Learn to Combat These Three Cybersecurity Monsters This Halloween and Beyond

It’s that time of year again. The air feels a bit crisper; the days are a bit shorter; and children around the world prepare to go trick or treating. Even as an adult, Halloween is probably my favorite holiday. I love seeing and thinking about monsters and things that lurk in the shadows… maybe – just maybe – that’s what drew me to a career in cybersecurity.

As we ponder the horrors of the night, I can’t help but draw a few comparisons between current cyber threats and the monsters we all know and love. Here are three critical cybersecurity monsters to be on the hunt for this Halloween and beyond.

Vampires:

Our first category of monster is the vampire—the cybersecurity bloodsucker. No, not the vendor community. I’m referring to cybercriminals who launch phishing and social engineering attacks.

Phishing and social engineering attacks peel back the thin veneer of control we like to believe we have over our actions. Like a vampire wielding hypnotic control over a soon-to-be victim, social engineers know just how to exploit our very human nature against us. And – before we know it – we’ve fallen victim to that dark power. We’ve clicked a malicious link, entered our login credentials into a fake website, downloaded a malicious attachment, or handed over information that should have been protected. Vampires are masters at stripping away a victim’s self-control so they can sink their teeth into an organization’s lifeblood – its data.

Defender’s tip: Vampires hate the light, are driven back by symbols of protection, and can be killed by a stake to the heart. Protect your employees and organization by shining a light on social engineering schemes. Talk about current scams and train your employees to battle vampires. Teach them to fight off vampiric attacks by sending them frequent simulated phishing tests. This gives your employees a chance to learn how to slay the vampires by reporting suspected phishing emails… a stake to the heart!



Werewolves:

The next category of monster in our cybersecurity horror safari is the werewolf. Cybersecurity werewolves are negligent or malicious employees.

This is the classic “insider threat”: employees who blend in with their coworkers most of the time, but can transform into serious threats under the right conditions. These employees may have been bitten by dark outside forces; they transform into threats when the moon calls. These vicious werewolves savage organizational data, ransack systems, and leave destruction in their wake.

More frequently, however, cybersecurity werewolves are truly mild-mannered employees who haven’t been overtly tainted by dark forces. But their transformation happens when they are under extreme stress, in a hurry, or are clowning around. Even though negligent werewolves may have somewhat innocent motives, it’s important to realize that their effects are still devastating. And one scratch from even these mild-mannered werewolves can infect your employee population.

Defender’s tip: Werewolves can be hard to spot since they are usually only in their human form. However, you may be able to detect potential werewolves through blood tests; well… not really. In this case, you conduct “blood testing” through frequent background checks for employees in key areas. Also consider investing in and deploying employee monitoring software to the extent permitted by local regulations. And what about the more innocent, negligent werewolves? Train them constantly so that they are more likely to reflect the behaviors you want and are more likely to stay loyal.



Zombies:

And what survey of monster madness would be complete without a horde of zombies? Zombies are fascinating because they are lifeless and yet slog along. They represent damage, decay, corruption, and a festering of what was once pure. They rampage, kill, and feast on… brains.

Yep – you guessed it – the cybersecurity equivalent of a zombie infestation is today’s plague of disinformation, misinformation, and fake news. Disinformation is the intentional injection of corruption (falsehoods) into the world. Mad scientist disinformation agents want to infect the general population with a scourge of corruption. And they want their initial zombie population to scratch, bite, and otherwise ravage others, allowing the corruption to spread in the form of misinformation (the unknowing/unintentional spread of disinformation). Zombie plagues tend to quickly spread well beyond the confines of any border or boundary. And, before you know it, there is a vast army of zombies as far as the eye can see; moving slowly and somehow shockingly fast at the same time—like a horde of sickening stop-motion marionettes. They want our brains.

Defender’s tip: It’s important to remember that zombies are victims. They may be snarling at us, wanting to infect us and eat our brains. But that’s only because they were infected by others spreading the disinformation/misinformation virus. The best thing you can do is to remain uninfected and fight for a vaccine. We combat falsehoods with truth. And we bring empathy and compassion to this very human problem. When’s the last time you had a real conversation with a zombie?



Conclusion:

Let’s face it. The world is a scary place. The monsters are out there. But that’s why we’re here. We all became cybersecurity professionals to fight for a better world; to protect our organizations, our families, and our future. Now let’s get out there and fight.


Phishing Attacks Can Come from an Unlimited Number of Trusted Phishing Sites Thanks to Google App Engine

Scammers are taking advantage of Google’s Trust Service Verification and the way its App Engine creates unique URLs to host trusted landing pages used in phishing scams.

Every phishing scammer who needs a website to send their victim to in order to complete the scam, or to host a command-and-control server to complete an attack, needs that site to be one that security solutions will allow.

It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.

Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on appspot.com) creates the URL names.

Today, the URLs use the following subdomain nomenclature:

VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com

Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.
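As an added example (not code from the original post, from Google, or from KnowBe4), the parser below splits an appspot.com hostname into its “-dot-” separated parts and keys a blocklist on the project and region rather than on the full hostname, so a changed version or service label does not yield a fresh, unblocked URL. The blocked project and the sample links are constructed placeholders, and the assumption that the VERSION and SERVICE labels may be omitted is mine, not stated on the page.

```python
import re
from urllib.parse import urlsplit

# Targeted-routing hostname shape described on the page:
#   VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com
# Assumption (mine, not from the page): VERSION and SERVICE may be omitted,
# so the first DNS label holds one, two or three "-dot-" separated parts,
# and the project ID is always the last of them.
APPSPOT_RE = re.compile(
    r"^(?P<labels>[a-z0-9-]+)\.(?P<region>[a-z0-9]+)\.r\.appspot\.com$"
)


def parse_appspot_host(host):
    """Split an App Engine hostname into its routing parts.

    Returns None for anything that is not a *.REGION.r.appspot.com host.
    """
    m = APPSPOT_RE.match(host.lower())
    if not m:
        return None
    parts = m.group("labels").split("-dot-")
    if len(parts) > 3 or any(p == "" for p in parts):
        return None
    return {
        "project": parts[-1],
        "region": m.group("region"),
        # With two parts the first is either a version or a service name;
        # with three parts it is VERSION followed by SERVICE.
        "prefix": parts[:-1],
    }


def project_key(url):
    """Key that stays the same when only the version or service label changes."""
    host = urlsplit(url).hostname or ""
    info = parse_appspot_host(host)
    if info is None:
        return None
    return f"{info['project']}.{info['region']}"


# Constructed placeholder: a project reported as serving a fake logon page.
BLOCKED_PROJECTS = {"fake-o365-login-00000.uc"}


def is_blocked(url):
    """True when the URL resolves to a blocked project, whatever its version."""
    key = project_key(url)
    return key is not None and key in BLOCKED_PROJECTS


# Constructed sample links (placeholders, not real indicators).
SAMPLE_URLS = [
    "https://fake-o365-login-00000.uc.r.appspot.com/office365",
    "https://20201019t1-dot-fake-o365-login-00000.uc.r.appspot.com/office365",
    "https://v2-dot-default-dot-fake-o365-login-00000.uc.r.appspot.com/login",
    "https://benign-app-00000.uc.r.appspot.com/",
    # Same project name only in the query string: the host is example.com,
    # so this must not match (substring matching on the URL would be wrong).
    "https://example.com/?next=fake-o365-login-00000.uc.r.appspot.com",
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to whether it would be blocked."""
    return {u: is_blocked(u) for u in urls}


if __name__ == "__main__":
    for url, blocked in classify().items():
        print("BLOCK " if blocked else "allow ", url)
```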

Keep in mind that because these pages run on Google’s own appspot.com, a Google-trusted domain, they are trusted by everyone and by every security solution.

That’s bad.

This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.


Don’t Neglect the Threat of Vishing

People need to help raise awareness about voice phishing scams, or vishing, according to Paul Ducklin at Naked Security. While phone scams have been around for years, they remain effective and people continue to fall for them. Someone who would be suspicious of an unexpected email might be more trusting when there’s a human voice at the other end of the line.

“Never let yourself get suckered, surprised, or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty,” Ducklin writes. “It doesn’t matter where the call claims to originate. Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station, or the lottery company. Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.”

Ducklin adds that when you receive an unsolicited phone call from someone asking for information or trying to get you to do something, you should hang up and call the organization that the caller claimed to work for.

“Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record,” Ducklin says. “Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on. Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.”

New-school security awareness training can teach your employees about social engineering techniques so they can avoid falling for these tricks.


Remote Workers Disregard Security Awareness Training

According to new research from Mimecast, remote workers are increasingly putting their organizations at risk by failing to follow security awareness training best practices.

Mimecast polled 1000 global respondents working from corporate workstations to compile the latest report, Company-issued computers: What are employees really doing with them?

The report found plenty of risky behavior. For example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%) and online shopping (35%).

It also revealed that, although most (96%) of the respondents said they were aware of the repercussions of clicking through on malicious phishing links, nearly half (45%) open emails they consider to be suspicious.

This is despite the fact that 64% claimed to have received special security training to equip them better for the new normal of working from home. Nearly half (45%) also admitted to not reporting such emails to their IT security teams.

“Employees need to be engaged, and training needs to be short, visual, relevant and include humor to make the message resonate. Awareness training can’t be just another check-the-box activity if you want a security conscious organization.”

As organizations continue to work in a remote environment, it’s important to implement frequent phishing tests to ensure your users are always aware of the latest attacks.


[HEADS UP] Australia Warns Citizens of JobKeeper Phishing Email

The Australian Taxation Office has advised Australians to delete a particular email and to not provide any personal information.

Data from the Australian Competition and Consumer Commission reveals those in the 35-44 age bracket lost the most money from phishing scams in September. This research was released in light of this phishing attack.

Australians have been warned of a JobKeeper scam asking for recipients’ driving licence and their Medicare card:


This email claims the ATO is ‘checking claims’ made through the wage subsidy scheme. Australians in that age group lost $87,000 combined last month, $20,000 more than Australians over the age of 65, who lost $66,000.

A survey by digital security firm Avast meanwhile found almost half of Australians (49%) have encountered a phishing attack this year. Their findings showed 73% of Australians have experienced a phishing scam in their personal life and 7% had received a phishing attack at work.

The survey found phishing attacks were the most common scams encountered by Australians at 78%, followed by phone call scams (55%) and smishing scams (41%), which are text message scams.

It’s important for your organization to be aware of the potential warning signs. New-school security awareness training can train your users on how to spot and report a suspicious email.


Notes on Social Engineering, and What to Do About It

Phishing attacks are growing in prevalence during the pandemic, according to David Dufour, Vice President of Engineering and Cybersecurity at Webroot. Webroot’s recent threat report concludes that people are receiving 34% more emails than before the pandemic, and this increase was accompanied by an uptick in phishing attacks.

“Well, I think none of this will be surprising, but it’s just kind of critical to bring up so people are keeping it top of mind,” Dufour said. “A lot of things are, hey, make a donation or, you know, click here, click this link to be able to donate to help COVID survivors or things of that nature. Or maybe, hey, you want to get your stimulus check quicker, click this link and give us your account information, and we’ll get your stimulus check deposited in, you know, a few minutes. None of that is true…They’re just trying to get you to click that link.”

Dufour added that the combination of the increase in email volume and the distractions of working from home creates a perfect environment for phishing attacks to succeed.

“The problem that we’re seeing is kind of twofold,” Dufour said. “One – people are getting inundated with emails from colleagues or, you know, customers even, where it may be coming from their personal account, it may be coming from their business account because everyone’s working at home, so they’re getting a lot of email from unfamiliar places, and some of it’s legitimate for them to do their job. And the other big issue is you’re at home with little Susie or little Johnny from school and you’re trying to make them lunch and you’re trying to answer emails and you’re trying to respond to your boss, and so there’s also a distraction factor, where people aren’t as focused on what they’re reading and they’re more apt to click as well.”

Dufour concluded that employees want to learn how to make smarter decisions, and organizations need to help educate them.

“The security industry has realized that the user is not as dumb as we want to make them out to be,” he said. “People really want to do the right thing. If we can educate them – like I said, most people know what phishing is. We just gotta keep it top of mind and in their brain to be aware of it. But on top of that, the thing that people really need to be doing is slowing down and taking the time to read what’s going on. And if you’re in a busy spot, maybe don’t answer your email. Set aside some time when you can do it thoughtfully.”

New-school security awareness training can create a culture of security within your organization by teaching your employees how to avoid falling for social engineering attacks.


Threat Actors Take Advantage of Exchange Online and Outlook on the Web with New Levels of Sophistication

New insight from Accenture Security highlights specific ways attackers are changing their tactics to make Microsoft’s email platform a tool rather than an obstacle for phishing attacks.

We all tend to think of our email platform as something that helps create a more secure environment for our networks. But new, disturbing information found in Accenture’s 2020 Cyber Threatscape Report shows that, in the wild, parts of Microsoft Exchange (and Exchange Online), as well as Outlook Web Access, are being used as part of sophisticated phishing campaigns:

  • Threat groups like Belugasturgeon are hiding within Exchange traffic to obfuscate both command relays and data exfiltration.
  • Hackers are attempting to gain access to Exchange servers responsible for the Client Access Server role to deploy web shells that facilitate the harvesting of credentials during an Outlook on the Web session.
  • Belugasturgeon even went as far as to register one of their pieces of code as a Microsoft Exchange Transport Agent (reputable transport agents include antivirus, mail filtering, etc.) so that they could gain access to email passing through Exchange and be able to create, modify, or delete messages.

This level of sophistication makes it clear that the bad guys are willing to do whatever it takes to gain access to your credentials and email.

While the means to mitigate the issues mentioned above likely revolve around keeping any Exchange systems you still manage up to date with patching, it’s still important that users be vigilant about abnormal communication issues. Emails not being received by an intended recipient, or an expected email from an external party never arriving, could both be signs that a bad guy is tampering with your email conversations and inserting themselves into a business email compromise, particularly if the user in question handles a financial aspect of the organization, intellectual property, customer data, or employee information.


The Risk of Redirector Domains in Phishing Attacks

Researchers at GreatHorn warn that a large-scale phishing campaign is using open redirects to evade email security filters. Open redirects allow attackers to take a URL from a non-malicious website and tack on a redirect, so that when the link is clicked it will take the user to a phishing page. This results in a phishing link that can fool both humans and technology. A human may inspect the URL and conclude that it will take them to a legitimate site, while security filters will struggle to flag the link as malicious.
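As an added example (not GreatHorn’s code and not from the original post), the checker below pulls the URL that an open redirect carries in its query string or path, follows nested targets without touching the network, and reports the host a user would finally land on, so a filter can decide on the destination rather than on the reputable domain the link starts at. The trusted-domain list and the sample links are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches an absolute URL wherever it appears inside a string.
EMBEDDED_URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed placeholder list of domains the filter treats as reputable
# (the kind of first hop an open redirect abuses).
TRUSTED_DOMAINS = {"www.example-trusted.com", "example-trusted.com"}


def embedded_urls(url):
    """Yield absolute URLs carried in the query string or path of `url`."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    # Some redirectors put the target in the path instead: /r/https://...
    values.append(parts.path)
    for value in values:
        # unquote() handles a target that was percent-encoded a second time.
        m = EMBEDDED_URL_RE.search(unquote(value))
        if m:
            yield m.group(0)


def effective_destination(url, max_hops=5):
    """Follow nested redirect targets (no network access) and return the
    host the user would finally land on."""
    current = url
    for _ in range(max_hops):
        nested = next(embedded_urls(current), None)
        if nested is None:
            break
        current = nested
    return (urlsplit(current).hostname or "").lower()


def assess_link(url):
    """Describe where a link starts, where it ends up, and whether it looks
    like a trusted domain being used as a lure for an off-site page."""
    first_hop = (urlsplit(url).hostname or "").lower()
    final_host = effective_destination(url)
    return {
        "first_hop": first_hop,
        "final_host": final_host,
        "redirected_offsite": final_host != first_hop,
        "trusted_lure": first_hop in TRUSTED_DOMAINS
        and final_host not in TRUSTED_DOMAINS,
    }


# Constructed sample links (placeholders, not real indicators).
SAMPLE_LINKS = [
    # Target percent-encoded in a query parameter.
    "https://www.example-trusted.com/redirect?url=https%3A%2F%2Flogin-verify.example.net%2Fo365",
    # Target carried in the path.
    "https://www.example-trusted.com/r/https://login-verify.example.net/",
    # Two chained redirectors before the final page.
    "https://www.example-trusted.com/go?to=https://other.example.org/out?u=https://login-verify.example.net/",
    # Ordinary link with no redirect at all.
    "https://www.example-trusted.com/news/article",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link))
```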

“The Threat Intelligence Team described this campaign as a ‘comprehensive and multi-pronged attack,’ with multiple hosting services and web servers being used to host fraudulent Office 365 login pages,” the researchers write. “Malicious links, delivered via phishing emails to regular users worldwide, are bypassing their email providers’ native security controls and slipping past nearly every legacy email security platform on the market.”

Based on similarities in the phishing emails and malicious sites, GreatHorn believes a single actor is behind the campaign.

“The URLs in the phishing emails sent to users vary,” the researchers write. “Some employ redirects; others point directly at the phishing kit pages. The phishing kit itself uses the same naming structure in nearly all cases: http://t.****/r/, where *** represents the domain. However, the URL path varies across individual messages, as part of a common tactic used to bypass simple blocking rules that prevent these messages from reaching users.”

The phishing pages are designed to steal credentials, but they also contain JavaScript that will install malware on the victim’s computer.

“The phishing webpages impersonate a Microsoft Office 365 login, using the Microsoft logo and requesting that users enter their password, verify their account, or sign-in,” GreatHorn says. “Given this campaign’s breadth and highly targeted nature, the sophistication and complexity suggest that the attackers’ significant coordinated effort is underway. Additionally, GreatHorn’s Threat Research Intelligence Team identified attempts to deploy the Cryxos trojan on multiple browsers, including Chrome and Safari.”

New-school security awareness training can prepare your employees to identify and thwart phishing emails that bypass your technical defenses.


The Secret to This Email Phishing Campaign is Volume

FireEye says a newly characterized cybercriminal gang, FIN11, has been launching widespread email phishing campaigns for the past four years. The group isn’t particularly sophisticated, but FireEye’s Mandiant unit says FIN11 stands out due to the “sheer volume of activity” it’s responsible for.

“There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week,” FireEye says. “While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.”

FireEye believes the volume of FIN11’s activity makes up for its lack of sophistication, since the group can simply choose how to move forward after one of their phishing emails happens to compromise a victim.

“Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in [a] few instances,” FireEye says. “This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”

FIN11 also changes its tactics as more effective attack strategies become apparent. This manifested itself in the group’s recent shift to using ransomware and data theft to extort victims.

“Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands,” the researchers write. “The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.”

The criminal threat evolves, and security training needs to keep pace with it. New-school security awareness training can enable your employees to identify and thwart both sophisticated and untargeted phishing attacks.


5 Cyber Security Awareness Month Tips for Cybersecurity Professionals

It’s Cyber Security Awareness Month, which is a great time of year for everyone to dispense security wisdom like Oprah giving away cars.

But looking back at some of the blogs I’ve written over the years, particularly around Cyber Security Awareness Month, and, dare I say, some written by my peers, there’s a bit of an issue — we’re often so focussed on showcasing our cyber security knowledge that it can be easy to forget who the knowledge is intended for.

The effect can be visualised by a chart (not reproduced here).

It’s important that as security professionals we use the opportunities presented by Cyber Security Awareness Month wisely, and communicate better. Below are five tips which have helped me, and may be of use to you too.

  1. Quit blaming others: Yes, we all get it. Sometimes people make mistakes, do silly things, or ignore you altogether. It’s so easy to declare, “Lol, users!” rolling your eyes a bit, and exhaling while letting your shoulders drop in the way a parent does just before they tell their 8-year-old how disappointed they are in their exam results.
    Instead, let’s be the people who, in the face of mistakes, buy them an ice cream and make light of it. After all, is a little bit of ransomware really worth ruining friendships over?
  2. Argue behind closed doors: Security professionals don’t always agree on things. And that’s a good thing, we need to be constantly challenging assumptions and out of date practices. I guess we are also egomaniacs who love being right and putting others down. But that’s a topic for another time.
    The point is that people who don’t work in security don’t need to be confused. So, if someone says to their colleagues, “use a password manager”, don’t jump in on social media and say how bad you think the advice is, how MFA is a better option, or how l33t you are for being able to memorise 78 different unique passwords each being 16 characters long.

    Baby steps are what we need, and if we can help people be a little bit more secure today than they were yesterday, that’s great. If professionals want to disagree, or say how one method is superior to another, they can do it out of public sight, where it doesn’t make cybersecurity look like it’s full of infighting imbeciles.

  3. Be specific: Whenever asked a security question the reflex action is to sharply inhale before saying, “well, it depends” which is then followed by 15 minutes of incoherent rambling which includes liberal use of phrases such as, “risk”, “appetite”, “appropriate”, and “threat model”.
    I get it, I used to be a consultant in a previous life, and it’s what pays the bills. But when your colleagues, friends, or family members ask you a question, don’t beat around the bush – you’re not their consultant. Just tell them what to do, keep it specific and simple, but more importantly make it practical.
  4. Be a storyteller: We’re not college professors or lecturers, and nobody really wants to listen to a professor (apologies to professors). So try to make your message interesting and engaging. Telling a story really helps people remember and apply messages. If you tell the family an engaging story around the dinner table about how a criminal got caught because they posted too much information about themselves on social media, it may be all that’s needed for people to evaluate their own choices and change their behaviours accordingly.
  5. Make them cool: Making people who you directly come into contact with aware of cyber security and steps they can take is great. But do you know what’s better? Having them go on and spread the message further. So instead of just telling, show something interesting and cool. Think of a little hack as a magic trick. Show someone, amaze them, then teach them how to do it. They will be more than happy to show off their newly learnt trick to all their friends and family and be the cool one.

We aren’t trying to make everyone a cyber security expert during Cyber Security Awareness Month, and such a goal is unachievable. What we do want is for people to make better risk decisions and know who to go to when they are in any doubt. If we can help people to be even 1% more secure during October than they were last month, then that in itself makes Cyber Security Awareness Month worth it.
