[metaslider id=2951] … Read More
Kaspersky: Banking malware attacks up 30.6% in 2016; finance sector phishing also more prevalent
Given the latest reports by both Kaspersky and the Anti-Phishing Working Group it is imperative that corporations ensure that their end users are trained in spotting a phishing attempt.
SC Magazine – February23, 2017
The number of cyberattacks targeting financial institutions and their customers soared to new heights in 2016, according to Kaspersky Lab, which observed nearly 1.09 million banking trojan attacks on users in 2016 – a roughly 30.6 percent jump over the previous year.
Meanwhile, of the nearly 155 million phishing attacks detected on Windows machines by Kaspersky in 2016, about 47.5 percent impersonated banks, payment service providers (e.g. PayPal and Visa) or e-shops (e.g. Amazon and eBay), compared to roughly 34.3 percent in 2015. “At the moment this is the highest percentage of financial phishing ever registered by Kaspersky Lab,” the company noted in its “Financial Cyberthreats in 2016” report, issued Wednesday.
In another first, Kaspersky found that phishing pages impersonated legitimate banking services more often than any other online service offering, including global web portals and social networks. Phishers imitated banking sites about 25.8 percent of the time, compared to approximately 17.4 percent of the time in 2015. Phishing attacks in 2016 that imitated e-shops and payment services also surpassed their respective 2015 shares.
Amazon was the most commonly impersonated brand in Windows-based financial phishing scams, while Apple was the most frequently mimicked brand in Mac-based scams.
The findings complemented a separate, fourth-quarter Phishing Activity Trends Report published Thursday by the Anti-Phishing Working Group (APWG), which identified more phishing attacks in 2016 than in any year since it began monitoring the practice in 2004. The APWG observed a 65 percent increase in phishing incidents in 2016, with phishing activity in the fourth quarter higher than during any period in 2015.
Banking Malware Makes a Comeback
After noting a significant decline in desktop malware attacks targeting financial data in 2014 and 2015, Kaspersky observed a major turnaround in 2016, as financial attackers executed a quarter-million more banking trojan attacks than they had launched the year before.
According to the report, this increase means that “although professional cybercriminal groups shifted a lot of their attention to targeted attacks against large companies, including banks and other financial organizations, smaller groups of criminals are continuing to target victims with the help of relatively widespread malware, which is available on the open web.”
In fact, while the number of attacked individual users and corporate users both increased, individuals actually comprised an even larger share of total attacks in 2016 (about 82.8 percent) than they did in 2015 (about 78.5 percent). Corporations were attacked about 17.2 percent of the time in 2016, compared to roughly 21.5 percent of the time in 2015.
The Zbot banking trojan family remained most popular among cybercriminals in 2016 – used in 44.1 percent of banking malware attacks observed by Kaspersky, compared to about 58.2 percent of attacks in 2015. The Gozi trojan, used in approximately 17.2 percent of these attacks, ate into Zbot’s share, while use of Tinba fell markedly, from 20.7 percent of attacks in 2015 to only about 3.5 percent in 2016.
More than half of the users targeted in desktop banking malware attacks during 2016 were based in 10 countries, including Russia (19.8 percent) and Germany (14.9 percent). U.S. users saw the sixth most attacks of this nature, as the country’s overall share of such attacks shrank from about 4.2 percent in 2015 to roughly 3.3 percent last year.
Kaspersky noted a dramatic 430 percent year-over-year increase in Android banking malware incidents, after more than 305,000 users were attacked in 2016. While only 3,967 users were attacked in January, incidents quickly skyrocketed, peaking in October with nearly 75,000 attacks before falling off sharply.
Kaspersky attributed the sudden spike to a pair of key developments in the mobile malware world: attackers began distributing the malware Asacub via SMS, while other bad actors started to distribute the Svpeng trojan through the Google AdSense advertising network.
Stolen Health Record Databases Sell For $500,000 In The Deep Web
From Dark Reading – February 21, 2017 – Ericka Chhickowski
Electronic health record databases proving to be some of the most lucrative stolen data sets in cybercrime underground.
Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.
The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems pose a huge opportunity for the bad guys. It might therefore be beneficial for medical clinics to invest in a secure and robust EMR (electronic medical record) platform that might not be so easy to steal patient data. Dermatology clinics, for instance, can seek out software providers like PatientNow or the ones like them that can provide them with secure EMR software (Dermatology PatientNow) that will be suitable for their clinic.
“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”
Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.
Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.
Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.
Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through them, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible to the public internet with minimal to no access controls. Not only did these systems exposing the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case from exposed interfaces to Polycom conference systems that researchers found in one case.
