Neu Cyber Threats – 18th February 2021
After analysing 1.2 BILLION spam emails blocked by Google Mail over a five month period, researchers have discovered that users whose personal details have been exposed by a third-party breach, older users, and those who use both desktops and mobile devices are among those at highest risk of becoming victims of a malicious phishing email campaign.
With ransomware attacks at their highest ever and businesses around the world being targeted, the research can help organisations understand what support their employees require. While most users keep separate accounts for work and personal use, those who had personal data exposed in a third-party breach were FIVE times more likely to be targeted by phishing or malware.
The research suggests that attackers harvest data breach information not only to enumerate email addresses, but also to potentially identify a user’s age or country of access – exposing users to lasting harm because there are few viable remediation options. Interestingly, the country a user is operating from can make a significant difference to whether or not they are targeted as victims. The highest-risk countries are concentrated in Europe and Africa, although the United States of America is the largest target by sheer volume of emails.
Older users should be aware, as the odds of someone aged between 55 and 64 experiencing an attack are, on average, 1.64 times those of an 18 to 24-year-old. The reasons for this are twofold: first, attackers may simply see older users as easier to dupe and coerce with newer phishing campaigns; secondly, older people tend to have “larger online footprints,” making the discovery of their accounts easier.
Meanwhile, mobile-only and desktop-only users were less likely to be victimised than those who use both to access their Gmail accounts, while those who frequently check their emails are more than five times as likely to be targeted. It was also found that many users do not enable strict multi-factor authentication (MFA), which would help keep them safer.
At Neuways, we would always recommend the use of MFA across businesses and employees’ work and personal use. By pairing a mobile phone number with an email address, you are giving yourself that extra layer of security that could be the difference between allowing a hacker access to your credentials or staying safe.
Business email compromise (BEC) attacks continue to surge into 2021, and the ransoms being paid continue to rise, too. Cyber criminals are continuing to evolve their tactics through various phishing email campaigns, with the end result being hundreds of thousands of pounds lost by businesses.
While it is usually high-profile hacks that gain media attention, BEC attacks remain a very real and very serious threat. They are simple – yet potent. Rather than developing malware or complex attack chains, a cyber criminal only needs to send an email mimicking an employee’s email account or use a compromised account. Victims are then conned into transferring money or into giving away further account credentials for the cyber criminal to exploit and/or sell.
The shift to remote working has led to an increase in attacks, and has made email security that bit more important for businesses to be investing in now. By having a secure email filter in place, businesses can block many of the scam emails sent to their employees, limiting the potential for a breach.
Interestingly, it seems many cyber criminals are using lead-generation services to obtain that initial email contact at certain businesses. From there they can establish who within a company they should be targeting. Recently, criminals have been targeting businesses with COVID-19 vaccine scams. Social engineering tactics are used to manipulate those in a position to spend money on what they think is an opportunity to vaccinate their workforce. In reality, their money is going straight into the pocket of a cyber criminal group.
We would advise businesses to actively engage with sharing news of cyber threats across their workforce. In doing so, employees will gain a knowledge of the threats that are out there, rather than falling victim to them.
An SMS phishing campaign that has been doing the rounds has seen businesses and employees targeted under the guise of tax refunds being offered. The campaign harvests the personal data and credit-card details of UK recipients who enter their details.
The messages claim to be from Her Majesty’s Revenue and Customs (HMRC), with recipients told that they’ve received a refund for ‘overpayment in year 2019/2020’, before being asked to click a link to proceed.
The link leads to a phishing page that requests various data, such as the victim’s mother’s maiden name, before asking for credit card details so that HMRC can ‘pay them back’. Unfortunately, the web pages used look very similar to those on the genuine government website – even including an official-looking coronavirus warning to add realism. After inputting their banking information, the victim clicks “submit” and the data is sent to the cyber criminals’ databases.
SMS phishing differs from email phishing campaigns in that the short, concise messaging often leads to shortened words and phrases, making the attackers’ grammatical errors harder to spot than in emails. Remember the following when dealing with suspicious communications:
- Check the address bar to validate any URLs given
- Read carefully for any grammatical errors in messages and web pages
- Implement MFA within your business
- Use your common sense and never willingly provide your banking details without there being a good reason for it
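As an added illustration of the first check in that list (this is example code, not part of the Neuways newsletter), the following Python script triages the host part of a URL the way a careful reader of the address bar would: it looks past the userinfo that precedes an ‘@’, flags raw IP addresses and punycode labels, and only treats a host as trusted when it sits under an allowlisted domain on a label boundary, so a lookalike that merely contains ‘gov.uk’ is reported. The allowlist and the sample URLs are constructed for the example; a production checker would use the Public Suffix List and a vetted list of the organisation’s genuine domains.

```python
"""Added example: triage of URLs from a suspicious SMS or email (not Neuways code).

Assumes a small, hypothetical allowlist of domains the genuine service is served
from; a real checker would use the Public Suffix List and a vetted allowlist."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist for the example: the real HMRC pages live under gov.uk.
TRUSTED_DOMAINS = ("gov.uk",)

# Constructed sample URLs in the style of the HMRC refund lure described above.
SAMPLE_URLS = [
    "https://www.tax.service.gov.uk/refund",            # genuinely under gov.uk
    "https://www.gov.uk.refund-claim.example/overpaid",  # gov.uk is only a prefix
    "http://www.gov.uk@198.51.100.7/hmrc",               # userinfo hides the IP host
    "https://hmrc-gov-uk.example/2019-2020",             # hyphenated lookalike
]


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def analyse_url(url: str) -> dict:
    """Return the effective host, whether it is under a trusted domain, and a list of
    findings explaining why the URL should be treated as suspicious."""
    parts = urlsplit(url.strip())
    findings = []
    # .hostname strips userinfo, port and IPv6 brackets and lowercases the result.
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before '@' disguises the real host")
    if not host:
        findings.append("no host present")
        return {"host": host, "trusted": False, "findings": findings}

    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label present; check for homoglyphs")

    trusted = any(under_domain(host, d) for d in TRUSTED_DOMAINS)
    if not trusted:
        for d in TRUSTED_DOMAINS:
            # A trusted name appearing elsewhere in the host is the classic lookalike.
            if d in host or d.replace(".", "-") in host:
                findings.append(f"host mentions '{d}' but is not under it (lookalike)")
                break
        findings.append("host is not under any trusted domain")
    return {"host": host, "trusted": trusted, "findings": findings}


def triage(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its verdict; used by the demo below."""
    return {u: analyse_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print("OK      " if verdict["trusted"] else "SUSPECT ", url)
        for finding in verdict["findings"]:
            print("          -", finding)
```

Running the script prints one line per sample URL with its findings. The suffix match is deliberate: a substring test would accept ‘www.gov.uk.refund-claim.example’, which is exactly the trick the lure relies on, whereas the label-boundary check rejects it and explains why.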
The notorious Sandworm APT group have been blamed for a number of long-term cyber attacks against multiple businesses in industries across Europe. The data breaches date back to 2017 and include compromises of IT monitoring software. The group are behind the NotPetya malware, a.k.a. ‘the most destructive malware in history’, and have been known to cause damage through supply-chain attacks.
Documented research has linked the Sandworm team to a government-backed Russian APT group linked to separate attacks against Ukraine targets in 2015 and 2017, and the 2018 cyberattack on the Winter Olympics opening ceremony.
A recent hack on IT monitoring company Centreon targeted Linux servers running the CentOS operating system. Although the initial compromise method is unknown at the time of writing, it is thought that the attackers deployed two backdoors, and the tooling shares many similarities with the Sandworm group’s previous operations.
Known Sandworm-controlled servers have been found to be used as part of the command-and-control infrastructure for previous infiltrations of French and European companies.
To avoid succumbing to campaigns such as the ones the Sandworm group typically run, we recommend applying any issued patches or updates as soon as they are available for any software your business runs. This eliminates the risk posed by known vulnerabilities that threat groups exploit. Typically, once a vulnerability has been uncovered, the information is circulated via the Dark Web, giving other cyber criminals the opportunity to hack businesses that run the software. Developers will often quickly issue patches to solve the problems, but some companies do not have automatic updates set up or do not manually update their programmes on a regular basis – and as a result can be left exposed.