by Dr. Grigorios Fragkos, VP Cybersecurity
In this article we look at how cybercriminals combine attack tactics in order to infiltrate businesses. All staff in an organisation, including the CEO and the board of directors, need not only to be aware of the emerging threats currently being seen in the wild, but also to be cyber-aware and ready to defend against them.
More specifically, in 2015 we saw mobile devices becoming a backdoor into organisations, the rise of DDoS extortion attacks, and a number of cases where business executives were specifically targeted for fraud. The threat landscape is constantly expanding and becoming more complex.
Mobile devices and their attack surface
Every organisation uses mobile technology, and many allow staff to use their own devices under a Bring Your Own Device (BYOD) scheme. With the increased use of mobile technology, and the limited protection typically applied to these devices, they have become a key element in both targeted and untargeted cyber-attacks.
Mobile devices not only hold our personal and business information, but they are broadly undefended, which allows them to be used as a backdoor into corporate networks. If a device is infected or compromised, a cybercriminal could:
- Extract information such as application data and private communications.
- Turn on the microphone and eavesdrop on conversations.
- Turn on the camera.
- Track the device's location.
- Send emails and text messages impersonating the user.
- Alter the device's security settings and hold its information to ransom.
There has been an increase in compromised mobile devices being used in Distributed Denial of Service (DDoS) attacks without the knowledge of the device owner. Cybercriminals always target the lowest-hanging fruit, and mobile devices combined with untrained staff broaden an organisation's attack surface. The steps that can be taken to minimise the risk of mobile and BYOD based attacks include:
- Enforce PIN/password controls for access to mobile phones and tablets.
- Implement a Mobile Device Management (MDM) solution to control company data held on mobile and BYOD devices.
- Where available, require users to install and run company-approved anti-virus solutions on mobile and tablet devices.
- Prohibit the use of jail-broken or rooted devices.
DDoS extortion
DDoS extortion is an attack that is on the rise. In a DDoS extortion attack, a business typically receives an email stating that unless a fee is paid (about 50 Bitcoin), a DDoS attack will be launched. In some cases the email arrives after the DDoS attack has already started, claiming that it will stop only if the ransom is paid (or will be scaled back if a portion of the ransom is paid).
A recent example was ProtonMail, which paid a ransom to stop a DDoS attack that had been launched against it. How far a business can trust extortionists and cybercriminals is questionable: after ProtonMail had paid the ransom, a new DDoS attack was launched, which the extortionists claimed did not originate from their group.
“DD4BC” is the name of one group behind these extortion campaigns; it claims it can launch attacks of up to 400-500 Gbps lasting from a few hours to whole days. Another criminal group, which calls itself the “Armada Collective”, has been emailing online businesses demanding thousands of dollars in Bitcoin. The email sent to targeted businesses reads as follows:
If a business receives an email containing a threat of DDoS for ransom, it should be prepared to react. Do not ignore the threat, and make sure you are able to:
- Report the incident to the relevant e-crime unit (in Ireland – An Garda Siochana; in the UK – National Fraud & Cyber Crime Reporting Centre).
- Take guidance from law enforcement; do not pay any ransom demand before you have contacted the law enforcement agencies.
- Prepare your incident response team.
- Review your business continuity plan and business recovery plan.
- Ensure that your anti-DDoS defences can cope; contact your ISP and/or a DDoS protection provider to activate a protection plan.
- Notify key stakeholders and affected parties.
- Make sure Internet-facing services are patched and securely configured. Consider whether there are any services you could turn off to minimise the attack surface.
CEO fraud
CEO fraud is another attack vector that is growing. Here, the CEO is personally targeted by the cybercriminals. In some cases, spoofed emails are sent to employees and other third parties pretending to be from the CEO.
Usually, these emails carry urgent requests to send payments. Cybercriminals tend to focus their efforts on compromising the CEO's email account, as it gives them access to all the services he or she uses. Once they have gained access, they look for other passwords and may also infect the CEO's PC with malware.
Once the cybercriminals have access to the CEO's accounts and emails, they tend to instruct Finance to make payments to a number of accounts. These accounts may be Bitcoin wallets or belong to fake businesses. CEO fraud is unlikely to trigger spam filters, as these are targeted phishing emails that are not sent in bulk.
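As an added illustration (not code from the original article), the following Python script checks an incoming message for the impersonation signs described above: an executive's display name attached to an address that is not theirs, a look-alike sender domain, a Reply-To that diverts answers to a different mailbox, and payment-pressure wording. The corporate domain, the executive list and both sample messages are constructed for the example.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the company's real mail domain and the
# executives whose names an impersonator would borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording typical of the urgent payment requests described in the article.
PRESSURE_PHRASES = ("urgent", "wire transfer", "today", "confidential", "do not call")

# Constructed sample: a spoofed "CEO" message with a look-alike sender domain
# and a Reply-To that sends the reply to the attacker.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-secure-payments.net
To: finance@example.com
Subject: Urgent wire transfer - confidential
Date: Tue, 10 Nov 2015 08:14:00 +0000

Hi, I need you to process a payment to a new supplier today before 3pm.
I am in meetings all day so please do not call, just reply here.
"""

# Constructed sample: a genuine message from the same executive.
GENUINE_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q4 board pack
Date: Tue, 10 Nov 2015 09:30:00 +0000

Please send me the draft figures when you have them, no rush.
"""


def normalise_name(name: str) -> str:
    """Lower-case a display name and drop punctuation so case/punctuation variants compare equal."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ceo_fraud_indicators(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    from_domain = from_addr.rpartition("@")[2]
    findings: list[str] = []

    # 1. A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(normalise_name(display_name))
    if exec_addr and from_addr != exec_addr:
        findings.append(f"executive name '{display_name}' used with address {from_addr}")

    # 2. Sender domain is a near-miss of the corporate domain (typosquat / homoglyph).
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies silently diverted to a mailbox other than the apparent sender's.
    if reply_to and reply_to != from_addr:
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. Pressure language that pushes Finance to skip the agreed payment checks.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("payment-pressure language: " + ", ".join(hits))

    return findings


def looks_like_ceo_fraud(raw_message: str) -> bool:
    """Flag for manual verification when two or more independent indicators coincide."""
    return len(ceo_fraud_indicators(raw_message)) >= 2


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, looks_like_ceo_fraud(sample), ceo_fraud_indicators(sample))
```

A check like this belongs on the mail gateway or in the Finance mailbox as a trigger for the out-of-band payment verification, not as a replacement for it: a message sent from a genuinely compromised CEO account passes every header test above and is caught only by the agreed cross-check procedure.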
To be proactive against such threats, the business needs to include the CEO in any security assessments being performed, and the CEO must be involved in any security awareness training programme. In addition, businesses should:
- Ensure all staff use strong, unique passwords for their accounts.
- Implement two-factor authentication (2FA) wherever possible.
- Have an agreed procedure for how urgent and direct requests for payment are made, and how these are cross-checked and authorised (for example, confirming the request with the CEO over a separate, already-known channel before any payment is released).
- Provide cybersecurity awareness training for ALL staff.
- If the business falls victim to such an attack, make sure the incident is reported to your financial institution and to the e-crime unit (in Ireland – An Garda Siochana; in the UK – National Fraud & Cyber Crime Reporting Centre).
Do not make the headlines
The types of attack discussed in this article have been on the increase throughout 2015, and businesses need to be able to defend themselves against them. Most attacks can be prevented by implementing standard security controls, including:
- Good access control practices, including the use of strong passwords and two-factor authentication for all remote access.
- Effective patch management and secure configuration for all corporate systems; disable any unnecessary ports, protocols and services.
- Development of an incident response plan, with an assigned incident response team trained to respond to a range of incidents.
- Implementation of Mobile Device Management for mobile and BYOD users.
- Delivery of cybersecurity awareness training to all staff, including the CEO and Board of Directors.
- Assessment of the effectiveness of that training across the whole business, by testing your incident response plan.
All these attacks are discussed in the 2020 whitepaper published by the International Cyber Security Protection Alliance (ICSPA) as part of its Project 2020 initiative. The project's aim is to anticipate the future of cybercrime, enabling governments, businesses and citizens to prepare for the challenges and opportunities of the coming decade.
Furthermore, Project 2020 comprises a range of activities including threat reporting, scenario exercises, guidance on policies and capacity building: valuable resources for any business looking to protect itself from cyber threats.