Tag Archives: cybercriminals

Cybercriminals Target Executives with Whaling Attacks

It looks like cybercriminals are looking for the “bigger fish in the sea” with the rise of whaling. While phishing middle to lower level employees is still extremely relevant in the world of cybersecurity, some attackers are now looking for a bigger reward by going after the executives. The term “whaling” is more than fitting as it refers to phishing executives (whales) of large corporations.

What is Whaling?
Whaling refers to targeted spear-phishing campaigns directed at senior executives, who often have access to delicate information such as employee or customer data. A successful whaling attack can yield executive passwords and other account details that can open up corporate hard drives, company networks, and even commercial bank accounts.

Where a regular phishing email will typically address a personal aspect of the target’s life, a whaling email will likely take the form of a business critical email, customized to a senior executive’s precise position and responsibilities in the company. Last year, a senior executive in charge of customer satisfaction at his company opened an email about a customer complaint. He followed the link to see the details of the complaint only to find himself redirected to an illegitimate website that ended up giving the attacker access to his company’s network.

Going After the Big Catch
In the last two years alone, as many as 7,000 US businesses have fallen victim to whaling attacks, resulting in over $740 million in losses. As the rewards for a successful cyberattack grow, so do the security measures corporations are taking. Unfortunately, cybercriminals are also becoming more sophisticated with their attacks. With whaling, however, criminals must become more educated about their targets.

Most senior executives are aware of all the malicious spam they could encounter. Cybercriminals are now taking months to research the company they are after, to find out as much as possible in order to craft an email in a way that seems completely legitimate to the recipient. A successful attack happens only when the cybercriminal sends an email that has a reasonable rationale and builds trust by including pertinent and specific information that seems confidential.

Attackers have even begun to take to social media to see what charities or hobbies their target executive is involved in. Executives with open public profiles make prime targets for whaling attacks.

Don’t Become the Next Trophy Catch
Here are some guidelines to follow to limit your exposure to becoming the next trophy on the wall for cybercriminals:

  • Minimize or lock down the exposure of senior management by implementing privacy restrictions
    • Facebook – Don’t have an open profile that is visible to the general public, and be wary of accepting friend requests from individuals you don’t know
    • Twitter/Instagram – Don’t let anyone and everyone follow you. Make sure to implement security measures where you can accept/deny follow requests.
  • Don’t rely on traditional security tools to safeguard network user information
  • Monitor suspicious emails by creating a reporting system
  • Assess your organization’s overall exposure to phishing attacks – launch a practice phishing attack to see how many employees actually visit the website in the email.

Weak Passwords Pose Cybersecurity Risk for Campus Networks

Colleges and universities already present prime targets for hackers, and easily guessable passwords make the problem worse.

Using a weak password is the equivalent of laying out the welcome mat for hackers, but that hasn’t stopped some users from prioritizing convenience over password strength.

A SplashData analysis of 2 million passwords found that “123456” and “password” once again topped the list of the most popular passwords in 2015. Other frequently used passwords included “12345678,” “qwerty” and “12345.”

Easy to type and just as easy to guess, these risky passwords are especially problematic for colleges and universities, which not only have a large number of users accessing the network but also represent enticing targets for cybercriminals.

Higher ed IT professionals can help protect users’ personally identifiable information and researchers’ intellectual property by teaching faculty, staff and students the importance of strong passwords and passphrases.

 

Law firms should update potential electronic security vulnerabilities

The Panama Papers scandal should prompt law firms, and other professional services firms, to update their electronic security measures, says Toronto business lawyer Joel Berkovitz.

Panamanian law firm Mossack Fonseca, which specializes in the creation of offshore companies, claims it was the victim of a hacking in the massive leak of its client files — a reported 11.5 million documents covering a 40-year period — turned over to journalists from news outlets around the world.

“This is a bit of a warning signal for Canadian law firms, and other professional entities regarding their electronic security measures,” says Berkovitz, a lawyer with Shibley Righton LLP.

He says the reputational damage done to the firm as a result of the leak could pale in comparison to the financial burden it could face in the years to come.

“This is a huge problem for the law firm because, if they were negligent in their electronic security system, they could be liable to clients for any damage that flows from the material that was leaked. If there are fines or prosecutions as a result, they might look to sue the law firm for damages,” Berkovitz tells AdvocateDaily.com.

Internet security experts recently told Wired magazine that the law firm’s front-end computer systems, such as its webmail and client portal software, were outdated and shot through with security vulnerabilities.

“If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” Alan Woodward, a professor of computer science at the U.K.’s Surrey University, told Wired.

Berkovitz says there is a chance prosecutors will try to use the leaked documents even though, had they not been leaked, many would be covered by solicitor-client privilege.

“Solicitor-client privilege generally covers all legitimate communications between clients and their lawyers, and is fiercely guarded by courts,” he says. “Lawyers can’t waive privilege over documents, because the privilege is not theirs to waive, but in cases of inadvertent disclosure the courts sometimes find that that privilege has been lost. If governments try to bring prosecutions based on the leaked documents, expect to see a fierce fight over whether solicitor-client privilege has been lost.”

The Canada Revenue Agency (CRA) has requested access to the documents in order to determine whether any tax rules were broken by holders of the offshore accounts, while the Royal Bank of Canada has defended its role after it emerged it used Mossack Fonseca to create more than 370 foreign corporations for its clients over the course of many years, the CBC reports.

