Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Small Businesses are Counting on Their MSPs this Small Business Saturday

This November 28 may be the most important Small Business Saturday since the occasion was founded by American Express in 2010.

As early as July, nearly half (43 percent) of small businesses had closed at least temporarily, according to a study published in the Proceedings of the National Academy of Sciences. Research also suggests that 30 percent of small businesses expect to exhaust their cash on hand before year’s end. Eighty-eight percent have already spent the funds allocated to them by the U.S. government’s Paycheck Protection Program loan.

While hopes will be buoyed for some by recent positive developments in the search for a vaccine, uncertainty and hard times no doubt still lie ahead. That’s why Webroot encourages advocates and partners to shop small this November 28. For our customers, we aim to be a source of support and sound consultation as we recover together.

Challenges and opportunities for small businesses and MSPs

Many of the small businesses affected by COVID-19 are among Webroot’s clientele. Many more, especially managed service providers, count small businesses as their most important customers. We’ve heard from many who are suffering from lost contracts following office closures, fewer onsite projects, disappearing budgets for business development projects and a general slowdown of new business.

Others are witnessing a shift in the work they do and the services most in-demand. For some, COVID-related challenges have presented opportunities to step up and offer services made necessary by new realities. Unsurprisingly, the already trending adoption of cloud infrastructure has quickened its pace in the age of remote work.

“We’ve had to speed up migrating some clients on-premise file servers to online cloud solutions,” according to Russell Harris, a support engineer and project manager at Maya Solutions Ltd., a UK-based MSP specializing in Apple product support

For David Yates, president of Geeks R Us, a West Coast provider of various technical services, the shift to remote work was the push some of his customers needed to leave physical servers behind.

“A few clients who were reluctant to move to the cloud have now embraced it. This was the impetus that they needed to finally migrate away from on-premise servers,” he said.

Many MSPs have also taken it upon themselves to guide their clients through the transition to remote work, especially in terms of security.

“We’ve had to shift to more cloud, VPN and helping our clients work remotely,” says Nathan Hardester, a telecoms administrator with Whidbey Tech Solutions, a Washington-based MSP.

Cybersecurity education is another opportunity for MSPs looking to help small business clients up their cyber resilience. We know that many office workers are overly confident in their ability to detect a phishing attack, so MSPs should position themselves as educators. Already, in the COVID-era, some are finding themselves do exactly that.

Asked what’s changed at Maya Solutions since the pandemic, Harris responds “needing to provide additional training on online safety due to many working from home on their own devices.”

Making it through together

Many MSPs—often small businesses themselves—rely on their small business clients run for their success. And on this Small Business Saturday, small businesses need us all more than ever. Despite the challenges, there are opportunities for MSPs to step up and guide their clients through the changing way we work.

For more tips on staying cyber resilient through COVID-19 and beyond, stay tuned to our Community threat and check out these tips for MSPs looking to help small businesses bounce back.

Cyber News Rundown: REvil Ransomware Strikes

REvil Ransomware Strikes Hosting Provider

In recent days the web hosting provider Managed.com has been working to recover from a ransomware attack targeting many of their core systems. While the company was able to stop the spread of the attack by shutting down their systems and client websites, it remains unclear what information may have been encrypted and sent elsewhere. The demanded ransom is equal to $500,000 in Monero cryptocurrency and is set to double if not paid in the next week.

Cyberattack Shuts Down Americold Operations

Cold storage provider Americold revealed this week it was forced to shut down many of its systems after discovering evidence of a cyberattack. Some variant of ransomware is thought to be responsible for the attack, which has disabled several customer-facing services and could still be affecting Americold. Fortunately, the company responded quickly and was able to stop the attack from spreading across its network, which could have caused significantly more damage, especially if financial information was accessed.

Ticketmaster Receives Fine for 2018 Data Breach

More than two years after Ticketmaster announced a data breach had compromised a significant amount of customer information, the Information Commissioner’s Office (ICO) has settled on a fine of £1.25 million. The attack was significant because, while multiple organizations warned Ticketmaster of the breach, the company did nothing to resolve the security lapse. Officials also discovered that upwards of 60,000 customer payment cards were used for additional fraudulent activity after the Ticketmaster breach.

Healthcare Remains Easiest Target for Cyberattacks

A recent survey of healthcare organizations found that 73% had computer systems totally unprepared to repel a cyberattack. Attackers are improving their operations rapidly compared to security improvements being implemented by these organizations, even with the increasing year-over-year cybersecurity spending. To make matters worse, pressure put on the healthcare industry by the COVID-19 pandemic has forced many facilities to put security improvements on hold as they deal with increased patient numbers.

Severity of Capcom Breach Continues to Rise

A ransomware attack on Capcom that was initially suspected to not affect customer data has been found to be more severe than first thought. Upwards of 135,000 customers, employees and other individuals with ties to the company may have had sensitive personal information compromised. While Capcom has confirmed that payment data is processed through a third-party and isn’t stored on their systems, internal documents and statements seem to have been compromised by the attack.

