Your password sharing habit may not be as harmless as
you think. And yes, that includes Netflix login info too.
That’s one finding to come out of our newly released study of
2020’s Most (and Least) Cyber-Secure States. In this year’s analysis of
the cyber readiness of all 50 U.S. states, and in partnership with Wakefield
Research, we created a “Cyber Risk Hygiene Index” based on 10 metrics meant to
measure individual and state-level cyber resilience against adverse online
events.
Unfortunately for many Americans, two of
those cyber hygiene metrics involved questions about their password habits:
Do you avoid sharing passwords with others?
Do you avoid reusing passwords?
Now, these questions weren’t the only reason no American received a passing grade on our Cyber Risk Hygiene Index, or that no state scored higher than a D, but they didn’t help. In all, the report found that more than one-third (34%) of Americans admit to sharing passwords and login credentials with others. Nearly half (49%) report having more accounts than passwords, meaning passwords are being reused across accounts.
Perhaps even more troubling is the finding that sharing
passwords for streaming services—that famously widespread and supposedly benign
new-age habit—has a worrying correlation: Americans who share passwords for
streaming services (38%) are twice as likely to say they have had their
identity stolen than those who do not (18%).
This is alarming because sharing and reusing passwords is
especially dangerous during this golden
age of phishing attacks. It means that, as soon as a cybercriminal
achieves success in one phishing attack, those pinched credentials are likely
to work for several other popular sites. A single successful phishing
expedition could yield catches on banking sites, credit card applications,
online marketplaces, and in a host of other potentially lucrative instances.
Even by sharing passwords with those a smidge less than
trustworthy—or just careless—you’re increasing your attack surface area. That
network of individuals who now have access to your accounts is susceptible
to giving your information away if they take the bait in a phishing attack.
“Instead of giving away the keys to the guest room when you
share passwords, it’s more like giving away keys to the castle if they are
reused across multiple accounts,” says Webroot threat analyst Tyler Moffitt,
“you could be giving away the keys to the whole kingdom if that’s the only
password you use.”
More password facts from the report
Tech Experts, one of the riskiest categories of users studied in our report, are more likely to share passwords (66%) than the average American (44%). Clearly, we at Webroot are in no position to point fingers.
On brand, 66 percent of so-called “Mile Markers” refrained from sharing passwords, compared to 63 percent for the average American. This group scored the highest on our index and is defined by having progressed through life markers such as earning a degree, owning a home, or having children.
Home-based Very Small Businesses (VSBs) are less
likely to work with a dedicated IT team. As a result, they are more likely to
use their personal devices for work and share passwords. Of these, 71 percent
use the same passwords for home and business accounts, potentially cross
contaminating their work and personal lives with the same security gaps.
By generation, Gen Z is most likely to share
passwords (56%), followed by Millennials (47%), Gen X (33%), and Boomers (19%).
How to address poor password practices
In terms of a personal password policy, it’s important to
set yourself up for success. Yes, it’s true the number of passwords one is
responsible for can be dizzying: 191 per business according
to one popular study.
That, and the parameters for creating a sound password
seemingly grow more complex by the day. It used to be enough just to have a
password. But now, they must be x characters long, contain one number and one
special character and so on… And did we mention we recommend it be a passphrase,
not a traditional password?
You get the gist.
That’s why our single strongest piece of advice to users
looking to upgrade their cyber resilience is to use a password
manager. This allows you to create long, alphanumeric and otherwise
meaningless passwords without the need to keep tabs on them all.
After you’ve created a strong bank of passwords, managed
through a password management service, supplement your security by adding
two-factor authentication (2FA). Measures like 2FA pair your login credentials—something
you know—with something you have, like a biometric feature or a mobile phone. This
will ensure lifting your password (a unique one for each account, no doubt)
isn’t even enough to crack your account.
“Put simply, an account simply isn’t as secure as it could
be without 2FA,” says Moffitt. “And that means your credit card info, home
address, or bank accounts aren’t as safe as they could be.”
No more reusing passwords. And, hopefully, no more sharing passwords. But that part’s up to you. You just have to ask yourself, is Netflix access worth having your identity stolen?
Anyone who has spent late nights scrolling
through their social media feed or grinding on video games knows one thing is true:
Technology can be a good thing, but only in moderation. Like too much of
anything, spending a lot of time on the internet or social media can lead to unhealthy
consequences. Since May is mental health awareness month, we thought it would
be a good time to remind ourselves of the importance of finding a healthy balance when
it comes to using technology.
