SonicWall, a leading perimeter security vendor, issued a mid-year update to its annual threat report in July. Amid the global disruption caused by the coronavirus pandemic some threat trends are surprising:

  • The number of malware attacks is down by 33%.
  • The instances of ransomware are up globally by 20%, but over 100% in the US.
  • Office files (Word, Excel, and PDF) continue to be used primarily for malicious intent.

There was a huge spike of IoT malware — up as much as 50%.
Also noted, but not at all surprising: Cybercriminals are increasingly targeting the large number of employees who are working from home.

Cybercrime has increased since the start of the pandemic, and the latest targets now include medical facilities, hospitals, and research labs. These focused attacks have two purposes: First, to disrupt normal business and day-to-day activity; second, to obtain research data related to potential vaccines and coronavirus solutions. Nation states – most likely China, Russia, and North Korea – are very interested in obtaining intellectual property. Based on these attacks, it appears to be far easier for these cybercriminals to steal someone else’s work than to do their own.

New, never-before-seen malware variants found in the first half of 2020 increased by more than 60%. This occurred despite the overall decline in the number of malware attacks. From this, we surmise cybercriminals are experimenting to see what version can effectively get through normal defenses.

In the first half of 2020, Office files and PDFs comprised one third of all new malicious files. One of the key takeaways from the analysis of these files is that “threats are becoming more evasive and more nefarious.”

However, ransomware is on the rise. By way of contrast, global ransomware rose 15% in all of 2019. In the first half of this year, despite a global pandemic that constrained most business activity in the second quarter, it is up 20%.

The report notes a very strong correlation between where the coronavirus hit and when ransomware attacks occurred. Looking closely at the numbers, I believe this trend will continue, and the United States is going to experience more cybercrime during the next few months until the rest of the country (particularly the South and West) reduce the number of infections.

One of the scariest aspects of these recent attacks is summarized as follows:

“To make matters worse, many ransomware operators have taken to selling or otherwise releasing company data if the organization refuses to or cannot pay.

“Even for companies that cooperate with the criminals’ demands, the trouble often doesn’t stop when the ransom is paid. Many organizations pay the ransoms, only to find their files are irretrievably corrupted or have been wiped out altogether. Ransomware attacks are so devastating that they’ve forced a number of companies out of business.”

Here is an analogy to put that in perspective. A stranger breaks into your house, steals some of your belongings, and contacts you, offering to sell them back. You agree, and after the items are returned, you find they are damaged beyond repair. Worse, some of the personal documents you kept in your desk drawer have been published on the internet so that everyone can see your financial position. You, as an individual, would be mortified. When this happens to a small business, the consequences are enormous.

In terms of IoT – devices that connect to the internet to provide various services – the first six months of 2020 saw twice the number of attacks as 2019. The report forecasts that the end of the year may show numbers surpassing the combined values of 2018 and 2019.

In the consumer space, IoT devices include: Amazon Echo, Nest smoke alarm, Ring doorbell, various home security systems, smart TVs, and even smart refrigerators. http://iotlineup.com has an extensive list.

In the business environment, IoT devices include: smart locks, smart video cameras, and smart lights and energy management. These components comprise all the security elements of typical building management functions.

What’s the motivation of cybercriminals to attack these devices? They are looking for a “back door” into networks with lower chances of detection so they can deploy other forms of malicious software to compromise the computers on that network. It is essential for both the IoT device manufacturers and people who use them to insist that security considerations should be top of mind for all new devices (older ones are unlikely to be retrofitted).

I don’t think have made any mention of Coinhive in recent editions because I knew it had been shut down in early 2019. But just to recap: Coinhive was a cryptocurrency mining service that installed software in a computer’s web browser to exploit that computer’s resources to mine bits of the cybercurrency, Monero.

In 2020, as if there wasn’t enough anguish, there is a replacement called XMRig, another Monero cryptominer. In June, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that XMRig was among the three signatures that make up 90% of potential threats.

So, there you have it. From SonicWall’s perspective, we were not even half-way through the year and things were already looking pretty dicey from a security standpoint. There is general consensus among security companies that attacks will only increase, and as the coronavirus continues to beat down United States businesses, along with the disruption from the upcoming presidential election, the cybercriminals are not going to stand idly by. They are going to take full advantage of the turmoil, and they will exploit it to the best of their ability.

Thanks, and safe computing!

Some phishing campaigns work by impersonating well-known organizations or brands. If cybercriminals send an email that looks just like one that comes from a company you are familiar with – and possibly even doing business with – then their hook is set. You can either take the bait or delete the email.

