Gallery

A new survey of executives sheds light on how well organizations fared with cyberattacks in the last 12 month as well as what attack vectors are going to increase future breaches.

I’ve spent quite a bit of time here writing about the experienced and expected continued increases in cyberattacks due to the evolution of cybercrime-as-a-service, the partnerships between cybercriminal groups, and the increased sophistication of attacks.

In other words, cybercrime is now fully acting like legitimate businesses.

A new survey of executives from cybersecurity analysis vendor ThoughtLab provides us a view into what’s transpired back in 2021, and what execs are expecting moving forward. In their newly released report, Cybersecurity Solutions for a Riskier World, we see that both cybersecurity incidents and “material” breaches increased in 2021:

• Organizations experiencing a cybersecurity incident grew 15% in 2021 over 202 with just over one-quarter of organizations (26.2%) being involved in an attack
• While material breaches were far less common, the percentage of organizations experiencing them (.82%) in 2021 was a 24% increase over 2020

And when asked whether their organization is “well prepared for today’s rapidly changing threat landscape”, on average, 27% of all executives said they weren’t, with 40% of CSOs feeling even more strongly about their lack of preparedness.

When asked about the types of attacks that were responsible for the breaches, as well as which ones pose the highest risk over the next two years, a pattern of risk begins to emerge:

The top two highest risks for the foreseeable future are also two of the main causes for recently experienced breaches. They also all involve the unwitting participation of your users. And if you consider that the top initial attack vector in ransomware attacks is phishing, you can include some part of ransomware involving users as well.

What’s needed to protect organizations from future attacks is to prepare users. Prepare them from phishing, vishing, SMiShing, and social engineering – all commonly-used methods to trick users into engaging with malicious content that is the catalyst for breaches. It’s only through Security Awareness Training that users begin to understand how attacks work, what tactics are used, and how to identify a malicious piece of content in email or on the web, reducing the likelihood that users will engage and help the attacker.

Bitdefender warns that Microsoft Office applications are vulnerable to phishing tactics that exploit international domain names (IDNs). Affected applications include Outlook, Word, Excel, OneNote, and PowerPoint.

“Homograph (also known as homoglyph) phishing attacks are based on the idea of using similar characters to pretend to be another site,” the researchers write. “While most of them are easily recognizable by end-users with proper training (for example, g00gle.com), the homograph attacks based on international domain names (IDN) can be unrecognizable from the domains they are spoofing.”

This technique shows that users can’t rely solely on checking the URL to ensure that they’re not visiting a phishing page.

“Even if a browser decides to display the real name after opening the link, the email client uses the display name in the preview pane,” the researchers write. “Users, who are trained to validate a link in an email client before they click it, will be susceptible to click on it because it has not yet been translated to a real domain name in their browser. The real domain name would only be seen after the page has started to open. The website that opens even has a valid security certificate and is fully controlled by a threat actor.”

The researchers note that this technique probably won’t become as commonplace as other phishing tactics, but it’s still worth watching out for.

“The good news is that homograph attacks most likely are not going to become mainstream – they are not easy to set up or maintain,” Bitdefender says. “However, they are a dangerous and effective tool used for targeted campaigns by APTs (or advanced persistent threats) and high-level adversaries such as Big Game Hunting by Ransomware-as-a-Service groups– whether targeting specific high-value companies (whale phishing) or high-value themes (for example popular cryptocurrency exchanges).”

TechRadar also reported on this attack, adding that homograph attacks abuse the internationalization of the web. “In the early days of the internet, all domain names used the Latin alphabet, which has 26 characters. Since then, the internet grew to include more characters, including, for example, the Cyrillic alphabet (used in Eastern Europe, and Russia). That gave threat actors a wide playground, as by combining different characters, they can create phishing sites whose URL looks identical to the legitimate site.”

The India-aligned APT SideWinder is using a variety of social engineering techniques to target Pakistani government and military entities, according to researchers at Group-IB. The threat actor is using phishing emails as well as a malicious VPN app placed in the Google Play Store.

“The SideWinder APT is believed to be an Indian nation-state threat actor. In their attacks, SideWinder was seen targeting government, military, and economic sectors in Southeast Asia: in Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China,” the researchers write. “However, since the discovery of the group in 2012, Pakistan has been the primary target of SideWinder. In the last year alone, several SideWinder’s attacks targeting Pakistan have been detected. SideWinder was particularly interested in the Pakistani military targets.”

