Cybercriminals spoof major accounting and payroll firms in tax season malware campaigns

In monitoring tax-related malicious activity, researchers found that threat actors have been using the financial malware TrickBot to impersonate companies, including ADP and Paychex.

“These campaigns attempted to deceive recipients into believing they were emailed by large accounting, tax and payroll services firms and carried malicious Microsoft Excel attachments,” IBM’s John Zorabedian, Dr. Martin Steigemann and Ashkan Vila wrote in today’s blog post.

“The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies.” All three of the sample emails that were analyzed were written in English, indicating that the attackers were targeting victims in the United States.

Read entire post TrickBot used in tax season email spoofing | Kacy Zurkus | InfoSecurity

How GDPR is affecting the video games you love

The GDPR replaces the 1995 EU Data Protection Directive, forcing every company around the globe to abide by strict rules when handling European subjects’ personal data. The regulations were adopted to protect EU residents and arm them with awareness about how companies use their information.

While GDPR addressed tech companies that have dealt with and make money off user data, like Facebook and Google, the expansive definition of “personal data” — everything from names and email addresses to biometrics and IP addresses — means that gaming companies have had to comply, too. And that has cost them time and money to avoid incurring fines.


This is good for gamers in the EU, who will have a much better idea what information is collected when they play, buy products or use services. Game enthusiasts outside Europe will benefit, too, as some organizations, like Razer, treat the GDPR as a privacy bellwether and adopted it globally.

Read entire article How GDPR is affecting the games you love | David Lumb | Engadget

Is spam email defeated or not?

Looking back at the first spam messages sent in the 1800s, Virus Bulletin editor Martijn Grooten said that in the 1980s spam was impolite, in the 1990s it was a nuisance, in the 2000s it was a threat but in the 2010s spam was apparently ‘solved.’

He said that statistics have proved that email spam was “something we could not keep up with no matter how good your spam filter is.”

Grooten said that spam “exists as people like to break the law” and the issue of dealing with unsolicited bulk email remains a challenge as solutions do not work.

He pointed to “solutions” such as only accepting email from people you have previously approved, calling this “unworkable as you would need a global approval system, and some sort of PKI.”

Read entire article #Irisscon: Is Spam Email Defeated or Not? | InfoSecurity

List of data breaches and cyber attacks in October 2018 – 44,701,278 records leaked

Rather than posting the usual long list of data breaches and cyber attacks, I’ve decided to go down a new route.

These monthly blogs will now look at three lesser-known stories in detail, as well as give a total number for all records exposed in the month.

It’s been the usual mix of data breaches this month, with lots of mistakes being made and lots of ransoms being paid. This month’s total number of known leaked records is 44,701,278.

See the List of data breaches and cyber attacks in October 2018 | Lewis Morgan | IT Governance

Girl Scouts alerted to possible data breach

Reports suggest that as many as 2800 girl scouts in Orange County may have been affected in an incident which lasted just a day.

Affected information could include names, email and home addresses, driver’s license details, insurance policy numbers and health history information.

Those hit by the breach were contacted last week.

They were told that the attack began on September 30 when an unauthorized third party gained access to an official Girl Scouts Orange County Travel email account, which was used to “send emails to others” — presumably phishing emails.

Read entire article Girl Scouts alerted to possible data breach | Phil Muncaster | InfoSecurity

Email still poses a cyber-threat, but there is hope

Cyber-criminals have taken advantage of this era of email and turned it into the number one attack vector used to breach enterprises, infiltrate networks, hijack devices and extort money or sensitive data.

Email attachments, in particular, are used by attackers to inject malware into an organization to create the beachhead that facilitates the rest of the attack. With employees opening hundreds of emails every day, it’s akin to an ongoing game of Russian Roulette within the organization.

Protecting against email threats remains a key concern for organizations of all sizes across the world. However, despite the availability of tools and technologies such as email encryption, sandboxing and artificial intelligence, headlines have been dominated by news of email-borne attacks.

