phishing Archives - Cyber Secure Forum | Forum Events Ltd
Posts tagged: phishing

OPINION: Don’t let fatigue be the cause of MFA bypass

Guest Post

By Steven Hope (pictured) , Product Director MFA at Intercede

If names such as Conficker, Sasser and MyDoom send a shiver down your spine, you are not alone. In the not-too-distant past computer viruses, whether simple or sophisticated had the power to cripple organisations large and small, as cybercriminals sought to wreak havoc, and gain notoriety and wealth.

For security professionals, endpoint/perimeter protection was the name of the game, with firewalls and anti-virus software providing the first line of defence. Whilst this type of malware still exists, it is no longer the main attack vector. The threat landscape is ever evolving, however, and man-in-the-middle (session hijacking), SIM hacking and targeted phishing attacks are growing, preying on vulnerable authentication, including Multi-Factor Authentication (MFA).

In the same way that anti-virus has never been able to protect systems from 100% of trojans, worms, botnets, ransomware etc., there is no such thing as a phishing-proof solution, bar hardware-based PKI & FIDO for now. However, there are ways to be more resistant to phishing attacks. Unfortunately, the weakest form of resistance is also the most commonplace – passwords. Guess, buy or socially engineer a password and you instantly have access to whatever it is ‘protecting’, be it a social media account or a mission-critical system. If it was deemed important enough to have a password in front of it, then the chances are that it has some value, financial or otherwise, to the organisation, and that value can be exploited.

The obvious choice, therefore, is to add another layer of security, so if the password is breached then there is another obstacle to overcome. This is commonly known as multi-factor authentication (MFA), but this can be a misnomer, if, for example, one of those factors is a poorly managed password programme (not following NIST guidelines and failing to have a Password Security Management solution). Given the weakness of passwords, MFA of this type is typically only as secure as the second factor. So, whilst potentially more secure than a standalone password, it is far from being resistant to phishing and some might argue whether this really is MFA.

Brute force attacks to guess passwords are still used today, but many cybercriminals are far more likely to focus less on cracking the computer and more on engineering the employee through techniques such as spear phishing, BEC (Business Email Compromise) and consent phishing. The aim here is to encourage the identified target to unwittingly hand over the information they need.

A perfect example of this is the exploitation of the complacency surrounding push notifications (commonly known as ‘push fatigue’). Push notifications are increasingly used as the second factor when logging on to a system, or making a purchase. A message asks the account owner to accept, enter a one-time-code (OTC), or use a biometric (via the fingerprint reader on a mobile device).

Cybercriminals have learnt that bombarding accountholders with push notifications, creating a fatigue, can then result in the owner complying with their request; after all, if pressing Decline a few times doesn’t make the popups stop, maybe pressing Accept will. If they already have the username and password (readily available and traded at very low cost on the dark web) they can do as they please, whether that be making a transaction, emptying an account, downloading or deleting data. If the term ‘trojan horse’ had not already been attributed in the world of cybersecurity it would be an apt description of what cybercriminals are doing with push notifications.

So, if poorly managed passwords are weak and 2FA easily bypassed, it is a valid question to ask where that leaves authentication, especially given the lack of recognised standards (although I would encourage anyone to look at FIPS 201, published by NIST). The reality is that a multi-faceted and multi-factor authentication (MFA) approach needs to be phishing resistant. The better staff are trained (CUJO AI reported in January that 56% of Internet users try to open at least one phishing link every month), the more factors there are, the more secure you are. How far you go on the scale from passwords (not phishing resistant) to PKI (the highest level of authentication assurance) will very much depend on where you sit in the food chain and whether the organisation could be perceived to be a high value target, whether of itself or for its role in a wider and richer supply chain.

The reality for most organisations of any size is that different people and tasks will require different assurance levels, so any MFA solution used needs to have the ability to scale how credentials are applied appropriately. Authlogics Push MFA has been built with the end user in mind, giving them useful information with which to make a more informed accept/decline decision. Furthermore, after declining a logon they can simply tap the reason why and push fatigue protection will automatically kick in.
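A defender-side sketch of push fatigue protection, added here as an example; it is not Authlogics or Intercede code. It assumes a hypothetical authentication service that sends one push per login attempt, shows the user the source address and location with each prompt, and records accept/decline responses with an optional reason. Repeated declines within a sliding window, or a single "not me" decline, suppress further pushes for a cooldown (the login must then fall back to a non-push factor), and an accept that follows a burst of declines is returned as a signal worth raising to the SOC. The limits, users and scenario are constructed values.

```python
"""Push-fatigue protection for a push-notification second factor.

Added example; not Authlogics or Intercede code. Assumes a hypothetical
authentication service that sends at most one push per login attempt and
records the user's accept/decline response with an optional decline reason.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field

DECLINE_LIMIT = 3                    # declines inside the window that trigger protection
WINDOW_SECONDS = 300                 # sliding window in which declines are counted
COOLDOWN_SECONDS = 900               # how long new pushes are suppressed once triggered
ACCEPT_AFTER_DECLINE_SECONDS = 120   # an accept this soon after a decline is suspicious
IMMEDIATE_LOCK_REASONS = {"not_me"}  # "this wasn't me" locks without waiting for the limit


@dataclass
class PushPrompt:
    """What the user sees: enough context to make an informed accept/decline."""
    user: str
    application: str
    source_ip: str
    location: str

    def text(self) -> str:
        return (f"Approve sign-in to {self.application} for {self.user} "
                f"from {self.source_ip} ({self.location})?")


@dataclass
class PushFatiguePolicy:
    """Per-user decline tracking; suppresses pushes once fatigue is likely."""
    declines: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict[str, float] = field(default_factory=dict)

    def can_send(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) <= now

    def request_push(self, user: str, application: str, source_ip: str,
                     location: str, now: float) -> PushPrompt | None:
        """Build the prompt, or return None when pushes are suppressed.

        A suppressed request must fall back to a non-push factor (for example
        a one-time code typed by the user); it must never silently succeed.
        """
        if not self.can_send(user, now):
            return None
        return PushPrompt(user, application, source_ip, location)

    def record_decline(self, user: str, now: float, reason: str | None = None) -> bool:
        """Record a decline; return True if fatigue protection kicked in."""
        recent = self.declines[user]
        recent.append(now)
        while recent and recent[0] < now - WINDOW_SECONDS:  # drop entries outside the window
            recent.popleft()
        if reason in IMMEDIATE_LOCK_REASONS or len(recent) >= DECLINE_LIMIT:
            self.locked_until[user] = now + COOLDOWN_SECONDS
            return True
        return False

    def record_accept(self, user: str, now: float) -> bool:
        """Record an accept; return True if it closely follows a decline.

        The login still proceeds, but the event is worth an alert: an accept
        after a burst of declines is exactly what a push-bombing attacker
        with a stolen password is hoping for.
        """
        recent = self.declines[user]
        return bool(recent) and now - recent[-1] <= ACCEPT_AFTER_DECLINE_SECONDS


def simulate_push_bombing() -> list[str]:
    """Constructed scenario: repeated login attempts with a stolen password."""
    policy = PushFatiguePolicy()
    log = []
    for t in (0, 20, 40, 60):
        prompt = policy.request_push("alice", "payroll", "203.0.113.9",
                                     "Unknown location", now=t)
        if prompt is None:
            log.append(f"t={t}: push suppressed, fallback factor required")
            continue
        log.append(f"t={t}: {prompt.text()}")
        if policy.record_decline("alice", now=t):  # the user keeps declining
            log.append(f"t={t}: fatigue protection engaged for alice")
    return log


if __name__ == "__main__":
    print("\n".join(simulate_push_bombing()))
```

In the constructed run the first three pushes go out and are declined, the third decline engages protection, and the fourth attempt gets no push at all. The window keeps genuine users from being locked out by declines spread across a day, while the "not_me" reason lets a user who recognises an unrequested prompt stop the flood immediately.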

In the third quarter of 2022, the Anti-Phishing Working Group (APWG) reported 1,270,883 phishing attacks, the worst ever recorded by the group. The reason is simple – phishing works. Every expectation is that 2023 will continue to see numbers rise. However, using the right MFA as part of an overall security strategy can provide the resistance needed to repel ever more sophisticated, persistent and persuasive attacks.

Investing in a phishing prevention toolkit 

Stuart O'Brien

Phishing remains one of the biggest security threats to all businesses – regardless of size and industry. This was reflected in the Cyber Security Breaches Survey 2021, as phishing was identified as the most common type of security attack (82%) last year. 

The accelerated shift to hybrid work environments, triggered by the COVID-19 pandemic, has played a fundamental role in increased phishing activity. Shifting to remote working opened the door even wider to phishing, malware and other cyber threats – with attackers targeting users away from the office. 

Phishing is a threat that cannot be avoided, but it can be controlled. In June 2022, VIPRE produced a whitepaper which highlights that there are solutions that businesses can put in place to help stop valuable data from reaching the wrong hands.

Lee Schor, Chief Revenue Officer of VIPRE outlines the crucial technology tools and training needed to reduce the threat of phishing attacks and ultimately, for organisations to create a phishing prevention toolkit…

The Evolution of the Phishing Landscape

Phishing is the practice of sending a deceptive message to trick the user into revealing sensitive information, or to deploy malicious software, such as ransomware, onto an organisation’s IT network. Once sensitive information has been captured, the consequences can be severely damaging to a business – from financial repercussions, to loss of customers and damaged reputation.

In the modern threat landscape, cyber-attack methods are becoming increasingly sophisticated, and specifically, phishers are now using advanced social engineering to lure users into giving away confidential company data. For example, in 2021, Microsoft Office 365 users were targeted with a sophisticated phishing email to trick users into giving away their credentials via a compromised SharePoint website.

Over time, phishing has also become increasingly harder to detect, as it is highly targeted and constantly evolving to take advantage of both users and organisations – ever more so with the increase in hybrid working. VIPRE’s whitepaper outlines that there are now more phishing tactics than ever before, from vishing (voice), angler phishing (social media) to smishing (SMS phishing). Therefore, it is crucial that businesses prioritise how they can protect themselves and their users from falling victim to an attack. To get started, it is crucial that organisations invest in the right solutions to create a layered prevention toolkit, but what should this consist of?

Protecting IT Systems with Software Solutions 

Technology solutions can support businesses by acting as a layer of security protection to help identify, stop and block potential phishing threats from entering the network. But, with the evolution of phishing tactics, it is crucial that organisations deploy the right digital tools across the business to cover every potential attack entry point.

Email is the leading attack vector used by cybercriminals to deliver phishing, ransomware and malware attacks. The first step in preventing phishing via email is to ensure that businesses have the right protection in place at the time of receiving and handling emails, such as email attachment sandboxing, anti-phishing protection, data loss prevention (DLP) tools and outbound email protection.

Innovative technologies such as machine learning can be used to scan emails for possible phishing scams by comparing links to known phishing data. If phishing is suspected, the malicious links are removed from the email message to mitigate any chance of the user clicking on them. Additionally, DLP tools help to stop sensitive information from leaving the organisation at the time an employee sends an email by offering a crucial double-check. For example, DLP tools can be used to prevent emails from being sent to the wrong person, as when a user clicks ‘send’ they are asked to confirm the email address(es) for the recipient(s) they are sending it to.

The initial step of having email security in place helps to neutralise malicious links before they enter the user’s inbox. But with the emergence of zero-day threats, having website security, such as URL sandboxing, has become a necessity. This is because phishing emails will often redirect a recipient to a website to enter personal information. Therefore, when a user clicks on a URL in an email, the destination web page and its content can be automatically sandboxed – where the user will be shown a detailed block page with a sanitised live preview of the page they are trying to access – shielding the business from any potentially malicious payloads.
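As an added example of the two controls just described (this is not VIPRE's code), the block below compares each link in an inbound message against a constructed list of known phishing hosts, removes matches, and rewrites the remaining links to a hypothetical click-time sandbox endpoint (https://sandbox.example/check) so that a zero-day site is checked when the user clicks rather than only when the mail arrives. The block list, the endpoint and the sample message are all constructed.

```python
"""Inbound email link handling: remove links to known phishing hosts and
rewrite the rest for click-time URL sandboxing.

Added example, not VIPRE's product code. KNOWN_PHISHING_HOSTS, the sandbox
endpoint and SAMPLE_BODY are constructed for the demonstration.
"""
from __future__ import annotations

import re
from urllib.parse import quote, urlsplit

# Constructed "known phishing data": hosts previously seen in phishing campaigns.
KNOWN_PHISHING_HOSTS = {"secure-login-update.example", "evil.example"}
SANDBOX_ENDPOINT = "https://sandbox.example/check?u="   # hypothetical click-time checker
REMOVED_MARKER = "[link removed: matches known phishing data]"
TRAILING_PUNCT = ".,;:!?"

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def normalise_host(url: str) -> str | None:
    """Return the effective host of a URL, lower-cased, without userinfo or port.

    urlsplit().hostname discards 'user:pass@', so a link written as
    https://login.bank.example@evil.example/ is seen for what it is: evil.example.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. a malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def is_known_phishing(host: str, blocklist: set[str]) -> bool:
    """Match the host or any parent domain (a.b.evil.example -> evil.example).

    The bare top-level label is never tested, so 'example' alone cannot match.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def sandbox_link(url: str) -> str:
    """Rewrite a link so the destination is checked at the moment of the click."""
    return SANDBOX_ENDPOINT + quote(url, safe="")


def neutralise_links(body: str, blocklist: set[str] = KNOWN_PHISHING_HOSTS) -> tuple[str, dict]:
    """Rewrite every link in an email body; return the new body and a summary."""
    summary: dict[str, list[str]] = {"removed": [], "sandboxed": []}

    def replace(match: re.Match) -> str:
        url, trailing = match.group(0), ""
        while url and url[-1] in TRAILING_PUNCT:   # keep sentence punctuation out of the URL
            trailing, url = url[-1] + trailing, url[:-1]
        host = normalise_host(url)
        if host is None or is_known_phishing(host, blocklist):
            summary["removed"].append(url)
            return REMOVED_MARKER + trailing
        summary["sandboxed"].append(url)
        return sandbox_link(url) + trailing

    return URL_RE.sub(replace, body), summary


# Constructed sample message; not a real phishing email.
SAMPLE_BODY = (
    "Your mailbox is almost full. Review storage at "
    "https://login.bank.example@evil.example/storage now.\n"
    "Alternatively see https://mail.secure-login-update.example/quota or the "
    "real help page https://support.example.org/help."
)

if __name__ == "__main__":
    new_body, report = neutralise_links(SAMPLE_BODY)
    print(new_body)
    print(report)
```

The userinfo trick and the subdomain match are the two cases worth noting: a plain string comparison against the block list would miss both, which is why the host is extracted with the URL parser and then matched label by label up to its registrable parent.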

Empowering Users with Education and Training

Digital tools can help to identify and stop potential phishing emails – but these technologies are not the complete solution. Employees need to also be regularly made aware of existing threats, wherever they are working and on whatever device they are using – which is especially important in the hybrid working environment.

No phishing prevention plan is effective without users understanding the threat landscape. Human intervention is sometimes the only way of spotting or stopping a phishing attempt. Therefore, it is crucial that businesses implement a security and phishing awareness training programme which educates users on the different types of phishing and potential threats. Such education should be continuous and conducted on a regular basis throughout the year – not just a one-off tick box session. This is because cyber threats constantly evolve – so if the training is out of date, so is the business’s security protection.

It is vital that this training includes phishing simulations and penetration testing so that employees can face real-life scenarios. This type of education will help identify areas of weakness where organisations need to provide support to employees through additional training, for example, and will help businesses to continuously assess the success of a phishing awareness programme.

Conclusion

Investing in a phishing toolbox is essential to fully protect your organisation against ever-changing attacks and zero-day threats delivered via SMS, phone, and email. By implementing the right technology, combined with user education and security awareness training to give all-around protection, businesses can carefully manage and avoid phishing threats. As the growth of the cyber security threat landscape shows no signs of slowing down, organisations can be reassured that they have the necessary protective layers in place to combat the modern threat landscape by using the right tools and training.

#CSAM: How to protect yourself from phishing attacks

Stuart O'Brien

This year’s cyber security awareness month provides a timely reminder of the increasingly dangerous threat posed by phishing. With more and more people using the internet for everyday services and work, and the general improvement in the quality and plausibility of phishing messages, there’s been a record growth in email phishing during the pandemic.

Experts agree that “these campaigns can be difficult to spot as they use very similar verbiage and branding to the company they are trying to mimic”, so it’s key that everyone learns, and learns fast how to “fight the phish”.

In this article, Infosecurity Magazine shares 5 ways to #BeCyberSmart when it comes to detecting phishing messages and what you need to do when you come across one.

Read More.

Agari Report: New BEC scam 7X more costly than average, bigger phish start angling in

Stuart O'Brien

Sophisticated threat actors, evolving phishing tactics, and an $800,000 business email compromise (BEC) scam in the second half of 2020 all signal trouble ahead, according to analysis from the Agari Cyber Intelligence Division (ACID).

After attacks on Magellan Health, GoDaddy, and the SolarWinds “hack of the decade,” one thing is distressingly clear. Phishing, BEC, and other advanced email threats continue to be one of the most effective attack vectors into organisations. And it’s getting worse.

Throughout the second half of 2020, ACID uncovered a troubling rise in eastern European crime syndicates piloting inventive forms of BEC. Indeed, the state-sponsored operatives launching attacks from pirated accounts in the SolarWinds attack were just a few of the sophisticated threat actors moving into vendor email compromise and other forms of BEC.

But in November, a sudden surge in the amount of money targeted in BEC scams could be tracked back to the resurgence of one particular source—the threat group we’ve dubbed Cosmic Lynx.

After sowing chaos with COVID-19-themed scams earlier in the year, the group’s tactics shifted toward vaccine ruses. More alarmingly, the group’s emails also started requesting recipients’ phone numbers in order to redirect the conversation. It’s unclear if the request is designed to disarm recipients or if actual phone messages or conversations are now part of the con.

The second biggest driver behind the late-year increase in the amount sought in BEC scams is a potent new pretext—capital call investment payments. Capital calls are transactions that occur when an investment or insurance firm seeks a portion of money promised by an investor for a specific investment vehicle.

In emails to targets, BEC actors masquerade as a firm requesting funds to be transferred in accordance with an investment. Because of the nature of such transactions, the payments requested are significantly higher than the average $72,044 sought in wire transfer scams during 2020. The average payout targeted in these capital call cons: $809,000.

To learn more about the latest trends in phishing, BEC scams and advanced email threats and how to stop them, request information at https://www.handd.co.uk/agari-secure-email-cloud/.

In case you missed ZIVVER at the Security IT Summit…

Guest Post

By Zivver

Last month marked ZIVVER’s first appearance at the Security IT Summit and we had a great time meeting so many people (virtually).

If you took some time during the summit to connect with us, we look forward to staying in touch!

And if you missed your chance to meet with us at the summit, now’s a great time to get to know ZIVVER.

We’re a relatively new player in the UK, but our secure communication platform has already established us as a market leader in the Netherlands. In a few short years we’ve earned the trust of over 3000 organisations, including leading insurance companies, top healthcare institutions and the national judicial system, to safeguard their sensitive data. 

How ZIVVER works

Our smart technology platform is designed to prevent human error, which is consistently cited as the top cause of data leaks (over 75%). With ZIVVER, users receive real-time awareness training when sending sensitive communications electronically, enabling them to prevent mistakes before hitting send.

The service conveniently integrates with leading email clients such as Outlook and Gmail, so it’s easy to use and won’t impact existing workflows. Plus, with a generous 5TB limit, you’ll never have to worry about file size limits again when you need to transfer files safely. ZIVVER also helps organisations to improve their regulatory compliance as well as business performance. 

Many companies quickly see a positive business case with us. That’s why over 98% of our customers renew their service agreements, and our average rating on Gartner Peer Reviews is 4.7 out of 5. 

Curious to find out more?

Organisations usually concentrate their security efforts on inbound threats, such as spear phishing, and on anti-virus protection, but often overlook the need to properly safeguard their outbound communications. This can create additional risks, since outbound communications typically cause more data breaches.

Learn how to enhance your email security in our new Outbound Email Security Essentials white paper.

You can easily download it by visiting this page.

One million scam emails reported to NCSC

Stuart O'Brien

An influx of cryptocurrency investment scams is among a range of online threats which have been blocked as a result of more than 1 million suspect emails being reported by the public in just two months.

More than half of the 10,000 online links to scams blocked or taken down by the National Cyber Security Centre (NCSC) with the help of the public relate to cryptocurrency schemes, where investors are typically promised high returns in exchange for buying currency such as Bitcoin.

The scams have all been detected since the launch in April of the Suspicious Email Reporting Service, a tool which allows the public to forward suspect emails which may link to fraudulent websites.

The service, which was launched as part of the Government’s Cyber Aware campaign, has received a daily average of 16,500 emails and has now reached the milestone of one million.

While cryptocurrency scams – which cost the public millions of pounds annually – have been the main scam detected, there have also been numerous examples of fake online shops and spoofs involving brands such as TV Licensing, HMRC, Gov.uk and the DVLA.

NCSC Chief Executive Officer Ciaran Martin, said: “Reaching the milestone of one million suspicious emails reported is a fantastic achievement and testament to the vigilance of the British public.

“The kind of scams we’ve blocked could have caused very real harm and I would like to thank everyone who has played their part in helping make the internet safer for all of us.

“While it’s right that we should celebrate reaching this milestone, it is important for all of us to remain on our guard and forward any emails that don’t look right to report@phishing.gov.uk.”

Digital Secretary Oliver Dowden, said: “We are committed to making the UK the safest place to be online and are working tirelessly to defeat cyber criminals.

“I urge everyone to continue reporting suspicious emails and follow our Cyber Aware campaign top tips for staying secure online alongside our world-leading National Cyber Security Centre advice.”

The Suspicious Email Reporting Service was launched as part of the Cyber Aware campaign, which promotes protective behaviours to keep your online accounts and your devices as secure as possible.

To use the reporting service, people are asked to simply forward suspect emails to report@phishing.gov.uk. If they are found to link to malicious content, it will be taken down or blocked, helping prevent future victims of crime.

Latest figures show that 10% of the scams were removed within an hour of an email being reported, and 40% were taken down within a day of a report. 10,200 malicious URLs linked to 3,485 individual sites have been removed thanks to the 1 million reports received.

The Suspicious Email Reporting Service was co-developed with the City of London Police. As well as taking down malicious sites, it will support UK policing by providing real-time analysis of reports and identifying new patterns in online offending – helping them stop even more offenders in their tracks.

Going phishing? Five emails you don’t want in your inbox

Stuart O'Brien

Phishing attacks are the most common form of cyber attack. Why? The simplicity of email gives cyber criminals an easy route in, allowing them to reach users directly with no defensive barriers, to mislead, harvest credentials and spread malicious elements.

All organisations think it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched and establish a thread of communication with the victim before attempting to steal their credentials or bank balance.

Email is the single biggest attack vector used by adversaries who employ a plethora of advanced social engineering techniques to achieve their goal. Andy Pearch, Head of IA Services at CORVID, describes five common types of social engineering attack that no employee – from CISO to HR assistant – wants to see in their inbox…

1. Payment diversion fraud

Cyber criminals often masquerade as a supplier, requesting invoices are paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets both businesses and individuals and the results can understandably be devastating.

There’s little point asking someone who isn’t authorised to make a bank transfer or change payment details, so threat actors target finance and HR teams, who would expect to process payments and deal with changes to personal account details and are therefore more likely to comply with the fraudulent request.

2. CEO fraud

Impersonating a VIP – often the CEO – is big business for adversaries, knowing the recipient will often action the request straightaway. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust of their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.

These deceitful requests often convey a sense of urgency, and imply the interaction can only be carried out via email – the victim therefore has no time to question the validity of the request, and is unable to call the CEO to confirm if it’s genuine.

3. Whaling

The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers in a business who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval. These phishing attacks are thoroughly researched, containing personalised information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP target.

4. Spear phishing

Perhaps the most widespread form of email-based cyber attack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information, such as bank details and personal data. Attackers study their victim’s online presence to include specific information which adds credibility to their request, such as purporting to be from a streaming service the victim is subscribed to, or a supplier that is known to the target company.

5. Sextortion

Not all phishing attacks are subtle. A form of cyber blackmail, sextortion is when cyber criminals email their target claiming to have evidence of them committing X-rated acts or offences, and demanding payment to stop the criminals from sharing the evidence with their victim’s family or employer.

Attackers count on their victim being too embarrassed to tell anyone about the email (although they haven’t done anything wrong), because it’s a taboo subject most wouldn’t feel comfortable talking about with others. They often make the email sound like they’re doing their victim a favour in keeping the details to themselves. The victim may decide to pay up to stop embarrassing details about their private lives being made public, regardless of whether they’re true or not. Payments are usually demanded in Bitcoin so the transaction is untraceable, meaning the adversary cannot be identified.

But if the victim knows they’re innocent, why do these attacks still work? It’s all about credibility – attackers harvest email addresses and passwords from previous cyber attacks, which are available on the internet, and include them in their email to add credibility. If an attacker emails you claiming to know one of your passwords and includes it for proof, you’re more likely to believe the rest of the email is genuine.

Conclusion

These common types of social engineering attack cannot be ignored by any organisation – these threats are very real and won’t disappear anytime soon. Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources; employees shouldn’t have to carry the weight of identifying these threats, essentially plugging the gaps in flawed cyber security strategies. Organisations need to treat email as the serious security risk that it is and begin to put appropriate measures in place.

Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, which removes the burden from users and instead leaves technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning employees can make quick, informed and confident decisions as to whether the email should be trusted.
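An added example of the kind of automated flagging described above, written as a small rule-based scorer; it is not CORVID's detection engine. It checks the From display name against a constructed executive list, measures how close the sender domain is to the company domain, compares the Reply-To domain with the From domain, and looks for the payment-change and pressure language that payment diversion and CEO fraud rely on. The company domain, executives, review threshold and the three sample messages are all constructed.

```python
"""Rule-based flagging of CEO-fraud and payment-diversion emails.

Added example, not CORVID's product code. COMPANY_DOMAIN, EXECUTIVES, the
threshold and the three sample messages are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from email.utils import parseaddr

COMPANY_DOMAIN = "acme.example"                        # constructed
EXECUTIVES = {"jane doe": "jane.doe@acme.example"}     # display name -> real address
REVIEW_THRESHOLD = 4                                   # score at which a banner/quarantine applies

URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|today|before (?:close|end) of business)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|invoice|bank details|account (?:number|details)|sort code|iban)\b", re.I)
CHANGE_RE = re.compile(r"\b(new|changed|updated|different)\b.{0,40}\b(account|bank|details)\b", re.I | re.S)
EMAIL_ONLY_RE = re.compile(r"\b(can'?t talk|don'?t call|in a meeting|only (?:by|via) email|reply (?:by|via) email)\b", re.I)


@dataclass
class Message:
    from_header: str
    reply_to: str | None
    subject: str
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(msg: Message) -> tuple[int, list[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    name, addr = parseaddr(msg.from_header)
    from_domain = domain_of(addr)
    name_key = name.strip().lower()

    # 1. Display name is one of our executives but the address is not theirs.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        score += 3
        reasons.append(f"display name '{name}' does not match executive address")
    # 2. Sender domain is a near miss for ours (acme.example vs acrne.example).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        score += 3
        reasons.append(f"look-alike sender domain {from_domain}")
    # 3. Replies would go somewhere other than the apparent sender.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if domain_of(reply_addr) != from_domain:
            score += 2
            reasons.append("Reply-To domain differs from From domain")

    text = f"{msg.subject}\n{msg.body}"
    # 4. Payment-diversion language: a payment together with a change of account details.
    if PAYMENT_RE.search(text) and CHANGE_RE.search(text):
        score += 2
        reasons.append("payment request with changed account details")
    # 5. Pressure tactics: urgency and "email only" stop the victim verifying by phone.
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency language")
    if EMAIL_ONLY_RE.search(text):
        score += 1
        reasons.append("discourages out-of-band verification")
    return score, reasons


def needs_review(msg: Message) -> bool:
    return assess(msg)[0] >= REVIEW_THRESHOLD


# Constructed samples; none are real messages.
CEO_FRAUD = Message(
    from_header="Jane Doe <jane.doe@acrne.example>", reply_to=None, subject="Quick favour",
    body="I'm in a meeting and can't talk. Need an urgent transfer to a supplier today, "
         "new account details below.",
)
PAYMENT_DIVERSION = Message(
    from_header="Accounts <ap@supplier.example>", reply_to="Accounts <ap@supplier-billing.example>",
    subject="Updated bank details for invoice 1042",
    body="Please note our bank details have changed. Pay the attached invoice to the new account.",
)
BENIGN = Message(
    from_header="Jane Doe <jane.doe@acme.example>", reply_to=None, subject="Board pack",
    body="Attached is the agenda for Thursday. No action needed before then.",
)

if __name__ == "__main__":
    for label, m in (("CEO fraud", CEO_FRAUD), ("Payment diversion", PAYMENT_DIVERSION), ("Benign", BENIGN)):
        print(label, assess(m), "review" if needs_review(m) else "deliver")
```

Scoring rather than a single hard rule is deliberate: the benign board-pack mail from the real executive scores nothing, while the payment-diversion sample reaches the threshold on the Reply-To mismatch plus the changed-details language alone, with no impersonation at all. In production the reasons list is what goes into the warning banner so the employee can see why the mail was flagged.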

With such sophisticated technology available and a growing threat landscape that shows no sign of slowing, it’s time for organisations to make a change and adequately protect themselves from incoming attacks.

VIDEO – Top tips to spot phishing attacks

Guest Post

By Falanx

Phishing, viruses and ransomware are some of the most common attacks aimed at organisations of all sizes, with phishing emails proving the most successful.

With this October being Cyber Security Awareness month, empower your staff to recognise and defend against these attacks.

Here are some of the signs to look out for: https://falanx.com/cyber/top-tips-to-spot-phishing-attacks/

Save £35k by deleting emails from your CEO

Guest Post

You work in finance. You get an email from your CEO addressing you by your first name, apologising for the late Friday email, but requesting you make an urgent payment to a regular supplier, with account details helpfully provided in the email. You’d pay it, right?

CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account.

The average cost of this attack has risen to £35,000, but how do they keep getting away with it? Check out the latest advice from Corvid:

https://www.corvid.co.uk/blog/save-yourself-35k-delete-ceo-emails

Automation reduces the risk of phishing attacks

Stuart O'Brien

It’s hard to overestimate how fundamental email has become to initiating cyberattacks. While there are numerous ways for attackers to target organisations, email is nearly always the common denominator.

Email phishing attack detection, analysis and rapid response is one of the biggest challenges email admins and security teams face today.

Did you know?

  • Phishing represents 98% of social incidents and 93% of breaches.
  • Email continues to be the most common vector for cyber attacks (96%).

Download our latest Whitepaper in Partnership with Ironscales: Office 365 is not built to defend against modern real world email threats

Learn why organisations that rely on cloud email services must budget for advanced phishing prevention, detection and response.

https://discover.everycloud.co.uk/automation-reduces-the-risk-of-phishing-attacks

For more information, contact:

Paul Richards, Director, EveryCloud

Mob: +44 7450 100 500 | DDI: 0203 904 3182 | Tel: 0800 470 1820

Email: paul.richards@everycloud.co.uk