SideWinder is using a phishing domain, “pakgov[.]net,” in order to impersonate multiple Pakistani government entities. The threat actor also posted links on Facebook leading to a malicious website that purported to offer enrollment for COVID-19 vaccinations.

“Once the victim clicks on the link, an archive with a malicious .LNK file or RTF document is downloaded,” Group-IB says. “In the case of LNK, the files have a Microsoft Word icon, making it appear more legitimate, encouraging people to open. Whether the initial vector was a phishing email or a phishing link posted on social media, the malicious payload is always launched using the DLL side-loading technique, which provides persistence and has RAT functionality.”

The threat actor is using a script that deflects users who don’t have a Pakistani IP address, in order to minimize their footprint.

“[W]hen a client visits this link, which the anti-bot script does not like, the script redirects to a legitimate document located on a legitimate resource: finance.gov.pk,” the researchers write. “And, the script won’t even work if the client’s IP address differs from Pakistan’s – the client will automatically be redirected to the legitimate resource. These are common techniques that are used to avoid detection by threat researchers.”

A smishing campaign is impersonating the UK-based delivery company Evri with text messages informing recipients that their package couldn’t be delivered, according to Paul Ducklin at Naked Security. The messages state that a driver tried to deliver a package, but no one was home. The texts contain a link for the recipient to reschedule their delivery. If a user clicks on this link, they’ll be taken to a phishing site that attempts to harvest their personal and financial information.

Ducklin offers the following recommendations for users to avoid falling for these types of scams:

“Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
“Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
“Report compromised cards or online accounts immediately. If you get as far as entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click [OK] or [Continue] for a web form to capture any partial data you have already entered.)
“Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.”

As cybercriminal groups hone their craft, one analysis shows them shying away from zero-day exploits, use of valid accounts, and third-party vulnerabilities to gain initial access during attacks.

If you were an attacker, the challenge with getting initial access is that most methods have a limited window of time for success. Buying an account off the dark web is only good until the password is changed. Use of a third-party vulnerability or a zero-day exploit will eventually be patched.

But phishing users… well, there’s plenty of those to go around, right? Whether you are spear phishing to target specific individuals within an organization, or broadly phishing anyone who’ll engage with your malicious email content, it seems like there will always be someone willing to “help”.

According to new data from Kroll’s Q1 2022 Threat Landscape report, we find that threat actors have – at least for the first quarter of this year – shifted initial access tactics and put a lot of emphasis on phishing, used in 60% of all attacks. This is a 54% increase from Q4 2021’s number, where only 39% of attacks leveraged phishing.

If this trend continues – and, really, even if it doesn’t – attackers know there are plenty of fish in the “phishing sea”. That is, unless you put that same kind of limitation on the viability of an initial attack vector on phishing.

And just how do you do that?

Unlike the other three attack vectors mentioned in the report (and above), phishing doesn’t have a limited lifespan; users can repeatedly be used as pawns in the next attack and the next. That is, unless you minimize the viability of users assisting phishing attacks by enrolling them in Security Awareness Training designed to educate them on how phishing attacks work, what to look for to avoid assisting the attacker, and keep them abreast of the latest campaigns, trends, and uses of social engineering.

So-called “Black Hat SEO” services have popped up on Dark Web forums bringing advantageous search results to anyone willing to pay a small monthly fee.

According to security vendor Cybersixgill, threat actors are making use of services that exploit illegal SEO tactics using a combination of stuffing keywords, redirecting links from other sites and making use of paid links. Any domain – whether malicious or legitimate – that uses these techniques will eventually be delisted from search engines. But, because threat actors can change domains like the wind changes directions, making temporary use of the beneficial SEO rankings has become so popular that it’s now being offered as a service.

Now you may be thinking these “SEO experts” are playing by the same rules as regular companies – but that’s just not the case. According to Cybersixgill, an example domain for sale had a whopping 177,105 backlinks pointing to it – something not possible for a legitimate organization to accomplish (unless you’re one of the Internet’s most popular websites).

The danger in ranking high for specific search terms is it allows threat actors an opportunity to rank for a seemingly benign term – or even something very targeted to a specific company, industry, or area of research – that would make someone within an organization visit a malicious website and click on malicious links or download malicious files.