Social distancing on social media
The global coronavirus pandemic continues to
test our own personal resilience. While most of us are sheltering at home,
we’re also relying more and more on technology for work and staying connected to
family and friends via virtual conferencing and social media. But too much
social media can be a bad thing, too.
Young people who use social media more than two hours a day tend to rate their mental health as fair or poor compared with less frequent users.
Occasional users of social media are almost 3x less likely to be depressed than heavy users.
People who restrict social media use to a half-hour a day have significantly lower depressive and anxiety symptoms.
If you’re someone who finds periods of
abstention reinvigorating, you may want to add a digital detox to go along with
New Year’s resolutions and Sober October.
Data loss blues
When you spend a lot of time on a computer,
it’s only a matter of time before you lose something important. It could be financial
documents, or an album of precious family photos, or maybe a big work
presentation. Worse yet, you could have your entire system taken over by
ransomware. Stressed yet? You’re not alone. We
asked IT pros what they would rather lose than
their data and here’s what they had to say:
Things IT pros would rather lose than data:
Internet connection
Cell service
Internal organ
Wedding ring
Robot lawnmower
Bacon
That’s right. Bacon! Kidding aside, losing
data can be stressful. And many businesses don’t survive after major data loss.
That’s why using strong cybersecurity solutions, like cloud-based antivirus, is
so important, as is backing up the important files and folders on your computer.
Do it for the sake of your data, or do it for the bacon, but just do it! You’ll
thank us.
Technology never sleeps
If you think it’s hard for those just using
technology, think of the people who have to work in technology. If you’ve ever
thought about a career in tech, you better like the night shift. Technology
never sleeps. The best time to perform upgrades or installations is late at
night when most users are offline and there’s less traffic on the network. Want
to launch a new website? Midnight is probably the best time. But all this
late-night system testing and debugging can lead to loss of sleep and, in turn,
an unhealthy dose of stress.
And it’s not just tech pros doing tech things
late at night. If you’re up late scrolling your feed and posting comments, you
may not be sleeping as well as you should. The
blue light from phone screens and computers reduces your
levels of melatonin, which is the hormone that controls your sleep. And lack
of sleep can lead to several harmful side-effects,
including:
Anxiety, insomnia, depression, forgetfulness
Impaired thinking and slow reaction time
Increased risk for heart disease, high blood pressure, stroke and diabetes
Sleep apnea, low testosterone and decreased sex drive
Skin lines, dark circles under the eyes, weight gain
So, avoid using tech too close to bedtime if
you can. Reduced stimulation works wonders for good sleep habits. The news will
still be there in the morning.
There’s an app for that
It’s not all doom and gloom when it comes to
technology and mental health. In fact, advancements in health technology are
emerging at a rapid rate. One area of progress is apps that help people with
mental health issues. The National Institute of Mental Health has identified several promising trends, including:
Apps that provide tools for managing stress, anxiety and sleep problems
Cognitive remediation apps that help people develop thinking and coping skills
Illness management apps that put trained health care providers in touch with patients
Mindfulness, meditation and relaxation apps
Resilience online and offline
It’s a measure of our personal resilience when
we’re able to persevere through something as disruptive as coronavirus. Having
social media and the internet can help. But we have to be mindful to avoid
overdoing it. We also have to be careful to protect the digital devices we’ve
come to rely on with appropriate cybersecurity. That’s cyber-resilience. And it
can do wonders for your peace of mind and your overall mental health.
With the recent crash in oil prices, and supply rapidly piling
up, a new spear
phishing campaign has begun targeting executives at several major oil
producers. A massive number of emails started being distributed in late March,
without the telltale signs of amateur phishing like bad spelling and grammar.
Furthermore, the emails appeared to be from a sender with knowledge of the oil and
gas industry. Two documents within the emails posed as bid contracts and
proposal forms but were used to deliver the final payload, a trojan called
Agent Tesla, which is a malware-as-a-service that can perform a variety of
malicious activities on a system.
Several dubious third-party software
affiliates have been spotted distributing a campaign targeting antivirus
users, prompting them to renew their subscription through the affiliate’s link,
thus netting them additional revenue. Most affiliate programs have strict
guidelines as to how the company can promote the affiliated software, and
purposely misleading customers can lead to major penalties. Emails displaying
expiration notices for Norton and McAfee have both been identified. With a
percentage commission, the affiliate could be earning up to 20% of the purchase
price for each fraudulent sale.
