Incident Response Actions are Systematically Reversed by Hackers to Maintain Persistence

Analysis of attacks on two cellular carriers has identified threat-actor actions designed to undo mitigations taken by security teams mid-attack.

We’d like to think that the attacker’s only move in a game of cyberattack chess is “attack,” and that once you begin to mitigate their intrusion, lateral movement, modification of user accounts, etc., the threat actor simply gives up and you win. But new analysis of several attacks by security vendor CrowdStrike shows that while your team is busy undoing everything the attackers have done to gain access, they are equally busy either reversing your actions or setting up additional means of entry, privilege, and access.

According to the analysis, CrowdStrike observed the following activity mid-attack when response actions weren’t taken swiftly:

  • Setup of additional VPN access
  • Setup of multiple RMM tools
  • Re-enabling of accounts disabled by security teams

It’s just like chess; you make a move and your adversary makes another.
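The third item above, accounts re-enabled behind the responders’ backs, is something a security team can watch for in its own Windows Security log. The following is an added example written for this newsletter entry, not CrowdStrike’s tooling: it walks a handful of constructed event records (IDs 4725 “account disabled”, 4722 “account enabled” and 4720 “account created” are the real Windows event IDs; the account names, host and timestamps are made up) and raises an alert whenever an account the IR team disabled is enabled again by someone outside the team, or a new account appears while containment is in progress. The responder allowlist is an assumption you would replace with your own.

```python
"""Flag containment actions that were reversed by someone outside the IR team.

Added example for the CrowdStrike finding above; not vendor code. Event
records are constructed dicts with the fields a SIEM export would carry.
"""
from datetime import datetime, timedelta

# Constructed sample events (names, host and times are made up).
SAMPLE_EVENTS = [
    {"time": "2022-11-28T09:00:00", "id": 4725, "target": "svc_backup", "subject": "ir_analyst1", "host": "DC01"},
    {"time": "2022-11-28T09:00:05", "id": 4725, "target": "jdoe",       "subject": "ir_analyst1", "host": "DC01"},
    # Twelve and a half minutes later the disabled service account is back,
    # enabled by an account the responders did not use.
    {"time": "2022-11-28T09:12:30", "id": 4722, "target": "svc_backup", "subject": "ops_admin",   "host": "DC01"},
    # ...and the re-enabled account immediately creates a fresh one.
    {"time": "2022-11-28T09:13:10", "id": 4720, "target": "helpdesk2",  "subject": "svc_backup",  "host": "DC01"},
    # The IR team lifting its own containment later is expected, not an alert.
    {"time": "2022-11-28T10:30:00", "id": 4722, "target": "jdoe",       "subject": "ir_analyst1", "host": "DC01"},
]

# Assumption: accounts the incident responders use for containment actions.
RESPONDERS = {"ir_analyst1"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_reversals(events, responders, window=timedelta(hours=24)):
    """Return alerts for responder-disabled accounts that were enabled again
    by a non-responder within `window`, and for accounts created by a
    non-responder while such a disablement is still recent."""
    disabled_by_team = {}  # target account -> time a responder disabled it
    alerts = []
    for ev in sorted(events, key=_ts):
        now = _ts(ev)
        if ev["id"] == 4725 and ev["subject"] in responders:
            disabled_by_team[ev["target"]] = now
        elif ev["id"] == 4722 and ev["subject"] not in responders:
            when = disabled_by_team.get(ev["target"])
            if when is not None and now - when <= window:
                alerts.append({
                    "type": "re-enabled",
                    "target": ev["target"],
                    "by": ev["subject"],
                    "host": ev["host"],
                    "minutes_after_disable": round((now - when).total_seconds() / 60, 1),
                })
        elif ev["id"] == 4720 and ev["subject"] not in responders:
            if any(now - when <= window for when in disabled_by_team.values()):
                alerts.append({
                    "type": "new-account-during-containment",
                    "target": ev["target"],
                    "by": ev["subject"],
                    "host": ev["host"],
                })
    return alerts


def sample_alerts():
    return find_reversals(SAMPLE_EVENTS, RESPONDERS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Run as a script it prints two alerts: the service account re-enabled 12.5 minutes after containment, and the new account created by it. Feed it a real export (winlogbeat, Splunk, Sentinel) by mapping your fields onto `time`, `id`, `target`, `subject` and `host`; the same logic extends to 4728/4732 group-membership events if you want to catch re-granted privileges as well.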

There are two takeaways from this story:

  • Response actions need to be swift; you need to cut off attacker access quickly and effectively.
  • Because the initial attack vectors were mostly social engineering designed to harvest credentials, Security Awareness Training for every user is needed to keep users vigilant whether they’re using email, the phone, or the Internet.
READ MORE

Archives Overtake Office Documents as the Most Popular File Type to Deliver Malware

Taking the lead over the use of Word, Excel, PDF, and other office-type documents in attacks, new data shows that files like ZIP and RAR have grown in popularity by 11% last quarter.

For years, we’ve seen attackers take advantage of the scripting functionality found in Office documents (e.g., VBA macros, and JavaScript embedded in PDFs) to download and execute malicious content. But it was inevitable that attackers would move on: with so many security sources loudly advising that macros and scripting be disabled, attackers had to find a new way to sneak their malicious content in via email.

According to HP Wolf Security’s Q3 Threat Insights Report, archive files now represent 44% of the files used to deliver malware, overtaking Office documents, which were found in 32% of attacks. Attackers are exploiting the inability of security solutions to open archives (especially those protected with a password supplied in the phishing email itself) to hide their true intent.
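A gateway that cannot open a password-protected archive is not entirely blind: the ZIP format records whether each entry is encrypted in a flag bit of its headers, and the entry names themselves are stored in the clear. The following is an added example, not code from HP Wolf Security or the report: it builds a constructed attachment in memory (Python’s `zipfile` cannot write encrypted entries, so the example sets the “encrypted” flag bit by hand, which is the same bit a real password-protected entry carries), then shows the checks a mail filter can still make without a password. The extension lists are assumptions to tune for your environment.

```python
"""Triage a ZIP attachment that may be password-protected, without opening it.

Added example for the HP Wolf Security finding above; not the report's code.
The sample archive is constructed in memory; the script entry contains only
a placeholder comment, not malware.
"""
import io
import os
import zipfile

# Assumptions: extensions that should not arrive in an inbound archive, and
# archive types whose presence means "archive inside an archive".
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".lnk", ".iso", ".img", ".bat", ".cmd", ".ps1", ".scr", ".hta"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".tar"}

ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag (APPNOTE 4.4.4)


def _mark_entry_encrypted(raw: bytearray, name: bytes) -> None:
    """Set the encrypted bit for one entry in both its local file header
    (flag at offset 6, name at offset 30) and its central-directory header
    (flag at offset 8, name at offset 46)."""
    for signature, flag_offset, name_offset in ((b"PK\x03\x04", 6, 30), (b"PK\x01\x02", 8, 46)):
        pos = raw.find(signature)
        while pos != -1:
            if raw[pos + name_offset: pos + name_offset + len(name)] == name:
                raw[pos + flag_offset] |= ZIP_FLAG_ENCRYPTED
            pos = raw.find(signature, pos + 1)


def build_sample_attachment(with_script: bool = True) -> bytes:
    """Construct a ZIP with a harmless text file and, optionally, a script entry
    flagged as password-protected, mimicking a phishing attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("README.txt", "Please open the attached invoice.")
        if with_script:
            zf.writestr("Invoice_4471.js", "// constructed placeholder, not malware\n")
    raw = bytearray(buf.getvalue())
    if with_script:
        _mark_entry_encrypted(raw, b"Invoice_4471.js")
    return bytes(raw)


def inspect_archive(data: bytes) -> dict:
    """Report encrypted entries, risky extensions and nested archives, reading
    only the central directory (no entry is decompressed or decrypted)."""
    findings = {"encrypted": [], "risky": [], "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                findings["encrypted"].append(info.filename)
            if ext in RISKY_EXTENSIONS:
                findings["risky"].append(info.filename)
            if ext in NESTED_ARCHIVE_EXTENSIONS:
                findings["nested"].append(info.filename)
    suspicious = findings["encrypted"] or findings["risky"] or findings["nested"]
    findings["verdict"] = "quarantine" if suspicious else "allow"
    return findings


if __name__ == "__main__":
    print(inspect_archive(build_sample_attachment()))
    print(inspect_archive(build_sample_attachment(with_script=False)))
```

The first archive is quarantined on two independent grounds (an encrypted entry and a `.js` entry), the second is allowed. Note the limits: an attacker can rename entries, and RAR or 7z need their own header parsers, so treat this as a cheap first gate in front of sandbox detonation rather than a replacement for it.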

Additionally, according to the report, attackers are focusing more energy on improving their social engineering, brand impersonation, and their use of built-in OS capabilities (instead of downloading malicious tools) to improve their chances of a successful attack.

All this adds up to more phishing attacks, craftier scams, and more victims falling prey because they aren’t handling email with a sense of vigilance. That vigilance is taught through Security Awareness Training, which ensures that every unsolicited email is treated by the recipient as malicious until proven otherwise.

READ MORE

Cyber Insurers Focus on Catastrophic Attacks and Required Minimum Defenses as Premiums Double

Recent attacks are helping cyber insurers better understand what security strategies need to be in place and how to price policies based on the risk those policies cover.

Remember, insurance companies of all kinds are in business to stay in business. That means that while they are willing to share the risk with your organization, they’re not in the business of simply paying out on a claim without a fight. And because fighting claims is not a good look for cyber insurers, it makes more sense for them to be proactive and do one or more of the following:

  • Help to reduce the risk of attack by establishing what cyber defenses must be in place
  • Price policies across the board correctly so there’s enough revenue coming in to cover the percentage of claims that should be paid
  • Limit what attack scenarios are covered, sometimes specified down to the kind of attack, the role of the attacker, the role of internal employees in the attack, etc.

According to a recent Wall Street Journal article on the subject, cyber insurers are getting much smarter about limiting their risk. With premiums having risen by 92% in 2021, according to reinsurance company Swiss Re, the focus now is on the impact an attack could have on, say, a supplier whose compromise could affect millions of people; on which cloud providers the insured uses; and possibly on requiring insureds to hold capital in reserve for worst-case scenarios.

In other words, cyber insurers are arriving at a better understanding of the nature of cyber risk. While news of sharply rising premiums isn’t pleasing, it may be a necessary step until there’s enough data on attacks for insurers to determine what the risk reality looks like.

Until then, it’s up to organizations to continue to put up strong cyber defenses designed to keep attackers from succeeding – something that should include Security Awareness Training as part of the strategy.

READ MORE

New Threat Group Already Evolves Delivery Tactics to Include Google Ads

Delivering an equally new Royal ransomware, this threat group monitored by Microsoft Security Threat Intelligence has already shown signs of impressive innovation to trick victims.

Microsoft keeps track of new threat groups, giving them a DEV-#### designation until there is enough confidence about who is behind the group to name it. In the case of DEV-0569, the group uses malvertising and malicious phishing links that point to a malware downloader disguised as a legitimate software installer or update, using spam emails, fake forum pages, and blog comments as initial contact points with potential victims.

According to Microsoft, the group has expanded its social engineering techniques to improve their delivery of malware, including delivering phishing links via contact forms on the targeted organizations’ website and hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to their targets.

Take the example below, where the threat group hosted their malicious downloader, known as BATLOADER, on a site that appears to be a TeamViewer download site.

[Figure: BATLOADER hosted on a site made to look like a TeamViewer download page. Source: Microsoft]

Microsoft has also noted that the group expanded its malvertising technique to include Google Ads in one of its campaigns, establishing legitimacy and blending in with normal ad traffic.

This level of innovation shows that threat actors are stepping up their game to establish legitimacy in any way possible, including paying for ads, so that victims’ defenses are down. It’s all the more reason for organizations to educate their users through Security Awareness Training to stay watchful even when everything seems “normal,” since even a legitimate Google search could end in malicious activity.

READ MORE

Inside NATO’s Efforts To Plan For A Future Cyberwar

Maggie Miller at Politico had the scoop: “TALLINN, Estonia — Some 150 NATO cybersecurity experts assembled in an unimposing beige building in the heart of Estonia’s snow-covered capital this week to prepare for a cyberwar.

It’s a scenario that has become all too real for NATO member states and their allies since the Russian invasion of Ukraine. The conflict has forced Ukraine to defend against both missile attacks and constant efforts by Russian hackers intent on turning off the lights and making life more difficult for their besieged neighbors.

“There is a level of seriousness added; it’s not anymore so fictitious. It has become quite obvious those things are happening in reality,” Col. Bernd Hansen, branch head for Cyberspace at NATO Allied Command Transformation, said of the impact of the conflict in Ukraine.

NATO’s cyber forces have been watching the war in Ukraine closely, both to find ways to help Ukraine and to figure out how to make it harder for Russia and other adversaries to hack into infrastructure in NATO member states and their allies.

The conflict has added urgency to NATO’s annual Cyber Coalition exercise, in which more than 40 member states, allies and other organizations work together to respond to, and recover from, simulated cyberattacks on critical infrastructures like power grids and ships. The exercise spanned the globe, with nearly 1,000 cyber professionals participating remotely from their home countries.” The rest of this revealing article is here at Politico:

READ MORE

Credential Phishing with Apple Gift Card Lures

A phishing campaign is impersonating Apple and informing the user that their Apple account has been suspended due to an invalid payment method, according to researchers at Armorblox.

“Attackers crafted the targeted email in order to convince recipients that they were receiving a legitimate email communication from the brand Apple, Inc.,” the researchers write. “With the subject of the email reading: We’ve suspended your access to apple services, it is clear the attacker’s intention was to establish a sense of urgency in order for the email to be opened. Once opened, unsuspecting victims were met with a minimalist email (black with white text) informing recipients that validation of the card associated with his or her apple account failed to validate. The consequence was clear – access to services that use the account would be lost.”

The link in the email will take the user to a spoofed login page designed to steal their credentials.

“The goal of the targeted email was to get victims to go to a fake landing page created in order to exfiltrate sensitive user credentials,” the researchers write. “The information included and language used within the email aims to lead victims to click the main call-to-action (login now) located at the bottom of the email. Once clicked, victims were directed to a fake landing page, which was crafted to mimic a legitimate Captcha security check landing page.”

The researchers note that while the emails bypassed security filters, observant users could recognize this scam by looking at the URL (bachemad[.]com).

“The email was sent from a valid domain,” Armorblox says. “Traditional security training advises looking at email domains before responding for any clear signs of fraud. However, in this case a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain’s validity.”

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.

READ MORE

Spoofing-as-a-Service Site Taken Down

Law enforcement authorities across Europe, Australia, the United States, Ukraine, and Canada have taken down a popular website used by cybercriminals to impersonate major corporations in voice phishing (vishing) attacks. The website, called “iSpoof,” allowed scammers to pay for spoofed phone numbers so they could appear to be calling from legitimate organizations.

According to Europol, which coordinated the operation, users of the website are believed to have scammed victims around the world out of more than €115 million (approximately US$120 million).

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords,” Europol says. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims. The investigations showed that the website has earned over EUR 3.7 million in 16 months.”

As a result of the operation, 142 users and administrators of the site were arrested in November. More than 100 of these, including iSpoof’s main administrator, were arrested in the UK. London’s Metropolitan Police Commissioner Sir Mark Rowley stated that online fraud should be a major priority for law enforcement.

“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century,” Rowley said. “Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands. By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

New-school security awareness training can enable your employees to thwart social engineering attacks.

Europol has the story.

READ MORE

Quiet Quitting Can Potentially Lead to Insider Security Risks

The phenomenon known as “quiet quitting,” in which employees become disengaged from their work while formally remaining in their jobs, can lead to serious security risks, according to Tim Keary at VentureBeat. Apathetic employees are more likely to make security mistakes, such as falling for social engineering attacks or reusing passwords. Particularly unhappy employees may also intentionally harm the organization by leaking data.

Jeff Pollard, VP Principal Analyst at Forrester, stated, “It’s important to be aware of quiet quitting, so a quiet quitter doesn’t become a loud leaker. Leading indicators for quiet quitting include an individual becoming more withdrawn and becoming apathetic towards their work. If those feelings simmer long enough, they turn into anger and resentment, and those emotions are the dangerous leading indicators of insider risk activity like data leaks and/or sabotage.”

Jon France, CISO of (ISC)2, stated that the spike in remote work due to the pandemic has increased this risk.

“While quiet quitting is a relatively new term, it describes an age-old problem — workforce disengagement,” France said. “The difference this time around is that in a remote work environment, the signs may be a little harder to spot. To prevent employees from quiet quitting, it is important for CISOs and security leaders to ensure and promote connection and team culture.”

Keary concludes that organizations can mitigate these risks by following security best practices.

“One of the simplest solutions is to implement the principle of least privilege, ensuring that employees only have access to the data and resources they need to perform their function,” Keary says. “This means if an unauthorized user does gain access to the account or they attempt to leak information themselves, the exposure to the organization is limited. Another approach is for organizations to offer security awareness training to teach employees security-conscious behaviors, such as selecting a strong password and educating them on how to identify phishing scams. This can help to reduce the chance of credential theft and account takeover attempts.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks.

READ MORE

There’s No Such Thing as a Free Yeti, Only Social Engineering Tactics

It’s easy to think of the typical online holiday scam as something that affects mostly individuals. Sad, maybe, and unfortunate, but not something that might seriously threaten a business, or another organization.

For example, a lot of scams are circulating that offer a free Yeti cooler, or some other attractive bauble, like a Samsung Smart TV, or a snazzy Dutch oven by Le Creuset. All you have to do is enter your credit card to cover shipping and handling. Fair enough, right? After all, you’re going to get a swell Yeti. Of course, there is no Yeti, but the scammers now have the marks’ payment card information.

But there are lessons here in social engineering that can be applied by organizations, too. Vox’s Recode explains, “Basically, these scammers are deploying lots of technical tricks to evade scanners and get through spam filters behind the scenes. Those include (but aren’t limited to) routing traffic through a mix of legitimate services, like Amazon Web Services, which is the URL several of the scam emails I’ve received appear to link out to. And, [security researcher Zach] Edwards said, bad actors can identify and block the IP addresses of known scam and spam detection tools, which also helps them bypass those tools.”

There’s also more use of domain hop architecture in spam, helping the scammers hide their tracks and evade security tools. That’s not all. Recode goes on to report that, “Akamai said this year’s campaign also included a novel use of fragment identifiers. You’ll see those as a series of letters and numbers after a hash mark in a URL. They’re typically used to send readers to a specific section of a website, but scammers were using them to instead send victims to completely different websites entirely. And some scam detection services don’t or can’t scan fragment identifiers, which helps them evade detection, according to Katz. That said, Google told Recode that this particular method alone was not enough to bypass its spam filters.”

The upshot of the greater sophistication email spam now exhibits is that the social engineers are working to bypass the technical protections organizations have in place. As is so often the case, the individual user is the last line of defense, and a well-informed, properly skeptical user is to some extent armored against attempts like this. The email might look as if it came from a legitimate sender and the offer might be attractive, but new-school security awareness training can help your people understand that, really, there’s no such thing as a free Yeti.
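Two of the items in this issue come down to the same habit: look at where a link really lands. In the Apple lure, the tell was the URL’s domain not being Apple’s; in the Yeti campaign, Akamai saw the real destination tucked into the fragment identifier (the part after `#`), which some scanners drop before they ever look at the URL. The following is an added example that serves both entries; it is not code from Armorblox, Akamai or Recode. It pulls every link out of a constructed HTML email, reports the registrable domain each link actually resolves to, flags any that are not the brand the email claims to be from, and checks the fragment for a second URL. The brand list, the sample message and its domains are assumptions made up for the example, and the two-label domain helper is deliberately crude (a real deployment would use the Public Suffix List).

```python
"""Inspect the links in a suspicious email, fragment identifiers included.

Added example for the Apple-lure and free-Yeti entries above; not from any of
the cited researchers. The email body and every domain in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumption: the domains the email's claimed sender legitimately uses.
BRAND_DOMAINS = {"apple.com"}

# Constructed sample email. The third link points at a bland-looking host but
# carries the real destination in its fragment, as described by Akamai.
SAMPLE_EMAIL_HTML = """
<p>We've suspended your access to Apple services.</p>
<p><a href="https://support.apple.com/billing">Billing help</a></p>
<p><a href="https://account-verify-login.example/signin">Login now</a></p>
<p><a href="https://files.cloud-host.example/view#https://yeti-giveaway.example/claim">Claim your reward</a></p>
"""

URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def base_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Good enough for the
    sample; use the Public Suffix List for real data (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hidden_urls_in_fragment(url: str) -> list:
    """Return any full URLs carried inside the fragment identifier."""
    fragment = unquote(urlparse(url).fragment)
    return URL_IN_TEXT.findall(fragment)


def assess_links(html: str, brand_domains: set) -> list:
    """For each link, list every domain it can land on (the host plus any URL
    hidden in the fragment) and which of those are off-brand."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href in collector.links:
        targets = [href] + hidden_urls_in_fragment(href)
        domains = [base_domain(urlparse(t).hostname or "") for t in targets]
        results.append({
            "href": href,
            "lands_on": domains,
            "off_brand": [d for d in domains if d not in brand_domains],
            "fragment_redirect": len(targets) > 1,
        })
    return results


def assess_sample() -> list:
    return assess_links(SAMPLE_EMAIL_HTML, BRAND_DOMAINS)


if __name__ == "__main__":
    for row in assess_sample():
        print(row)
```

Only the first link is on-brand; the second is a straightforward look-alike domain of the bachemad[.]com kind, and the third would look like a harmless file-sharing host to any filter that discards fragments, yet carries a second destination. Whatever scanner you deploy, confirm it evaluates the fragment as well as the host, and remember that a “valid” sending domain, as Armorblox noted, says nothing about where the links go.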

READ MORE

WhatsApp data breach sees nearly 500 million user records up for sale

Craig Hale at Techradar reported: “A post on a “well-known hacking community forum” claims almost half a billion WhatsApp records have been breached and are up for sale.

The post, which multiple sources have confirmed is likely to be true, claims to be selling an up-to-date, 2022 database of 487 million mobile numbers used on WhatsApp, which contains data from 84 countries. This means that almost one-quarter of all WhatsApp’s estimated two billion monthly active users are possibly at risk.

If you use WhatsApp, your details could well be up for sale

More than 32 million of the leaked records are said to be from users in the US, with 11 million from UK users. Other affected nations include Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), Turkey (20 million), and Russia (10 million).

Leaked phone numbers could be used for any number of reasons, including marketing and phishing, highlighting the importance of a good ID theft protection tool.”  And of course new-school security awareness training!

Full article at TechRadar : https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale

READ MORE