STE WILLIAMS

Facebook revamps security, privacy settings following huge data scandal

Following the Cambridge Analytica (CA) privacy train wreck that has been the past two weeks, Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.

The changes are due to arrive over the coming weeks.

It gave details in a blog post on Wednesday.

Facebook VP of policy and chief privacy officer Erin Egan credited the CA revelations for showing the company that they’ve got work to do:

Last week showed how much more work we need to do to enforce our policies and help people understand how Facebook works and the choices they have over their data. We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed.

Last week, CEO Mark Zuckerberg announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.

The core of the personal-data-gobbling scandal is, of course, how very, very easy it’s been for apps to get at that data. … And how precious little Facebook has done to police those apps. … And the near-nil steps Facebook took to verify that the data of 50 million Facebook users inappropriately shared with data analytics firm CA had in fact been deleted (it hadn’t).

Egan said in Wednesday’s post that the revamp of privacy and security controls has been in the works “for some time,” but “the events of the past several days underscore their importance.”

The changes, not surprisingly, put the onus on users to delve into what data Facebook has on them. The changes don’t speak to the lack of vetting Facebook has put app developers through.

The security and privacy settings changes fall into these three buckets:

  • A simpler, centralized settings menu. Facebook redesigned the settings menu on mobile devices “from top to bottom” to make things easier to find. No more hunting through nearly 20 different screens: now, the settings will be accessible from a single place. Facebook also got rid of outdated settings to make it clear what information can and can’t be shared with apps. The new version not only regroups the controls but also adds descriptions regarding what each involves.
  • A new privacy shortcuts menu. The dashboard brings together into a central spot what Facebook considers to be the most critical controls: for example, the two-factor authentication (2FA) control; control over personal information so you can see, and delete, posts; the control for ad preferences; and the control over who’s allowed to see your posts and profile information.
  • Revised data download and edit tools. There will be a new page, Access Your Information, where you can see, and delete, what data Facebook has on you. That includes posts, reactions and comments, and whatever you’ve searched for. You’ll also be able to download specific categories of data, including photos, from a selected time range, rather than going after a single, massive file that could take hours to download.

Note what Facebook isn’t making it easier to find: the Doomsday button, as in, the sayonara, suckers, I’m out of here option of deleting your Facebook account and all its data entirely. (Want to know how? Carefully, and only after you’ve downloaded all your data. Here’s how.)

Pulling the Facebook plug will put you into good company: the #DeleteFacebook movement includes such luminaries as Elon Musk and comedian Will Ferrell, for example.

Though Egan didn’t say a peep about making it easier to delete your Facebook account, the BBC says that it “understands the firm also intends to make the link to fully delete an account more prominent.”

Post-CA damage control at Facebook also includes diminishing its cozy relationship with data analytics firms such as CA and AggregateIQ (AIQ), an analytics firm tied to CA that recently, allegedly left its code lying around, open for all to access.

As CNN reports, Facebook announced, also on Wednesday, that it’s cutting third-party data providers out of ad targeting by shutting down a tool that enables advertisers to target users with information gathered by external data brokers.

The tool is known as Product Categories. Graham Mudd, a product marketing director at the company, said in a statement that killing the tool should lead to greater privacy:

While this is common industry practice, we believe this step, winding down over the next six months, will help improve people’s privacy on Facebook.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SLCSHBz1Kq0/

Boeing hit by WannaCry, reminding everyone the threat is still there

When senior Boeing engineer Mike VanderWel reportedly sent an “all hands on deck” internal memo yesterday warning that the dreaded WannaCry malware was on the loose inside the company’s networks, alarm quickly spread.

According to excerpts leaked to the media, his anxiety is palpable:

[The malware] is metastasizing rapidly out of North Charleston and I just heard 777 [production] may have gone down. We are on a call with just about every VP in Boeing.

To many in the company and beyond, this must have sounded worryingly reminiscent of the way WannaCry attacks unfolded across numerous large organisations during its first appearance last May.

Now, as then, WannaCry carries with it a feeling of helplessness, as if what is happening is unstoppable and therefore disruption is inevitable.

A few hours later, however, Boeing felt able to downplay the incident in various statements, including the following tweet:

Statement: A number of articles on a malware disruption are overstated and inaccurate. Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue.

Some in the media have talked this up as WannaCry’s ‘return’, even though it never went away entirely.

One reason for this persistence is that WannaCry doesn’t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded.

Applying patches for vulnerabilities on this platform isn’t always straightforward, which helps to explain why WannaCry was so devastating in the first place, despite Microsoft having offered a patch three months earlier for the vulnerabilities exploited by the malware.

The Boeing incident echoes the other big vulnerability story this week in which an entire US city, Atlanta, found itself driven back to paper systems after a major ransomware outbreak. This too, it has been suggested, was aided by known but unpatched vulnerabilities.

Far from being behind us, the Boeing outbreak is a woeful reminder that a fair part of the WannaCry story lies ahead and has yet to unfold.


Image of Boeing 777 from Wikimedia.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aviUBQCBrTQ/

Creaking protocols are threat to EU’s telecom infrastructure security

Legacy technologies pose a threat to the European Union’s telecommunications infrastructure, a study by cybersecurity agency ENISA warns.

2G/3G mobile networks worldwide still depend on SS7 and Diameter for controlling communications (routing voice calls and data) as well as sets of protocols designed “decades ago without giving adequate effect to modern day security implications”, ENISA (the European Union Agency for Network and Information Security) said.

A full range of new services (cloud, financial and so on) is being developed on top of, or relies on, telecoms infrastructure for delivery.

Some security measures have been rolled out by more mature providers, but these only assure a basic level of protection. More needs to be done in order to achieve an adequate level across the EU, according to ENISA.

Although the current 4G mobile telecommunication generation uses a slightly improved signalling protocol, Diameter, this is still potentially vulnerable.

“The industry is still trying to understand exactly what the implications are and to identify possible workarounds,” the study warned. “It is highly probable that in the near future we will see real attacks as well as suitable solutions becoming available.”

The new 5G mobile generation is still under development. Early releases from some vendors are already available but the standards are still in their infancy. ENISA warns of a risk of history repeating.

“Given the improvements that 5G will bring – such as more subscribers, increased bandwidth etc – having the same security risks can be extremely dangerous,” it concluded.

The report makes several recommendations to stakeholders: the EU Commission should consider the adoption of baseline security requirements for electronic communications providers that include signalling security. And national regulators should consider whether telecom signalling issues should be incorporated into incident reporting regimes.

Telecom providers should “implement the necessary measures to ensure an adequate level of security and integrity of telecommunication networks,” ENISA added. The agency also urged standardisation bodies to ensure that signalling security is properly covered within the new 5G standards.

The recommendations were put together by a panel of experts including representatives from most of the member states’ national regulators. EU mobile network operators were consulted during the study. Trade body the GSMA assisted by both supplying specific documentation and promoting the study among its stakeholders. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/29/telecom_protocol_security_enisa/

Deconstructing a Business Email Compromise Attack

How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

Debbie Walkowski contributed to this article. 

When Tina Brown and Phil Demarco decided to sell their home in New Jersey and purchase a new home in Colorado last December, the last thing they expected was to receive a phony email from their realtor instructing them how and where to wire-transfer the closing funds.

Brown and Demarco were lucky. Their suspicions raised, they called their realtor, who told them she had sent no such email. The couple immediately notified the title company of the fraud.  

In this case, timing and some healthy skepticism saved Brown and Demarco from what is commonly known as a business email compromise (BEC) attack. The attackers tried to pull off their scam a few days too early: the New Jersey sale hadn’t closed yet. Had it closed on the day the couple forwarded the wiring instructions to the title company, they would have lost everything.

“The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor,” said Brown. “And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake.”

How Scammers Are Succeeding
To pull off this type of scam, scammers need information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. When attackers can’t break into email accounts, they spoof email addresses instead. Being technically savvy consumers, Brown and Demarco did some digging and discovered the scammers had used one of many questionable online email services — in their case, one run by a group of hackers in Germany — to impersonate all parties involved and make the emails untraceable.

Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from syndicated real estate websites that include information about a property from the multiple listing services and social media sites. If scammers don’t know the exact closing date of a real estate deal, no problem. It’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.

How Widespread and Impactful Is It?
Despite many regional and national news outlets covering BEC attacks, it seems to be growing. Brown and Demarco’s realtor, Christine Miller, said, “We had heard about it but hadn’t experienced it. Now, suddenly it’s gotten really bad.”

An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now, with their involved conversation threads and personalized details. They also have far fewer of the telltale grammar and spelling errors we have come to expect in email scams. Miller adds, “We’re informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company.”

This particular home-buying scam is just one variant of BEC, which can include any scam targeting businesses that regularly perform wire transfer payments. The Internet Crime Complaint Center (IC3), a multi-agency task force that includes the FBI, has been tracking all types of BEC scams since 2013. In the US and internationally between October 2013 and December 2016, there were over 40,000 incidents that totaled $5.3 billion in “exposed dollar loss” — that is, dollars actually stolen plus dollars the attackers attempted to steal.

Steps to Defend Against BEC 
Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.

In general, all organizations should conduct security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:

  • Scrutinize all email carefully, especially as scammers up their “grammar game” and use social engineering to customize messages for specific victims.
  • Never click on embedded links.
  • Open attachments only when they are requested or expected.
  • Beware of email messages that include statements of urgency, content that seems out of character for the sender, or restrictive instructions such as “reply only to this email.”
  • Never click “Reply” when in doubt about the legitimacy of an email. Instead, use “Forward” and type the recipient’s known, legitimate email address in the To: field.
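The tips above translate into checks a mail gateway or a help desk can run on a suspect message. The following is an added example, not code from the article or from F5: it parses a message and flags a Reply-To address on a different domain from the From address (the reason behind the “never click Reply” tip), a display name that matches a known party to the closing but arrives from an address that party does not use, and pressure or channel-restricting language such as “reply only to this email”. The contact directory, the domains and both sample messages are constructed for the example.

```python
"""Flag indicators of a business email compromise (BEC) message.

Added example, not part of the original article. Handles single-part
text/plain messages; the contact directory and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of the parties to a closing: display name -> address on file.
KNOWN_CONTACTS = {
    "Christine Miller": "cmiller@example-realty.test",
    "Closing Desk": "closing@example-title.test",
}

# Wording the article singles out: urgency, and instructions that restrict the reply channel.
PRESSURE_PATTERNS = [
    r"\burgent\b",
    r"\bimmediately\b",
    r"\btoday\b",
    r"reply only to this email",
    r"\bwire (transfer|instructions)\b",
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list:
    """Return the list of BEC indicators found in one RFC 822 text message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Reply-To on another domain: pressing "Reply" would send the
    #    conversation to the attacker rather than to the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"reply-to domain mismatch: {reply_addr} vs {from_addr}")

    # 2. Display name of a known party, but not from the address on file.
    expected = KNOWN_CONTACTS.get(from_name.strip())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{from_name}' used with unknown address {from_addr}")

    # 3. Pressure or channel-restricting language in the subject or body.
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    for pattern in PRESSURE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"pressure or channel language matched /{pattern}/")
    return findings


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators is the threshold used here for escalation."""
    return len(bec_indicators(raw_message)) >= 2


# Constructed sample: the scammer's message, using the realtor's name from a look-alike address.
SPOOFED = """From: Christine Miller <christine.miller@mail-relay.test>
Reply-To: closing-desk@secure-wire.test
Subject: URGENT: updated wire instructions for closing today
Content-Type: text/plain; charset=utf-8

Please wire the closing funds to the account below today. Reply only to this email.
"""

# Constructed sample: a routine message from the realtor's real address.
LEGITIMATE = """From: Christine Miller <cmiller@example-realty.test>
Subject: Walk-through schedule
Content-Type: text/plain; charset=utf-8

Hi both, can we confirm Thursday at 10 for the final walk-through?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, is_suspicious(raw), bec_indicators(raw))
```

The display-name check is the one that catches the case the article describes, where every name and signature block was correct but the mail did not come from the parties' real mailboxes; it only works if the directory of addresses on file is maintained out of band, which is exactly the phone-call verification the realtor recommends.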

Fortunately, this story had a happy ending for Brown and Demarco but for many others it does not. With this particular scam, timing is everything. Potential victims should immediately contact the financial institution handling the wire transfer. In addition, they should report the crime to the FBI, and file a complaint with the Internet Crime Complaint Center and the Federal Trade Commission.


David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA …

Article source: https://www.darkreading.com/partner-perspectives/f5/deconstructing-a-business-email-compromise-attack/a/d-id/1331380?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Election Swing States Score Low Marks in Cybersecurity

C and D grades for Florida, Michigan, New Hampshire, Nevada, and Ohio, SecurityScorecard assessment shows.

Florida, Michigan, New Hampshire, Nevada, and Ohio each earned either C or D averages in their cybersecurity posture, according to new data from a security ratings firm.

SecurityScorecard, in its annual report on US federal, state, and local government-sector security, assessed the states’ security posture in endpoint, IP reputation, network, and patching, and found them seriously lacking. Florida and Ohio earned a C grade overall; New Hampshire, Nevada, and an undisclosed city in Michigan each scored a D average; and one unnamed county in Florida scored a C, while one in Ohio earned a D.

The grading system is based on SecurityScorecard’s benchmarking platform, which aggregates data from millions of sensors across the Internet that gather and analyze public-facing security postures of IP addresses and identifiable software versions and services, and then maps them to organizations, including browser versions and patching cadence. “We’re looking at what a hacker would look at” online, says Alex Heid, chief research officer at SecurityScorecard. The firm analyzed the security posture of 655 government agencies, each of which had more than 100 public-facing IP addresses.

Among the systems spotted in the analysis were state and local voter registration systems, many of which run older legacy software that contains common Web vulnerabilities such as SQL injection and remote code execution bugs, Heid says. But even if a malicious hacker were to detect and hack into one of those systems, it wouldn’t necessarily affect the voting process, he says, even if he or she changed some names and information, because those systems typically have backups and lots of redundancy.

“The bigger risk is an innocuous Web app compromise on a server that is then used to pivot to the rest of the network behind the firewall,” Heid notes. “If the voter registration server is on the same server as the county court system payments,” for example, that would be exposed, he says.

The states’ grades are based on a snapshot in time of the government agencies’ security postures and don’t necessarily mean those states are poorly secured, or that any states with A’s are secure. “It’s fluid and indicates how they are doing at that time,” he says. “Everyone has vulnerabilities and exploitable conditions. It’s measured based on how quickly they respond to those conditions.”

The fact that New Hampshire barely passed with a D doesn’t mean elections held there are more hackable, for example, so the grades don’t mean much in terms of the security of the 2018 elections, he says.

Dam Webcam
Among the exposed systems SecurityScorecard’s study found was a city power plant server sitting on the public Internet that was accessible via a Web browser. “You see the dam’s Web cam, and there’s a big red button that says ‘open dam,’” he says. The company contacted the site so it could remedy the exposure, he says.

Overall, government agencies score lower than most other sectors in endpoint security, network security, and patching cadence, according to the findings.

“Government has a lower grade, similar to university systems. It’s not that they are bad at security,” but more that governmental organizations typically have older systems in place and require more layers of approval for patching and other updates, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/us-election-swing-states-score-low-marks-in-cybersecurity/d/d-id/1331397?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

University Networks Become Fertile Ground for Cryptomining

Sixty percent of cryptomining detections in a Vectra study occurred on higher-education networks.

Large, high-bandwidth university networks have become fertile ground for cryptomining activity by criminals and students, who are taking advantage of their free access to cash in on the crypto boom.

Automated threat management provider Vectra recently analyzed attack behavior patterns and trends from a sample of 246 of its enterprise customers across 14 industries, and it found that a startling 60% of all cryptocurrency mining detections occurred in higher-education networks.

In comparison, the entertainment and leisure sector, which ranked second, accounted for just 6% of all detections; the financial sector, often thought to be a popular target, had just 3%.

University networks — with their high-bandwidth capacities and large volume of students with relatively unprotected systems — make for an attractive target for cryptomining activity, says Chris Morales, Vectra’s head of security analytics.

The tendency of students to use untrusted sites to download illegal movies and music, for instance, makes their systems easy targets for hosting cryptomining software. The free access to the Internet and electric power that is available to students is another factor.

“Cryptocurrency mining converts electricity to monetary value by using computational resources,” Morales says. “This is very expensive to accomplish without a free source of power and a lot of computing resources with minimal security controls that are exposed to the Internet.”

University networks fit the bill and are ideal pastures for “cryptojackers” and for those looking to earn money performing cryptomining from their dorm rooms using their own personal systems, he says. “Even at the current value of $9,000 per bitcoin, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value.”

Because the data Vectra collects is anonymized, it is hard to tell for sure to what extent students are engaged in cryptomining activity. “[But] we do know there is a mix of students and attackers performing cryptomining in university networks,” based on information from university customers, Morales says.

Unlike corporate networks, which have strict security controls for curbing cryptocurrency mining, universities have few of the same measures. At best, they can advise students on how to protect themselves, help them clean infected systems, and create awareness of phishing emails, suspicious websites, and online ads, he says.

Vectra’s data showed systems that were part of or connected to university networks had considerably more malicious behavior overall — like command and control communications, botnet activity, and lateral movement — than systems in other sectors.

Attacker behavior volumes, at 3,715 detections per 10,000 devices, were nearly 25% higher on university networks than on systems in the engineering industry, the sector with the second highest volume of malicious activity (2,918 detections per 10,000 devices).

Command and control activity in higher-education environments, at 2,205 detections per 10,000 devices, was nearly five times the industry average of 460 detections per 10,000 devices. Botnet activity accounted for 151 detections per 10,000 devices, compared with the industry average of 33 detections.

Attacker Behaviors

Vectra’s data, gathered from some 4.5 million customer devices and workloads, adds to numerous other data sets over the years showing higher-education networks to be among the most poorly secured against threats compared with any other sector.

The data also showed what attackers generally tend to do once they gain access to a system or network. “Most security teams have in-depth knowledge of the techniques an attacker uses to get through the prevention layer,” Morales says. “[Vectra’s report] provides insight into the attacker behaviors they need to detect in order to stop active attacks in real time.”

On average, organizations in Vectra’s study had 818 devices exhibiting malicious behavior over a one-month period. Command and control activity accounted for the highest proportion of attack behaviors detected on compromised systems. In most cases, such activity represents the first stage of an attack, Morales says.

Other common malicious activities that Vectra detected included lateral movement, reconnaissance, data exfiltration, and botnet activity. Vectra’s data showed that systems that are part of a botnet are being used in a variety of malicious ways, the most common of them being to serve ads. The vendor found that about 8% of the botnets are being used in bitcoin mining, while barely 2% are being used in distributed denial-of-service attacks.

“To me, the biggest point I noticed is that ransomware is not the biggest threat we are facing,” Morales says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/university-networks-become-fertile-ground-for-cryptomining-/d/d-id/1331399?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI IC3: Tech Support Scam Losses Rose 86% in 2017

Most victims are in the US, but FBI IC3 has logged cases from 85 different countries.

Tech support scams resulted in $15 million in losses last year, an increase of 86% over 2016, according to the FBI Internet Crime Complaint Center (IC3).

The IC3 received 11,000 complaints by victims of tech support fraud last year, most of whom were in the US. But victims in 85 countries have reported incidents to the agency. These scams typically involve a criminal claiming to provide customer, security, or technical support, but instead aim to steal money from the victim. 

“This type of fraud continues to be a problematic and widespread scam,” the IC3 said in an alert published today. “As this type of fraud has become more commonplace, criminals have started to pose as government agents, even offering to recover supposed losses related to tech support fraud schemes or to request financial assistance with ‘apprehending’ criminals.”

The scam comes via phone calls, search engine ads, pop-up messages, locked screen messages, and phishing emails, the agency said. “Some recent complaints involve criminals posing as technical support representatives for GPS, printer, or cable companies, or support for virtual currency exchangers.” 

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/fbi-ic3-tech-support-scam-losses-rose-86--in-2017/d/d-id/1331401?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WannaCry Re-emerges at Boeing

Computers at the aerospace giant were hit by the WannaCry malware but systems are back to normal

WannaCry is still around and aerospace giant Boeing is the latest victim. In a flurry of activity on Wednesday, Boeing found itself infected, analyzed the infection, contained and cleaned the affected systems, and returned to normal operations.

According to an internal notice sent from Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, an infection at the company’s North Charleston facility warranted an “all hands on deck” response to the problem. While there were initial concerns that the malware might have reached production process control computers, forensics showed that not to be the case.

In the final analysis, the company said that the infection was limited to a small number of systems and that production and delivery of airplanes and components was not affected. A Boeing representative issued a statement saying that the attack was limited to computers in the commercial airplanes division and that the military and services units were not affected.

In a statement to the press, Mounir Hahad, head of Juniper Threat Labs at Juniper Networks noted that WannaCry’s infection mechanism can easily lie dormant and undetected on computers that have not been protected and patched. “Many systems may have been infected by WannaCry last year, but did not display any symptoms due to the presence of the ‘kill switch’ domain. But, as soon as an infected computer is rebooted in an environment where it does not have access to the Internet, it will resume the infection process.”

In Boeing’s case, their representative states that the WannaCry infection incident has ended with no significant damage to the company.

For more, read here.

Article source: https://www.darkreading.com/attacks-breaches/wannacry-re-emerges-at-boeing/d/d-id/1331404?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deconstructing the DOJ Iranian Hacking Indictment

The alleged attackers used fairly simple tools, techniques and procedures to compromise a new victim organization on an almost weekly basis for over five years.

On March 23, the United States Justice Department unsealed an indictment against nine attackers operating out of Iran, believed to be working on behalf of the Iranian government. The indictment outlined the tools and techniques used, who was targeted, what the attackers were after, and how successful they were in compromising their targets.

More importantly, we learned that the defendants are purported to have run an incredibly successful campaign over a five-year period using fairly simple techniques to gain access to a variety of primarily academic targets. The indictment does not discuss anything related to exploits, compromised computers, malware, or any other technical tools or techniques commonly associated with breaches. It appears that the attackers were able to accomplish all of their objectives using a combination of tailored spearphishing messages utilizing open source information from the Internet and automated password spraying. Their end goal appears to be to gain control of the user accounts of individuals in order to harvest intellectual property. Let’s dig in.

Campaign Scope
According to the newly unsealed indictment, these attackers conducted “coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States based universities…176 universities located in 21 foreign countries…at the behest of the Government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).” These attacks have been ongoing since approximately 2013.

The attackers also targeted a number of federal and state agencies, including the United Nations, the Federal Energy Regulatory Commission, and two state governments (Hawaii and Indiana), as well as private organizations ranging across almost a dozen different business verticals, from biotechnology to stock image sales. According to the indictment the attackers were able to compromise five agencies, 47 private sector companies, and two nongovernmental organizations (NGOs).

According to the indictment, the group attacked not one but two private organizations that deal in online automobile sales and a company that specializes in food and beverages — companies that likely never considered that they’d be the target of attackers working for the Iranian military. The reality is that nation-state-sponsored attackers are not just looking for state secrets but also intellectual property (IP) or personally identifiable information. As such, all organizations need to take appropriate precautions to protect themselves and follow best practices — such as strong password policies and multifactor authentication — for security.

Attacker TTPs
According to the indictment, the hackers used tools, techniques, and procedures (TTPs) commonly associated with advanced persistent threat actors to compromise the accounts of university professors. They started with reconnaissance of their targets using open source information from the Internet, focusing on academic interests and publications. They then followed up with tailored spearphishing emails from external email addresses, or from other compromised victims’ email in-boxes. The objective of these spearphishing messages was to use social engineering to trick the professors into entering their credentials (in this case, username and password) into an attacker-controlled website masquerading as a legitimate domain.

To compromise private sector targets, the attackers utilized the technique of password spraying, in which, as described in the indictment, the defendants “first collected lists of names and email accounts associated with the intended victim company through open source internet searches. Then, they attempted to gain access to those accounts with commonly-used passwords.…” According to the indictment, password spraying was the technique used against a number of federal and state agencies, as well as NGOs.

Neither of these techniques is particularly new or novel, but both have proven to be consistently effective. In the case of the universities, tailored spearphishing messages directing victims to fake login pages are difficult for defensive security (or “blue”) teams to prevent. A critical control here would be to add a second authentication factor (also called multifactor authentication or MFA) for all logins, which would render the stolen username/password credentials much less valuable. It’s important to enforce MFA across all accounts and not just selectively, because attackers will usually find the weak link if one exists.

The attackers also purportedly utilized email forwarding rules to forward all sent and received messages from the victim mailbox to mailboxes they controlled. This is important because even if a victim organization later deployed MFA controls to prevent access to the in-box itself, the attackers would still have access to the contents of the victim’s in-box and the communications of the victim. Also, if the victim organization decided to allow an emailed one-time passcode as a secondary authentication factor, the email-forwarding rules would have allowed the attackers to regain access.
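The forwarding-rule persistence described above is something a blue team can hunt for in a mailbox-rule export. The audit below is an added example, not code from the article or from any mail platform; the rule records, their field names and the organisation domain are constructed assumptions, and the scoring simply ranks how closely a rule matches the pattern the indictment describes (everything forwarded off-domain, originals hidden).

```python
# Assumed organisation mail domains; anything outside this set is "external".
ORG_DOMAINS = {"university.example"}

# Constructed export of mailbox rules (not taken from any real mail platform);
# the field names are assumptions mirroring what most platforms expose.
SAMPLE_RULES = [
    {"mailbox": "prof.a@university.example", "name": "Travel", "enabled": True,
     "applies_to_all": False, "forward_to": [], "delete_original": False},
    {"mailbox": "prof.b@university.example", "name": ".", "enabled": True,
     "applies_to_all": True, "forward_to": ["archive@external-archive.example.net"],
     "delete_original": True},
    {"mailbox": "prof.c@university.example", "name": "Dept copy", "enabled": True,
     "applies_to_all": True, "forward_to": ["dept@university.example"],
     "delete_original": False},
    {"mailbox": "prof.d@university.example", "name": "old", "enabled": False,
     "applies_to_all": True, "forward_to": ["me@free-mail.example"],
     "delete_original": False},
]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_forwarding_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per enabled rule that forwards mail outside the
    organisation, graded by how closely it matches the persistence pattern
    described in the indictment (everything forwarded, originals hidden)."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        external = [a for a in rule["forward_to"] if domain_of(a) not in org_domains]
        if not external:
            continue  # internal copies (e.g. to a department mailbox) are not flagged
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        severity = "medium"
        if rule["applies_to_all"]:
            reasons.append("applies to every message, not a filtered subset")
            severity = "high"
        if rule["delete_original"]:
            reasons.append("deletes the original, hiding the forward from the owner")
            severity = "critical"
        if len(rule["name"].strip()) <= 1:
            # users rarely name a rule "." or leave it blank; planted rules often do
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "severity": severity, "reasons": reasons})
    return findings
```

Running the audit periodically, and again immediately after resetting a compromised account's password, catches the case where the attacker's rule outlives the credential change.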

Preventing password spraying requires a well-thought-out and consistently enforced password policy as well as using a second factor of authentication. Using MFA reduces the inherent risk of having a “guessable” password by requiring a second level of user verification, such as a push verification or one-time passcode that is not easy to guess or bypass. However, for organizations where MFA is not implemented or not globally implemented, enforcing a strong password policy is a must.
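Because a spray touches many accounts with only a guess or two each, it looks very different in authentication logs from a brute-force attack on one account, and that difference is what a detection should key on. The detector below is an added example, not the article's code; the log format, thresholds and the sample lines are constructed assumptions, and it also reports any successful login from a spraying source so the defender knows which accounts to reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data): "timestamp user source_ip result".
# 203.0.113.7 tries one guess against six accounts (a spray; one guess succeeds);
# 198.51.100.2 hammers a single account (brute force, deliberately not flagged).
SAMPLE_LOG = """\
2018-03-20T09:00:01 alice 203.0.113.7 FAIL
2018-03-20T09:00:03 bob 203.0.113.7 FAIL
2018-03-20T09:00:05 carol 203.0.113.7 FAIL
2018-03-20T09:00:07 dave 203.0.113.7 FAIL
2018-03-20T09:00:09 erin 203.0.113.7 FAIL
2018-03-20T09:00:11 frank 203.0.113.7 SUCCESS
2018-03-20T09:05:00 alice 198.51.100.2 FAIL
2018-03-20T09:05:02 alice 198.51.100.2 FAIL
2018-03-20T09:05:04 alice 198.51.100.2 FAIL
2018-03-20T09:05:06 alice 198.51.100.2 FAIL
2018-03-20T09:05:08 alice 198.51.100.2 FAIL
2018-03-20T10:30:00 bob 192.0.2.9 SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            yield datetime.fromisoformat(ts), user, ip, result

def detect_spray(text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source IP when its failures inside `window` touch at least
    `min_users` distinct accounts with at most `max_per_user` tries each:
    many accounts, few guesses per account, is the spray signature."""
    events = sorted(parse_log(text))
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    findings = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward over this IP's failures
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # any success from a spraying IP is a candidate compromised account
                findings[ip] = {"sprayed": sorted(per_user),
                                "logged_in": sorted(u for _, u in successes[ip])}
    return findings
```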

Results: $3.4 Billion Worth of Stolen IP
The indictment makes several statements that describe the ultimate effectiveness of this campaign. Specifically, it alleges:

  • Theft of approximately 31.5TB of academic data and intellectual property valued at $3.4 billion
  • Successful compromise of approximately 320 universities globally
  • Control over the user accounts and/or email in-boxes of 8,000 professors (out of over 100,000 targeted, or a success rate of approximately 8%)
  • Successful compromise of 47 private organizations globally, as well as two NGOs
  • Successful compromise of five state or federal agencies in the US

In addition to turning over the stolen data to the IRGC, the attackers also sold the stolen intellectual property to third parties as well as access to the accounts of professors, which could then be used to access private university computer systems.

Based on stats from the indictment, the attackers were allegedly able to compromise a new victim organization on an almost weekly basis for over five years, with very little variation in TTPs or targeting. They ran a focused and seemingly very successful campaign over an extended period of time.

Lessons Learned
In this case, attackers were able to gain control over numerous identities that had access to extensive intellectual property and then maintain control over those identities for an extended period of time. These organizations sustained significant damage without any internal systems or networks being accessed.

Password-based, single-factor authentication is no longer a sufficient access control to systems containing sensitive or private information, a fact that is widely known but continues to be a huge weakness for organizations. In fact, in June 2017 NIST published a new set of password guidelines that support additional controls. They recommended that organizations ban commonly used passwords that are often compromised by password spraying. NIST also states outright that passwords are insufficient and must be supported by MFA.

Bottom line? Organizations need to adopt a comprehensive security strategy that covers not only physical assets like data centers or servers but also online identities and the user accounts that make up those identities. As for this group, it’s likely that as long as their TTPs stay effective they will continue to compromise additional targets. The indictment itself is more of a political statement and doesn’t significantly affect their ability to operate.


Cameron Ero is a security engineer based in San Francisco, currently working with Okta as part of their detection and response team. He has previously been a member of several blue teams including the Mandiant CIRT and the FireEye advanced detection team. Cameron is an …

Article source: https://www.darkreading.com/attacks-breaches/deconstructing-the-doj-iranian-hacking-indictment/a/d-id/1331403?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Train to be a top cybercrime fighter at SANS London June 2018

Promo As the global volume of data rises like an unstoppable tide, IT systems grow increasingly complex and sophisticated to accommodate it – yet cyber criminals constantly find ingenious new ways of stealing vital information or disrupting systems.

Understandably, security professionals who can forestall the attackers’ rapidly evolving tactics and keep their organisations safe are more than ever in high demand.

Leading security training provider SANS is staging an event from 4-9 June at the Grand Connaught Rooms in London offering the chance to choose from a range of SANS courses, many of which prepare students for valuable GIAC certification in specialised areas of cyber security.

The intensive programme includes classroom training by experienced security practitioners, hands-on workshops and extra evening sessions. Attendees can also sign up for the NetWars tournament to test skills and challenge others in a fun environment.

Course topics include: hacker tools and techniques; web penetration testing; memory forensics; and strategic planning and policy.

Recently added courses are:

More information and registration details here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/29/train_to_be_a_top_cybercrime_fighter_at_sans_london_june_2018/