FOCUS ON:
RANSOMWARE
The Security Awareness Company (SAC)
Ransomware has changed everything. It wasn't all that long ago that a data breach meant the loss of personally identifiable information. Said information would be turned loose on the dark web and often sold to other cybercriminals.

While major data breaches still occur at record levels, the theft and resale of PII is no longer necessary for criminal hackers to make a profit. Instead, ransomware has made it possible for them to steal your data and sell it right back to you.

Ease of use and promises of lucrative paydays have made ransomware one of the fastest growing areas of cybercrime. Unlike other threats to information security, this one is supported by a sophisticated network of criminals and a strong business model that features customer service for victims.

With its popularity growing, ransomware has become the focus of information security professionals worldwide. In the following pages, we'll cover every aspect, from the origins of ransomware to the criminals behind it, with a focus on how to avoid becoming a victim.
CONTENTS

Case Study: The Original Ransomware - History does tend to repeat itself.
Malicious Macros - Macros: useful? Dangerous?
What is Ransomware? - Exactly what it sounds like.
Top 10 Ways to Avoid Phishing Scams - How to identify and avoid being phished.
Catching Malware - How to 'avoid' it and how to 'catch' it.
Case Study: My Mom Got Hacked - Ransomware is a business after all.
The Ransomware Business Model - How ransomware works.
The Lifecycle of Ransomware - Printable infographic.
What is the Dark Web? - The Dark Web may not be exactly what you perceive it to be.
Who are the Cybercriminals? - A short rundown of who the cybercriminals are...and are not.
Cybercrime Starts With You! - You are also the solution.
Case Study: Ransomware Red-Flags NASCAR Team - How NASCAR got hacked.
Mouse-Overs: A Case Study - Think before you click.
Smishing: Phishing Gone Mobile - Text message phishing, the new craze that is sweeping the nation.
Ransomware Case Study - Victim: The University of Calgary.
Types of Malware - Who knew there were so many?
Ransomware's rise to prominence over the last year has been fueled both by its success and by media attention. It has become the default method for cyber criminals to extort money from their victims using advanced encryption technology, and it is delivered, most often, by some form of social engineering.
But the original ransomware attack occurred long before computers were household items. Back in 1989, a company calling itself PC Cyborg mailed an estimated 20,000 floppy disks to addresses in 90 different countries. The disks were labeled "AIDS Information - Introductory Diskettes" and came with an installer for an interactive program that estimated a person's chances of contracting AIDS by asking them a series of questions. What recipients of the disk did not know is that once they installed the program, they also installed a Trojan, now known as the AIDS Trojan. After a set number of boots it hid directories and scrambled the file names on the hard drive, and demanded that a "licensing fee" of $189 be mailed to a PO Box in Panama before the computer could be used again.
Case Study: The Original Ransomware
The encryption method of the Trojan was quite weak and it didn't take long to crack. The Computer Incident Advisory Capability (CIAC) sent out a report on Dec 19, 1989 to alert people to the scam and to inform them that, if infected, they should not pay the fee, since recovery procedures had already been developed. (To read the full report: http://www.securityfocus.com/advisories/700)

The man behind the malware, Dr. Joseph L. Popp, was eventually arrested and charged. But the judge found him unfit to stand trial, allowing Dr. Popp to walk without any conviction. Popp also claimed that he planned to donate all profits to AIDS education and research. Perhaps his intentions were good, but Dr. Popp's Trojan would be further analyzed and its weaknesses corrected, ultimately setting the blueprint for what we now know as ransomware.
Sound Familiar?

History does have a tendency to repeat itself. And humans have a tendency to be curious. A study in which 297 flash drives were dropped on a large university campus revealed that nearly half of the drives that were found were plugged in. Now, imagine if those USB drives had been sent by mail in professional-looking packaging (and imagine if they contained ransomware). It's fair to estimate that an overwhelming majority would be plugged in and their contents accessed. In 1989, Dr. Popp convinced his targets to plug in his malicious disks through social engineering. Fast-forward to today, nearly 30 years later, and people are still plugging in devices from unknown sources.
What did we learn?

We learned that plugging in USB flash drives from unknown sources is a bad idea. We learned that social engineering has a track record of success and we need to stay alert at all times. We learned that the only thing that's changed in computer security over the years is the number of users and, therefore, the number of targets for cybercriminals.

As always, think before you click. If it sounds phishy, it is. Use common sense, and when in doubt, delete.
"See something? Say something! Incident reporting is all about timing!"
The Security Awareness Company (SAC)
© 2016 The Security Awareness Company, LLC.
Macros explained: Microsoft Office documents containing built-in macros can be dangerous. Macros are essentially bits of computer code, and historically they've been vehicles for malware. Luckily, modern versions of Office contain security features that will protect you from macros. Macros are still potentially dangerous. But, like a lion at the zoo, you'd have to go out of your way to be hurt by them. As long as you don't bypass the built-in security features, you shouldn't have to worry.
What is a macro? Microsoft Office documents (Word, Excel, PowerPoint and other types of documents) can contain embedded code written in a programming language known as Visual Basic for Applications (VBA). This allows you to automate repetitive tasks. Macros you've created yourself are fine and don't pose a security risk. However, malicious people could write VBA code to create macros that do harmful things. They could then embed these macros in Office documents and distribute them online.
Macro virus in action: As you might expect, malware authors took advantage of this capability to create malware. One of the most well-known examples is the Melissa virus from 1999. It was distributed as a Word document containing a macro virus. When opened, the macro would execute, gather the first 50 entries in the user's address book, and mail a copy of the macro-infected Word document to them via Microsoft Outlook.
How to Protect Yourself: To actually be infected, you would have to download a file containing a malicious macro and go out of your way to disable Office's built-in security features. As a result, macro viruses are now much less common. Here's all you need to do:

Only run macros from people or organizations you trust, and only when you have a good reason to do so.

Don't disable the built-in macro security features by clicking the "Enable Content" button that appears as part of the Security Warning.

Macros are like any other computer program and can be used for good or for bad. Organizations may use macros to do more powerful things with Office, or you may create macros to automate repetitive tasks on your own. But, like any other computer program, you should only run macros from sources you trust.
MALICIOUS MACROS
DO NOT CLICK "ENABLE CONTENT"
How you get infected: New threats include sophisticated social engineering and spear phishing attacks that convince users to enable macros and allow the malicious code to run. The sender tries to get you to open the Excel or Word attachment and then click "Enable Content".
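A mail gateway or help desk can apply the same rule mechanically before a document ever reaches a user. The script below is an added example, not code from the newsletter: modern Office files (.docx, .docm, .xlsm, .pptm) are zip containers in which Office stores the macro project as a member named vbaProject.bin and declares it in [Content_Types].xml, so the check is a zip listing. Legacy binary .doc/.xls files are OLE containers and need a real parser such as olevba from the oletools package; the script only recognises them and says so. The sample "documents" are minimal zip containers built inline for illustration, not real Office files.

```python
"""Flag Office attachments that carry a VBA macro project. Added example."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
VBA_PART = "vbaproject.bin"                              # compared case-insensitively
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(data):
    """Return zip member names that hold VBA code; [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The folder differs per application (word/, xl/, ppt/); match the basename.
            hits = [n for n in names if n.lower().rsplit("/", 1)[-1] == VBA_PART]
            # Second signal: the manifest may declare a project under another name.
            if not hits and "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml (declares a vbaProject part)")
            return hits
    except zipfile.BadZipFile:
        return []


def classify(data):
    """'ooxml-macro', 'ooxml-clean', 'legacy-ole' (hand to olevba) or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-macro" if find_macro_parts(data) else "ooxml-clean"
    return "not-office"


def extension_mismatch(filename, data):
    """True when the name promises a macro-free file but the container carries
    a VBA project. Corruption or deception; either way, quarantine it."""
    return filename.lower().endswith((".docx", ".xlsx", ".pptx")) and bool(find_macro_parts(data))


# Constructed samples: minimal zip containers standing in for real Office files.
def _build(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_DOCX = _build({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType='
                           b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})

MACRO_DOCM = _build({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" ContentType='
                           b'"application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for the OLE-packaged VBA project",
})

if __name__ == "__main__":
    samples = [("invoice.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
               ("invoice.docx", MACRO_DOCM), ("invoice.doc", OLE_MAGIC + b"\0" * 504)]
    for name, blob in samples:
        print(f"{name}: {classify(blob)}, extension mismatch={extension_mismatch(name, blob)}")
```

Run this on an attachment at the gateway and a result of ooxml-macro or an extension mismatch means the message should be held for review rather than delivered with a warning the recipient can click through.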
How Ransomware Works: Once a cyber criminal's target is established, social engineering campaigns are carried out to bypass the security of an organization or individual. This is most often done with phishing emails that contain malicious links or documents. Once clicked or downloaded, the malware installs itself on the victim's computer. Before encrypting, the malware typically contacts a server maintained by the criminals and obtains a public key; the matching private key never leaves that server. Files are then encrypted with keys generated on the victim's machine, and each of those keys is in turn encrypted with the criminals' public key, so nothing left on the victim's computer can undo the damage.

With this sort of "handshake" in place, the malware encrypts files and changes their extensions, effectively rendering them useless to the owner. The victim, realizing that they now have no control over their systems and are denied service, has two choices: pay the requested ransom, most often in bitcoin, to obtain the decryption key from the criminals, or restore their systems from data backups. Backups only help if the malware could not reach them: a backup drive that was connected during the infection is usually encrypted along with everything else, so keep at least one copy offline or versioned.
Bitcoin is a digital asset and a payment system invented by Satoshi Nakamoto.
Why Ransomware Works: The really simple answer to why ransomware works is that humans generally value possessions over money, especially when those possessions are irreplaceable. To that end, the data stored on our hard drives, whether it's precious family photos and the novel you've been working on for five years, or the PII of thousands of clients from an organization's standpoint, holds top value.

The more complicated answer comes down to psychology. Ransomware is a scare tactic that criminals use to frighten their victims. The fear of losing data notwithstanding, humans are also afraid of looking foolish, afraid of admitting mistakes and afraid of being punished. So they'll gladly pay the ransom in hopes of making the entire situation go away.

Its success is also driven by its simplicity. Beginners can purchase the malware on the dark web for cheap, and it's fairly simple to use once they have it. Furthermore, unlike previous data breaches, attackers have a built-in customer. Rather than selling the stolen data to other criminals on the dark web, they can just sell it right back to the victims they robbed.
Ransomware is exactly what it sounds like: a form of malware that holds you, your computer and your data hostage for a ransom. It hides in fraudulent email attachments and bogus links; when clicked or downloaded, they unleash a Trojan which encrypts your data, effectively locking you out of your computer. In short, it's a phishing scam built as scareware that criminals use to con victims out of their money by kidnapping data.

As you can imagine, large companies have been the top target. The more data there is to kidnap, the bigger the payday. Recent attacks have seen major corporations forced into forking over tens of thousands of dollars. But the monetary loss is often dwarfed by the damage sustained while data is inaccessible. Take a hospital, for example: in a scenario where employees and managers suddenly lose access to medical records and the software they rely on to care for patients, money is not the only thing at stake. Ransomware can lead to a life-or-death situation. Ransom fees aside, the cost of downtime is devastating for any size company, in any line of work.
A Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.

Personally Identifiable Information is any data that could potentially identify a specific individual.
Top 10 Ways to Avoid Phishing Scams

1. Stop clicking so fast. Read each message as it comes in, and think before you click.
2. Mouse-over links to see what really lies beneath the URL.
3. If you receive an email asking you to log in to your account, don't log in through the email. Open a new browser tab, type in the URL and log in to your account through the website.
4. Verify the email address and company logos. Scammers can change a single letter in an email address or slightly change the color of a logo to make them look quite similar and hard to detect.
5. Beware of poor spelling and grammar. They are big red flags that an email is probably a phishing attack.
6. If an email says you have a date with your favorite movie star or that some uncle you've never heard of wants to send you money, it is probably a phishing attack.
7. If you have agreed to sell an item through an online marketplace, and someone offers to pay more than what the item is worth, it is a scam.
8. There are new phishing scams being sent every day, and they are getting more refined. Read security blogs and stay in the know about the latest risks, threats and ways to protect yourself through common sense and security awareness. (One fun and informative blog that you can check out is blog.thesecurityawarenesscompany.com)
9. Notify companies such as Amazon, PayPal or your bank if you receive a phishing email masquerading as a real message from them.
10. Phishing emails often come with malware attached. Scan incoming emails with anti-virus and anti-malware software.
Catching Malware

So how can you catch malware? Oh, let us count the ways.

Verb: catch; contract (an illness) through infection or contagion

In English, the word "catch" has several meanings, but when talking about malware we will stick with two of them. The first is like catching a cold or getting infected, and so it is with all types of computers and mobile devices. Even connected cars have been shown to be hackable, with potentially deadly results.

Almost no matter where you go on the internet, you will sooner or later be targeted with malware. This is not because you are you, but because you are one of hundreds of millions of people who are mass-spammed in the hope that a few will catch, or get infected by, the malware.

In many cases, once you have caught the malware, your machine becomes a distributor of even more malware, attempting to catch other people. You have now become part of a botnet, a collection of millions of personal devices that are owned and operated by criminal groups around the world.

If it sounds scary, it is. You really want to do everything you can to avoid catching any malware under THIS definition. Bad habits that get you infected:

Clicking without thinking.
Accepting invitations to "events" or to be "friends" with people you don't know in real life.
Responding to ads that say your computer is infected.
Believing you won the Irish lottery or that a great aunt from Ethiopia left you a fortune.
Accepting IM attachments from strangers.
Not using antivirus and malware detection software.
Not using a personal firewall. (Configure firewalls yourself only on personal devices. Never add, edit or delete security controls on business equipment.)
Downloading apps and games with poor reputations.
Visiting websites your browser says are questionable.
Leaving JavaScript enabled for every site by default (except where work requires it).
Not patching and updating software.
Giving out personal details to websites you don't know.
Clicking on email attachments from unknown people.
Using Adobe Reader/Acrobat with default settings.

Now, for the second meaning of 'catch'...

Verb: catch; engage a person's interest, to perceive, notice, observe, discern, detect

With this second definition of catching malware, we combine technology and common sense. And here is when we DO want to catch the malware.

First, let's talk about the technology. No malware detection software is perfect, and the bad guys are always coming up with new ways to sneak past the scanning software. But, if used properly, detection software can make your life better.

For your Windows or Apple computers at home, consider pairing one real-time anti-malware product with an on-demand "second opinion" scanner, since two real-time scanners usually conflict with each other. Many folks only use free anti-virus and spyware detection software. Whichever approach you take, be sure to scan your machine and all storage devices (like backup drives) regularly. Scan all incoming and outgoing email for infections. Update the software as recommended by the vendor.

With increasingly hostile attacks toward Android and iOS, a similar detection-based approach is suggested for mobile devices. Products come and go, so it's up to you to search for the best mobile security or anti-virus apps. Search through reviews and ask tech-savvy friends. The better software offers privacy settings, blacklisting, app scanning and a host of other valuable security features.

Now, what if some super-smart new malware (like a zero-day or a previously unknown attack) gets past the technology? Then it's up to you, the human firewall, to stay alert and on the defense. On any device, phishing awareness is ultimately the final barrier to getting infected. Stay alert, use common sense, and, when in doubt, don't click but ask! (As usual, never make changes to any security settings, or install or remove any software, without permission at work. Make sure you know and follow policy.)

Your human detection skills should apply common sense. Always ask yourself a few key questions:

Do I know the person who sent me this file/link/invite?
Do I really want to take a chance on getting infected?
What makes the most sense?
Should I click before I think?
Should I contact this person to verify the authenticity?
What does company policy say?
Does the email/invite look "odd" or "suspicious" in any way?
The Ransomware Business Model

At its core, when you look past the hacks and malicious intentions, ransomware is a business developed around customer service. If we think about it in terms of e-commerce, we get a better idea of why it has been so successful. It begins with the creators of the malware. Once the Trojan has been developed, its creators will often sell it to other cybercriminals and take a small percentage of the profits. The cyber criminals that target victims (or in e-commerce terms, customers) have an obligation to provide customer service, which includes technical support. Failure to do so puts their reputation at risk and may prevent them from working with other ransomware developers.

Keep in mind that not a lot of people know much about Bitcoin, or even how to purchase or use it in any manner. So when Grandma gets hit with ransomware, it's important that she receives detailed instructions on how to make the payment. It's also important for the cyber criminals to make things as easy as possible. This is really Business 101. Ease of use, customer service and customer satisfaction all play major roles in the success of ransomware.

Ease of Use – the customer receives detailed instructions on how to make a payment and get their data back. Like all businesses, especially those that are internet-based, convenience is key.

Customer Service – even with detailed instructions, criminals have to be prepared to deal with non-tech-savvy customers. After all, that is the ransomware market: people who are easy to phish. Therefore, customer service is of the utmost importance. One strain of ransomware went as far as to offer live support via chat.

Customer Satisfaction – like every business, satisfaction is an absolute must for repeat business. If a victim pays the ransom (akin to buying goods and services), the seller (our cybercriminal) has an obligation to fulfill his end of the bargain.

If word gets out that decryption keys are being withheld even after payment, future victims will be much less likely to make the payment. In the case of Simone, her mom ran into an issue and couldn't process the payment on time. The criminals could have said tough luck and demanded the increased payment; instead they did what any good business would do and forgave the mishap. The ransomware economy would collapse if customer satisfaction wasn't met.
Case Study: My Mom Got Hacked

This tale from journalist Alina Simone (published in the New York Times under the same title) explains how her mom got hit with ransomware.

The long and short of it is this: a woman in Massachusetts receives a ransomware message that she has seven days to pay the $500 fee. After seven days, the price doubles and eventually all of her files will be destroyed.

How she got infected with ransomware wasn't disclosed. But it's fair to assume she was phished or clicked a bogus advertisement on a compromised website.

She agreed to pay the fee, but due to the ever-changing Bitcoin rates, she came up about $25 short and missed the seven-day deadline, causing the price to double. Interestingly enough, the woman pleaded with the criminals, explaining how a snow storm prevented her from getting to a Bitcoin ATM and that she had every intention of paying the initial $500 fee. The criminals responded by sending the decryption key.

This story really illuminates two things. First, ransomware can happen to anyone. Cybercriminals aren't just targeting major enterprises or large businesses. Attackers aren't biased. Second, ransomware, as Simone noted, is really e-commerce more than anything.
The Lifecycle of Ransomware

Inception: A team of cyber criminals creates malware that, when run, crawls the infected computer and encrypts files so that only the criminals can decrypt them. They then either research targets and plan out attacks, or sell the malware on the dark web to other cyber criminals.

Infection: Once a target is established, social engineering campaigns are carried out to bypass the security of an organization or individual. This is most often done with phishing emails that contain malicious links or documents. Once clicked or downloaded, the malware installs itself on the victim's computer.

Encryption: Before encrypting, the malware typically contacts a server maintained by the criminals and obtains a public key; the matching private key never leaves that server. Files are encrypted with keys generated on the victim's machine, and each of those keys is in turn encrypted with the criminals' public key. With this sort of "handshake" in place, the malware encrypts files and changes their extensions, effectively rendering them useless to the owner, and nothing left on the victim's computer can reverse it.

Extortion: The victim, realizing that they now have no control over their systems and are denied service, has two choices: pay the requested ransom, most often in bitcoin, to obtain the decryption key from the criminals, or attempt to restore their systems from data backups.

Extraction: When the ransom is paid, the criminals usually release the decryption key and allow the organization to return to an online status. In some cases, the criminals may refuse and attempt to extort more money. There is never a guarantee of cooperation.
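The Encryption stage above, and the "handshake" described in How Ransomware Works, come down to one piece of key management: the victim's machine only ever holds the public half of the criminals' key pair. The model below is an added example, not the newsletter's code and not any real ransomware family; it exists to show why "just decrypt it yourself" is not an option and why the conversation ends up at backups or payment. The parameters are toys chosen so it runs in plain Python with no third-party packages: a 92-bit RSA modulus built from two Mersenne primes stands in for a 2048-bit key with proper padding, and an HMAC-SHA256 keystream stands in for AES. Everything stays in memory; the sample document is constructed inline.

```python
"""Scaled-down model of the ransomware key handshake. Added example, toy parameters."""
import hashlib
import hmac
import os

# Operator side, generated once per campaign. Only (N, E) is ever sent to a
# victim; D stays on the criminals' server.
P, Q = (1 << 31) - 1, (1 << 61) - 1          # Mersenne primes (toy size)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))             # Python 3.8+ modular inverse
KEY_BYTES = 8                                 # per-file key size in this toy (must be < N)


def wrap_key(file_key, n=N, e=E):
    """Victim side: seal a per-file key under the operator's public key."""
    k = int.from_bytes(file_key, "big")
    if not 1 < k < n:
        raise ValueError("file key must be smaller than the modulus in this toy")
    return pow(k, e, n)


def unwrap_key(wrapped, d=D, n=N):
    """Operator side: recover the per-file key. Needs D, which the victim never had."""
    return pow(wrapped, d, n).to_bytes(KEY_BYTES, "big")


def keystream_xor(key, data):
    """Toy CTR-mode stream cipher: keystream block i is HMAC-SHA256(key, i).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext, file_key=None):
    """What the malware leaves behind for one file: ciphertext plus the wrapped
    key. The plaintext key is generated locally, used once, and discarded."""
    file_key = file_key or os.urandom(KEY_BYTES)
    blob = {"data": keystream_xor(file_key, plaintext), "wrapped_key": wrap_key(file_key)}
    del file_key                               # nothing usable remains on the victim side
    return blob


def recover_file(blob, d=D):
    """Operator-side decryptor: what the victim is buying with the ransom."""
    return keystream_xor(unwrap_key(blob["wrapped_key"], d), blob["data"])


def victim_can_recover(blob):
    """The victim holds only (N, E). Applying E again is the only operation
    available to them and yields garbage, not the file key."""
    guess = pow(blob["wrapped_key"], E, N).to_bytes(KEY_BYTES * 2, "big")[-KEY_BYTES:]
    return keystream_xor(guess, blob["data"])


if __name__ == "__main__":
    doc = b"Q3 patient roster, do not distribute " * 3      # constructed sample file
    blob = encrypt_file(doc)
    print("on disk:", blob["data"][:16].hex(), "...")
    print("server recovers:", recover_file(blob) == doc)
    print("victim alone recovers:", victim_can_recover(blob) == doc)
```

The point for defenders is structural: the public key can be embedded in the malware, so blocking the command-and-control server does not reliably prevent encryption, and a memory image taken after the per-file key is discarded contains nothing the decryptor needs. Detection has to happen before or during encryption, and recovery has to come from a copy the malware could not reach.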
What is the Dark Web?

You may have read or heard about the infamous Dark Web. The general perception of the Dark Web assumes it is rife with criminal activity, a place to buy drugs and stolen credentials or hire hitmen, the digital version of the black market. While some of that is unfortunately true, the Dark Web isn't all illicit activity and scary cybercriminals. It has other purposes, like providing private chat rooms for victims of rape or abuse, and giving journalists a place to communicate with whistleblowers with far less risk of being monitored by governments.

An important distinction to make is the difference between the Dark Web and the Deep Web. The two are incorrectly interchanged in publications, with most tabloids opting to use the former for its shock value. The Deep Web is everything on the web that search engines do not index, usually because it sits behind a login or is generated on request. If you visit someone's blog, the page where they write and publish new posts is part of the Deep Web. If you've ever worked with a content management system (CMS), you have accessed the Deep Web. Medical records, scientific data and subscription content are all part of the Deep Web.

The Dark Web is a part of the Deep Web (a very small part of it). It cannot be reached with a standard browser or search engine and instead requires specific software. Sites on the Dark Web hide where they are hosted, which makes them hard to trace, and visitors' IP addresses are hidden from the sites they visit, which makes their browsing far harder to track. Harder, not impossible: the software hides your network location, not your identity if you log in as yourself or leak it through your browser. This is accomplished, most often, with Tor, free software designed to keep you private in a world where our personal data is for sale.

"Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location."

To read more about the specifics of Tor and to download the software for your own use, visit Torproject.org.
THIS IS A HACKER: In the 1996 movie Independence Day, when the world is attacked by aliens, David Levinson (Jeff Goldblum) successfully breaches the aliens' network by reading satellite transmissions of their communications. His brilliant idea to stop the aliens from eradicating Earth is to attack their network by "giving it a cold", a computer virus that would disable their shields. Levinson and Capt. Steven Hiller (Will Smith) socially engineer their way into the mothership by disguising themselves as aliens and flying an alien aircraft up to the ship. Essentially, this is the movie version of a spoofing attack: they are let in because they look like something trusted. Levinson uploads his virus to the mothership, which ultimately disables the force fields of all the alien ships (denial of service).

In short, a hacker saved the world.
Script Kiddies: Younger, less-informed cyber threats who generally attempt to misbehave by using malware purchased from the internet underground. They do not always understand the consequences of their actions.

Malware Authors: In a way, malware authors are the brains behind much of cyber crime. They handcraft malicious code and means of delivery, and often offer their services to lesser-skilled criminal hackers in exchange for a fee or a percentage of profits.

Hacktivists: Not always conventional criminals, these hackers are part of the "hacktivism" movement, which uses hacking to further political agendas such as human rights or freedom of speech and information.

Cyber Terrorists: Many experts expect future conflicts to open with cyberwarfare techniques. Examples like the alleged Russian DDoS attacks against Ukraine and Latvia are often just the first steps. (Read more here: http://ubm.io/2bj6Dtp) Defending critical infrastructure has become a national mandate across the globe.

Scammers & Phishers: These are the criminals that reach into your inbox promising large sums of cash in return for a small, upfront payment (an advance-fee or 419 scam), or spoofing a service (such as a bank or credit card company) to get you to click on a malicious link or attachment.

Insider Threats: Insider threats include current or former employees who compromise sensitive information, whether intentionally, by accident or through negligence. Insiders can work alone or with outsiders, but the motive is generally personal gain. Aware individuals are less likely to trigger an unintentional security event or breach.
Hackers are people too!

If you merely scan the headlines from popular news cycles, you might be led to believe a false narrative about hackers. In truth, a hacker is simply someone with an advanced understanding of computers and networks. Unfortunately, that word has been used irresponsibly by the media for decades, resulting in a negative image which unfairly lumps the bad guys in with the good guys. To be clear, not all hackers are criminals; only criminal hackers are criminals.

Want to learn more about the hacker community? Check out these two documentaries: Hackers Are People Too and DEFCON: The Documentary!
THIS IS NOT A HACKER: From 2005 to 2007, a man by the name of Albert Gonzalez carried out one of the largest card frauds in history, stealing and reselling some 170 million credit and debit card numbers. Gonzalez and his crew targeted the payment systems and networks of major corporations such as T.J. Maxx and Barnes & Noble, among many others. Gonzalez was eventually arrested and is currently serving a 20-year prison sentence.

Gonzalez is not a hacker. He's a criminal. Even though he used hacking techniques, and obviously has advanced computer know-how, as soon as he used his skills to break the law and harm his fellow citizens, he became a criminal.
Cyber Crime Starts With You!

2017 will likely be worse for personal, professional and mobile security than any previous year. There are certainly no hints that the bad guys (including small-time criminals, organized cyber-gangs, nation-states engaged in state-sponsored espionage, and cyber-terrorists) are going to give up on the most successful tool in their arsenal: phishing.

According to a study by Trend Micro, 91% of APT (Advanced Persistent Threat) attacks start with a spear phishing email. The tremendous amount of spam, sales pitches and fraudulent email must be separated from legitimate business and personal email.

We all have spam filters and anti-virus software installed, but sitting at the end of all this technology is the most important line of defense: YOU. You are the ultimate arbiter. You sit there, deciding whether to click or not, deciding which emails to delete. You have to make an intelligent decision about every email that reaches your inbox, at home, at work or on your mobile devices. You have to decide if the email is safe, if it comes from friend or foe, if it's hostile, and if it's really from your boss, a family member, or a criminal halfway around the world.

The majority of phishing emails that actually bypass technical defenses and controls can still be detected and deleted by a person with just a small dose of security awareness. This is where common sense comes in. You must stay alert and aware. It's important to resist the temptation to click too quickly. We all must learn how to read between the lines in an email.

Here's a sample of what you can expect to see and what you should know how to defend against.

DO NOT PANIC! Ask yourself a couple of questions before clicking. Do you actually have a Starbucks account? (Or do you have a Starbucks "mag stripe" card that you load up from time to time? That is the same as cash, and anonymous!) Have you even visited Starbucks recently? Did you ever spend $132 at a Starbucks? Is there any errant charge on a credit card to Starbucks? The answers are probably "No." Remember to think before clicking on anything. Our advice? Delete, delete, delete!

Once again, if you receive a message like the one on the right, think before you click anything! First of all, did you actually make a payment using PayPal recently? If you did, log in to PayPal directly and check your account that way. You can also contact the company yourself. Second, this email looks a little "phishy" anyway, don't you think? Why would the email come from a "paypal-billing.com" domain instead of "paypal.com," and why would it use a low-res, skewed version of the logo? Shouldn't it have used the name on your account instead of addressing you as a generic "PayPal Member"? The grammar is also off, and the last paragraph is an attempt to scare you into clicking the links (which are definitely phishing links). DELETE!
Mouse-Overs: A Case Study
Millions of businesses rely on shipping services every single day. So, perhaps receiving an email like the one below would not be too much of a surprise. After all, everyone has probably used UPS at one point or another. And the example looks like it’s from UPS, doesn’t it?
It’s got their logo, colors, and their web address. Plus, the number looks legit. So, it couldn’t hurt to click it and find out, right? Not if you’re being security aware! Before clicking, perform a quick mouse-over.
By hovering (not clicking!) your mouse’s cursor over a hot link (a URL or email address, for example), the real, underlying URL is revealed. Taking a few seconds for a Mouse-Over is a superb method to detect phishing attacks.
But look at what the mouse-over reveals here. The “content/GB/EN/” followed by that strange combination of letters in the URL should be a clue that something is odd, especially if you are not even located in Great Britain (GB).
Then, if we mouse over the tracking number link, we see “wwwapps.ups.com” in the URL, again followed by a strange series of numbers and letters. Suspicious, don’t you think?
Finally, take a look at the attachment. “Details.zip” is innocuous sounding enough, but think about the naming conventions of real business documents. Wouldn’t something like “CompanyName_UPSShipping_042015.pdf” be a more useful name? (And generally, services such as UPS won’t send you ANY sort of attachments that you aren’t aware you’ll be receiving first.)
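The mouse-over check above is something a mail gateway or a help-desk triage script can do automatically: pull every link out of the HTML body, compare the address the link displays with the address it actually points to, and flag the same tells a person would notice (a brand name buried in some other domain, as in the “paypal-billing.com” example earlier, or a raw IP address serving a file). The following is an added example written for this newsletter, not code from The Security Awareness Company; the sample email, the brand list, and the “last two labels” rule for the registrable domain are all constructed assumptions (a production tool would use a public-suffix list instead of that rule).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the checker knows about (assumption for the demo; extend to taste)
WATCHED_BRANDS = ("paypal", "ups")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # Wrong for suffixes like co.uk; real code should consult a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, text: str, brands=WATCHED_BRANDS):
    """Return the list of reasons this link looks like a mouse-over red flag (empty = nothing found)."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if not host:
        return reasons
    if IPV4_RE.fullmatch(host):
        reasons.append("destination is a raw IP address")
    shown_url = URL_RE.search(text)
    if shown_url:
        shown_host = urlsplit(shown_url.group(0)).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"text shows {shown_host} but the link goes to {host}")
    tokens = re.split(r"[.-]", host.lower())
    owner = registrable_domain(host).split(".")[0]
    for brand in brands:
        # Brand appears somewhere in the host, but the domain is not actually owned by that brand
        if brand in tokens and owner != brand:
            reasons.append(f"'{brand}' appears in {host} but the registrable domain is {registrable_domain(host)}")
    return reasons


def analyze_email_html(body: str, brands=WATCHED_BRANDS):
    """Return [(href, visible text, reasons)] for every link that raised at least one flag."""
    collector = _LinkCollector()
    collector.feed(body)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text, brands)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample email body modelled on the PayPal and UPS examples in this newsletter
SAMPLE_EMAIL = """
<p>Dear PayPal Member,</p>
<p>Review your payment at <a href="http://paypal-billing.com/secure/login">https://www.paypal.com/myaccount</a>.</p>
<p><a href="https://www.ups.com/track">Track your UPS package</a></p>
<p><a href="http://192.0.2.10/Details.zip">Download Details.zip</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyze_email_html(SAMPLE_EMAIL):
        print(f"{href!r} (shown as {text!r}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The legitimate UPS link is left alone, the PayPal-branded link is flagged twice (displayed address versus real address, and the brand sitting in a domain the brand does not own), and the bare-IP download is flagged once. The same function works on a saved .eml body or on the HTML a web mail client renders.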
The better action would be to access your UPS account directly if you have one. If you are not satisfied with what you see there, contact the company directly.
When you adopt a security aware attitude, phishing emails like this lose their power. In fact, they seem a little silly! But not to the bad guys who send millions of these every day. Despite the fact that these types of emails are often not even personalized or as specifically tailored as a spear phishing attack, phishing remains the most successful attack. It relies upon laziness, curiosity, and a complete lack of awareness on the part of the recipient.
Many websites (including the IRS, UPS, PayPal, etc.) now have sections showcasing fake email examples to help you recognize when they’re legitimately communicating with you, and instructions about what to do if you think you’ve received a spoofed email.
UPS: http://bit.ly/1jNNGfH
PayPal: http://bit.ly/1ErWLHT
Etsy: http://etsy.me/1DlyB1T
Amazon: http://amzn.to/1zy6uu9
IRS: http://1.usa.gov/1gI0yUS
Mouse-Overs: More Examples from Real-Life Emails
FAST FACTS
60.6% of attacks are motivated by CYBER CRIME
27.7% of attacks are motivated by HACKTIVISM
7.4% of attacks are motivated by ESPIONAGE
4.3% of attacks are motivated by CYBER WARFARE
5 out of 6 large companies were targeted with spear phishing campaigns
Smishing: Phishing Gone Mobile
By now, we’ve all had our share of phishing scams show up in our inbox. They’re typically easy to spot due to poor grammar or absurd, urgent requests. But scammers aren’t just targeting your computers; they’re after your mobile devices, too. Smishing is phishing via text messages, or SMS (hence the term “smishing”). Often, scammers send a text to your phone disguised to be from your bank or other financial institution. It might warn that your account has been suspended and immediate action is required, accompanied by a (malicious!) link. In more sophisticated scenarios, the text message may ask you to call a phone number, which will connect you to a live person who pretends to be someone from your bank, requiring your personal information to verify your account. Regardless of the scenario, the core of the scam is based on the same principle as phishing: social engineering. Smishing works because the fraudster attempts to hack the human and not the device. Remember, being security aware isn’t a technical skill. YOU are the best defense against scammers.
How to avoid becoming a victim of Smishing
You might think this could never happen to you. There’s no way you’d fall victim to a text message scam! But we urge you to not be overly confident. These scams are becoming more and more sophisticated, to the point of impersonating major banks to near perfection. Here are 5 ways to avoid becoming a victim:
1. If you get a text from your bank, delete it. Banks don’t send text messages unless you personally set up Text Banking, and even then you generally have to initiate the texting conversation with specific commands to receive specific information, and they won’t include any links.
2. Never call an unknown phone number, regardless of the message. If you receive a request to call a certain business, look up the customer service contact information of said business and call that number to verify.
3. Look out for urgency. Like with phishing emails, smishing attempts will often include words like “urgent” or “immediate” or “verify.” These are clear signs that a con is at play.
4. Never click on miscellaneous links. Unlike a computer where you can easily hover over a link to determine its legitimacy, it’s much more difficult to do so on a mobile device. A quick click is a quick way to get infected with malware!
5. When in doubt, delete. Don’t respond to random messages containing unknown phone numbers or URLs. If you’re not sure, just delete the message!
A REAL WORLD SMISHING EXAMPLE
Earlier this year, a man in Sheffield, England was conned out of nearly £23,000/$33,730 when he received a text message that appeared to come from his bank. The message warned him of potentially fraudulent activity on his account and advised him to call the listed phone number. The man obliged, called the number, talked to the fraudsters and ultimately was robbed of his life savings after they were able to extract his banking information from him. Read the entire story here: http://bit.ly/1nVNfGT.
2015 STATS
Around 1/3 of all SMS spam includes smishing attempts.
33.61% of global phishing scams caused infection.
Source: http://www.business2community.com/infographics/protecting-company-spear-phishing-infographic-01543662#79kuWWsLUxvwykkU.97
Ransomware Case Study
Dear Security Guru, I’m so afraid of getting ransomware. What can I do to protect myself? – Concerned in Copenhagen
You’re not alone. It seems like an incident or new strain of ransomware is reported every day. Criminals behind these attacks are getting craftier with social engineering, too, making them harder to identify. These “best practice” steps make protecting yourself fairly simple. As always, follow policy when handling work-related data and devices.
Don’t automatically click on links or attachments in emails without thinking, even if the email appears to come from someone you know. Phishing is the number one way criminals carry out their attacks.
Utilize the 3-2-1 Backup Strategy: On personal equipment, 1 is your primary device, 2 is your local backup, and 3 is off site (such as the cloud). Criminals lose their leverage if you have a way of retrieving your data without their decryption key. At work, always follow policy.
Trust but verify. Believe it or not, ransomware is coming to a smartphone near you. Google the reputation of any app before downloading and installing.
Stay up-to-date and informed. Not only should you make sure your computers, including mobile devices, are on the latest versions of software and firmware, you should also keep an eye on the news. Familiarize yourself with the latest threats and attacks.
Follow policy. Know how and when to respond to suspicious activity at work. If you’re not sure, ask!
VICTIM: University of Calgary
ATTACKER’S ANGLE: UCalgary was a target due to their status as a “world-class research facility.” The seizure of staff and faculty email and lockdown of university-issued computers prevented access to valuable data.
RESPONSE: University IT was able to isolate the attack and restore affected portions of their network. Cybersecurity experts and the Calgary Police Service were brought in as part of the investigation.
RESULTS: Despite the efforts of their IT team, the university determined their best course of action was to pay the ransom and begin the process of decryption.
RANSOM PAID: $20,000 CDN/$15,500 USD
Macros
Macros are programs that are embedded in documents to perform specific tasks. Macros aren’t inherently bad, and can be quite useful for doing repetitive tasks within applications like Word or Excel. But someone with nefarious intent (like a criminal hacker) can create a malicious macro to do any number of things: embed itself into other documents, install software without the user’s consent, and email itself to all your contacts.
Macro security has improved significantly over the years. For example, Microsoft created a new naming system in 2007 to help identify files with or without macros: any file that has the extension .docx is a regular file, and a file that contains the extension .docm has embedded macros. (Read more here: http://abt.cm/2bb9cRd) But even that isn’t foolproof! Follow these steps to help avoid malicious macros:
1. NEVER download an attachment from an UNKNOWN sender.
2. VERIFY AND SCAN with anti-virus software before you download an attachment from a KNOWN sender.
3. DO NOT ENABLE macros unless you are 100% positive they are legitimate and safe.
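The .docx/.docm naming convention is a label on the outside of the file; the reliable signal is what is inside. Office Open XML files are zip containers, and a macro-enabled document carries a vbaProject.bin part plus a matching entry in its [Content_Types].xml manifest. The checker below, an added example written for this newsletter rather than code from The Security Awareness Company, looks for those parts directly so a scanning step (item 2 above) does not have to trust the extension. The sample containers it builds are constructed stand-ins for real Word files, and the classification strings are this example’s own; legacy binary .doc/.xls files are not zips, so this check does not cover them and reports them as “no VBA project found” rather than as clean.

```python
import io
import zipfile

# Content type Word writes for the VBA project part of a macro-enabled file
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}
MACRO_ENABLED_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def office_file_has_vba(data: bytes) -> bool:
    """Return True if an Office Open XML container holds a VBA project.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the zip directory, and the VBA content type in [Content_Types].xml. Either
    one is enough to treat the file as macro-carrying.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not a zip: a legacy OLE2 .doc/.xls or something else entirely.
        # This check cannot see inside those, so "False" here means unknown, not clean.
        return False
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Describe what the container actually holds versus what its name promises."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    has_vba = office_file_has_vba(data)
    if has_vba and ext in MACRO_FREE_EXTENSIONS:
        return "mismatch: macro-free extension but a VBA project is inside"
    if has_vba:
        return "macro-enabled: VBA project present"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "macro-enabled extension but no VBA project found"
    return "no VBA project found"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType='
                     '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_vba:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            # Placeholder bytes standing in for the VBA storage; constructed, not macro code
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("report.docx", build_sample(False)),
               ("invoice.docm", build_sample(True)),
               ("renamed.docx", build_sample(True)))
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```

To run it on a real attachment, read the file’s bytes and pass them with its name to `classify_attachment`; a result that starts with “mismatch” or “macro-enabled” is the cue to stop and apply step 3 above.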
Types of Malware
ADWARE
Adware is the least dangerous and most lucrative form of malware. It merely displays ads on your screen.
PUPS
PUPs (Potentially Unwanted Programs) are generally not harmful, but are still software you don’t need or want. PUPs can eat up your system resources and turn a perfectly good computer into a snail.
SPYWARE
Spyware is software that can track your internet activities and send adware back to your system. Worse, RATs (Remote Administration Tools) can turn on your camera and microphone – without your knowledge.
VIRUSES
A virus is a self-reproducing piece of software. It might be harmful, it might not; it depends upon its payload. However, they are no longer the malware of choice for smart criminals.
WORMS
A worm is a program that replicates itself. Some destroy data and files in their path while others just clog computer resources.
TROJANS & BACKDOORS
A Trojan Horse is a piece of software that is secretly installed on your computer or mobile device. It can be programmed to do anything the designer chooses.
Backdoors – a specific kind of Trojan or Worm – open a digital “backdoor,” providing unauthorized access to a network.
KEYLOGGERS
Keyloggers record and transmit everything typed in order to steal login credentials and other sensitive info. (Keep in mind: one legitimate use of a keylogger is parental control software!)
BROWSER HIJACKERS
A Browser Hijacker resets your browser settings without your knowledge. This is especially dangerous when banking or shopping online. These sites can look harmless, but in almost every case infectious malware lies in wait.
SCAREWARE
Rogue security software, sometimes called Scareware, pretends to be a good program that will remove all your malware infections, but it is actually the malware itself! Often, it will even turn off your real anti-malware software so that it can function undetected.
FAKE SOFTWARE
Malware can be disguised as “Hi-Quality-but-Inexpensive” software, made to look so enticing you have to try it. It can be found on legit and beautifully designed sites as well as on social media...virtually anywhere! Be cautious!
Symantec’s researchers suggest that almost 1 billion different types of malicious software are roaming around the internet. In some countries, more than 50% of all computers are infected with malware. The bottom line? The exact numbers don’t matter, because there is too much out there to count!