6 Tips for a More Cyber-Secure Holiday Season

In any other year, many of us would be gearing up for airline travel, big family dinners, cocktail hours or potlucks with friends, and much more. But with all the challenges this year has brought in terms of how we work and connect during a global pandemic, I’m guessing all our plans look a little different than we thought they would.

Since most of us are now online more than ever before for work, school, personal connection, shopping, etc., it’s critical that take extra steps to keep our digital selves safe. With that in mind, we’ve put together a list of 6 (ish) tips to help you and your family stay safe online this holiday season, no matter how or where you celebrate it.

1. Watch out for an increase in scam emails and websites

What follows are just a few of the ways scammers may target you this holiday season. We recommend you install easy-to-use tools such as Fakespot, which is an add-on that protects consumers by detecting fraudulent product reviews and third-party sellers in real time, to help you avoid the fakes.

  • Flash sale alerts
    During the holidays, the number of promotional emails you receive is likely to go up as online stores run flash sales. With that in mind, scammers are likely to up their game, mimicking legitimate offer emails and websites in the hopes that your desire for a sweet deal will pay out for them. Use extra caution and don’t click anything in an offer email. Go to the retailer’s official website (type it directly into your browser instead of clicking a link in an email) to help ensure you’re shopping securely.
  • “Free” gift cards
    You may get offers for “free” gift cards to online retailers, such as Amazon, Walmart or Target. Remember: very little in life is free. This is another way that criminals may try to trick you into downloading malware or exposing sensitive information that they can use to steal your money or identity.
  • Fake “missed delivery” notices
    Since 94% of people are shopping online more or about the same as they were pre-pandemic, fake package notifications are another way that cybercriminals may target you. If you receive an email or text message about a missed delivery, be sure to double-check the details, such as the shipper (for example, maybe you’re only expecting a Prime or USPS delivery, so a FedEx notification should throw a red flag), the tracking numbers, etc. And, of course, don’t click or download anything in the text or email message itself
  • Discounts so deep they can’t be real
    If you see an ad or email for a high-ticket item that suddenly costs less than 10% of the regular retail price, it’s practically guaranteed to be 100% fake. Let’s face it: there’s just no way you’re going to get real Ray-Bans for the low, low price of $24.99.

2. Use caution with your charitable donations

It’s the giving season and, thanks to the pandemic, natural disasters, and other current events, there are plenty of people in the world who could use a little extra help. Good on you for contributing to the public good! Unfortunately, not even charities are sacred to scammers, and they will take advantage of your desire to help others.

It’s critical to do your research! We recommend you visit trusted organizations, like Charity Watch, to learn more about the charities you’ve chosen and their efficiency, governance and accountability before committing money. Additionally, be suspicious of aggressive pitches including multiple calls and emails or tactics that require immediate donation. Lastly, never pay by gift card of wire transfer. Use a credit card instead, as it’s easier to track and recover fraudulent transactions.

3. Research your smart devices

When we say “smart devices,” we don’t just mean things like Alexa or Google Home. There are internet-enabled fridges that tell you when you’re low on groceries, let you hear and speak to someone at your front door, function as a baby monitor, and even tell you when your laundry’s done. There are also smart thermostats, garage door openers, light fixtures, and so much more. All of these gadgets form a network of connected devices known as the Internet of Things (IoT). And each one could potentially let a hacker into your home network.

Be selective when it comes to purchasing connected smart home and IoT devices. Choose reputable brands that include security, such as the ability to change passwords and perform firmware updates. Cheaper knockoffs of name brand devices might be easier on your wallet, but they are often designed without security in mind. Additionally, since the business model for knockoffs is typically to turn a profit as quickly as possible, there’s no guarantee the device manufacturer will even be around in a year or two to send out security updates or offer support if your device malfunctions

4. Secure any new tech toys right away

Get a cool new gadget in the family gift swap? (Or buy something awesome just for yourself? Don’t worry, we won’t tell the kids.) Protect that tech investment by installing security right away. It’s not the most exciting thing to do with a new toy, but it’ll help make sure you get to enjoy it without worrying about malicious actors joining in on the fun

5. Use reputable video chatting services to connect with loved ones

When planning your virtual holiday get-togethers, use trusted video conferencing providers like Zoom, who have paid close attention to security issues this year and adapted product defaults to enable safer user experiences. Also, be cautious of any websites that request permissions from your browser to access your camera and microphone. If you get one of these notifications, close out of your browser. Do not engage with the permissions request in any way

6. Remember the basics

We’ve said it before, we’ll say it again. Good online habits are your best defense – and it really doesn’t take much effort to keep yourself and your family safe

  • Use strong, unique passwords for all your accounts and don’t share them. Length is strength, so passphrases are a good help.
  • Install virus protection on all your devices and keep it up to date.
  • Use a secure cloud backup.
  • Connect to the internet using a VPN, even on your home network (and especially if transmitting sensitive info, like credit card numbers or online banking details.)
  • Keep your device operating systems up to date so you have the latest patches against exploits.
  • Don’t enable macros. Ever. If a document or website asks you to enable macros or hidden content or “allow access”, just don’t do it. There are very few legitimate reasons for documents or websites to request these permissions.
  • Keep a close eye on your financial accounts and look out for any fraudulent activity.

