Criminal Gang Impersonates Russian Government in Phishing Campaign

Researchers at IBM Security X-Force are tracking a financially motivated cybercriminal group called “Hive0117” that’s impersonating a Russian government agency to target users in Eastern Europe.

“The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors,” the researchers write. “The activity predates and is not believed to be associated with the Russian-led invasion of Ukraine.”

The phishing emails contain a malicious zip file that will install the DarkWatchman remote access Trojan. The emails attempt to convince the user to download and open this file.

“The contents of the emails feature identical Russian-language text detailing several articles related to enforcement procedures associated with the Kuntsevsky District Court of Moscow, upheld by the ‘Bailiff of the Interdistrict Department of Bailiffs for the Execution of Decisions of the Tax Authorities,’” the researchers write. “The only variation observed by X-Force within the emails is in the name and ‘case number’ associated with the individual email and accompanying malicious ZIP archive file attachment.”

The researchers note that some of the emails were specifically sent to high-ranking employees at the targeted companies.

“X-Force discovered multiple emails that were sent in mid-February 2022 to individual users, including a state-owned communication company based in Lithuania, a prominent Industrial Enterprise in Estonia, and several electronic and telecommunication businesses located in Russia,” the researchers write. “In some cases, the emails were targeting company owners, as well as individuals in leadership positions associated with Dispatch Services and Sales. Targeted organizations could be of high value to criminal actors given the targets’ potential trusted access to a wide and distributed client base.”

READ MORE

Community Associations Confront Social Engineering

It’s not just deep-pocketed corporations that prove attractive targets for social engineering. Any organization that holds information that can fetch a good price in the criminal marketplace will draw the attention of social engineers.

According to Risk & Insurance, a case in point may be found in community associations. They hold a great deal of personal data: names and addresses of their members, and often those members’ Social Security numbers, bank accounts, and credit card information. The value of these data in the criminal-to-criminal market is obvious.

Moreover, those data can all too often be poorly protected. Kevin Davis, president of Kevin Davis Insurance Services, told Risk & Insurance, “These groups are prime targets for cybercriminals due to their low-tech systems housing sensitive information…. Many do not have a risk assessment plan to identify system vulnerabilities, nor do they have a documented security-incident response plan. Once criminals get inside the community association system, they have easy access to social security numbers, banking information, email addresses, client information, anything that will create serious problems for the association.”

The article outlines five approaches criminals commonly use against community associations. Impersonation scams, whether by email or by phone, are often seen. “One of the most common types of social engineering scams in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA),” Davis said. A second risk is ransomware, usually installed when a worker is induced to click a malicious link. A third risk is posed by a lost or stolen device, since some associations overlook best practices in protecting such devices. Weak passwords, for example, are all too common. The fourth threat is business email compromise. And the fifth is a general risk shared by many businesses and other organizations: remote work increases exposure to compromise.

READ MORE

TraderTraitor: When States do Social Engineering

North Korea’s Lazarus Group is using social engineering attacks to target users of cryptocurrency, according to a joint advisory from the US FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department.

“The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs),” the advisory says. “The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.”

The threat actor is using spear phishing attacks to trick users into downloading malicious cryptocurrency apps.

“Intrusions begin with a large number of spear phishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” the advisory says. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor.’ The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”

North Korean threat actors are well-known for conducting financially motivated operations for their heavily sanctioned government. New-school security awareness training can teach your employees how to avoid falling for social engineering attacks.

READ MORE

Business Email Compromise (BEC): the Costliest Cybercrime

Organizations in the US lost $2.4 billion to business email compromise (BEC) scams (also known as CEO fraud) last year, according to Alan Suderman at Fortune.

“BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees to send wire payments or make purchases they shouldn’t,” Suderman writes. “Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence to pretend to be executives at a company and fool subordinates into sending money.”

Suderman cites a case from San Francisco, where a nonprofit lost more than half a million dollars to one of these scams.

“In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000,” Suderman says.

BEC actors also collaborate and share information with each other to improve their attacks.

“Unlike ransomware operators who try to keep their communications private, BEC scammers often openly exchange services, share tips or show off their wealth on social media platforms like Facebook and Telegram,” Suderman writes. “A Facebook group called Wire Wire.com, which was until recently available to anyone with a Facebook account, acted as a message board for people to offer BEC-related services and other cybercrimes.”