“Right now, there seems to be some limited ties to Canada, but no evidence of any wrongdoing,” Berkovitz says. “Given the vast scope of the documents though, it’s likely more ties to Canada will be discovered as time goes on.”

But, he warns, people shouldn’t look at this as a smoking gun. 

“People are jumping to a lot of conclusions that offshore accounts and holding companies are necessarily evidence of tax evasion or any other illegal activity,” Berkovitz says. “That may be true for some of these entities, but there are all sorts of legitimate tax-planning reasons for using these types of companies. It comes down to the difference between legitimate strategies to minimize your tax obligations versus tax evasion.”

He says the CRA will look at transactions to determine if they comply with s. 245 of the federal Income Tax Act, the General Anti-Avoidance Rule. The rule requires all transactions to be carried out for a bona fide purpose other than to avoid tax.

“A transaction will not offend the Anti-Avoidance Rule as long as the primary purpose of the transaction is not to avoid tax,” Berkovitz says. “If you’re a global company with operations in many countries, there are many legitimate business reasons why you may need to set up a company in Panama or another low-tax jurisdiction.”

Six Things Your Business Has That Cybercriminals Want

The following article is excerpted from Under Attack: How To Protect Your Business and Your Bank Account From Fast-Growing, Ultra-Motivated and Highly Dangerous Cybercrime Rings, which was published by CelebrityPress on January 14th, 2016.

*****

Belief and opinion are the biggest hurdles in implementing effective security that can help prevent an attack by cybercriminals.

I remember growing up and hearing people say, “One man’s junk is another man’s treasure.” For businesses, what they perceive as something of “no value” can be extremely valuable to a criminal. They will maximize it and expose it, giving themselves a pretty sweet deal while the business and its customers suffer. This likely disturbs you to your very core, but it doesn’t disturb the perpetrator at all.

There are six specific areas of data that are considered the jackpot for cybercriminals. If you know what the gold is, you’ll know how to protect it better.

1. Banking credentials

Think about your payroll accounts and the abundance of information that is in them. A thief will not hesitate to figure out your banking credentials and piece them together, which will give them the ability to impersonate an authorized user on the account. Then—in a matter of a minute—the payroll account is drained. What would you do if your payroll account was suddenly emptied the night before payroll processing?

2. Sensitive data from customers, vendors, and staff

Credit card numbers, Social Security numbers, and other data that help a thief take over someone else’s identity are valuable pieces of information. In the cyber underground, they can go for anywhere from $10 to $300 per record, depending on its value. Does your business have any of this type of information stored on technology of any sort?

3. Trade secrets

Entrepreneurs and innovators work hard, many creating products and services that become a part of all our futures. Along with these exciting innovations come valuable information and data such as: secret formulas, design specs, and well-defined processes. There is a market out there for this information, because some people want to shortcut the path to success by copying those who paved the way. Are your ideas and processes safeguarded from thieves?

4. Email

It’s hard to imagine that an email account could be of real value, but there is information on there that cybercriminals love. Here are some numbers that a prominent credential seller in the cyber underground can get:
1. $8 for an iTunes account
2. $6 for accounts from Fedex.com, Continental.com, and United.com
3. $5 for a Groupon.com account
4. $4 for hacked credentials to hosting provider Godaddy.com, as well as the wireless providers ATT.com, Sprint.com, Verizonwireless.com, and Tmobile.com
5. $2.50 for active Facebook and Twitter accounts

If your inbox was held for ransom, would you pay to get it back? If your Webmail account got hacked and was used as the backup account to receive password reset emails for another Webmail account, do you know what would happen? The result would be that an attacker could now seize both your accounts!

And here’s a startling fact: If you have corresponded with your financial institution via email, the chances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account. Have you ever conducted any personal business on your email that you don’t want criminals to have access to?

5. Virtual hiding places

Using your unprotected network to launch attacks against others—perhaps one of your top clients or vendors—is a favorite technique for cyber attackers. They will expose the weakest link to their end target and literally “work their way up.”

They start with a smaller company that does business with a larger firm and may have access to some of its passwords and accounts due to the type of working relationship. Then the cybercriminal finds their way into that system and starts to extract the data that they desire. They may also infect the small business’ site with malware.

When larger corporate clients and vendors visit the infected site, the malware secretly attacks that person’s computer and infects the organization. This is known as a watering hole attack. If you were attacked and it impacted your clients, would they understand?

6. Your reputation

The higher up the scale of success you go compared to your peers, the more likely it is that some of them may desire to see you come back down a bit and “make room for someone else.” There are unscrupulous competitors out there, and also disgruntled employees.

Today, targeted reputation damage is a serious concern for small to mid-size businesses. In fact, damaging attacks, whether data theft or destruction by rogue employees, have moved up to the third leading cause of loss according to NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims — A Study of Actual Claim Payouts. Do you rely on your reputation to help drive your business?

Almost everything that a business has access to using technology, whether to retrieve or store information, is of value to someone who has made a career out of attacking businesses for their own malicious gain. It may be hard to accept this, because most of us do not think like a cybercriminal—we think about our futures, our reputations, and conducting the best business we can. However, in order to know what you’re up against, you really need to start understanding what criminals may see in your business through an honest and thoughtful perspective. It’s a conversation best had with someone who understands the full scope of cybersecurity.