Here’s wishing you a safe and cyber-secure holiday season! Keep an eye on the Webroot Blog and the Webroot Community for more tips and news on the latest cyber threats.

What’s the deal with security product testing anyway?

It’s common for savvy online shoppers to check third-party reviews before making an online purchasing decision. That’s smart, but testing the efficacy of security software can be a bit more difficult than determining if a restaurant had decent service or if clothing brand’s products are true to size.

So, with the arguably more significant consequences of antimalware testing, how can shoppers be sure that the product they choose is up to the task of protecting their family from malware? Which reviews are worthy of trust and which are just fluff?

Red flags in antimalware testing

Grayson Milbourne is the security intelligence director at Webroot and actively involved in improving the fairness and reliability of antimalware testing. While acknowledging that determining the trustworthiness of any single test is difficult, some factors should sound alarm bells when looking to honestly evaluate antimalware products.

These include:

The pay-to-perform model

In any test, the humans behind the product being evaluated have a vested interest in the performance. How far they go to influence those results, however, varies. One extreme way to positively influence results is to fund a test designed for your product to succeed. Often, the platform on which a test appears can be a sign of whether this is the case.

“YouTube tests are almost always commissioned,” warns Milbourne. “So, if you see things on YouTube, know that there is almost always someone paying for the test who’s working the way the test comes out. I try to avoid those.”

If only one product aces a test, that’s another sign that it may have been designed unfairly, maybe with the undisputed winner’s strengths in mind.

Every vendor acing a test

Tests in which all participants receive high scores can be useless in evaluating product efficacy. Because we know catching malware is difficult, and no single product is capable of doing it effectively 100 percent of the time, tests where every product excels are cause for concern.

“If every product aces the test, maybe that test is a little too easy,” says Milbourne. No product is perfect, so be wary of results that suggest so.

Failing to test in “the big picture”

No one piece of software can stop all the threats a user may face all of the time. But many vendors layer their preventative technologies—like network, endpoint and user-level protection—to most effectively protect against cyberthreats.

“Testers are still very worried about what happens when you encounter a specific piece of malware,” says Milbourne. “But there’s a lot of technology focused on preventing that encounter, and reactive technology that can limit what malware can do, if it’s still unknown, to prevent a compromise.”

In addition to how well a product protects an endpoint from malware, it’s also important to test preventative layers of protection which is lacking in 3rd party testing today.

The problem with the antimalware testing ecosystem

For Milbourne, the fact that so few organizations dedicated to efficacy testing exist, while the number of vendors continues to grow, is problematic.

“There are about five well-established third-party testers and another five emerging players,” he says. But there are well over a hundred endpoint security players and that number is growing.”

These lopsided numbers can mean that innovation in testing is unable to keep up with both innovation in security products as well as the everchanging tactics used by hackers and malware authors to distribute their threats. Testing organizations are simply unable to match the realities of actual conditions “out in the wild.”

 “When security testing was first being developed in the early 2000s, many of the security products were almost identical to one another,” says Milbourne. “So, testers were able to create and define a methodology that fit almost every product. But today, products are very different from each other in terms of the strategies they take to protect endpoints, so it’s more difficult to create a single methodology for testing every endpoint product.”

Maintaining relationships in such a small circle was also problematic. Personal relationships could easily be endangered by a bad test score, and a shortage of talent meant that vendors and testers could bounce between these different “sides of the aisle” with some frequency.

Recognizing this problem in 2008, antimalware vendors and testing companies came together to create an organization dedicated to standardizing testing criteria, so no vendor is taken off guard by the performance metrics tested.

The Anti-Malware Testing Standards Organization (AMTSO) describes itself as “an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies.”

Today, its members include a number of antivirus and endpoint security vendors and testers, normally in competition against one another, but here collaborating in the interest of developing more transparent and reliable testing standards to further the fair evaluation of security products.

“Basically, the organization was founded to answer questions about how you test a product fairly,” says Milbourne.

Cutting through the antimalware testing hype

Reputation within the industry may be the single most important determinant of a performance test’s trustworthiness. The AMTSO, which has been working towards its mission for more than a decade now, is a prime example. Its members include some of the most trusted names in internet security and its board of directors and advisory board are made up of seasoned industry professionals who have spent entire careers building their reputations.

While none of this is to say there can’t be new and innovative testing organizations hitting the scene, there’s simply no substitute for paying dues.

“There are definitely some new and emerging testers which I’ve been engaging with and am happy to see new methodologies and creativity come into play, says Milbourne, “but it does take some time to build up a reputation within the industry.”