Microsoft is a tempting target for cybercriminals to spoof because it has a large number of subscription-based products, like Office, OneDrive, Outlook, and even Windows.

In mid-July, Abnormal Security, which specializes in preventing email fraud, discovered two different attacks designed to trap unsuspecting victims with subscription renewal. The crooks impersonated actual email notices from Microsoft. Their goal was to steal sensitive information from the recipients by convincing them that they need to renew their Microsoft Office 365 subscription.

The first campaign consists of an email telling the recipient that Office 365 is now called Microsoft 365 and that they should renew their subscription by a specific due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive data, such as name, address, and credit card number.

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and that by a particular date, they must renew it. A “Renew now” link takes the person to a PayPal page that prompts them to enter their PayPal payment details. (I had to look this up, but I learned that Microsoft does accept PayPal.) Typically, the transaction is processed directly, but in this case, it goes to the criminal’s PayPal account.
In both cases, anyone who took the bait will eventually find their PayPal payment information misappropriated and their Microsoft credentials compromised by the attackers.

Why These Attacks Work

A convincing phishing attack incorporates a variety of elements to trick its recipients. These two campaigns adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, the recipients may be more likely to follow the instructions in the email.
  • Sense of urgency. Like any effective marketing campaign, the emails conveyed a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails gave the recipient only a couple of days to renew before the deadline was up. Because Microsoft Office is considered an essential service by many individuals and small businesses, people may overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a web site called “office365family.com,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are telltale signs that the page is not legitimate. The fonts are inconsistent and many of the header links are broken.
  • Real URL. The second campaign links to an official PayPal page. Yet, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to Protect Yourself

To guard yourself against these types of phishing campaigns, take the following steps:

  • Double-check the sender’s name and email address to ensure that they’re coming from legitimate sources – don’t just trust the display name.
  • Double-check the webpage’s URL before signing in. Attackers will frequently hide malicious links in redirects or host them on separate websites that can be reached by safe links. This technique allows them to bypass link scanning within emails by traditional email security solutions.
  • If the web site name looks suspicious, do not enter your credentials! Instead, contact me if you have any questions.
  • Verify the information with your office administrator or IT solutions provider for cloud-based subscriptions.

Analysis

If you ask why anyone would do this, the answer is simple: these campaigns generate significant revenue for little effort. One result is straight-forward, because PayPal provides funds directly to the cyber criminal’s account. The one that gains access to a business’ email account is another way. How? Well with those credentials, they now have a list of all of their contacts. They can see who works for which business and can then craft a third, and more disconcerting scam: Business Email Compromise (BEC) or CEO fraud.

A follow-up campaign will be sent to those contacts attempting to claim missing accounts, or asking for wire transfer payments, or various “we need this funding by this time” emails that use social engineering to convince office administrators and in-house bookkeepers to send money to the stated claimant. Only, these emails are not from who they say they are. According to the FBI’s Internet Crime Complaint Center (IC3), businesses in the United States lost more than $1.7 billion in 2019 to BEC scams.

Protecting your business from this kind of malicious email threat follows similar rules to those I stated above. And I’ll add one more factor to keep yourself and your business safe: If you get an unexpected email that asks you to send funds, CALL the person who is requesting it to confirm they sent it. It takes one minute to make a call. It could save you and your business tens of thousands of dollars.

Thanks, and safe computing!

The Federal Bureau of Investigation (FBI) recently released the annual report from their Internet Crime Complaint Center (IC3). The 2019 Internet Crime Report contains some rather remarkable and sobering statistics recorded on the IC3 website during 2019.

One of the techniques I’ve learned about making a presentation to an audience is to engage with them physically. For example: “Please raise your hand if you’ve been a victim of some form of internet-based scam or fraud in the past 12 months.” Invariably some people in the audience will raise their hand. I’d continue by asking, “Now keep it raised if you went to the IC3 website to report it.” I would be very hard-pressed to convince you that any hands remained in the air. And with that little bit of background, let’s take a look at the numbers. I hope that after you read this newsletter you would contact the IC3 if you inadvertently fall victim to one of these scams.

In 2019, the IC3 received over 467,000 complaints with reported losses that exceeded $3.5 billion. That is approximately 1,300 reports per day and represents a 33% increase in the number of complaints from 2018 with a corresponding increase of 30% in losses. Those numbers reflect both the sheer volume of threats that are taking place and an enhanced effort by the FBI to let people know they should report scams to the IC3.