Suderman concludes that organizations of all sizes need to be wary of BEC scams.

“Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns,” Suderman writes. “Even the State Department got duped into sending BEC scammers more than $200,000 in grant money meant to help Tunisian farmers, court records show.”

New-school security awareness training can enable your employees to thwart these types of social engineering attacks.

READ MORE

“Human Error” Ranked as the Top Cybersecurity Threat While Budgets Remain Misaligned

New insights into the state of data security show a clear focus on the weakest part of your security stance – your users – and organizations doing little to address it.

It’s frustrating when the answer is staring organizations in the face and you have to watch them scramble around the problem without really addressing it. This is exactly what I see in the data found in Thales’ 2022 Data Threat Report.

Within the report, we find data points of brilliance around awareness of the problem of users:

  • Human error is seen as the highest threat to organizational security, with 38% of organizations ranking it as the top threat. For reference, nation states were a top concern for only 28% of organizations.
  • 29% of organizations ranked ‘accidental human error’ as the top threat (and, again, for reference, only 17% ranked external attackers with financial motivation as a top threat).
  • 79% of organizations are concerned about the security risks of an increasingly remote workforce.

It’s evident that users play a role in making an organization insecure, right? So, we’d expect to see lots of spending on ways to secure the user. But according to the report, organizations are prioritizing network security (e.g., Intrusion Prevention Solutions, gateways, firewalls), key management, cloud security, and zero trust solutions.

It seems like the focus is way too much on trying to prevent data from leaving, instead of stopping attackers from ever getting in. With the data showing organizations are very aware of the factor users play in cyberattacks, I would expect to see more focus on Security Awareness Training to reduce the threat surface of phishing – a primary attack vector in nearly every kind of cyber attack. This kind of training helps to establish good cyber hygiene, a sense of vigilance, and has been shown to reduce the risk of users falling for social engineering tactics employed within phishing attacks.

READ MORE

Microsoft Warns of Lapsus$ “Targeting Organizations for Data Exfiltration and Destruction”

The group behind the recent attacks on Okta, NVIDIA, and Microsoft may be moving on to less-prominent organizations, using their data destruction extortion model on new victims.

It’s not every day Microsoft puts out warnings about a specific threat group. But in the case of Lapsus$ (referenced by Microsoft as DEV-0537), it’s warranted. Lapsus$ has gone after some pretty big-name companies (including Microsoft) and appears to be going after “smaller fish” as well, Microsoft warns in a recent threat intelligence update.

What makes Lapsus$ so dangerous is two-fold. First, their attacks are focused on extortion via the threat of data destruction (so, think ransomware, but deletion instead of encryption). Second, they are very good at soliciting for and obtaining credentialed access to organizations. This is a bit of a new tactic, as most cybercriminal gangs stick to phishing or brute force attacks against an RDP connection. Lapsus$ even goes as far as to pay off employees at cellular companies to perform SIM swaps that assign an employee’s mobile number to a threat actor-controlled device. This allows Lapsus$ to get past most multi-factor authentication that uses an employee’s mobile phone as the second factor.

These guys are so good, they’re even finding ways to join a victim organization’s crisis communication calls to understand their incident response plan, giving Lapsus$ the upper hand to ensure their extortion tactics still pay off.

I’d normally want to mention the importance of Security Awareness Training in cases when phishing and social engineering attacks are used. But in the case of Lapsus$, the expertise demonstrated to date, along with their ability to exploit vulnerabilities to gain access to systems and data makes them particularly dangerous and noteworthy.

READ MORE

Why data is driving the world, and how you can be part of the revolution

Thanks to breakneck advances in technology, data’s integration into everyday life, and the increasing recognition of how it can be used to enhance and add value across many different areas, hard-walled silos in the IT industry are increasingly irrelevant.

According to the University of Canberra’s Professor of Affective Computing, Dr Roland Goecke, integration is key, and this creates a myriad of opportunities for the IT professional who wants to remain on the leading edge of the industry, and also make a real-world impact in people’s lives.

“Realistically, we’re early in the development of the data revolution, still in the pioneering phase in terms of widespread adoption – so now is the time to enter the field to shape its future,” he said.

“The first step is to have the understanding and knowledge to appreciate where data science, cloud computing or business informatics – to name a few – can make an impact.