For vendors, testing criteria should be clearly communicated, and performance expectations plainly laid out in advance. Being asked to hit an invisible target is neither reasonable nor fair.

“Every organization should have the chance to look at and provide feedback on a tests’ methodology because malware is not a trivial thing to test and no two security products are exactly alike. Careful review of how a test is meant to take place is crucial for understanding the results.”

Ultimately, the most accurate evaluation of any antimalware product will be informed by multiple sources. Like reviews are considered in aggregate for almost any other product, customers should take a mental average of all the trustworthy reviews they’re able to find when making a purchasing decision.

“Any one test is just one test,” reminds Milbourne. “We know testing is far from perfect and we also know products are far from perfect. So, my advice would be not to put too much stock into any one test, but to look at a couple of different opinions and determine which solution or set of solutions will strengthen your overall cyber resilience.”

Cyber News Rundown: Flood of Phony IRS Emails

Phony IRS Emails Flooding Inboxes

Upwards of 70,000 inboxes have been receiving spam claiming to be from the IRS threatening legal action for late or missing payments. Most recipients are Microsoft Office 365 users and have been receiving threats of lawsuits to, wage garnishment and even arrest. These spoofing scams have risen in popularity in recent years, but have mixed results since many users are familiar with the tactic.

Pakistani Airlines Network Access for Sale

Researchers found a listing for full admin access to the Pakistan International Airlines network on multiple dark web forums earlier this week. The current asking price is an incredibly low $4,000, considering the amount of information that could be used for malicious activities. The hackers claim to have 15 databases, each with many thousands of records, including passport data and other highly sensitive personal information on passengers and employees alike. It is believed that this group has been responsible for at least 38 other sales of network access in the past five months.

Zoom Enhances Security at Heed of FTC

Following a settlement with the FTC, the video communication service Zoom is being forced to upgrade its overall security after it was found that they weren’t implementing the end-to-end encryption the business touted. It was also discovered that encryption of recorded video calls often did not take place and regular security testing of security measures did not occur, endangering user privacy for personal video calls and chats.

Mashable Database Compromised

The online media outlet Mashable confirmed it had suffered a cyberattack on its systems, and that the attacker had already published some of the stolen data, this weekend. Fortunately, Mashable also confirmed the stolen data was from a system that was no longer in use. The company has also begun contacted affected customers and informing them to be wary of suspicious emails and to forward them to Mashable for further investigation.

Millions of RedDoorz Records for Sale

Roughly 5.8 million user records belonging to the hotel booking platform RedDoorz were found for sale on a hacker forum. These records were likely the the result of a cyberattack targeting RedDoorz in September, though the company firmly stated no financial information was compromised. After viewing a sample of the stolen data, however, it was discovered that a significant amount of extremely sensitive information belonging to customers who may have stayed at any of their 1,000 properties across Southeast Asia had been published.

Employee Spotlight: From Building Code to Building Teams

Webroot is a dynamic team of hard-working individuals with diverse backgrounds. One of those hard-working individuals is Ben Jackson, Senior Manager of Software Development, Engineering. Ben started off building pages in HTML. Now he leads high-performing teams and helps develop architectures from his home in the UK. We sat down with Ben to find out how he got into software and where he sees the biggest growth opportunities.

What were you doing before working at Webroot?

I worked at a Smart Meter manufacturer in the UK on their manufacturing systems and had a short stint at a big UK retailer called Next working on their retail website.

What brought you to Webroot?

The opportunity to work on some really cool tech, and the people and culture really attracted me.

What is your role in the company?

I am a Senior Software Development Manager for the Sky Services and Efficacy tools.

How did you get into software development?

I took a shine to it from an early age when I was trying to find something to do for a career back at school. I started with the most basic HTML web page in my spare time by copying the code from a textbook into notepad and saving it as an html file to see it run. I have never looked back.

What are the primary coding languages you specialize in?

Microsoft .net framework technologies with languages such as C#. I can use Visual Basic but I’m not a huge fan, and also Java.

What are the advantages of those languages and how do they manifest themselves in your work?

C# is in the core of what we do as a team. All our applications are in the Microsoft .net framework stack, and through the use of .net core in a lot of our new projects, we can run our code on any operating system, making it very easy to deploy, such as in Linux or Docker containers.

What parts of your job require you to think outside of strictly writing code, for example, system architecture, use cases, etc.?

Most of my job requires me to think outside of writing code, especially working with other engineering teams, product management, and helping design the architecture of some of our decoupled systems.

What are your proudest accomplishments as a software engineer?

I have contributed to and led numerous software projects in my career that I am very proud of, but my proudest achievements are in building teams that work together to deliver something special and noteworthy in terms of how the team collaborated together, especially my current team.

Where do you think the future of software development is headed?

It is tricky to say as direction changes all the time and people have such differing opinions, but I feel it will certainly be the continuation of the cloud (Amazon Web Services, Microsoft Azure and Google Cloud) being king. The management of the infrastructure to run applications will further be detached from the developer so that they will just be writing the code and handing it over to the cloud to deploy, scale and manage for you automatically. Serverless architectures will become more of the norm, I think.