Good cyber hygiene best practices taught by Security Awareness Training involve only visiting known-safe websites (whether that’s based on the website being known to the user or because a security solution that scrutinizes domains and/or websites says it is. Be sure your users know about this problem; otherwise they may find out next time they run a search.

A joint operation by INTERPOL and the cybercrime unit of the Nigeria Police Force have concluded a yearlong investigation into the SilverTerrier business email compromise gang by arresting the man they believe is the gang’s leader.

“The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and INTERPOL’s private sector partners in combating cybercrime,” said Garba Baba Umar, Assistant Inspector General of the Nigeria Police Force, Head of Nigeria’s INTERPOL National Central Bureau and Vice President for Africa on INTERPOL’s Executive Committee. “I hope the results of Operation Delilah will stand as a reminder to cybercriminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns,” he added.

Bernardo Pillot, INTERPOL’s Assistant Director, Cybercrime Operations, said, “This case underlines both the global nature of cybercrime and the commitment required to deliver a successful arrest through a global to regional operational approach in combatting cybercrime.”

The investigation, which the police called Operation Delilah, was assisted by three private companies: Palo Alto Networks, Group-IB, and Trend Micro. Palo Alto’s Unit 42 blog provinces some interesting perspective on how closely and relentlessly the investigators tracked the unnamed suspect’s activities. Emailed comments from Group-IB highlighted the benefits of public-private cooperation in breaking cybercrime cases. “Prompt threat intelligence sharing, private-public partnership, and effective multi-party coordination by INTERPOL’s Cybercrime Directorate were crucial to the success of the operation, the company’s CEO, Dmitry Volkov said in an emailed statement.

Business email compromise has long been one of the more damaging crimes that depends upon social engineering, and it’s gratifying to see a successful international investigation with significant participation by the private sector. New-school security awareness training can enable your employees to avoid falling for scams and other forms of social engineering.

Consumer Affairs reported on how big of a problem SMS phishing scams have become, and how it’s about to get a lot worse. According to a recent FBI report, more than 320,000 Americans were targeted by these schemes in 2021, resulting in $44 billion in losses. Consumers on average get an average of 19.5 spam texts per month, over double the rate it was three years ago.

These scams often start with a message that includes a link so a supposed survey, prize winnings, or an urgent notification about a bank account or credit card. Victims are then asked to either go to a website, call a phone number, or enter information that is all controlled by the attackers.

Who Is Being Targeted?

In a nutshell, nobody is immune. Scammers target organizations of all types and sizes, as well as their employees. Ian Matthews, President and CEO of WMC Global, says there’s a simple reason these types of scams are on the rise. “Ninety-seven percent of Americans own some form of a smartphone, with over a quarter of younger Americans and those with income under $30K relying on smartphones for online access.”

One of the favorite tactics used by cybercriminals is finding the names of company employees, and sending a message while pretending to be a fellow employee. Another popular scheme involves using a domain name that only looks legitimate.  Smishers know that mobile browsers often don’t display the full URL of a link, so they’ll create one that has just enough of the primary domain name in it to trick their victims into thinking that the link can be trusted.

SIM Swapping

SIM Swapping – the act of transferring a mobile phones’ actual SIM card to one controlled by threat actors – has been around for a number of years. Hackers gather publicly available information about their victims, and use it to contact their target’s mobile carriers and pretend to be them. They claim they need to move their phone number or they lost a device. If the carrier believes them, they will transfer the information from the victim’s SIM card to the one controlled by the attacker.

If the attacker is successful, they can now use the SIM in a phone in their possession to get all their victims’ calls and texts, including any two-factor authentication texts and one-time PINs used for security. With that information, the attacker can now access the victim’s various social media and financial accounts.

This is likely the next big mobile threat. Recently, the FBI warned that SIM swapping attacks had over a 500% increase in the number of attacks and monetary losses.

How Not To Fall Victim

Industry experts agree on the age-old advice, if something is too good to be true, it probably is. That said, here are some common signs to watch out for when receiving an unexpected text:

• Misspellings and grammar mistakes
• Unexpected prizes, gift cards, or even loans
• Anyone asking to confirm sensitive information. The government will never ask you to do this on unsecure channels!
• Be careful with links in SMS messages, just like you would in emails. When in doubt go directly to the website yourself rather than clicking a link
• If something just doesn’t feel right, do not engage with the SMS

In addition to the above, see our infographic on 20 ways to block mobile attacks: