Archives for February 2017
Kaspersky: Banking malware attacks up 30.6% in 2016; finance sector phishing also more prevalent
Given the latest reports by both Kaspersky and the Anti-Phishing Working Group it is imperative that corporations ensure that their end users are trained in spotting a phishing attempt.
SC Magazine – February 23, 2017
The number of cyberattacks targeting financial institutions and their customers soared to new heights in 2016, according to Kaspersky Lab, which observed nearly 1.09 million banking trojan attacks on users in 2016 – a roughly 30.6 percent jump over the previous year.
Meanwhile, of the nearly 155 million phishing attacks detected on Windows machines by Kaspersky in 2016, about 47.5 percent impersonated banks, payment service providers (e.g. PayPal and Visa) or e-shops (e.g. Amazon and eBay), compared to roughly 34.3 percent in 2015. “At the moment this is the highest percentage of financial phishing ever registered by Kaspersky Lab,” the company noted in its “Financial Cyberthreats in 2016” report, issued Wednesday.
In another first, Kaspersky found that phishing pages impersonated legitimate banking services more often than any other online service offering, including global web portals and social networks. Phishers imitated banking sites about 25.8 percent of the time, compared to approximately 17.4 percent of the time in 2015. Phishing attacks in 2016 that imitated e-shops and payment services also surpassed their respective 2015 shares.
Amazon was the most commonly impersonated brand in Windows-based financial phishing scams, while Apple was the most frequently mimicked brand in Mac-based scams.
The findings complemented a separate, fourth-quarter Phishing Activity Trends Report published Thursday by the Anti-Phishing Working Group (APWG), which identified more phishing attacks in 2016 than in any year since it began monitoring the practice in 2004. The APWG observed a 65 percent increase in phishing incidents in 2016, with phishing activity in the fourth quarter higher than during any period in 2015.
Banking Malware Makes a Comeback
After noting a significant decline in desktop malware attacks targeting financial data in 2014 and 2015, Kaspersky observed a major turnaround in 2016, as financial attackers executed a quarter-million more banking trojan attacks than they had launched the year before.
According to the report, this increase means that “although professional cybercriminal groups shifted a lot of their attention to targeted attacks against large companies, including banks and other financial organizations, smaller groups of criminals are continuing to target victims with the help of relatively widespread malware, which is available on the open web.”
In fact, while the number of attacked individual users and corporate users both increased, individuals actually comprised an even larger share of total attacks in 2016 (about 82.8 percent) than they did in 2015 (about 78.5 percent). Corporations were attacked about 17.2 percent of the time in 2016, compared to roughly 21.5 percent of the time in 2015.
The Zbot banking trojan family remained most popular among cybercriminals in 2016 – used in 44.1 percent of banking malware attacks observed by Kaspersky, compared to about 58.2 percent of attacks in 2015. The Gozi trojan, used in approximately 17.2 percent of these attacks, ate into Zbot’s share, while use of Tinba fell markedly, from 20.7 percent of attacks in 2015 to only about 3.5 percent in 2016.
More than half of the users targeted in desktop banking malware attacks during 2016 were based in 10 countries, including Russia (19.8 percent) and Germany (14.9 percent). U.S. users saw the sixth most attacks of this nature, as the country’s overall share of such attacks shrank from about 4.2 percent in 2015 to roughly 3.3 percent last year.
Kaspersky noted a dramatic 430 percent year-over-year increase in Android banking malware incidents, after more than 305,000 users were attacked in 2016. While only 3,967 users were attacked in January, incidents quickly skyrocketed, peaking in October with nearly 75,000 attacks before falling off sharply.
Kaspersky attributed the sudden spike to a pair of key developments in the mobile malware world: attackers began distributing the malware Asacub via SMS, while other bad actors started to distribute the Svpeng trojan through the Google AdSense advertising network.
Stolen Health Record Databases Sell For $500,000 In The Deep Web
From Dark Reading – February 21, 2017 – Ericka Chickowski
Electronic health record databases proving to be some of the most lucrative stolen data sets in cybercrime underground.
Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.
The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems poses a huge opportunity for the bad guys. It might therefore be beneficial for medical clinics to invest in a secure and robust EMR (electronic medical record) platform from which patient data is not so easy to steal. Dermatology clinics, for instance, can seek out software providers like PatientNow, or others like them, that can provide secure EMR software (Dermatology PatientNow) suitable for their clinic.
“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”
Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.
Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.
Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.
Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible from the public internet with minimal or no access controls. Not only did these systems expose the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case with exposed interfaces to Polycom conference systems that researchers found in one instance.
Canada will soon force companies to disclose hacking attempts, data breaches
The federal government is in the final stages of enacting legislation that will require all businesses in Canada to report any cyber security breach as soon as they become aware of it.
It’s a step meant to close what critics say has been a major gap in this country’s protection of personal and financial data.
The new laws were passed as part of the Digital Privacy Act in 2015, but have not yet come into effect due to the need for “related regulations outlining specific requirements.”
Industry stakeholders had also asked government for a “transition period” allowing them to better prepare their computer systems and internal policies to report hacking attempts and issues pertaining to computer viruses on their networks.
That pause is about to expire, according to Innovation, Science and Economic Development Canada, which wrapped up a series of public consultations in the fall.
A spokesman said a summary of those consultations was posted to the federal department’s website in October. Draft regulations, outlining exactly when and how businesses must report data breaches, are expected to appear in the Canada Gazette, the official publication of the federal government, in the coming weeks. Those draft regulations will be opened for another round of public consultations before they are forwarded to Parliament for approval.
In much of Europe, and an increasing number of U.S. states, any breaches of personal data or financial information at a private corporation must be immediately reported to authorities.
Outside of Alberta, which enacted its own legislation requiring the reporting of a hack or other breach of data, Canada has not had such strict reporting laws.
Until now, it was up to a company to decide whether to go public if it was hacked, allowing a vast majority of cyber intrusions to go unnoticed.
It’s been an issue the federal Office of the Privacy Commissioner has been warning about for years.
In 2007, apparel and home goods company TJX was forced to admit that its systems had been hacked. The admission followed mounting pressure from financial institutions that had been forced to deal with an increase in fraudulent charges to their customers’ accounts. While TJX announced the news in 2007, it was later revealed that the breach had actually started in 2005 and that it involved more than 100 million credit card numbers, double what the company initially stated.
Under the new legislation, companies will be forced to immediately report the system breach, what information was lost and how the attacker gained access. The information would have to be reported to the Office of the Privacy Commissioner of Canada, who will decide whether it needs to be released publicly. At the very least, the information collected by the commissioner’s office could be used to alert other businesses to the hackers’ tactics. It could be forwarded to financial institutions to minimize fraudulent charges or identity theft, for instance. The privacy commissioner’s office could also order the business to notify individuals who may be affected by the breach.
Companies will also need to maintain a record of all breaches involving personal information and provide a copy of those records to the privacy commissioner’s office upon request. Organizations that fail to report data breaches to the privacy commissioner’s office or to keep records of prior incursions could face fines of as much as $100,000.
“Think of it like the federal government enforcing cyber hygiene on businesses in Canada,” said David Masson, country manager for Canada at cyber-security firm Darktrace. “What this does is change the way businesses actually do security issues. They are going to have to do it now. They’re going to have to have adequate safeguards in place … and actually use the tools they’ve got and know what’s going on in their networks.”
The requirements from government come as Canadian businesses are reeling from an onslaught of new attacks from hackers. A newly released study from cloud security company Scalar Decisions Inc. found the average number of cyber attacks against small and medium-sized business in Canada has risen 44 per cent since the company began tracking data in 2014. The report surveyed more than 650 information technology workers at small and medium-sized businesses across the country. Those businesses spent a total of $7.2 million in 2016 to recover from data breaches.
Of those affected by ransomware, an increasingly popular attack by hackers that locks a company’s computers until a ransom has been paid to the attacker, only 21 per cent reported the incident to authorities, according to Scalar.
“Organizations need trained personnel who understand how to react when faced with threats,” said Ryan Wilson, chief technology officer at Scalar in a statement. “The increase in incidents and decreasing confidence we are seeing coincides with the growing sophistication, severity and cost of attacks.”
Darktrace’s Masson agreed, saying that while large companies may have the talent and resources to respond to an attack on their computer networks, small and medium-sized firms may not. However, the new requirements will still mean those small and medium-sized businesses must report a data breach to the Office of the Privacy Commissioner or face a possible fine.
“The big guys know what to do and have the resources and security teams to do it with,” said Masson. “Small and medium enterprises don’t have that.”
Monique Moreau, vice-president of national affairs for the Canadian Federation of Independent Business, said a vast majority of businesses in Canada have no idea that these regulations are coming. She said she would like to see leniency from the federal government, particularly when it comes to small business owners, for first-time offences.
“Government has a role to play here. What we’re always emphasizing is education before enforcement. For a vast majority of business owners, the first time they will hear about this is when this happens to them,” said Moreau. “Do they know (about the reporting requirement)? Probably not. Are they prepared at this point? Probably, also, not.”
The CFIB, which represents 109,000 small and medium-sized businesses across the country, said it will be notifying its membership about the upcoming regulations as more specifics regarding the legislation are posted in the Canada Gazette. Moreau said the organization has 200 country managers who regularly liaise with members about various business issues and that this will become one of the new issues they will be highlighting.
SnoopWall NetSHIELD Nano Wins Best Network Access Control (NAC) in the Cybersecurity Excellence Awards
SAN FRANCISCO, Feb. 14, 2017 /PRNewswire/ — SnoopWall, Inc, the global leader in Breach Prevention, today announced receiving the coveted Cybersecurity Excellence Award for its tiny, powerful, cost-effective NetSHIELD Nano breach prevention appliance.
“We’re humbled and honored to receive this prestigious award from our peers in the cyber and information security space,” said Gary S. Miliefsky, CEO of SnoopWall, Inc. “When small to medium enterprises (SMEs) are looking for a cost effective way to prevent breaches on their intranet networks, they look towards SnoopWall. Our NetSHIELD Nano is an incredibly tiny, powerful and cost-effective breach prevention solution that any SME can afford.”
The Cybersecurity Excellence Award is a prestigious award that honors individuals, products and companies that demonstrate excellence, innovation and leadership in information security. This independent awards program is produced in cooperation with the Information Security Community on LinkedIn, tapping into the experience of more than 300,000 cybersecurity professionals to recognize the world’s best cybersecurity products, individuals and organizations.
“Congratulations to SnoopWall for winning the 2017 Cybersecurity Excellence Award for Network Access Control (NAC) hardware with their tiny breach prevention Nano appliances,” said Holger Schulze, founder of the 350,000-member Information Security Community on LinkedIn which organizes the awards program. “With over 450 entries, the 2017 awards are highly competitive. All winners and finalists reflect the very best in leadership, excellence and innovation in today’s cybersecurity industry.”
Fitting within the palm of your hand, the patented NetSHIELD Nano is the world’s smallest network access control (NAC) and breach prevention intranet security appliance. This is a tiny, powerful, plug-in-and-protect solution that detects and blocks zero-day malware (0day), ransomware and remote access Trojans (RATs). In addition, in milliseconds it blocks rogue devices, manages the Bring Your Own Device (BYOD) dilemma and, with pinpoint accuracy, finds all vulnerabilities in trusted network assets/devices, including on wired and wireless networks and all internet of things (IoT) devices. It has a complete standalone secure web-management interface, as well as support for all major switches, hubs and wireless devices, and can send threat feeds to all SIEMs and SIMs over Syslog or SNMP traps plus email alerts. In addition, for larger organizations and MSSPs it can be completely managed remotely through the Command Center of the NetSHIELD Enterprise appliances.