Philadelphia Sandwich Chain Faces Data Breach
PrimoHoagies,
a Philadelphia-based sandwich chain, was the unsuspecting victim to a data
breach that went undetected from July 2019 until this February. The breach
affected all online sales during that time period, though no in-store purchase
data was compromised. By April, the company released an official statement
regarding the breach. But the admission came only days before a data security lawsuit
was filed by a customer who had seen fraudulent charges on his credit card.
Decryption Keys for Shade Ransomware Made Available
After nearly five years of operation, the creators of Shade
ransomware have decided to close shop and give out nearly 750,000
decryption keys along with an apology for harm done. While most ransomware
variants tend to purposely avoid Russia and Ukraine, Shade focused specifically
on these two countries during its run. Though the many decryption keys and
master keys have been made public, the instructions for recovering the actual
files are not especially user-friendly and a full decryption tool has not yet
been released.
ExecuPharm Hit with Ransomware Attack
One of the largest pharmaceutical companies in the U.S.
recently suffered a ransomware
attack that not only encrypted their systems but also gained access to a
trove of highly sensitive personal information belonging to thousands of
clients. It is believed that the attack started in mid-March with phishing
emails targeting specific employees with the widest access to internal systems.
At this time, there is no confirmed decryption tool for the ransomware variant used,
and the company has begun contacting affected customers.
A popular military maxim speaks to the need for redundancy and
it goes like this: “Two is one and one is none.” Redundancy is also a key
principle when it comes to cyber-resilience. A popular rule in data protection and
disaster recovery is called the 3-2-1
backup rule. IT pros often borrow from military strategies when approaching
cyber-resilience, including a strategy known as “defense in depth.”
Defense in depth is a useful framework for protecting IT environments. It acknowledges that hackers will often use evasive tactics or brute force to overrun the outer-most layer of defense. So, multiple layers of defense are necessary – or defense in depth – to anticipate and mitigate lost ground. Cyber-resilience is a very high priority for businesses. So, we put together these five tips for improving cyber-resilience based on a defense-in-depth approach.
Tip #1: Sharpen perimeter defenses
Cybercriminals are getting better at using evasive tactics
to circumvent company firewalls and antivirus. Some of these evasive tactics
include file-based, file-less, obfuscated and encrypted script attacks. To
counter these tactics, we’re rolling out a new shield technology to detect,
block and remediate evasive attacks much faster and more effectively than
before. Webroot®
Evasion Shield stops attacks that elude other endpoint protection
solutions. Cloud-based threat intelligence further increases resilience at the
perimeter.
Tip #2: Strengthen the first line of defense – people
The primary vector for malware distribution is phishing
attacks. While cybercriminals find increasingly deceptive ways to trick
employees into downloading malicious code, not enough businesses are countering
by educating their workforces about identifying suspicious activity. With
employees being the weakest link in the cyber-security chain, the solution is regular
security
awareness training, with phishing simulations and courses on best practices
for identifying and reporting suspicious activity.
Tip #3: Secure your DNS connection
The domain name system (DNS) is what allows internet traffic
to find your website. But DNS protocols were not designed for security. In
fact, they’re highly vulnerable to cyberattacks, including cache poisoning,
DDoS, DNS hijacking, botnets, Command-and-Control (C&C) and man-in-the-middle
attacks. A cloud-based
DNS security solution enables businesses to enforce web access policies and
stop threats at the network’s edge before they ever hit the network or
endpoints.
Tip #4: Create and deploy a backup strategy
Redundancy is essential for cyber-resilience. Businesses must
consider a scenario where malware circumvents outer defenses. Since detecting
and remediating malware infections can be time-consuming, it’s important to
have copies of files and data for business continuity. Scheduled
backup with file versioning is necessary for mitigating malware infections
and other forms of data loss. The scheduling feature is crucial since leaving
it up to users exposes backup policy to human error.
Tip #5: Test recovery strategy regularly
Backup and recovery go hand-in-hand. And backup is only
effective if it enables rapid recovery with minimal disruption. It’s important
to test disaster recovery practices and procedures before you experience a live
disaster scenario. Disasters come in different shapes and sizes, so it’s
important to test simple file and folder recovery as well as large-scale system
restore. Also, some systems are more critical than others. Tier-one systems (the
most critical) need high levels of uptime, approaching 100%. This traditionally
requires a secondary data center that is very costly to acquire and maintain.
This is no longer the case. Disaster recovery
as a service reduces the cost of standing up a secondary environment. It
also allows for frequent testing of disaster recovery protocols. Businesses
should test once a quarter – or at least once a year – to ensure systems are cyber-resilient
when necessary.
To get started on the road to cyber resilience, take a free trial here.
