets are, of course, not exempt. New-school security awareness training can help users recognize and avoid even novel scams.

READ MORE

Conti Ransomware Attacks Reap in $180 Million in 2021 as Average Ransomware Payments Rise by 34%

New analysis of ransomware attacks shows growth in the number of active strains, ransoms collected, and use of third-party services all adding up to a more organized and profitable industry.

It’s one thing to see a single metric measuring ransomware “up and to the right”. But when you start seeing multiple indicators that the ransomware “industry” as a whole is growing, it’s a real problem. New data from Chainalysis’ preview of its 2022 Crypto Crime Report shows some pretty unnerving growth from ransomware gangs.

According to the report:

Ransomware payments grew 34% from $88K in 2020 to $118K in 2021

[Chart: average ransomware payment size by year]

Ransomware threat actors are engaging with third parties to leverage tools and services that increase the chances of successful attack and payment – up 166% from 6% of ransomware funds in 2020 to 16% in 2021.

[Chart: share of ransomware funds going to third-party tools and services]

Conti, by far, was the top ransomware strain, seeing success in its ransomware-as-a-service model, taking in $180 million in 2021.

[Chart: top ransomware strains by revenue]

The number of active ransomware strains grew 17%, from 119 in 2020 to “at least” 140 (according to Chainalysis) in 2021.

[Chart: active ransomware strains by year]

Lastly, it was interesting to see that the average lifespan of a ransomware variant is down to just 60 days, down 64% from 2020’s 168 days.

[Chart: average ransomware strain lifespan by year]

Put all this together and you quickly realize cybercriminals are getting smarter; leveraging partnerships, best-of-breed tools, constantly changing their malware, and seeing greater results.

Both Conti and Darkside (the second-placed “contender”, according to Chainalysis) use phishing and spear phishing as an initial attack vector – something that can be defeated with a combination of defence-in-depth controls around malicious email content and Security Awareness Training that enlists your users in stopping attacks by not engaging with phishing content in email and on the web.

READ MORE

Latest tech no longer a competitive advantage

Companies have long seen new technologies as a competitive advantage – and a way of attracting and keeping talent – but new research suggests that after four years of heavy IT investment, Australian and New Zealand companies need to find new ways to stand out, now that modern technologies have become “the minimum cost of doing business”.

Fully 88 per cent of ANZ companies had modernised the way they build applications by using APIs and microservices, according to the Infosys Digital Radar 2022, which found them to be the most widely-adopted of 19 technologies embraced by companies reinventing themselves for the new normal.

Most companies also invested heavily in Internet of Things (IoT) (implemented in 80 per cent of firms), augmented and virtual reality (78 per cent), cloud technologies (77 per cent), and enterprise applications (77 per cent).

That was a big change from the 2018 survey, when around a third of respondents said they still hadn’t started embracing DevOps and Agile development, enterprise service management (ESM), legacy modernisation, data and analytics, cloud or IoT.

By 2021, almost none of the 2,700 C-level and senior executives from eight countries had invested in these areas.

Once seen as a way of breaking through a ‘digital ceiling’, those technologies had defined a new ‘digital floor’ – table stakes for any company hoping to be relevant in today’s digitally-enabled, customer-focused business environment.

“The technologies more readily adopted in Australia and New Zealand are those that promote enterprise agility via the rapid deployment of apps and microservices, as well as those that enrich customer experience to the greatest degree,” noted Andrew Groth, executive vice president and ANZ region head with Infosys.

“This new concept of the digital floor… means that it’s no longer considered innovative or industry leading for companies to invest in digital. It’s now a prerequisite – and locally, investment in 5G, DevOps and Agile, and ESM are the minimum cost of doing business.”

Consistent with reports that digital transformation accelerated during the pandemic, Infosys also found many companies started implementing technologies like automation, cloud, and AR/VR between 2019 and 2021.

Significantly, AI investment appeared to have stalled during the pandemic – with 18 per cent of respondents saying they had yet to start AI implementations in 2019 and this proportion moving only marginally, to 16.4 per cent, last year.

Companies piled onto the AI bandwagon between 2018 and 2019, but the new numbers suggest many were forced to hit the pause button as two pandemic years forced them to divert resources to operational issues such as ESM.

Whereas 15 per cent of companies hadn’t started implementing ESM in 2019, by 2021 every company had done so.

ESG as a differentiator

When three-quarters of companies have implemented a particular technology, just buying that technology is no longer a strategic differentiator.

Differentiation, Infosys argues, will come more from the potential business value of human-focused investments in areas such as environmental, social, and governance (ESG).

Companies with strong ESG commitments were also the most effective users of technologies, Infosys found, estimating that improving the effectiveness of the average transformation could unlock $494b ($US357b) in incremental profits.

To realise these benefits, companies should focus on people-centric experience goals like better customer engagement, data-driven business culture, and increasing employee engagement.

They should also train and motivate employees to work in an agile way with “small behavioural nudges” that improve project delivery, Infosys recommended while also encouraging companies to build intellectually diverse, purpose-driven culture and evaluate business initiatives against ESG targets.

“The most successful businesses are no longer early digital adopters, nor those that invested the most in AI, blockchain, and IoT,” said Jeff Kavanaugh, vice president and global head of the Infosys Knowledge Institute.

“The most successful firms now see value in the relationship between digital technologies and the people they serve – and the companies best prepared to enter the post-pandemic era have already realised that technology itself isn’t a differentiator, but a commitment to people and purpose.”

READ MORE

Meta Files Lawsuit Over Phishing Attacks

Meta (Facebook’s corporate parent) and the digital banking company Chime have filed a joint lawsuit against two Nigerian citizens for allegedly impersonating Chime in phishing attacks, BleepingComputer reports. The defendants are accused of using “more than five Facebook accounts and more than 800 Instagram accounts” to direct users to spoofed Chime login pages in order to harvest their credentials.

“Many of these accounts used the Chime logo as their profile photo and the word “Chime” with varied spellings in the username, such as ‘_ch_im_e_’ and ‘chime942,’” the lawsuit says. “Between no later than March 2020 and October 2021, Defendants used their network of Chime-branded Facebook and Instagram accounts to impersonate Chime in violation of the Terms. For example, Defendants used Chime-branded usernames, domains, and/or profile photos in these accounts without Chime’s authorization.”

BleepingComputer says the phishing sites were designed to take over victims’ Chime accounts.

“One such phishing website is still online at chime62.godaddysites[.]com, asking visitors to enter their phone number, email, Social Security Number, and Chime password,” BleepingComputer says. “The end goal of the scheme was to withdraw money out of hijacked Chime accounts without the victims’ knowledge. These phishing websites prompted users to enter their Chime usernames and passwords to compromise users’ Chime member accounts and withdraw funds.”

BleepingComputer notes that Facebook and Instagram repeatedly blocked these accounts and phishing sites, but the defendants continued setting up new ones.

“Meta disabled Facebook and Instagram accounts used to impersonate Chime and blocked the phishing websites from its services,” BleepingComputer says. “On July 9, it also sent cease-and-desist letters notifying the two defendants that their conduct violated the platforms’ terms and revoking their Facebook and Instagram access.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing and other types of social engineering attacks.

READ MORE

Stop simply throwing money at cyber security

Australian companies may be increasing their spend on cyber security but four out of five executives doubt they can keep throwing money at the problem indefinitely, according to an Accenture survey that confirmed “investing well” in cyber security delivers better financial and operational outcomes.

Fully 55 per cent of the more than 4,400 large-company executives surveyed for Accenture’s recent State of Cybersecurity Resilience report believe they are not effectively stopping cyber security attacks; finding and fixing breaches quickly; or reducing the impact of breaches – all of which are key reasons for increasing cyber security spend.

The highest-performing chief information security officers (CISOs) – dubbed ‘Cyber Champions’ – had all worked to build and maintain close relationships with the CEO, CFO, and board of directors, the report found, noting that “this proximity resulted in increased trust, autonomy, and the ability to tap into these relationships when defining the broader security strategy and ensuring alignment within the business.”

Cyber Champions, Accenture found, demonstrated several common best practices that suggested they “viewed cyber security in a fundamentally different way than those who reported diminished effectiveness and value from their cyber initiatives.”

The difference, noted Accenture APAC cyber defence lead Mark Sayer, is that the most successful companies view cyber attacks not as a risk, but an ongoing threat to their operations.

