by Connor Madsen | Oct 9, 2020 | Industry Intel
New Jersey Hospital Pays Massive Ransom
Officials have decided to pay roughly $670,000 in ransom
following a ransomware attack on the University
Hospital in New Jersey. The hospital was likely forced into this decision after
being unable to restore from backups the 240GB of data stolen in the attack on
their systems. It’s not entirely clear what information was stolen, but given the
haste of payment it was likely highly sensitive patient data.
COVID-Related Cyberattacks Target Canadian Companies
A recent survey revealed that over 25% of all Canadian
business organizations had been targeted by a COVID-19-themed
cyberattack since the beginning of the year. Most of the organizations surveyed
also reported seeing a significant rise in overall cyberattacks since the pandemic
began. Worrisome findings also revealed that 38% of organizations surveyed were
unsure if they had fallen victim to any type of cyberattack, which could mean
the amount of customer information for sale on black markets could be
significantly higher.
Boom! Mobile Website Compromised
Customer data has been compromised for users of the Boom!
Mobile website, which was infiltrated by malicious JavaScript. It’s still
unclear how the unauthorized code got onto the site or how long it was active.
Officials for the mobile company have confirmed they do not store payment card
data and that no Boom! Mobile accounts were compromised.
Major Ransomware Attacks Increase Through Q3
Researchers have reported a massive increase in ransomware
attacks in Q3 of 2020, with the Maze group being responsible for 12% of all
attacks. They also reported that Ryuk ransomware variants were responsible for
an average of 20 attacks per week. With the ongoing neglect of cybersecurity in
major corporations, ransomware attacks will likely continue as long as their
authors find them profitable.
Chicago Food Delivery Service Stricken with Data Breach
Nearly 800,000 customer records were compromised following a
data breach at ChowBus,
a Chicago-based food delivery service. With roughly 440,000 unique email
addresses exposed, many individuals are now more susceptible to additional phishing
attacks or identity theft. Fortunately, however, ChowBus does not store payment
card information on its site.
by Kyle Fiehler | Oct 6, 2020 | Business + Partners, SMBs
Like many of the technologies we discuss on this blog—think
phishing scams or chatbots—deepfakes aren’t necessarily new. They’re just
getting a whole lot better. And that has scary implications for private citizens
and businesses alike.
The term “deepfakes,” coined
by a Reddit user in 2017, was initially most often associated with
pornography. A once highly trafficked and now banned subreddit was largely
responsible for developing deepfakes into easily created and highly believable
adult videos.
“This is no longer rocket science,” an AI researcher told
Vice’s Motherboard in an early story on the problem of AI-assisted deepfakes
being used to splice celebrities into pornographic videos.
The increasing ease with which deepfakes can be created also
troubles Kelvin Murray, a senior threat researcher at Webroot.
“The advancements in getting machines to recognize and mimic
faces, voices, accents, speech patterns and even music are accelerating at an
alarming rate,” he says. “Deepfakes started out as a subreddit, but now there
are tools that allow you to manipulate faces available right there on your
smartphone.”
While creating deepfakes used to require good hardware and a
sophisticated skillset, app stores are now overflowing
with options for creating them. In terms of technology, they’re simply a specific
application of machine learning technology, says Murray.
“The basics of any AI system is that if you throw enough
information at it, it can pick it up. It can mimic it. So, if you give it enough
video, it can mimic a person’s face. If you give it enough recordings of a
person, it can mimic that person’s voice.”
There are several ways deepfakes threaten to redefine the
way we live and conduct business online.
Deepfakes as a threat to privacy
A stolen credit card can be cancelled. A stolen identity,
especially when it’s a mimicked personal attribute, is much more difficult to
recover. The hack of a firm dedicated to developing facial recognition
technology, for instance, could be a devastating source of deepfakes.
“So many apps, sites and platforms host so many videos and
recordings today. What happens when they get hacked? Will the breach of a
social media platform allow a hacker to impersonate you?” asks Murray.
Businesses must be especially careful about the data they
collect from customers or users, asking both if it’s necessary to collect and if
it can be stored safely afterwards. If personal data must be collected,
security must be a top priority, and not only for ethical reasons. Governments
are starting to enact some strict regulations and doling out some stiff fines
for data breaches.
Ultimately, Murray thinks those governments may need to
weigh in more heavily on the threat of deepfakes as they become even more
indistinguishable from reality.
“We’re not going to stop this technology. It’s here. But
people need to have the discussion about where we’re heading. In the same way GDPR
was created to protect people’s data, we’re going to need to have a similar
conversation about deepfakes leading to a different kind of identity theft.”
Deepfakes as a cybersecurity threat to businesses
It’s important to note the ways in which deepfakes can be
used to target businesses, not just to spoof individuals.
“These business-related instances aren’t too common yet,”
says Murray. “But we’re at the beginning of a wave right now in terms of
AI-enabled threats against businesses.”
A late
2019 attack against a U.K. energy firm could be a sign of scary things to
come. Rather than video, this attack took advantage of voice-spoofing
technology to pose as an executive’s manager, insisting he wire nearly $250
thousand to a “supplier” immediately. In the aftermath of the scam, the victim
reported being convinced by both the accent and the rhythm of the fake speech
pattern.
To safeguard against what could be a rising attack method,
Murray recommends businesses understand what deepfakes are capable of and
follow best practices for avoiding fraud, no matter the technology.
“Have well-defined protocol for changing account details and
signing off on any invoices,” he advises. “Train financial and accounting teams
especially rigorously on these protocols and encourage them to pick up the
phone and double-check when anything seems strange or off. In these days of
increased working from home it’s also tougher for financial staff to walk up to
other finance or sales colleagues and make informal double checks.”
Deepfakes and misinformation campaigns
Soon after deepfakes went mainstream, implications for
politics and the weaponization of misinformation became clear, prompting the
U.S. Senate to address the issue in
2018.
While initially used to humiliate or extort people, mostly
women, malicious actors began to see them as a way to sway public opinion or
sow chaos. Deeptrace,
a company dedicated to uncovering deepfakes, has noted instances where
manipulated video was used to promote social discord and scandal across the
globe.
“Deepfakes further undermine our ability to believe what we
read, and now even watch, on the internet,” says Murray. This leads to
widespread distrust, especially on issues where understanding is crucial, like
the coronavirus pandemic, where misinformation is bountiful.
To combat misinformation, Murray advises keeping in mind how
much of it is out there. Always consider the source of the information you’ve
received before acting on it, especially if it makes you angry or elicits some
other strong emotional response.
Deepfakes will likely make the internet even more difficult
to rely on as a source of information in the years to come. But reducing their
impact starts with understanding how far they’ve come and what they’re capable
of.
by Connor Madsen | Oct 2, 2020 | Industry Intel
Ryuk Shuts Down Universal Health Services
Computer systems for all 400 Universal
Health Services facilities around the globe have reportedly been shut down
following an attack by the Ryuk ransomware group. Ryuk is known for targeting
large organizations, but the healthcare industry has been gaining popularity
among these groups due to high volumes of sensitive information and typically
low levels of security. It’s unknown if the healthcare firm has paid ransoms
for the encrypted data or if they are restoring systems from available backups.
Global Insurance Firm Targeted by Ransomware
The Fortune 500 insurance firm AJG
was forced to take several computer systems offline over the weekend after
identifying a cyber-attack. It’s still unclear which ransomware variant was
responsible for the attack and officials with the firm haven’t revealed if customer
or employee information was stolen. Third-party researchers confirmed multiple AJG
servers, unpatched for a serious vulnerability, could have been the entry point
for the attack.
French Shipping Company Knocked Offline by Ransomware
All computer systems and websites belonging to CMA
CGM, a French shipping giant, were knocked offline by a crippling ransomware
attack. This attack makes CMA CGM the fourth international shipping company in
as many years to fall victim to a cyberattack; such attacks have proven
profitable. The company has verified that the Ragnar Locker ransomware group
was behind the attack, though they have not revealed the ransom asked.
Cyber Attack Forces Swatch to Disconnect Online Services
Though not confirmed by Swatch,
the Swiss watchmaker was reportedly forced to take many of their systems
offline after likely falling victim to a ransomware attack. While the company
did not verify the type of attack, ransomware’s prevalence this year makes it a
likely culprit. Swatch has announced they plan to seek legal action against the
attackers.
DDoS Attacks See Substantial Rise in 2020
There were over 4.8 million DDoS
attacks during the first half of 2020, a 15% rise over the same period last
year. May alone saw more than 900,000 DDoS attacks, a record for most in a
single month. Ninety percent of these attacks lasted for under an hour, marking
another shift from previous years’ attacks. They have also increased in
complexity, leaving victims and researchers with little time to defend
themselves.
by Justine Kurtz | Oct 1, 2020 | Business + Partners, SMBs, Threat Lab
Have you ever met a person who
thinks they know it all? Or maybe you’ve occasionally been that person in your
own life? No shame and no shade intended – it’s great (and important) to be
confident about your skills. And in cases where you know your stuff, we
encourage you to keep using your knowledge to help enhance the lives and
experiences of the people around you.
But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.
Overconfidence by the Numbers
Approximately
3 in 5 people (59%) worldwide think they know enough to stay safe online.
You may think 59% doesn’t sound
high enough to earn the label of “false confidence”. But there were two
outliers in our survey who dragged the average down significantly (France and
Japan, with only 44% and 26% confidence, respectively). If you only take the
average of the five other countries surveyed (the US, UK, Australia/New
Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK
respondents had the highest level of confidence out of all seven regions
surveyed with 75%.
8 in 10 people say they take steps to determine if an
email message is malicious.
Yet 3 in 4 open emails and click links from unknown
senders.
When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.
Individualism
According to Dr. Rajivan, it’s important to note that
Japan had the lowest level of confidence about their cybersecurity know-how
(only 26%), but the survey showed they also had the lowest rate of falling
victim to phishing (16%). He pointed out that countries with more individualistic
cultures seem to align with countries who ranked themselves highly on their
ability to keep themselves and their data safe.
“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”
– Prashanth Rajivan, Ph.D.
The Dunning-Kruger Effect
Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.
How These Numbers Affect Businesses
Only 14% of workers feel that a company’s cyber
resilience is a responsibility all employees share.
The
correlations between overconfidence and individualism may also translate into a
mentality that workers are not responsible for their own cybersecurity during
work hours. While 63% of workers surveyed agree that a cyber resilience
strategy that includes both security tools and employee education should be a
top priority for any business, only 14% felt that cyber resilience was a shared
responsibility for all employees.
How to Create a Cyber Aware Culture
The short answer: a strong combination of employee training and tools.
The long answer: when asked what
would help them feel better prepared to avoid phishing and prevent
cyberattacks, workers worldwide agreed that their employers need to invest more
heavily in training and education, in addition to strong cybersecurity tools.
Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity
awareness into their business culture, then they need to invest heavily in
their people.
“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
– Prashanth Rajivan, Ph.D.
Additionally, he tells us, “Human
behavior is shaped by past experiences, consequences and reinforcement. To see
a real change in human behavior related to phishing and online risk-taking habits
in general, people need frequent and varied experiences PLUS appropriate
feedback that incentivizes good behavior.”
Ultimately, the importance of
training can’t be emphasized enough. According to real-world data from
customers using Webroot® Security Awareness Training, which provides both
training courses and easy-to-run, customizable phishing simulations, consistent
training can reduce click rates on phishing scams by up to 86.5%.
It’s clear a little training can go a long way. If you want to increase cyber
resilience, you have to minimize dangerous false confidence. And to do that, you
need to empower your workforce with the tools and training they need to
confidently (and correctly) make strong, secure decisions about what they do
and don’t click online.
by Connor Madsen | Sep 29, 2020 | Industry Intel
DHS Announces Massive Increase in LokiBot Attacks
By monitoring and tracking cyberattacks over 2020, U.S.
Department of Homeland Security (DHS) officials have uncovered a significant
increase in cyberattacks being carried out by LokiBot,
a malicious info-stealer of stored passwords and cryptocurrency information.
The increase in LokiBot attacks can likely be attributed to its ability to
steal credentials from hundreds of applications, and its range of other features
that make it appealing to a wide variety of cyber criminals.
Long Island Hospital Suffers Data Breach
Blackbaud,
a third-party vendor for a Long Island hospital, may have exposed sensitive
patient information after it suffered a data breach this summer. In a July statement,
Blackbaud revealed personally identifiable information for a number of patients
was stolen but claimed it was destroyed shortly afterwards. Affected patients
have been contacted regarding the breach and stolen information.
Thousands of Customers Exposed in Town Sports Breach
A database containing highly sensitive information belonging
to over 600,000 customers and employees of Town
Sports International was found publicly exposed on the internet. Town
Sports recently filed for bankruptcy and was notified of this breach roughly a
week later. While the company did not publicly respond to the findings, the
information secured the following day included everything from physical
addresses to payment card info and other billing data. Past clients of the
fitness chain should be wary of any emails they receive regarding their Town
Sports memberships.
Global Operation Takes Down Major Dark Web Drug Network
In a major collaboration between Europol and other global
intelligence organizations, 179 individuals across six countries have been
arrested in relation to drug
trafficking through Dark Web markets. Officials also revealed that this
bust allowed them to seize $6.5 million in cash and hundreds of kilograms of
illicit drugs. The operation is another setback for anonymous marketplaces allowing
for the buying and selling of illegal goods and services as law enforcement continues
to target rogue online bazaars.
Data from Over 200 Merchants Leaked in Shopify Breach
Data from at least 200 merchants was compromised after an
internal support employee for Shopify
was found to be stealing data. While the data included only basic contact
information on customers and no payment card or social security info was taken,
officials for Shopify are still working to determine the extent of the theft
and if it has further changed hands. The employees involved with this breach
have since been fired and all access to Shopify systems has been revoked to prevent
further incident.
by Justine Kurtz | Sep 28, 2020 | Business + Partners, Managed Service Providers
“Ten years ago, you didn’t see
state actors attacking [small businesses]. But it’s happening now,” warns
George Anderson, product marketing director at Carbonite + Webroot, OpenText
companies.
Sadly, many of today’s managed
service providers who serve small and medium-sized businesses now have to
concern themselves with these very threats. Independent and state-sponsored
hacking groups use sophisticated hacking tools (advanced persistent threats or
APTs) to gain unauthorized access to networks and computers, often going undetected
for months or even years at a time. In fact, according to the 2020 Verizon Data
Breach Investigations Report, cyber-espionage is among the top patterns
associated with breaches targeting businesses worldwide.
These attacks can be difficult
even for highly sophisticated enterprise security teams to detect, stop or
recover from. But all businesses, no matter their size, must be ready for them.
As such, MSPs, themselves ranging in size from a few techs to a few hundred
professionals, may find they need help protecting their SMB customers from APTs;
that’s on top of the consistent onslaught of threats from ordinary, profit-motivated
cyberattackers. That’s where the concept of cyber resilience comes in.
What does cyber resilience look like?
“Being [cyber] resilient – knowing
that even if you’re knocked offline you can recover quickly – is essential for
today’s businesses,” George says.
The reality is that today’s organizations have to accept a breach is pretty much inevitable. Their level of cyber resilience is the measure of the organization’s ability to keep the business running and get back to normal quickly. “It’s being able to absorb punches and get back on your feet, no matter what threatens,” as George put it in a recent podcast with Joe Panettieri, co-founder MSSP Alert & ChannelE2E.
How can businesses and MSPs achieve cyber resilience?
Because cyber resilience is about
both defending against attacks and preparing for their inescapability, a major component in a strong resilience
strategy is the breadth of coverage a business has. In particular, having
tested and proven backup and disaster recovery solutions in place is the first
step in surviving a breach. If a business has reliable, real-time (or near
real-time) recovery capabilities, then in the event of an attack, they could
make it through barely skipping a beat.
Now, George has clarified that “no
single solution can offer complete immunity against cyberattacks on its own.”
To reduce the risk of events like data loss from accidental deletion, device
theft or hardware failure, your clients need multiple layers of protection that
secure their devices and data from multiple angles. Here are George’s top data
protection tips:
Ultimately, George says ensuring
business continuity for MSPs and the businesses they serve through
comprehensive cyber resilience solutions is the primary goal of the Carbonite +
Webroot division of OpenText.
“We want to up the advocacy and stop attacks from happening as much as we
possibly can. At the same time, when they inevitably do happen, we want to be
able to help MSPs recover and limit lost time, reputation damage, and financial
impact so businesses can keep functioning.”
by Mit Patel | Sep 24, 2020 | Business + Partners, Managed Service Providers
Guest blog by Mit Patel, Managing Director
of London-based IT Support company,
Netstar.
In this article, Webroot sits down with Mit
Patel, Managing Director of London-based MSP partner, Netstar, to discuss the
topic of remote work during a pandemic and tips to stay cyber resilient.
Why is it important to be cyber resilient, specifically when working remote?
It’s always important to be cyber
resilient, but a lot has changed since the start of the COVID-19 lockdown that needs
to be taken into consideration.
Remote work has posed new problems for
businesses when it comes to keeping data secure. Since the start of lockdown,
there has been a significant increase in phishing scams, ransomware attacks and
malicious activity. Scammers now have more time to innovate and are using the
widespread anxiety of coronavirus to target vulnerable people and businesses.
Moreover, the sudden shift in working
practices makes the pandemic a prime time for cyber-attacks. Employees can no
longer lean over to ask a colleague if they are unsure about the legitimacy of
an email or web page. Instead, they need to be confident in their ability to
spot and avoid potential security breaches without assistance.
Remote work represents a significant change
that can’t be ignored when it comes to the security of your business. Instead,
businesses need to be extra vigilant and prioritise their cyber resilience.
What does cyber resilience mean to you?
It’s important to differentiate between
cyber resilience and cyber security. Cyber security is a component of cyber
resilience, referring to the technologies and processes designed to prevent
cyber-attacks. Whereas, I believe cyber resilience goes a step further,
referring to the ability to prevent, manage and respond to cyber threats. Cyber
resilience recognises that breaches can and do happen, finding effective
solutions that mean businesses recover quickly and maintain functionality. The
main components of cyber resilience include training, blocking, protecting,
backing up and recovering. When all these components are optimised, your cyber
resilience will be strong, and your business will be protected and prepared for
any potential cyber threats.
Can you share some proactive methods for staying cyber resilient when working remote?
Absolutely. But it’s important to note that
no solution is 100% safe and that a layered approach to IT security is necessary
to maximise protection and futureproof your business.
Get the right
antivirus software. Standard antivirus software
often isn’t enough to fully protect against viruses. Businesses need to
consider more meticulous and comprehensive methods. One of our clients, a
licensed insolvency practitioner, emphasized their need for software that will
ensure data is protected and cyber security is maximised. As such, we
implemented Webroot SecureAnywhere
AntiVirus, receiving excellent client feedback, whereby the client stressed
that they can now operate safe in the knowledge that their data is secure.
Protect your network. DNS Protection is a critical layer for your cyber resilience
strategy. DNS will protect you against threats such as malicious links, hacked
legitimate websites, phishing attacks, CryptoLocker and other ransomware
attacks. We have implemented DNS Protection
for many of our clients, including an asset management company that wanted to
achieve secure networks with remote working capability. In light of the current
remote working situation, DNS Protection should be a key consideration for any
financial business looking to enhance their cyber resilience.
Ensure that you
have a strong password policy. Keeping your
passwords safe is fundamental for effective cyber resilience, but it may not be
as simple as you think. Start by making sure that you and your team know what
constitutes a strong password. At Netstar, we recommend having a password that:
- Is over 10 characters long
- Contains a combination of
numbers, letters and symbols
- Is unpredictable with no
identifiable words (even if numbers or symbols are substituted for letters)
You should also
have different passwords for different logins, so that if your security is
compromised for any reason, hackers can only access one platform. To fully
optimise your password policy, you need to consider multi-factor
authentication. Multi-factor authentication goes a step further than the
traditional username-password login. It requires multiple forms of
identification in order to access a certain email account, website, CRM etc. This
will include at least two of the following:
- Something you know (e.g. a
password)
- Something you have (e.g. an ID
badge)
- Something you are (e.g. a
fingerprint)
Ensure that you
have secure tools for communication. Collaboration
tools, like Microsoft Teams, are essential for remote working. They allow you
to communicate with individuals, within teams and company-wide via audio calls,
video calls and chat.
When it comes to
cyber resilience, it’s essential that your team know what is expected of them.
You should utilise collaboration tools to outline clear remote working guidance
to all employees. For example, we would recommend discouraging employees from
using personal devices for work purposes. The antivirus software installed on
these devices is unlikely to be of the same quality as the software installed
on work devices, so it could put your business at risk.
Furthermore, you
need to be confident that your employees can recognise and deal with potential
security threats without assistance. Individuals can no longer lean across to
ask a colleague if they’re unsure of the legitimacy of something. They need to
be able to do this alone. Security
awareness training is a great solution for this. It will teach your team
about the potential breaches to look out for and how to deal with them. This
will cover a range of topics including email phishing, social media scams,
remote working risks and much more. Moreover, courses are often added and
updated, meaning that your staff will be up to date with the latest scams and
cyber threats.
Implement an effective backup and disaster recovery strategy
Even with every
preventive measure in place, things can go wrong, and preparing for disaster is
crucial for effective cyber resilience.
In fact, a lot of
companies that lose data because of an unexpected disaster go out of business
within just two years, which is why implementing an effective backup and
disaster recovery strategy is a vital layer for your cyber resilience strategy.
First, we advise storing
and backing up data using an online cloud-based system. When files are
stored on the cloud, they are accessible from any device at any time. This is
particularly important for remote working; it means that employees can collaborate
on projects and access necessary information quickly and easily. It also means
that, if your device is wiped or you lose your data, you can simply log in to
your cloud computing platform and access anything you might need. Thus, data
can easily be restored, and you’re protected from potential data loss.
Overall, disaster
recovery plans should focus on keeping irreplaceable data safe. Consider what
would happen to your data in the event of a disaster. If your office burned
down, would you be confident that all your data would be protected?
You should be
working with an IT support partner that can devise an effective and efficient
disaster recovery plan for your business. This should set out realistic
expectations for recovery time and align with your insurance policy to protect
any loss of income. Their goal should be to get your business back up and
running as quickly as possible, and to a high standard (you don’t want an IT
support partner that cuts corners). Lastly, your IT support provider should regularly
test your strategy, making sure that if disaster did occur, they could quickly
and effectively restore the functionality of your business.
What else should fellow MSPs keep in mind during this trying time?
In the last four years, cyber resilience
has become increasingly important; there are so many more threats out there,
and so much valuable information that needs protecting.
We have happy clients because their
machines run quickly, they experience less IT downtime, and they rarely encounter
viruses or malicious activity. We know that we need to fix customers’ problems
quickly, while also ensuring that problems don’t happen in the first place.
Innovation is incredibly important to us, which is why we’ve placed a real
focus on proactive client advisory over the last 24 months.
That’s where a strong cyber resilience
strategy comes into play. MSPs need to be able to manage day-to-day IT queries,
while also focusing on how technology can help their clients grow and succeed
in the future. There is plenty of advice around the nuts and bolts of IT
but it’s the advisory that gives clients the most value. As such, MSPs should ensure
they think like a customer and make technological suggestions that facilitate
overall business success for their clients.
by Justine Kurtz | Sep 23, 2020 | Business + Partners, SMBs
Phishing has been around for ages
and continues to be one of the most common threats that businesses and home
users face today. But it’s not like we haven’t all been hearing about the
dangers of phishing for years. So why do people still click?
That’s what we wanted to find out when we conducted our most recent survey. We checked in with thousands of office workers across seven different countries to get a global perspective on phishing and people’s individual click habits. Then we partnered with Dr. Prashanth Rajivan, assistant professor at the University of Washington, to gain a deeper understanding of phishing and those habits, as well as how things have shifted during COVID-19 in our new report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis.
In this blog post, we’ve summarized this comprehensive report and included tips for how to stay safe, but we strongly encourage you to check out the full writeup.
Why do people still click?
3 in 10 people worldwide clicked a phishing link in the past year. Among Americans, it’s 1 in 3.
According to Dr. Rajivan, what we need
to consider is that human beings aren’t necessarily good at dealing with
uncertainty, which is part of why cybercriminals capitalize on upheaval (such
as a global pandemic) to launch attacks.
“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.”
– Prashanth Rajivan, Ph.D.
Tip #1
- For businesses: Ensure workers have clear distinctions between work and personal time, devices, and obligations. This helps reduce the amount of uncertainty that can ultimately lead to phishing-related breaches.
- For individuals: Hackers often exploit security holes in older software versions and operating systems. Update software and systems regularly to help shut the door on malware.
Has phishing increased since COVID-19 began?
At least one in five people have received a phishing email related to COVID-19.
There’s no doubt that the global COVID-19 pandemic has changed a lot about how we live and work. According to our survey, 54% of workers spend more time working from home than they did before the pandemic. With more people connecting to the internet outside of corporate networks and away from the watchful eyes of IT teams, it’s to be expected that cybercriminals would take advantage.
“[We’ve seen] massive spikes […] in phishing URLs targeting COVID-related topics. For example, with more people spending time at home, use of streaming services has gone up. In March alone, we saw a 3000% increase in phishing URLs with ‘youtube’ in the name.”
– Grayson Milbourne, security intelligence director, Carbonite + Webroot, OpenText Companies
Regardless, the majority of people surveyed still think they are at least as prepared, or more prepared, to spot phishing email attempts now that they’ve spent more time working from home.
“People are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.”
– Prashanth Rajivan, Ph.D.
Tip #2
- For businesses: Know your risk factors and overprepare. Once you’ve assessed the risks, you can create a stronger data breach response plan.
- For individuals: Stay on your toes. By being vigilant
and maintaining a healthy dose of suspicion about all links and attachments in
messages, you can significantly decrease your phishing risk.
People say they know better. Do they really?
81% of people say they take steps to determine if an email message is malicious. Yet 76% open emails and click links from unknown senders.
When we asked Dr. Rajivan why these numbers don’t line up, he said the difference is between knowing what you should do and actually doing it.
“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.”
– Prashanth Rajivan, Ph.D.
Tip #3
- For businesses: Back up data and ensure employees can access and retrieve data no matter where they are. Accidents happen; what matters most is being able to recover quickly and effectively. Don’t forget to back up collaboration tools too, such as Microsoft® Teams and the Microsoft® 365 suite.
- For individuals: Make sure important data and files are backed up to secure cloud storage or an external hard drive. In the case of a hard drive, make sure it’s only connected while backing up, so you don’t risk backing up infected or encrypted files. If it’s a cloud backup, use the kind that lets you restore to a specific file version or point in time.
What’s the way forward?
All over the world, workers say that in order to be better prepared to handle cyberattacks, they need more education.
According to global respondents, more knowledge and better understanding is key for stronger cyber resilience. The top three things people everywhere said would help them better prepare themselves to handle cyber threats like phishing were: knowing which tools could help prevent an attack, knowing what to do if you fall victim to an attack, and understanding the most common types of attacks.
Dr. Rajivan points out that, if businesses are asking individuals to make changes to their own behavior for the greater safety of all, then they need to make it clear they are willing to invest in their people.
“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
– Prashanth Rajivan, Ph.D.
Tip #4
- For businesses: Invest in your people. Empower your people with regular training to help them successfully avoid scams and exercise appropriate caution online.
- For individuals: Educate yourself. Even if your company provides training, Dr. Rajivan recommends we all subscribe to cybersecurity-related content in the form of podcasts, social media, blogs, and reputable information sources to help keep strong, cyber resilient behavior top-of-mind.
Want more details on click habits and shifting risks during COVID-19?
Read our full report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, to start building out your cybersecurity education today. And be sure to check back here on the Webroot blog for the latest news in phishing prevention.
by Kyle Fiehler | Sep 22, 2020 | Home + Mobile
People’s fears and fantasies about artificial intelligence predate
even computers. Before the term was coined in 1956, computing pioneer Alan
Turing was already speculating about whether machines could think.
By 1997 IBM’s Deep Blue had
beaten chess champion Garry Kasparov at his own game, prompting hysterical
headlines and the game Go to replace chess as the symbolic bar for human vs.
machine intelligence. At least until 2017 when Google’s AI platform AlphaGo ended human
supremacy in that game too.
This brief run through major milestones in AI helps
illustrate how the technology has progressed from miraculous to mundane. AI now
has applications for nearly every imaginable industry including marketing,
finance, gaming, infrastructure, education, space exploration, medicine and
more. It’s gone from unseating Jeopardy! champions to helping us do our taxes.
In fact, imagine the most unexciting interactions that fill
your day. Those to-dos you put off until you no longer can. I’m
talking about contacting customer support. AI now helps companies do this
increasingly in the form of chatbots. The research firm Gartner tells
us consumers appreciate AI for its ability to save them time and for providing
them with easier access to information.
Companies, on the other hand, appreciate chatbots for their
potential to reduce operating costs. Why staff a call center of 100 people when
ten, supplemented by chatbots, can handle a similar workload? According
to Forrester, companies including Nike, Apple, Uber and Target “have
moved away from actively supporting email as a customer service contact
channel” in favor of chatbots.
So, what could go wrong, from a cybersecurity perspective,
with widespread AI in the form of customer service chatbots? Webroot principal
software engineer Chahm An has a couple of concerns.
Privacy
Consider our current situation: the COVID-19 crisis has forced
the healthcare industry to drastically amplify its capabilities without a
corresponding rise in resources. Chatbots can help, but first they need to be
trained.
“The most successful chatbots have typically seen the
data that most closely matches their application,” says An. Chatbots
aren’t designed like “if-then” programs. Their creators don’t direct them. They
feed them data that mirrors the tasks they will be expected to perform.
“In healthcare, that could mean medical charts and
other information protected under HIPAA.” A bot can learn the basics of English
by scanning almost anything on the English-language web. But to handle medical
diagnostics, it will need to know how real-world doctor-patient interactions unfold.
“Normally, medical staff are trained on data privacy
laws, rules against sharing personally identifiable information and how to
confirm someone’s identity. But you can’t train chatbots that way. Chatbots have
no ethics. They don’t learn right from wrong.”
This concern is wider than just healthcare, too. All the
data you’ve ever entered on the web could be used to train a chatbot: social
media posts, home addresses, chats with human customer service reps…in unscrupulous
or data-hungry hands, it’s all fair game.
Finally, in terms of privacy, chatbots can also be gamed into
giving away information. A cybercriminal probing for SSNs can tell a chatbot,
‘I forgot my social security. Can you tell it to me?’ and sometimes be
successful because the chatbot succeeds by coming up with an answer.
“You can game people into giving up sensitive information,
but chatbots may be even more susceptible to doing so,” warns An.
Legitimacy
Until recently chatbot responses were obviously potted, and
the conversations directed. But they’re getting better. And this raises
concerns about knowing who you’re really talking to online.
“Chatbots have increased in popularity because they’ve
become so good you could mistake them for a person,” says An. “Someone who is
cautious should still have no problem identifying one, by taking the
conversation wildly off course, for instance. But if you’re not paying
attention, they can be deceptive.”
An likens this to improvements in phishing attempts over the
past decade. As phishing filters have improved—by blocking known malicious IP
addresses or subject lines commonly used by scammers, for example—the attacks
have gotten more subtle. Chatbots are experiencing a similar arms-race type of
development as they improve at passing themselves off as real people. This may
benefit the user experience, but it also makes them more difficult to detect.
In the wrong hands, that seeming authenticity can be dangerously applied.
Because chatbots are also expensive and difficult to create,
organizations may take shortcuts to catch up. Rather than starting from
scratch, they’ll look for chatbots from third-party vendors. While more
reputable institutions will have thought through chatbot privacy concerns, not
all of them do.
“It’s not directly obvious that chatbots could leak
sensitive or personally identifiable information that they are indirectly
learning,” An says.
Chatbot security and you – what can be done?
1. Exercise caution in conversations
Don’t be afraid to start by asking if a customer service rep
is a real person or a bot. Ask what an organization’s privacy policy says about
chat logs. Even ask to speak with a manager or to conduct sensitive exchanges
via an encrypted app. But regardless, exercise caution when exchanging
information online.
“It used to be any time you saw a web form or dialogue
box, that heightened our caution. But nowadays people are publishing so much
online that our collective guard is kind of down. People should be cautious
even if they know they’re not speaking directly to a chatbot,” An advises.
In general, don’t put anything on the internet you wouldn’t
want all over the internet.
2. Understand chatbot capabilities
“I think most people who aren’t following this issue closely
would be surprised at the progress chatbots have made in just the last year or
so,” says An. “The conversational ability of chatbots is pretty
impressive today.”
GPT-3 by OpenAI is “the largest language model ever created
and can generate amazing human-like text on demand,” according to MIT’s Technology
Review and you can see what it can do here. Just knowing what
it’s capable of can help internet users decide whether they’re dealing with a
bot, says An.
“Both sides will get better at this. Cybersecurity is always
trying to get better and cybercriminals are trying to keep pace. This
technology is no different. Chatbots will continue to develop.”
by Connor Madsen | Sep 21, 2020 | Industry Intel
Magecart Launches Largest E-commerce Attack to Date
Roughly 2000 e-commerce sites were compromised in the latest Magecart
campaign targeting an out-of-date version of Magento software. It’s believed an
additional 95,000 sites that haven’t patched to the latest Magento version could
also be targeted by the payment skimming malware. The campaign began last
Friday and by Monday had stolen data from over 1,900 stores serving tens of
thousands of customers.
Staples Delivery System Responsible for Data Breach
Nearly two weeks after being contacted by a cybersecurity
firm regarding their use of unsecured VPN servers, Staples
has released a statement about a data breach that stemmed from a flaw in their delivery
systems. Because Staples’ delivery tracking system required only an order
number to pull up the entire order summary, customers were able to enter any
number around their own order and access payment and other sensitive
information belonging to other Staples customers. While the company has since
resolved the flaw, it seems they have not yet contacted victims whose
information was exposed.
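The access-control flaw described above, shown next to two corrected lookups, as an added example that is not Staples’ code. The function names, the order schema, the tracking-token scheme and the sample orders are all constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: order number -> order record (hypothetical schema).
ORDERS = {
    100041: {"customer_id": "c-alice", "items": ["toner"], "card_last4": "4242"},
    100042: {"customer_id": "c-bob", "items": ["paper"], "card_last4": "1881"},
}
# Assumed design: a random per-order token is sent to the buyer with the
# order confirmation and must accompany any guest tracking request.
TRACKING_TOKENS = {number: secrets.token_urlsafe(32) for number in ORDERS}


def lookup_vulnerable(order_number):
    """Flawed pattern: the sequential order number is the only credential."""
    return ORDERS.get(order_number)


def lookup_authenticated(order_number, session_customer_id):
    """Return the full order only to the logged-in customer who placed it."""
    order = ORDERS.get(order_number)
    # Same response for "no such order" and "not your order", so the
    # endpoint cannot be used to confirm which order numbers exist.
    if order is None or order["customer_id"] != session_customer_id:
        return None
    return order


def lookup_guest(order_number, token):
    """Guest tracking: require the unguessable token, return a reduced view."""
    expected = TRACKING_TOKENS.get(order_number)
    if expected is None:
        return None
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected.encode(), str(token).encode()):
        return None
    # Guests never receive payment or contact fields.
    return {"items": ORDERS[order_number]["items"]}
```
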
Staffing Firm Suffers Second Ransomware Attack in 2020
Artech Information Systems, a global IT staffing firm, has recently fallen victim
to their second ransomware attack of the year. Following a January attack by
the REvil ransomware group, which released a small portion of company data
after not receiving a ransom payment, Artech has now been infiltrated by the
MAZE group, likely using a prior backdoor to the systems. Secondary ransomware
attacks typically stem from improper resolution of the initial attack that
leaves a system an easy target for another group.
Misconfigured Elasticsearch Exposes Over 100,000 Razer Customers
A security researcher found an unsecured Elasticsearch
cluster late last month containing highly sensitive information for over
100,000 Razer customers. The exposed data contained personally identifiable
information and order details with everything but the actual payment card data.
Fortunately, Razer was quick to resolve the issue after being notified and set
up an email address that worried customers could contact for more information.
SunCrypt Ransomware Targets University Hospital New Jersey (UHNJ)
Over 240GB of data was allegedly stolen from the University
Hospital New Jersey after a SunCrypt ransomware attack. The attack was
likely initiated against university systems shortly after a TrickBot infection
last month compromised systems. The owners of SunCrypt have already released
1.7GB of the stolen data, which equates to roughly 48,000 documents containing
highly sensitive personal information on patients and employees.