Sophos Finalist for Best UTM Solution
Sophos is being recoginized as a finalist for the best UTM Solution – SC Awards
Best UTM Security Solution
Given the continuous convergence of the market, we’ve decided to retire some categories this year and integrate a number of individual categories from previous years into this unified threat management (UTM) category. The former categories – Best Enterprise Firewall, Best Intrusion Detection System/Intrusion Prevention System Product, Best IPsec/SSL VPN, Best Anti-Malware Gateway and Best Web Content Management – are now integrated here. As formerly, contenders in the UTM security category should take an “in-depth” defense approach. Entrants should have an integrated, multifunction endpoint/UTM offering – not a single-function product. These products typically aggregate a wide variety of threat data into a single unified tool. Many organizations define those threat categories as anti-malware, content management, IDS/IPS and spam filtering, along with firewall/VPN. Entrants should meet this minimum functionality and can include anti-malware gateway, anti-spam gateway and anti-phishing gateway, as well as provide web content filtering for laptops, desktops and, optionally, servers that blocks or filters objectionable websites and content.
LogRhythm’s Security Analytics Platform: Product Overview
By Dan Sullivan – TechTarget
Expert Dan Sullivan examines LogRhythm’s Security Analytics Platform, a product that leverages big data analytics and machine learning to help protect enterprises.
LogRhythm’s Security Analytics Platform is one of several security applications that leverage big data technologies to help mitigate the risk of targeted, persistent threats. It is part of an emerging class of big data security analytics products that are designed to capture, integrate, analyze and store at higher rates and volumes than found in earlier generation security information and management products.
LogRhythm Security Analytics covers a range of analytics areas across an enterprise attack surface, such as user behavior and network anomalies. The platform is designed to give enterprises a holistic view of potential threats using risk-based analytics. Enterprise customers have the option of customizing analytics rules of the platform or using preset threat detection and compliance modules. The security analytics platform also offers users the ability to search, collect and correlate forensic data in the event of a security incident or data breach.
How it works
The big data security analytics platform incorporates advanced analytics technologies for correlation and pattern recognition, as well as multidimensional analysis across users and endpoints. The platform uses machine learning for advanced threat detection; specifically, LogRhythm’s artificial intelligence engine offers continuous automated analysis of different types of data to correlate and identify potential threats. The AI engine comes with nearly 1,000 preconfigured correlation rule sets as well as GUI for security managers to create and customize their own rules.
LogRhythm Security Analytics also offers a forensics analytics feature. The forensics analytics tool is powered by Elasticsearch, an open source search engine, and is designed to help security managers search through large amounts of data quickly using contextual criteria and full-text terms.
In addition, the platform takes advantage of the LogRhythm Knowledge Base, which is regularly updated with new intelligence and components for integrating with endpoint devices. For example, the knowledge base includes rules for parsing over 600 different types of logs and specialized modules for privileged user monitoring, user and endpoint anomaly detection and web application defenses.
There is substantial support for compliance reporting within the LogRhythm Security Analytics platform, including HIPAA, PCI DSS, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, FISMA, ISO 27001 and NERC-CIP regulations.
The security analytics platform can work in conjunction with the LogRhythm Security Intelligence Platform, which offers both traditional SIEM capabilities as well as threat intelligence services.
Support, cost and deployment
LogRhythm provides a number of customer support options, the two most popular being Standard Support and the premium-level Platinum Support. The standard tier offers access to the LogRhythm support portal and access to user forums as well as technical phone support. Phone support is available from 7am to 6pm MST in this tier. Platinum Support, meanwhile, offers 24/7 phone and email support in addition to other standard-level support options.
The platform can be deployed as high performance appliances or as a software application in a virtual environment. For pricing information, contact the vendor.
Conclusion
The LogRhythm Security Analytics Platfrom provides a consolidation point for endpoint and network event data. Its machine learning capability is an essential feature for detecting anomalous events as they occur as well as for supporting forensic analysis, while its support for compliance reporting across a number of major regulations will appeal to businesses in regulated industries. Businesses looking to consolidate device and network logging and analysis may find a good fit with LogRhythm Security Analytics platform.
New type of malware encrypts computer hard drives — not just files
Dive Brief:
- A new type of ransomware is encrypting computer hard drives rather than individual files, according to a Threat Post report.
- Called Mamba, the new malware has been found on machines in Brazil, the United States and India. Once Mamba infects a machine, it encrypts the hard drive and victims receive a ransom note.
- The ransomware is likely being spread via phishing emails, according to researchers at Morphus Labs in Brazil.
Dive Insight:
Ransomware continues to be a major challenge for businesses, as employees routinely fall for phishing scams and companies regularly pay ransoms rather than deal with trying to recover their critical data, further encouraging cybercriminals. While regular backups can help protect companies, Mamba can make that more complicated.
“Traditional backup methods rely on the operating system already being in place to centrally manage restoring files from a centralized backup server,” said Travis Smith, senior security research engineer at Tripwire. “By taking out the entire operating system, the ransomware is increasing the overall cost of restoring data through backups.” Rather than restoring from backups, more businesses will likely pay the ransom as the easiest and sometimes cheapest option.
Earlier this month, the chair of the Federal Trade Commission urged businesses to do more to protect consumers from ransomware.FTC Chair Edith Ramirez put companies on notice that the agency expects them to play a role in protecting their customers from ransomware.