60% of the US Workforce Will Be Working Remotely by 2024 (and That’s a Problem)

The latest data from analyst firm IDC shows massive growth in the remote workforce in the coming years – something that puts organizations at greater risk for a cyberattack.

Everyone already knows that a material percentage of today’s workforce is doing so remotely as a result of COVID-19. But the projections found in IDC’s U.S. Mobile Worker Population Forecast, 2020–2024 paint a picture that, if not properly addressed proactively, will be a cybercriminal’s paradise.

According to the research, the number of mobile workers will increase from 78.5 million in 2020 to 93.5 million in the US in 2024 – an increase of nearly 20%. IDC breaks down the mobile workforce into two distinct categories:

  • Information Mobile Worker – these are typically those people working from a single location using a specific endpoint to access data, content and applications. Examples of IM workers include programmers, analysts, marketers, accountants and lawyers.
  • Frontline Mobile Workers – the users in this group are typically client-facing and distributed and can be working on a number of devices. Examples of these workers include nurses, store associates, and field technicians.

The challenge with growth in either group is twofold. First, they’re not ready, as indicated by poor password hygiene and a general lack of preparation for a cyberattack. Second, they’re already under attack, as indicated by the volume of malicious content they already interact with in email and on the web, and by the fact that nearly two-thirds of them have already had a credential compromised.

Taking your workforce mobile or remote is an idea whose time has come. Organizations just need to put proper Security Awareness Training in place so that their mobile workforce understands the cyber minefield it is entering, the increased need to help protect the organization while mobile, and the importance of staying vigilant whenever corporate devices, applications, or data are in use.


Newly Relaunched ProLock Ransomware Seeks Ransoms as High as $3 Million

Seeing successful attacks as frequently as one per day, the creators of ProLock seek out larger organizations, using the QBot trojan to infiltrate, spread throughout, and infect a network.

What starts as yet another phishing attack, using a weaponized VBScript delivered via Office documents, turns out to be a far more invasive attack that brings operations to its knees and has organizations considering reaching for their wallets.

According to security researchers at Group-IB, ProLock’s evolution from a failed prior iteration under the name PwndLocker has yielded a piece of malware so effective at network reconnaissance and lateral movement that its creators are big-game hunting for organizations across both North America and Europe, looking to extract the largest of ransoms.

Now some good news.

Group-IB’s researchers have indicated that the phishing attacks used are “simple and straightforward” as seen in the email example below:


There’s a really simple way to stop this ransomware from ever gaining control over your network: teach your users to not click on suspicious email links or attachments. This is easily done by enrolling them in new school Security Awareness Training that shows them what to look for, how to remain vigilant while doing their job, and how to keep from becoming the entry point for this and any other phishing-based attack.


Global Ransomware Attacks Increase by 715 Percent as Cybercriminals Capitalize on the Pandemic Opportunity

The massive rise in frequency is a signal that cybercriminals are not only finding their ransomware campaigns successful, but are also seeing increases in ransom amounts.

The goal of any business is to build a product where you make a very healthy profit margin. Once you have that, you take it to market and continue to increase the reach of your sales efforts to see both revenue and profits increase annually.

This is exactly the same mentality cybercriminal enterprises have when it comes to ransomware – if it works, send it out to more people. If they’re willing to pay $1000, see if they will pay $5000, $10,000, and more. Recent data has shown that ransomware creators are doing both.

According to Bitdefender’s Mid-Year Threat Landscape Report 2020, the first half of 2020 saw a 7x jump in the frequency of ransomware attacks compared to the same period in 2019. The report shows that attacks were spread relatively evenly across the first six months of this year.

We’ve also seen ransoms jump by an average of 60 percent this year, signaling that cybercriminals are keenly aware of what the havoc they’ve wreaked is worth to an infected organization.

According to the Bitdefender report, both the pandemic and the shift to working from home play a significant role in the success rate of attacks, as users have their defenses down and have been overwhelmed by the unprecedented change in the way we all work and live. Half of remote employees simply aren’t prepared for the organization’s dependence on them to be vigilant against cyberattacks, including ransomware. New school Security Awareness Training provides an effective means not only to educate users on how the bad guys carry out phishing and social engineering attacks, but also on how users can become and remain vigilant while doing their job, shrinking the attack surface for ransomware.

With such a massive increase in the amount of ransomware attacks, organizations should assume that ransomware is only going to become more prevalent, pervasive, and profitable for the bad guys.


Phishing Attacks Continue to Grow More Sophisticated

Both criminal and nation-state threat actors have “rapidly increased in sophistication” over the past twelve months, according to Microsoft’s Digital Defense report. Microsoft found that attackers are putting more effort into social engineering tactics, and they’re incorporating more familiar techniques like credential stuffing to maximize their effectiveness.

“Email phishing in the enterprise context continues to grow and has become a dominant vector,” the report states. “Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. Attack techniques in phishing and business email compromise (BEC) are evolving quickly. Previously, cybercriminals focused their efforts on malware attacks, but they’ve shifted their focus to ransomware, as well as phishing attacks with the goal of harvesting user credentials.”

Microsoft warns that attackers are automating their attacks in order to avoid detection, which results in millions of new malicious URLs being distributed each month.

“In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URL-based phishing threats (URLs set up for the explicit purpose of launching a phishing credential attack),” the report says. “These URLs were set up and weaponized just in time for the attacks and had no previous malicious reputation. We’re seeing approximately 2 million such URL payloads being created each month for credential harvesting, orchestrated through thousands of phishing campaigns.”

Microsoft notes that the number of COVID-19 themed phishing attacks has fallen in recent months, after spiking in March. This isn’t surprising: the attackers exploited the chaos and confusion at the start of the pandemic, then adapted their lures when things (sort of) began to settle down.

“Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information,” Microsoft says. “Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic.”

While attackers are constantly evolving their tactics to evade new defenses, Microsoft notes that most of these attacks are still fundamentally similar.

“Despite sophistication and diversity of the attacks, the methodology is often the same, whether the actors use large-scale attacks for financial gain or targeted attacks to support geopolitical interests,” the report says. “A phishing email can be a massive campaign targeting millions of users or a single, targeted email that represents a socially engineered marvel many months in the making.”

Likewise, Microsoft points out that organizations and individuals can thwart most cyberattacks by implementing basic security hygiene.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA),” Microsoft says. “Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”

New-school security awareness training can enable your employees to recognize phishing attacks and teach them how to proactively protect their accounts.

Microsoft has the story.


Don’t Just Catch a Phish, Captcha One

Researchers at Menlo Security have identified a phishing site that uses three layers of visual captchas to evade detection by automated security crawlers. Captchas are brief tests on websites that ask you to enter a word or select a series of images to prove you’re not a robot. Almost everyone has encountered these, since they’re usually used by legitimate sites to filter out malicious or unwanted traffic from bots.

In this case, however, the attackers are using captchas to prevent good bots (i.e., bots that are designed to hunt down phishing sites) from accessing the phishing page. The researchers also note that the captchas have the added benefit of lending credibility to the phishing page, since users associate these tests with legitimate sites.

“Two important things are happening here,” they write. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

When a user first accesses the phishing site, they’ll be presented with the familiar “I’m not a robot” reCAPTCHA checkbox. After clicking this box, the user will be asked to select the correct set of images to proceed (for example, images with bicycles, street signs, school buses, and so forth). The user will have to solve three of these tests before they’re allowed to access the phishing page, which is a convincingly spoofed version of an Office 365 login portal designed to steal their credentials.

“Microsoft happens to be the brand that is most phished across our customer base,” the researchers explain. “This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.”

Attackers are constantly adapting their techniques to stay ahead of improved security technology. New-school security awareness training can give your employees the knowledge they need to avoid falling for these attacks.

Menlo Security has the story.


Organizations Working From Home Open a Wider Target for Cybercriminals

With so many people working from home, more attackers are adapting their strategies to focus on employees as a way to bypass organizations’ defenses, FCW reports. During a webcast hosted by Venable, several federal and industry experts discussed the challenges associated with remote work, particularly in organizations that previously relied on physical forms of identification.

Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency (CISA), said attackers are increasingly using fake social media accounts and phone calls to trick employees into handing over their credentials or installing malware.

“Those attacks are shifting everywhere traditional network security controls are not located,” Connelly said. “Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials from those pages.”

Connelly added that it’s much harder to defend against phishing attacks on social media when employees are working from home.

“How do you put security controls around a social messaging app?” Connelly asked.

Wendy Nather, Head of Advisory CISOs at Duo Security, explained that many previous security assumptions are suddenly no longer applicable.

“Because we’re not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can’t use,” Nather said. “If somebody calls the help desk, how are you going to verify them if they can’t walk over and show you their CAC [Common Access Card]?”

Likewise, Ross Foard, a senior engineer at CISA, said well-established forms of authentication in the government are hard to transfer to a remote environment.


What’s the Information Stolen in a Phishing Attack Really Worth?

Once a scammer tricks their victim out of web credentials, credit card details, or online access to a bank account, the details collected are worth plenty by simply selling them on the dark web.

The cybercriminal industry is much like regular businesses; each one specializes in a particular product or service and has no interest in doing “everything”. For example, when a phishing attack successfully yields online credentials to Office 365, in many cases, the credentials are sold by the initial attacker, rather than utilized by them to further launch attacks.

Why? Because it’s a lot easier to make a quick buck and repeat the process using automated tools than to develop a complex multi-step attack campaign.

According to security vendor Armor’s 2020 Dark Market Report: The New Economy, those stolen details are worth quite a bit on the dark web:

  • A credit card in the US can fetch as much as $12. One in the EU is worth as much as $35.
  • The value of a cloned ATM card is based on the bank account balance. For example, the ATM card for an account with $10K in it would be worth between $600 and $800.
  • PayPal account credential values follow the account’s balance, with credentials to a $1,000 account valued at $100.
  • Even social media accounts have value, with Twitter leading the pack at $16 per account.

In every case above, the purchased details are then used by the next bad guy. It’s an ecosystem into which many cybercriminals have found a way to plug themselves simply by doing the work of fooling victims into giving up information and then selling it off to the highest bidder.

Phishing attacks remain one of the most prevalent ways attackers steal these details. Teaching users to be vigilant at work and at home (which, for many, is the same place today) through new school Security Awareness Training is a necessary step. Those who undergo training are mindful of the potential harm an email or website can cause and constantly watch for anything that appears abnormal, suspicious, or downright malicious, avoiding the attack and keeping their details secure.


Beware of Fake Forwarded Phishes

Spear phishing emails sent from compromised, trusted third parties pose specific, heightened challenges. Trusted third-party phishing emails usually come from the legitimate sender’s real email account, which is under the control of a malicious hacker. The challenges of these types of spear phishing emails were discussed previously.

But the risks from a compromised, trusted third-party account don’t always go away when the trusted third party gets cleaned up and the hacker is removed. In fact, the threats from a trusted third-party compromise can last for months to years. The related spear phishing attack called a ‘fake forwarded email’ is an example.

This particular type of phish arrives with a subject line and message body text belonging to a previous, genuine conversation held between two legitimate parties. The message text is usually a partial or full conversation from a previously discussed thread, which often took place months to years ago. Even though this type of email usually arrives from a new, illegitimate email address, the receiver’s innate familiarity with the conversation thread oftentimes causes them to miss the new sender’s address. That is exactly what the phisher is hoping for and the whole reason for this type of spear phishing attack.

These types of phishing emails will always include a new request for the receiver, either to visit an included URL link or to open a file attachment. The request for action is usually something simple and short, such as “Here’s that document you requested” or “This link has the invoice you were asking about.” Many times, the action instruction has nothing to do with the included thread. I’ve often been surprised about how disjointed the request is with the original thread, but the phishers are apparently having some success with them or they wouldn’t keep using them.


All the normal anti-phishing defenses, including good and frequent security awareness training, apply. But it’s important to share these types of phishing attacks with everyone so they know about them. It’s also always important to check the sender’s email address, even if the email seems like part of a continuing thread. It’s one thing to educate and discuss, and another to test whether people really are looking at the sender’s FROM email address when they are sent a recognizable thread. So, test this scenario as part of your regular simulated phishing campaigns. Pick an organization-wide email thread that got a lot of traffic and back-and-forth conversation with lots of participants within the company. Then send it from an external, nearly look-alike email address and see who falls for it. Real spear “phishermen” seem to think it works.
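As an added example that is not part of the original post, the following Python script automates the checks this paragraph tells users to make by hand: whether a message looks like part of a continuing thread (a Re:/Fwd: subject or quoted “wrote:” lines in the body), whether the sender’s address is outside the organization, whether its domain is a look-alike of an internal one (confusable characters such as “rn” for “m”, a one- or two-character edit, or the internal name reused inside another registrable domain), and whether the message pushes a link or attachment. The internal domain, the confusable-character list and the two sample messages are constructed assumptions for the demonstration; in practice the messages would come from the mail gateway or a mailbox export.

```python
"""Flag the 'fake forwarded' spear-phish pattern: a message that quotes a familiar
thread but arrives from a new, look-alike external address and asks for a click or an open.
Constructed example for illustration, not code from the original post."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: the domains this organization legitimately sends from.
INTERNAL_DOMAINS = {"example.com"}

# Character sequences commonly swapped to build look-alike domains (constructed list).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

URL_RE = re.compile(r"https?://\S+", re.I)
THREAD_SUBJECT_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
QUOTED_THREAD_RE = re.compile(r"^(From:|On .+ wrote:|-+ ?Forwarded message ?-+)", re.I | re.M)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def is_internal(domain: str) -> bool:
    """Exact match or subdomain of one of our own domains."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in INTERNAL_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """True when the sender domain is not ours but is built to resemble one of ours."""
    d = domain.lower()
    if is_internal(d):
        return False
    for t in INTERNAL_DOMAINS:
        if normalize(d) == normalize(t):          # exarnple.com, examp1e.com
            return True
        if levenshtein(d, t) <= 2:                # exampel.com, example.co
            return True
        label = re.escape(t.split(".")[0])        # our name reused in another registrable domain
        if re.search(rf"(^|[.-]){label}([.-]|$)", d):   # example-com.net, example.com.evil.net
            return True
    return False


def assess(raw_message: str) -> dict:
    """Score one RFC 5322 message for the fake-forwarded-thread pattern."""
    msg = message_from_string(raw_message, policy=default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject = str(msg.get("Subject", ""))
    signals = {
        "sender_domain": domain,
        "thread_like": bool(THREAD_SUBJECT_RE.match(subject) or QUOTED_THREAD_RE.search(text)),
        "external_sender": not is_internal(domain),
        "lookalike_domain": is_lookalike(domain),
        "asks_for_action": bool(URL_RE.search(text)) or any(True for _ in msg.iter_attachments()),
    }
    # Verdict: a familiar-looking thread from a new outside address that wants a click or an open.
    signals["suspicious"] = signals["thread_like"] and signals["external_sender"] and signals["asks_for_action"]
    return signals


# Constructed samples. The first is a genuine internal reply; the second reuses the same
# quoted thread but comes from a look-alike domain ('rn' for 'm') and pushes a link.
GENUINE = """From: Dana Lee <dana.lee@example.com>
To: sam.park@example.com
Subject: Re: Q3 vendor contract

Sam, my comments are inline below.

On Mon, 3 Aug 2020, Sam Park wrote:
> Can you review the vendor contract before Friday?
"""

FAKE_FORWARD = """From: Dana Lee <dana.lee@exarnple.com>
To: sam.park@example.com
Subject: Re: Q3 vendor contract

Here's that document you requested: https://files-share.invalid/contract.docm

On Mon, 3 Aug 2020, Sam Park wrote:
> Can you review the vendor contract before Friday?
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("fake_forward", FAKE_FORWARD)):
        print(name, assess(raw))
```

The look-alike test is deliberately a heuristic: edit distance and label reuse will also flag legitimate partners whose domain happens to resemble yours, so in a real gateway rule the verdict is a reason to quarantine or banner the message for the reader, not to silently drop it. The “thread_like and external_sender and asks_for_action” combination is the part that matters; it is exactly the combination the reader is being told to notice by eye.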

This is also a great chance to see if your best anti-phishing “champions” who hardly ever get tricked by a real or simulated phishing test do as well on a simulated fake forwarded email. For your champions, pick a more focused email thread that they were personally involved in instead of a company-wide thread. You might have to enlist another recipient you know who frequently corresponds with them.

Fake forwarded emails are one of the most popular types of spear phishing. Don’t let a real one be the first time your users are tested.


Joint Cybersecurity Advisory Outlines Approaches to Discovering and Remediating Attacks

This newly-released report is the result of a collaborative effort by cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom, and the United States.

Nothing says “this is the standard” like a set of guidelines that are written by and agreed upon by the world’s leading experts in cybersecurity. The Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity provides organizations with technical approaches, mitigation steps, and best practices designed to “enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”

Some of the most important content in this advisory is its mitigation content; having a planned response *is* important, but it’s better to keep an attack from happening. Some of the familiar recommendations include disallowing unrestricted RDP access (a commonly used entry point for ransomware attacks) and disabling interactive logon for service accounts (abused as part of lateral movement), among others.

It also provides guidance around best practices to put in place prior to an incident occurring. These include:

  • Application whitelisting
  • Limiting privileged access
  • Maintaining backups of essential data and systems
  • Using and maintaining a secure workstation image

In addition, the collective cybersecurity authorities see the user as “the frontline security of [an] organization,” citing the need for “User Education.” According to the advisory, that education should focus on malicious downloads and phishing emails, as well as on how to respond if users encounter an attack or fall for one.

Security Awareness Training helps to address these recommendations, educating the user with practical examples of modern attacks, while emphasizing the importance of the user’s role in organizational security.

Take a look at this advisory; it provides great context into what you should be doing both before and after an attack.