Last month, the City of Torrance, California fell victim to
a ransomware attack that shut down many of their internal systems and demanded
100 Bitcoins to not publish the stolen data. Along with the roughly 200GB of
data it stole from the city, the DoppelPaymer
ransomware also deleted all local backups and encrypted hundreds of
workstations. At this time, it’s uncertain whether the City of Torrance has
chosen to pay the ransom, as the malware authors seem to have diligently removed
any means for the City to recuperate on their own.
Malicious Packages Hidden Within Popular File Repository
Over 700 malicious packages have been discovered within RubyGems, the main
package repository for the Ruby language. These originated from just two accounts and
were uploaded over a single one-week period in late February. Between them, the
many packages have a combined download number of over 100,000, most of which
included a cryptocurrency script that could identify and intercept cryptocurrency
transactions being made on Windows® devices. While this isn’t the first time malicious
actors have used open source file repositories to distribute malicious payloads,
this infiltration of an official hub for such a long period of time speaks to
the lack of security within these types of systems.
Maze Ransomware Targets Cognizant ISP
Late last week, the Maze
Ransomware group took aim at New Jersey-based internet service provider,
Cognizant, and took down a significant portion of their internal systems. The
attack occurred just a day after the removal of a dark web post that offered access
to an IT company’s systems for $200,000. It had been listed for nearly a week.
While Cognizant has already begun contacting its customers about the attack, the
true extent of the damage remains unclear.
COVID-19 Scams Net $13 Million
The Federal Trade Commission recently released statistics on
the number of complaints they’ve received specifically related to the COVID-19
pandemic: it’s over 17,000 in just a three-month period. While this number is
assuredly less than the actual number of COVID-19
related scams, these reported complaints have resulted in a sum of over $13
million in actual losses, ranging from fraudulent payments to travel
cancellations and refunds. Additionally, the FTC was able to catalogue over
1,200 COVID-19 related scam calls reported by people on the Do Not Call list.
Customer Data Stolen from Fitness App
A database containing 40GB of personally
identifiable information on thousands of customers of the fitness app, Kinomap,
was found unsecured. Containing a total of 42 million records, the database remained
accessible for nearly 2 weeks after the company was informed. It was only
secured at last after French data protection officials were notified. Kinomap
API keys were also among the exposed data, which would have allowed malicious
visitors to hijack user accounts and steal any available data.
Did you know there are three primary types of hacker—white hats, black hats, and grey hats—and that there are subcategories within each one? Despite what you may have heard, not all hackers have intrinsically evil goals in mind. In fact, there are at least 300,000 hackers throughout the world who have registered themselves as white hats.
Also known as ethical hackers, white hats are coders who test internet systems to find bugs and security loopholes in an effort to help organizations lock them down before black hat hackers, i.e. the bad guys, can exploit them. Black hats, on the other hand, are the ones we’re referring to when we use words like “cybercriminal” or “threat actor.” These are hackers who violate computer security and break into systems for personal or financial gain, destructive motives, or other malicious intent.
The last of
the three overarching types, grey hat hackers, are the ones whose motives are,
well, in a bit of a grey area. Similar to white hats, grey hats may break into
computer systems to let administrators know their networks have exploitable
vulnerabilities that need to be fixed. However, from there, there’s nothing
really stopping them from using this knowledge to extort a fee from the victim
in exchange for helping to patch the bug. Alternatively, they might request a
kind of finder’s fee. It really depends on the hacker.
So, hackers can be “good guys”?
Yes, they absolutely can.
In fact, there’s even an argument that black hats, while their motivations may be criminal in nature, are performing a beneficial service. After all, each time a massive hack occurs, the related programs, operating systems, businesses, and government structures are essentially shown where and how to make themselves more resilient against future attacks. According to Keren Elezari, a prominent cybersecurity analyst and hacking researcher, hackers and hacktivists ultimately push the internet and technology at large to become stronger and healthier by exposing vulnerabilities to create a better world.
White hat hackers, also known as ethical hackers, are cybersecurity defenders who use their skills to protect organizations from cyber threats. They might just be your friendly IT colleague. White hat hackers conduct penetration tests (often known as pen testing) and vulnerability assessments to identify security weaknesses that could be exploited by malicious hackers. With a deep understanding of cyber threats, white hat hackers help organizations strengthen security measures, develop more secure systems, and ensure the safety of digital assets. Their work is crucial in maintaining the integrity and confidentiality of sensitive information. Ethical hacking is a respected field within the IT industry, and white hat hackers are often sought after for their expertise in safeguarding cyber environments.
Why do they hack?
The shortest, simplest answer: for the money.