War Games or The Matrix?

War Games! It was released the year before I was born, but I have grown up with it through watching re-runs.

What else do you like to do besides coding?

I am a big football (soccer) and sports fan and try to watch as much as I can. I used to play 11-a-side football as a goalkeeper every Saturday for a local team until my recent retirement to spend more time with my two children, who are my biggest focus now outside of work.

Any personal details or stories you’d like to share?

I once appeared on a Portuguese news channel while at a friend’s stag (bachelor party). I was dressed as a pirate, doing the iconic scene from the film Titanic at the front of a fishing boat as it came into the harbor. For some reason, a news crew interviewed us and ran it on the early evening news with the Titanic theme song by Celine Dion playing in the background. I have no idea why they found us so interesting!

Want to find out about job opportunities at Webroot? Visit our careers page.

Getting to Know Cloudjacking and Cloud Mining Could Save Your Business

A few years back, cryptojacking and cryptomining emerged as relatively low-effort ways to profit by hijacking another’s computing resources. Today, cloudjacking and cloud mining capitalize on similar principles, only by targeting the near infinite resources of the cloud to generate revenue for attackers. Knowing this growing threat is key to maintaining cyber resilience.

Enterprise-level organizations make especially attractive cloudjacking targets for a few reasons. As mentioned, the computing power of cloud networks is effectively limitless for all but the most brazen cybercriminals.

Additionally, excess electricity consumption, one of the most common tipoffs for smaller scale cryptojacking attacks, often goes unnoticed at the scale large corporations are used to operating. The same goes for CPU.

Careful threat actors can also throttle back the amount of resources they’re ripping off—when attacking a smaller organization, for instance—to avoid detection. Essentially, the resources stolen at any one time in these attacks are a drop in the Pacific Ocean to their largest targets. Over time, though, and depending on particulars of a usage contract, the spend for CPU used can really add up.

“Hackers have definitely transitioned away from launching ransomware attacks indiscriminately,” says Webroot threat analyst Tyler Moffitt. “It used to be, ‘everybody gets the same payload, everyone has the same flat-rate ransom.’

“That’s all changed. Now, ransomware actors want to go after businesses with large attack surfaces and more pocketbook money than, say, grandma’s computer to pay if they’re breached. Cloud is essentially a new market.”

High-profile cloudjacking incidents

Arguably the most famous example of cloudjacking, at least in terms of headlines generated, was a 2018 attack on the electric car manufacturers Tesla. In that incident, cybercriminals were discovered running malware to leech the company’s Amazon Web Service cloud computing power to mine cryptocurrency.

Even with an organization of Tesla’s scale, the attackers reportedly used a throttling technique to ensure their operations weren’t uncovered. Ultimately, they were reported by a third-party that was compensated for their discovery.  

More recently, the hacking group TeamTNT developed a worm capable of stealing AWS credentials and implanting cloudjacking malware on systems using the cloud service. It does this by searching for accounts using popular development tools, like Docker or Kubernets, that are both improperly configured and running AWS, then performing a few simple searches for the unencrypted credentials.

TeamTNT’s total haul remains unclear, since it can spread it’s ‘earnings’ across multiple crypto wallets.  The fear though, now that a proven tactic for lifting AWS credentials is out in the wild, is that misconfigured cloud accounts will become prime targets for widespread illicit cloud mining.

SMBs make attractive targets, too

Hackers aren’t just launching cloudjacking attacks specifically against storage systems and development tools. As with other attack tactics, they often see MSPs and small and medium-sized businesses (SMBs) as attractive targets as well.

“Several attacks in the first and second quarters of 2019 involved bad actors hijacking multiple managed service providers,” says Moffitt. “We saw that with Sodonakibi and GrandCrab. The same principles apply here. Hacking a central, cloud-based property allows attackers to hit dozens and potentially hundreds of victims all at once.”

Because smaller businesses typically share their cloud infrastructure with other small businesses, compromising cloud infrastructure can provide cybercriminals with a trove of data belonging to several concerned owners.

“The cloud offers an attractive aggregation point as it allows attackers access to a much larger concentration of victims. Gaining access to a single Amazon web server, for instance, could allow threat actors to steal and encrypt data belonging to dozens of companies renting space on that server hostage,” says Moffitt. 

High-value targets include confidential information like mission-critical data, trade secrets, unencrypted tax information or customer information that, if released, would violate privacy laws like GDPR and CCPA.

Some years ago, smaller businesses may have escaped these cloud compromises without too much disruption. Today, the data and services stored or run through the cloud are critical to the day-to-day even for SMBs. Many businesses would be simply crippled should they lost access to public or private cloud assets.

The pressure to pay a ransom, therefore, is significantly higher than it was even three years ago. But ransoms aren’t the only way for malicious actors to monetize their efforts. With cloud mining, they can get right to work making cryptocurrency while evading notice for as long as possible.