“I believe that everyone will need some of these skills to varying degrees, across many different areas including business, government and environmental organisations.

“To make an impact in your field, it’s necessary to equip yourself with the relevant skills to tap into and create that impact, whether that is with a Master of Data Science or a Master of IT degree – upskill with a program that keeps abreast of the latest developments in the field, yet gives a valuable grounding.”

Fitbits and Apple watches everywhere

With an eye on the data science field, Professor Goecke sees some clear opportunities emergent.

In fitness-centric Australia, it seems that more wrists sport Fitbits and Apple watches than ever before – and that’s just data in a personal health and fitness setting.

“One of the fastest-growing areas, in which we see data science playing a constantly expanding role, revolves around health- and wellbeing-related data – whether that is in a clinical or hospital setting, or your fitness tracker measuring your heart rate,” Professor Goecke said.

“Health data is everywhere.

“However, in Australia, there is a shortage of data scientists who can deal with health-related data, because it’s not really taught as a direct specialisation in the health area.”

Professor Goecke says that when working with health-related data, it is important to have both the technical skills and a keen understanding of health settings – these could range from care provided at home to healthcare in rural and regional community settings.

“We need multidisciplinary teams working with health practitioners to make sense of health-related data,” he said.

“This can include population data. For instance, if you have been following news and communications around the COVID-19 outbreaks, vaccination rates, and how they relate to spatial data – the analysis of this would fall at the intersection of data science, informatics and epidemiology.”

Applying data science and informatics knowledge to sports strategy and analysis is a natural segue from health-related data applications – and it spans the spectrum from elite sport to everyday health and wellness.

“Modelling plays a huge part in this aspect of data science,” Professor Goecke said.

“Sports data analysis has taken huge steps – scientists can use data to measure not only performance, but the realities of training mode, and injuries incurred.

“Most of the professional leagues have GPS trackers in their clothing, which track positioning, acceleration data – but even if you have access to that tech, what do the results generated mean? How do you turn that into something meaningful for the coach – for instance, how much recovery time might an athlete need?”

Save the planet

With climate change a particularly hot topic – even more so with the recent COP26, or 2021 United Nations Climate Change Conference, dominating global headlines – Professor Goecke sees this as another area of opportunity for budding data scientists to make a difference.

“This is an area in which data scientists can have a huge impact on conversations around conservation, for instance,” Professor Goecke said.

“Imagine the ability to model what it means for the ACT or the Yass Valley to receive more or less rainfall, or to interpret the data gathered by camera traps and drones for animal conservation, and present it in a way that will help people to understand a conservation message – because the flipside of working with data is to be able to communicate what the data means.”

Professor Goecke says that traditionally, there has been a lot of emphasis on data-related technologies and techniques, but less focus on communications.

“While data science has grown out of maths and stats departments around the world, it is now one of the foremost areas highlighting the need for science communication skills – certainly, if you want to translate any of your work into policy and impact,” he said.

“Ideally, we need to understand that a 10-page report could probably better be visualised via Virtual Reality (VR) or Augmented Reality (AR), as a way of closing the loop and getting the message across.”

Professor Goecke also sees both an opportunity and a need in building the framework to scaffold data science work.

“Not everything that is technically possible should automatically be done, and questions of ethics and privacy always need to be considered,” he said.

“We need to look at such questions in the broader social context, and seek answers to questions like how should data be used, where and for how long it should be stored, what kind of energy and environmental impact this could involve?”

Professor Goecke feels this self-reflective questioning of the industry is a necessary ongoing process, as there is little current regulation.

“This is an area in its infancy, and one of great promise – but it needs to have safeguards built around it, the right oversight and ethics in place. There needs to be a balance of privacy and development – as data scientists, we need to make wise, clear-eyed judgments on a daily basis.”

READ MORE

Mailchimp Phishing Attack Results in Potential Hit on 100K Trezor Crypto Wallets

Stolen client data from Mailchimp has put customers of the cryptocurrency hardware wallet maker Trezor on notice of potential social engineering attacks impersonating Trezor.

This week, email marketing company Mailchimp announced a data breach on March 26 after it discovered a threat actor using compromised credentials to gain access to the company’s internal customer support tools. In total, audience data was stolen from 102 customers in the finance and cryptocurrency sectors – likely to be used to phish the customers of those 102 companies.

Over the weekend, crypto hardware wallet maker Trezor emailed its customers informing them of the compromise and provided instructions to customers to update their Trezor Suite:

“Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”

Trezor also posted tweets about their data being compromised on April 3rd, warning customers that they would not be communicating via email for the time being, until the situation is resolved.


The initial Mailchimp compromise began as a phishing attack. According to their statement about the attack, “The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”

This attack is an unfortunate example of the potential ripple effect a single phish can have. While Trezor customers appear to have remained unscathed, you can see how one user falling for a phishing attack could have impacted thousands of individuals and businesses. It’s why we’re so passionate about Security Awareness Training here at KnowBe4 – by training users to be vigilant at all times when interacting with emails, the risk of falling for social engineering tactics employed within a phishing attack is much lower, resulting in an equally lowered success rate for the initial attack itself.

READ MORE

Social Engineering by “Emergency Data Request”

Bloomberg has reported that forged “Emergency Data Requests” last year induced Apple and Meta to surrender “basic subscriber details, such as a customer’s address, phone number and IP address.”

Emergency Data Requests (EDRs) come from US law enforcement authorities. But don’t they need a warrant to ask for this kind of information? Yes, normally they do. Brian Krebs explains, “In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.”

And what about tech companies like Apple and Meta? Don’t they know how to receive and respond to warrants? Again, yes, they do. Krebs explains further: “Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.”

So what’s going on with EDRs? They’re a bit different. They’re issued in special circumstances by law enforcement agencies when the authorities are concerned about a clear, imminent danger, and they can be issued without the usual legal and judicial review.

As Krebs puts it, “But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.” This is the proverbial ticking time bomb, when law enforcement needs information immediately because the threat is both imminent and grave. And of course a company receiving that kind of request wants to comply. No one wants mayhem, especially mayhem their cooperation might have prevented, and so the recipient is likely to choose responsive, quick disclosure over insistence on procedural privacy safeguards.

Unfortunately, it’s difficult to determine whether an EDR (which, remember, is by its very nature an emergency measure designed to bypass ordinary procedures) is real or not. “It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”

Thus urgency, here as in so many other cases, seems to have served to lower the victims’ guard. None of the companies who were affected by the scam are without experience in handling requests from law enforcement, and they all have policies in place to prevent this sort of thing from happening. The social engineers found the procedural gap and drove through it. Changes to policy, and especially some reliable means of authenticating EDRs, should help alleviate the problem.

Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the UK and the US, some of whom may also be involved with the Lapsus$ group, others with the (possibly now defunct) Recursion Team. In this case, as in so many others, realistic new-school security awareness training can help employees smoke out suspicious approaches.

READ MORE

Cost of Internet Crimes in 2021 Increases 64%, Exceeding $6.9 Billion

New data from the FBI’s Internet Crime Complaint Center (IC3) shows a massive increase in the cost of internet crimes, with phishing and BEC topping the list.

The IC3’s recently-released annual Internet Crime Report gives us a broad picture of what kinds of cybercrimes are being perpetrated across the U.S. every year. This year saw increases in the number of reported cases – 847,376 (a 7% increase), and the amount of losses hitting nearly $7 billion!

From the case data, the IC3 helps us focus in on two specific concerns for businesses. The first is phishing/social engineering scams: the 323,972 cases made up 38% of all reported cases in 2021 and represent a 34% increase in case counts. The second is Business Email Compromise, which was responsible for nearly $2.4 billion in losses across only slightly fewer than 20,000 cases. This equates to an average loss of $120,000 per case.

Ransomware cases were notably low on the spectrum – with only 3,729 cases and $49.2 million in losses. With ransomware being considered the number one cyber threat today, I’m guessing the IC3 simply isn’t being contacted in most cases. Even so, the healthcare sector dominated the list of victims by industry, with financial services, information technology, and manufacturing following in the list.

Phishing, BEC, and Ransomware are serious cybercrimes with even more serious repercussions. All tie back to the use of social engineering tactics to fool victims. Security Awareness Training is key in stopping these kinds of attacks at the common juncture point – when threat actors require corporate users to act in order for the attack to continue. Those users that take the training are more apt to spot an attack and stop it in its tracks.

READ MORE