“They adopt a holistic approach to cyber security,” he said, “and all business operations, from head office to the supply chain, are aligned to support an active and vigilant approach to threat prevention.”

By staying on a more proactive footing, Accenture found, companies were able to reduce the cost of successful cyber attacks significantly.

Cyber Champions reported a cost per cyber attack that was 48 per cent lower – equivalent to $294,000 – than the next best-performing group in the survey, and 65 per cent lower than the third best-performing cohort.

When is enough cyber security, too much?

For all the potential benefits of an adaptive cyber security strategy, many respondents indicated that pouring ever larger amounts of money into cyber was becoming problematic.

Despite increased spending, the number of attempted breaches increased by 31 per cent over the previous year – to 270 per company, on average – fuelling concerns that it is simply not possible to outspend determined cybercriminals.

Fully 81 per cent of the Accenture survey respondents agreed that “staying ahead of attackers” is a constant battle and that the cost is becoming “unsustainable” – up from 69 per cent in the previous year’s survey.

Executives are starting to push back, according to a recent survey of 207 Australian IT decision makers – part of a global study by Sapio Research for security firm Trend Micro – in which 89 per cent said their businesses would be willing to compromise cyber security and allocate funding to digital transformation projects instead.

Recognising that their superiors were becoming increasingly concerned about what they see as excessive cyber security spending, fully 87 per cent had felt pressured to downplay the severity of cyber risks to their boards.

“Australian IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative,” Trend Micro ANZ vice president Ashley Watkins said in releasing the results, “but this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure.”

“We need to talk about risk in a way that frames cyber security as a fundamental driver of business growth – helping to bring together IT and business leaders who are both fighting for the same cause.”

Only 47 per cent of IT leaders believe their C-suite completely understands cyber security risks, Trend Micro found, with 28 per cent blaming executives for not trying hard enough and 19 per cent saying executives just don’t want to understand.

Accenture Security global lead Kelly Bissell agreed, noting that company’s analysis suggested that “organisations too often focus solely on business outcomes at the expense of cyber security, creating greater risk.

“While getting the right balance isn’t easy,” he said, “those who have a clear view of the threat landscape, and a strong alignment on business priorities and outcomes, achieve greater levels of cyber resilience.”

READ MORE

Brand Impersonation and the Healthcare Sector

The healthcare sector is particularly vulnerable to phishing attacks, according to Mike Azzara at Mimecast. Employees in the healthcare industry need to be wary of brand impersonation attacks designed to steal credentials or hijack payments.

“As employees get smarter about spotting common cyberattacks, hackers keep getting more creative,” Azzara says. “One of the more sophisticated types of attacks is brand impersonation, in which attackers pretend to be a well-known brand in an effort to get a user’s passwords, obtain sensitive information or install malware. Healthcare organizations face a far higher brand impersonation threat than other industries due to the combination of overworked staff, shifting IT priorities and an abundance of partners that can easily be impersonated.”

Azzara explains that IT employees at healthcare organizations are often more focused on keeping systems running, which can lead them to place less of an emphasis on cybersecurity.

“It’s common for IT teams at hospitals and health systems to focus on the knowledge base necessary for 24/7 operation of mission-critical systems such as telemetry, electronic health records and remote monitoring,” Azzara writes. “This can lead to gaps in security training among IT teams, which translates to gaps in training for the rest of the staff.”

Additionally, healthcare organizations must deal with a variety of third parties that can be easily impersonated by cybercriminals.

“Healthcare has a complex supply chain,” Azzara says. “Third-party vendors may supply everything from food and laundry to basic medical equipment to multimillion-dollar equipment for operating rooms. Individuals across the organization interact with these vendors every day. In their fast-paced work, they may not notice a slight change to a domain name, corporate logo or ‘Reply To’ address.”

Azzara adds that hospitals communicate with many other healthcare organizations, which further exposes them to phishing attacks.

“Hospitals and health systems share information with a wide range of other healthcare entities, including insurers, pharmacies and public health agencies,” Azzara says. “The need and desire to share sensitive information in a timely manner, combined with a heavy reliance on email communication, only adds to the degree of potential mistakes for attackers to exploit.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing attacks.

READ MORE