Those threats are not only dominating cyberspace but are also getting smarter. Last month, a Virginia bank’s email systems suffered a series of phishing attacks, which took phishing techniques another step further by embedding a malicious Office file inside a different attachment to bypass traditional security solutions as well as sandboxes.

Read entire article Email Still Poses a Cyber-Threat, but There is Hope | Liron Barak | InfoSecurity

One easy way to reduce ransomware risk

Risk managers who teach employees what suspicious email looks like can drastically reduce the risk of being hit with ransomware.

Posted on Canadian Underwriter | By Greg Meckbach

Ransomware is when criminals hack into computer systems, encrypt files and demand a ransom from the computer owners to decrypt those files.

A lot of ransomware comes with “emails that look suspicious,” Elissa Doroff, XL-Catlin’s vice president of underwriting and product manager for technology and cyber liability, said in an interview.

Training a worker not to open a file attached to an email with the .exe extension is one way to reduce ransomware risk, Doroff advised. Another is to make sure that all software is updated with the patches provided by software vendors.

Security and privacy awareness training is the best line of defense.

Read entire article One easy way to reduce ransomware risk | Canadian Underwriter

2017: Spam down, Phishing up!

The spam and phishing scene last year was a mixed bag: The average amount of spam in 2017 decreased to 56.63%, which is 1.68% less than in 2016.

Posted on InfoSecurity | By Tara Seals

However, the number of phishing attacks increased – the Kaspersky Lab anti-phishing system was triggered 246 million times on the computers of Kaspersky Lab users, which is 59% higher than in 2016.

According to Kaspersky Lab’s Spam and Phishing in 2017 report, spammers have shown themselves to be thoughtful actors, instantly monitoring global issues and major events worldwide with one main purpose: to capture and capitalize on their victims’ attention. These cybercriminals have been following a global agenda by using hot topics such as the FIFA World Cup and Bitcoin to fool users and steal their money or personal information in the last 12 months.

In 2017 we saw a slight decrease in spam activities, but spammers haven’t missed any reason to steal users’ personal information, keeping their eyes on what’s happening in the world.

Read entire article Spam Ticked Downward in 2017, but Phishing Was Up | InfoSecurity

Pyeongchang Olympics ‘already target of hackers’

Hackers have already begun targeting the Pyeongchang Olympic Games with malware-infected e-mail which may be aimed at stealing passwords or financial information, researchers said.

Security firm McAfee said in a report that several organisations associated with the Olympics had received malicious e-mail, with the primary target being groups affiliated with ice hockey.

“The majority of these organisations (targeted) had some association with the Olympics, either in providing infrastructure or in a supporting role,” the McAfee report said.

The attackers appear to be casting a wide net with this campaign.

McAfee said the e-mails came, in fact, from an address in Singapore, and instructed readers to open a text document in Korean.

Read entire post Pyeongchang Olympics ‘already target of hackers’ | The Straits Times

How to create an un-hackable e-mail account

You will need:

1. Your smartphone
2. Your computer

Think about the last 7 years – how many websites have you registered with, how many usernames and passwords created… how many times you have used the same password or small, simple variations of it, for valuable accounts like your e-mail or your online banking? By this time, most of these resources have been hacked at least once (including LinkedIn) and the passwords used there have been compromised, with or without their/your knowledge.

Having a secure e-mail account is imperative to your privacy.

In this short article I am going to show you how to create a nearly un-hackable e-mail account using just your phone and computer in less than 10 minutes.

Let’s start!

Since most people are familiar with Gmail, let us use this e-mail provider – although the same rules apply to others and you can replicate them at your favorite e-mail provider with ease. I chose Gmail because of the connected services Google offers – Google Drive, Google Docs, Gmail, Google Voice, Google Plus, etc. Secure one, secure them all! I suppose you already have a Gmail address you would like to protect – step one is to protect it with a good, unique password which you are not using anywhere else. And by unique I mean really unique – not just adding a symbol or a number at the end of your regular password which you use everywhere. Choose something you will remember easily – a phrase works best, as in this example:

Go to this link – https://myaccount.google.com/intro/signinoptions/password – to change your password.