What accounted for the most substantial loss last year? 23,775 victims reported Business Email Compromise (BEC) attacks, which cost them over $1.7 billion in damages. BEC occurs when a bad actor compromises a legitimate business email account and requests a form of funds transfer. The FBI reports that a new variant of this scam appeared in 2019: diverting payroll funds. In this scheme, a human resources or payroll department would receive an email looking like it came from an employee with a request to update their direct deposit account information. The new account would generally route to a pre-paid card account. The likelihood of recovering those lost assets is extremely low.

Another high yielding scam from 2019 was Tech Support Fraud. The IC3 received over 13,000 complaints that amounted to more than $54 million in lost funds — a 40% increase from 2018. What is missing from this report is the number of victims who fell for the scam but who did not know to contact the IC3 to report their loss. Also missing is the total number of victims who didn’t succumb to the fraud in the first place. (I’d like to give a “shout out” to Rhea Hess for having received and faithfully ignored more of these fake tech support phone calls than anyone I know.)

Also on the list was the Ransomware category, comprised of 2,047 victims who lost $8.9 million. Now I have to admit, that is quite surprising given the high profile ransomware cases involving several cities, government agencies, and the health care industry last year. Again, that goes towards the question of who reports their victimhood to the IC3.

The final category is one that is significant yet frequently overlooked: Elder Fraud. Overall, the majority of losses and incidents occurred to victims who indicated their age was 60 years or over. That amounted to more than 68,000 individuals for a total of over $835 million in losses. Targeting this group is widespread because cybercriminals will invariably go to where they think the money exists.

The most treacherous scams for the over 60 age group involved Romance Fraud, Grandparent scams, and Family/Caregiver scams. The bad actor deceives the victim into believing there is a trusting relationship. The victim is persuaded to send money, or provide personal and financial information, to the bad actor. This situation frequently leads to Identify Theft or Account Takeover, where the criminal has sufficient personal identifying information that they can commit fraud against the victim’s financial accounts.

Steps You Can Take to Avoid Falling Prey — And What to Do If You Are a Victim

One of the best ways to avoid a lot of grief and heartache from these scams is to exercise a moment’s caution every time you encounter someone who is calling you for any personal information.

Similarly, if you need to contact any company for support, DO NOT search for their phone number! Scammers have already rigged the search results list on Google so that their fake phone numbers appear before the real ones. Those links go to fraudulent websites that will try to obtain personal or credit card information. If you need to contact any company, go directly to their website and look up the phone number.

If you think you’ve fallen victim to a scam, the first thing you should do is call me so that I can assess what has occurred. As appropriate, I will help you file a report with the local police, and work with you to contact your financial institutions.

I am going to insist that you log the case with the IC3 (https://www.ic3.gov). Your complaint must contain all of the required data, including banking information.

In terms of BEC fraud, there are more specific actions to take. These include:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless letter or Letter of Indemnity.
  • Never make any payment changes without first checking in with the intended recipient. Verify that email addresses are accurate when checking email on a cell phone or other mobile device.
  • And for heaven’s sake, call someone if there’s a significant amount of money involved, or if the request differs from your usual business process or procedures.

Thanks and safe computing!

In plain English, cryptojacking is the stealing the resources of your computer (processing power and electrical power) to mine a cryptocurrency. Data is “mined” on a computer by using special programs to solve complex, encrypted math equations to gain a piece of the currency.

Cybercriminals are always looking for the fastest and easiest way to conduct fraud, and one was revealed in late 2017. There is a company called Coinhive, which launched a service that mines for a digital currency, known as Monero, directly within a web browser. Anyone using the computer is completely unaware that anything is amiss; unless they realize their browser is running very, very, slowly.

According to Symantec, “cryptojacking is a way for cybercriminals to make free money with minimal effort. Cybercriminals can simply hijack someone else’s machine with just a few lines of code. This leaves the
victim bearing the cost of the computations and electricity that are necessary to mine cryptocurrency. The criminals get away with the tokens.”

In early 2018, Malwarebytes published a report on the current state of cryptomining and cryptojacking. Shown below is a map, which depicts the world view and it appears that the United States is greatly affected by this scourge:

According to cyber-guy Brian Krebs, “Monero differs from Bitcoin in that its transactions are virtually untraceable, and there is no way for an outsider to track Monero transactions between two parties. Naturally, this quality makes Monero an especially appealing choice for cybercriminals.”

If you think that something is not quite right with your computer, please give me a call. I want to be sure your computer isn’t running software you didn’t know anything about (and generating profits for crooks).