About SnoopWall, Inc.
SnoopWall is the world’s first breach prevention security company, delivering a suite of network, mobile and app security products as well as cloud-based services protecting all computing devices from prying eyes and new threats through patented counterveillance cloaking technology. SnoopWall secures mission-critical and highly valuable confidential information behind firewalls with our award-winning patented NetSHIELD appliances, and with WinSHIELD on Windows and MobileSHIELD on Google Android and Apple iOS mobile devices, with next-generation technology that detects and blocks all remote control, eavesdropping and spying. SnoopWall’s software products and hardware appliances are all proudly made in the U.S.A.
‘Shock And Awe’ Ransomware Attacks Multiply
From Dark Reading – Kelly Jackson Higgins
Ransomware attackers are getting more aggressive, destructive, and unpredictable.
RSA CONFERENCE 2017 – San Francisco – The data-hostage crisis isn’t going away anytime soon: In fact, it’s starting to get a lot scarier and destructive, and with a more unpredictable outcome.
Security experts have long warned that ponying up the ransom fee only plays into the hands of ransomware attackers; it doesn’t necessarily guarantee victims get their data back unscathed, even though most of these bad guys have thus far honored their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there’s a ransomware attack every 40 seconds.
James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.
He describes their brazen demands and attacks as a “shock-and-awe” approach that’s catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.
“We’re seeing more and more inclusion of a timer” and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely, he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn’t be retrievable at all.
“Not even the cybercriminals can recover the data” then, he says.
“It irrevocably shreds them. You’re not going to get the data back even if you go to a forensics specialist,” Lyne says. “They’re starting to move toward a more aggressive approach of ‘hand over the money more quickly.’”
“It’s a really interesting tactic because it invokes panic in the user” so they are afraid to talk to tech support for help, he says.
Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. “Traditional blackmailers know if someone pays once, they are probably going to pay again,” he says.
Lyne plans to show such a case of a repeat attack during his RSAC session, entitled Reversing the Year: Let’s Hack IoT, Ransomware and Evasive Payloads. “I’m going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again,” he says.
So the days when cleanup after a ransomware infection meant the event was over may soon be gone. Variants such as Ranscam actually erase the victim’s files after promising to relinquish them once the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn’t even invest in encryption, so it’s a rather evil but ingenious way to wage a low-cost, high-return attack, according to Cisco’s Williams.
Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.
“In truth, most of these we’ve heard of weren’t targeted … the samples I look at have no example that they targeted specific types of businesses,” he says.
Even so, he’s seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. “It encrypts your data, you pay money to get it back and it then nicks your data” as well, says Lyne, who will demonstrate one such attack here.
“It’s not widespread … but it’s something people need to be aware of now,” he says. “You can’t just pay money and consider the incident over.”
Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data.
Headless But Deadly
Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. “We see this quite a lot,” Lyne says, and it tends to involve lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channel has been shut down. “Now there’s ransomware floating around that’s shredware: there isn’t a way to get your data back,” he says.
Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: “When it was abandoned, it stopped working and there was no key exchange,” which made it benign, he says.
The Talos team was seeing 130,000 ransomware samples per day in December of last year.
With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, the phishing emails and other ransomware-rigged places will still infect users. “This is a sign of things to come. So you should prepare,” Lyne says.
Meanwhile, ransomware variants such as Samsam have included a self-propagation feature that lets them spread like a worm, rather than only via email or malicious web content. Worm-like ransomware spreading could infect more victims more quickly, Cisco’s Williams says.
Be Prepared Or Prepare To Lose Data
The best defense from ransomware is preparation: expect the worst, and run regular backups. “Have a backup that works, one that’s not constantly connected to your computer such that you end up with an encrypted backup that’s also infected with ransomware,” Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.
Cloud-based backups can be helpful as well, Cisco’s Williams says. “Don’t put your eggs in one basket … Have unique usernames and passwords” for those types of services, he says.