Once done, move on to the next step.

Setting up a recovery phone number

It is important NOT to use your cell phone number as a recovery phone, because intercepting an SMS is cheap and affordable – now that even small crime rings can afford the equipment necessary, SMS authentication is considered insecure. Every person you ever contacted knows your phone number – we don’t need that kind of publicity when protecting your most important communication tool.

Edward Snowden on passwords: Last Week Tonight with John Oliver (hilarious!).

We will open a Google Voice account, which will provide us with a free US number to use for our recovery process. Remember, if you lose access to your phone and/or the password to your Gmail account, you will not be able to recover it if you use Google Voice, as they are essentially the same account. Back up your phone regularly!

Go to https://voice.google.com/ and create an account; you will get a free US number to use with it. Once you get the number, note it down, as it will be your secure phone number for verification of this account and perhaps others, if you choose to.

Now go to https://myaccount.google.com/security and in the Account Recovery options, set up your new phone number as a recovery phone.

Now let us enable 2-Step Verification

To do this, download and install the Google Authenticator app on your phone. You will need it for this account and many more – as many services now offer 2-step verification of identity via this or similar apps.

Go to https://myaccount.google.com/signinoptions/two-step-verification and follow the prompts to enable it on your phone – either via the Google app or via the Authenticator app, I would recommend downloading and setting up both, just in case.

After doing that, perform a full backup of your phone to your computer – in case you lose your phone, you should be able to restore the app to a new one without losing access to your account forever.

Backup e-mail address

It is recommended to set up an e-mail account only you know about, which exists only for recovery purposes, with a unique password, and is not used for anything else but recovery. Don’t use your work e-mail or a throwaway e-mail account used for registrations on different websites, as these are often compromised and their passwords exposed. Remember: the security of your e-mail account is only as strong as this backup e-mail address. Protect it in the same way or better to ensure your account’s safety. One service I would recommend for setting up a backup e-mail account is ProtonMail; of course, you should enable mailbox encryption and 2-factor authentication there, too.

One in four UK employees have ‘purposefully leaked business data’

New research from Egress Software Technologies has revealed that one in four (24%) UK employees have intentionally shared confidential business information outside their organization, typically to competitors or new and previous employers.

The firm quizzed 2000 workers whose jobs required them to frequently use email, to shine a light on risks surrounding email misuse within the enterprise.

Half of respondents said they either had or would delete emails from their sent folder if they had sent information somewhere they shouldn’t, with more than a third (37%) admitting they do not always check emails before clicking send.

Of those who had sent an email to the wrong person by mistake, one in 10 admitted to leaking sensitive data such as bank details or customer information. Less crucially, but no less embarrassingly, 40% had also accidentally insulted the recipient or included rude jokes, swear words or risqué messages.

Catching the hackers in the act

Cyber-criminals start attacking servers newly set up online about an hour after they are switched on, suggests research.

The servers were part of an experiment the BBC asked a security company to carry out to judge the scale and calibre of cyber-attacks that firms face every day.

About 71 minutes after the servers were set up online, they were visited by automated attack tools that scanned them for weaknesses they could exploit, found security firm Cybereason.

Once the machines had been found by the bots, they were subjected to a “constant” assault by the attack tools.

Image: The attack bots look for well-known weaknesses in widely used web applications

Thin skin

The servers were accessible online for about 170 hours to form a cyber-attack sampling tool known as a honeypot, said Israel Barak, head of security at Cybereason. The servers were given real, public IP addresses and other identifying information that announced their presence online.

“We set out to map the automatic attack activity,” said Mr Barak.

To make them even more realistic, he said, each one was also configured to superficially resemble a legitimate server. Each one could accept requests for webpages, file transfers and secure networking.

After 21 hours, the first booby-trapped phishing email landed in the email inbox for the fake employees, said Mr Barak. It was followed by a steady trickle of messages that sought, in many different ways, to trick people into opening malicious attachments.

Source: BBC

Read entire post Catching the hackers in the act | BBC