How to protect against cloudjacking and cloud mining

Moffitt recommends using “versioning” to guard against cloudjacking attacks. Versioning is the practice of serializing unalterable backups to prevent them from being deleted or manipulated.

 “That means not just having snapshot or history copies—that’s pretty standard—since with ransomware we’ve seen actors encrypt all of those copies. So, my suggestion is creating immutable backups. It’s called versioning, but these are essentially snapshot copies that can never be edited or encrypted.”

Moffitt says many service providers have this capability, but it may not be the default and need to be switched on manually.

Two more tactics to adopt to defend against cloud jacking involve monitoring your configurations and monitor your network traffic. As we’ve seen, capitalizing on misconfigured AWS infrastructure is one of the more common ways for cybercriminals to disrupt cloud services.

Security oversight of devops teams setting up cloud applications is crucial. There are tools available that can automatically discover resources as soon as they’re created, determine the applications running on the resource and apply appropriate policies based on the resource type.

By monitoring network traffic and correlating it with configuration data, companies are able to spot suspicious network traffic being generated as they send work or hashes to public mining pools that are public and could help identify where mining is being directed. 

There tends to be a learning curve when defending against emerging attacks. But if businesses are aware of how cloud resources are manipulated by threat actors, they can be on guard against cloudjacking by taking a few simple steps, increasing their overall cyber resilience.

Cyber News Rundown: Maze Ransomware Shuts Down

Maze Ransomware Group Ends Operations

A press release issued this week announced the end of the Maze ransomware group’s data theft operations. In the release, the Maze authors revealed their motives behind one of the most successful ransomware campaigns to date, and why they chose to finally shut down their massive project. It also stated the Maze team was working to expose the major security holes key industries fail to address, though their methods created many victims.  

Magecart Targets International Gold Retailer

Nearly three months after a data breach caused by a Magecart attack struck the international precious metals retailer, JM Bullion has finally released an official statement to customers. After identifying unauthorized activity on their systems in the mid-July, the company went on to find that their systems had been compromised since February by Magecart payment card-skimming software. The company has yet to acknowledge why took so long to discover the breach or why it failed to follow GDPR regulations by immediately contacting affected customers.

Ryuk Remains Top Player Throughout 2020

With ransomware continuing its stay at the top of the cyberthreat throne, Ryuk variants have been responsible for over a third of all ransomware attacks in 2020 alone or roughly 67 million attacks. Ryuk has been around for over two years, but found much greater success this year after being found responsible for only 5,100 attacks in 2019. Ransomware attacks grew 40 percent over last year, to nearly 200 million as of Q3.

Cannabis Site Leaves Database Exposed

An unsecured database belonging to cannabis website GrowDiaries and housing over 3.4 million user records was found to be accessible last month. The data included 1.4 million user passwords that were encrypted using MD5 hashing, which is known to be easily unlocked by cybercriminals. Nearly a week after being informed of the database GrowDiaries properly secured it from public access, though it remains unclear how long it was accessible or who accessed it during that time.

Mattel Reveals Ransomware Attack

Following a July ransomware attack, Mattel has finally issued an official statement regarding the overall damage. The company has confirmed that no data was stolen during the attack, which was quickly identified by their security, and many systems were taken offline to prevent any damage or theft occured. The ransomware attack was likely perpetrated by TrickBot, as it’s known for concentrating on large organizations and leaving them exposed for some encrypting variant to follow.

The Importance of Mobile Security for Safe Browsing

Mobile devices have become an indispensable part of our lives. By the time we’re teenagers, we’re already tethered to technology that lives in our pockets and connects us to a network far larger than we ever imagined possible. Because of the way we interact with our phones, it knows our likes, curiosities and vulnerabilities, in addition to our passwords, financial data and most closely held secrets. This seemingly infinite amount of data also makes our mobile devices highly attractive targets for malicious actors. That’s why it’s critical to protect phones from threats.

A successful attack on your phone could compromise your personally identifiable information (PII), banking accounts and even your professional life or the success of your business. Just like you lock the doors of your house when you go away, or your storefront after business hours, you should take care to secure the entry points that cybercriminals use to gain access to the data on your phone.

WiFi and Mobile APP threats

The convenience and ubiquity of public WiFi and mobile apps are also their greatest weakness. With unsecured public WiFi, you can never be sure if you’re connecting directly to a secure hotspot or to a hacker, who is stealing your information and relaying it to another malicious actor. Before you connect to an unfamiliar public WiFi network, follow these best practices to reduce the chances of compromising yourself:

  • Use a virtual private network (VPN) instead – VPN is highly recommended for all business communications. VPN keeps your network and Wi-Fi communications encrypted, which makes it much harder for hackers to access.
  • Disable sharing on all apps – While you may be comfortable sharing your location with apps when you’re on a secure connection, consider disabling it in system preferences or settings when you’re connecting to public WiFi.
  • Verify all public WiFi networks – Hackers can easily set up a public WiFi that looks like it’s owned by the proprietor. Before you connect to “Java House Guest WiFi,” ask someone behind the counter the exact name of their WiFi network.
  • Plug Bluetooth vulnerabilities – Hackers often use Bluetooth connections to infect or steal files. This puts personal data at risk when using Bluetooth. These attacks involve using the device for phone calls or text messages, or using Bluetooth functionality to find deeper vulnerabilities in the phone system or to steal data stored on the phone. Similar exploits exist for Apple users through the AirDrop feature. The best way to plug theses vulnerabilities is to turn off Bluetooth or AirDrop when not in use, keep your software up to date, only pair with trusted devices and use a VPN to encrypt your data and hide your identity.
  • Disable auto-join for open networks – Public WiFi networks are ideal environments for a range of cybersecurity attacks, including rogue networks, man-in-the-middle attacks, viruses, and snooping or sniffing. To prevent the likelihood of these attacks, remote users should turn off Wi-Fi auto-connect settings for public WiFi networks.

With more than 120 million Android users, Android malware continues to be a real and increasingly common threat. Google has already pulled a large number of malicious apps from the Play store. But the open nature of the Android operating system makes it an easy play for hackers. The year 2020 has been a particularly risky one for mobile app users. A few of the more dangerous mobile threats in circulation include:

  • Joker – Since 2019, Joker has been stealing credit card information and banking credentials by simulating other legitimate apps.
  • CryCryptor – Based off the open-source ransomware CryDroid, this mobile variant has been spotted masquerading as a COVID-19 tracing app.
  • EventBot – This malicious app abuses accessibility features to steal user data, and reads and steals SMS messages to bypass two-factor authentication.
  • Dingwe – This modified remote access tool is capable of controlling a device remotely. Samples have been found impersonating as COVID-19 tracing apps.

Many of these malicious operators use various tricks to evade detection. Since Android devices can come with hundreds of apps pre-installed, there’s a high potential for security gaps that a malicious app maker could exploit.

#1 Defense Measure: Update the OS

One of the major vulnerabilities with Android devices is outdated software. More than 40% of Android devices are using an OS version older than v9. This makes them more vulnerable to malicious applications.

Webroot® Mobile Security can help improve your mobile defenses without impacting your browser speed. It allows you to browse, shop, search, bank or use social networks, all while blocking malicious websites that try to steal your personal information. Webroot® Mobile Security includes proactive identity protection features, which block malicious sites that try to steal your personal info or harm your device. With Webroot® Mobile Security, you can hide your digital footprint and your browsing history through private browsing mode.

Cyber News Rundown: Flash Banned from Windows

Adobe Flash Being Uninstalled on Windows Systems

Following its September announcement, Microsoft has released an update that removes Adobe Flash from Windows 10 systems and prevents reinstallation. It should be noted that this update only removes the version of Adobe Flash that comes bundled with Windows 10. Internet browser extensions and stand-alone installs of the software will remain unaffected by this update. Should the user want to re-install Adobe Flash on an updated system, they must either revert to a point prior to the update or perform a fresh install of Windows 10.

Gunnebo Suffers Critical Data Breach

Officials for Gunnebo, a Swedish security firm, have revealed that they were victims of a data breach in August. Researchers also discovered an 18GB file confirmed to contain customer information stolen from Gunnebo. The compromised data was uploaded to a public server after Gunnebo refused to pay a ransom, exposing roughly 38,000 sensitive files.

Finnish Health Center Hacked

It was recently revealed that the Finnish psychotherapy center Vastaamo suffered a ransomware attack that compromised highly sensitive patient data belonging to thousands of individuals. After refusing to pay a 40 Bitcoin ransom, the attackers began publishing the stolen data on the dark web. While officials have yet to determine when the breach occurred, they have been contacting victims about the stolen data since October 21.

Customer Accounts at UK Restaurant Chain Breached

Recent technology changes at restaurants and other public establishments like touchless methods of interaction have left UK restaurants open major security flaws. One such flaw has been exploited at UK restaurant chain Nando’s, with several customer accounts affected. By accessing previous account logins and using credentials that were stolen in prior cyberattacks, hackers have been able to create fraudulent orders. The company has since confirmed that, though they themselves weren’t the target of the breach, they will compensate any customers who are fraudulently charged.

Ryuk Suspected in Major Steelcase Attack

International furniture maker Steelcase was forced to take its systems offline following a ransomware attack that began late last week. It is believed that the attack used the highly active ransomware variant, Ryuk, though this has yet to be confirmed by Steelcase. By shutting down the remaining unaffected systems, Steelcase hopes it was able to stop the spread of encryption before irreparable damage was caused.

Employee Spotlight: Nurul Mohd-Reza, Customer Retention Specialist

Nurul Mohd-Reza knows how to empathize with the customers she serves. Her work with marginalized groups as a college student, she says, helped prepare her for when the pandemic turned many of her customers’ businesses upside down last March.

Here she discusses what she’s learned after just 10 months in the industry and provides some advice for those looking to dive headfirst into something new.

Tell us a little bit about your career background. How did you get to where you are today?

I started working at Webroot back in January, so my time here hasn’t been long. For most of my collegiate career I worked in the Division of Student Affairs at CU Boulder, focusing specifically on leadership and development. I served as a student advisor to university officials and local businesses. And so, as time went on, I became very interested in the dynamic between people and business. From there, I knew I wanted to dive deeper into this realm but was unsure on how to get started. So after college I began working in healthcare operations.

I believe what got me interested in this career path was when I attended Denver Start Up Week, which was a phenomenal experience. It opened my eyes to the unfamiliar world of customer success. Seeing how companies used technology and data to proactively understand their customer persona, and on top of that, scale engagements to fit their customer’s needs was truly insane. I thought what better way of molding my interests than being on the front lines serving as an advocate between people and product.

And how did you land at Webroot specifically?

It’s a funny story. I had come across this position and halfway through filling out the application I thought I might not be well-equipped for the role, so I actually ended up not finishing the application. And then a recruiter reached out to me and said they were interested in starting a conversation. It was unconventional, but I’m very grateful she reached out because it gave me an opportunity to explain my transition and why I wanted to make that jump into tech. 

From there, I ended up interviewing here at Webroot and it was a great experience overall. Being early on in my career, I knew I wanted to work in an environment that obviously fostered growth, professionally and personally. After speaking with my current boss, I was very optimistic about the trajectory of Webroot, as well as the vision for Customer Success and this team specifically.

What are your core responsibilities as a customer retention specialist?

I would say my time is split between two main responsibilities. My primary role is to oversee the renewal process for a subset of SMBC contracts projected for the quarter. On the other hand, we are a customer facing role. So handling business customer inquiries as they arise. This involves everything from advising customers on certain buying decisions to providing in-product guides.

However, we are starting to shift our focus on how to effectively connect with customers throughout their lifecycle. Previously, we’ve concentrated on the renewal period which is 90 days before expiration. Now, we’re starting to expand our scope and engage with customers to create those smooth onboarding workflows, as well as push early-on adoption of the product. 

At the end of the day, it’s really about strategy—how do we effectively educate and guide the customer to build depth behind the product in hopes of retaining that relationship for the long haul.

What would you say has been the most significant challenge of your career so far?

I think one of the most significant challenges was switching to an industry I’d never worked in before. The learning curve was steep in terms of familiarizing myself with the products we offer, our workflow with all the various systems we use, and the dynamic relationships between our various partners.

In Customer Success, it’s not simply about securing renewals. The process involves having to solve roadblocks in order to help a customer achieve their goal. We have to work with a range of departments to solve issues the customer is facing—whether it be from a product standpoint or a billing redundancy. So being able to learn each player’s role and then manage those relationships was obviously a challenge to begin with. It’s exciting, though. It keeps you on your feet and you get to meet a lot of new people from diverse backgrounds. 

Another obvious challenge was COVID-19. I had only been working in the office for about two months when the pandemic hit. Learning how to onboard remotely was new and something I had to juggle with most definitely.

What skills do you feel have carried over well from your work in public affairs?

I believe Customer Success is focused on building relationships with our customers—which to my advantage was a valuable skill I carried over from my work in public affairs. In this role, it’s very important to enjoy solving problems and addressing issues head-on. You have to be incredibly flexible and create some sense of fluidity in the midst of a growing que of customer requests.

In my previous role, I worked with marginalized communities to combat an array of social issues. So learning how to communicate with empathy, while also moving with focus and intent was crucial and very much transcends into my current role now.

Do you have a favorite part of the job after 10 months with the company?

I’m optimistic about being able to refine the customer journey. I believe the beauty behind Customer Success is it’s still an unknown territory. Everywhere you look, companies have a different way and methodology on how they interact with the customer. Not to mention, the type of technology and automation coming into play is fascinating.

In addition to that, our team is fairly new, which gives us a range of autonomy to create the structure and the formatting that we believe will best deliver value to our customers throughout their lifecycle. Although we are now part of a 15,000-person organization, it still feels like a start-up environment. We are constantly working to strategize and envision how we want the customer experience to evolve. To me, it’s very exciting to be at the intersection of all these moving parts. 

Any advice for someone in your same situation, looking to cross over into the tech industry?

Well, given my experience, I’d say don’t doubt your capabilities. No experience is wasted experience. Even if you might not be the absolute perfect fit for a position, you have a breadth of skills you’ve developed over the past couple of years that will help mold you into whatever new role you’re interested in.

I believe one of the best pieces of advice I was ever given was don’t close a door on yourself before the opportunity even presents itself. By saying you can’t do this, or you don’t have the skills for that, you’ve already blocked out all these great possibilities. So be open to new experiences and don’t hold back.

To see what positions are available for you at OpenText, visit our careers page here.

The Nastiest Malware of 2020

For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware

Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is the more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.

Discover more about the 2020’s Nastiest Malware on the Webroot Community.