While white and grey hat hackers have altruistic motives in mind and, at least in the former group, are invested in ensuring security for all, the fact of the matter is that there’s a lot of money to be made in hacking. The average Certified Ethical Hacker earns around $91,000 USD per year. Additionally, to help make their products and services more secure, many technology companies offer significant bounties to coders who can expose vulnerabilities in their systems. For example, Apple offered a reward of $1.5 million USD last year to anyone who could hack an iPhone to find a serious security flaw. There are even groups, such as HackerOne, which provide bug bounty platforms that connect businesses with ethical hackers and cybersecurity researchers to perform penetration testing (i.e. finding vulnerabilities). Multiple hackers on the HackerOne bug bounty platform have earned over $1 million USD each.
And for
black hats, theft, fraud, extortion, and other crimes can pay out significantly
more. In fact, some black hats are sponsored by governments (see the
Nation-State category below).
You mentioned subtypes. What are they?
As with many groups, there’s a wide range of hacker personas, each with different motivations. Here are a few of the basic ones you’re likely to encounter.
Script Kiddies
When you picture the stereotypical
“hacker in a hoodie”, you’re thinking of a Script Kiddie. Script Kiddies are
programming novices who have at least a little coding knowledge but lack
expertise. Usually, they get free and open source software on the dark web and
use it to infiltrate networks. Their individual motives can place them in black,
white, or grey hat territory.
Hacktivists
Ever hear of a group of hackers called
Anonymous? They’re a very well-known example of a hacktivist group who achieved
notoriety when they took down the CIA’s website. Hacktivists are grey hat
hackers with the primary goal of bringing public attention to a political or
social matter through disruption. Two of the most common hacktivist strategies
are stealing and exposing sensitive information or launching a distributed denial of
service (DDoS) attack.
Red Hats
Red hats are sort of like grey hats, except their goal is to block, confound, or straight-up destroy the efforts of black hat hackers. Think of them like the vigilantes of the hacker world. Rather than reporting breaches, they work to shut down malicious attacks with their own tools.
Green Hats
Green hat hackers are hackers who are new to the hacking world. They lack the skills and knowledge of their fellow black or white hat hackers. But they cause just as much damage as black hat hackers, as they try to hone their hacking skills. Sadly, most of the time, green hat hackers cannot fix what they break.
Nation-State
Remember earlier in this post when we
mentioned that some black hats are sponsored by governments? That would be this
group. Nation-state hackers are ones who engage in espionage, social
engineering, or computer intrusion, typically with the goal of acquiring
classified information or seeking large ransoms. As they are backed by
government organizations, they are often extremely sophisticated and well
trained.
Malicious Insiders
Perhaps one of the more overlooked threats to a business is the malicious insider. An insider might be a current or former employee who steals or destroys information, or it might be someone hired by a competitor to infiltrate an organization and pilfer trade secrets. The most valuable data for a malicious insider is usernames and passwords, which can then be sold on the dark web to turn a hefty profit.
What are your next steps?
Now that you
better understand the hacker subtypes, you can use this information to help
your organization identify potential threats, as well as opportunities to
actually leverage hacking to protect your business. And if you haven’t already,
check out our Lockdown
Lessons, which include a variety of guides, podcasts, and webinars designed
to help MSPs and businesses stay safe from cybercrime.
“One of the
things about working in internet technology is nothing lasts forever… [Students]
come to me and they say, ‘I want to do something that has an impact 20, 50, or
100 years from now.’ I say well maybe you should compose music because none of
this technology stuff is going to be around that long. It all gets replaced.”
-Paul Mockapetris, co-inventor of the domain name system (DNS)
As foresighted as he may have been, the DNS inventor Paul
Mockapetris got one thing wrong in a retrospective interview
about his contribution to internet history. Namely, some aspects of technology
do have at least 20-year staying power. In this case, his own invention: the
domain name system.
But DNS, just three
years shy of its fortieth birthday, is on the cusp of a major reimagining.
One that could enhance the privacy of business and private users alike for some
time to come. According to some experts, it may even be worthy of the title
“DNS 2.0.”
The Problem with DNS Today
While DNS has evolved significantly in the more than 35
years since originally conceived, the skeletal structure remains much the same.
DNS
is the internet’s protocol for translating the URLs humans understand into the
IP addresses machines do.
The problem is that this system was never designed with
privacy or security in mind. With DNS today, requests are made and resolved in
plain text, providing intrusive amounts of information to whomever may be
resolving or inspecting them. That is most likely an internet service provider
(ISP), but it may be a government entity or some other source. In authoritarian
countries, governments can use this information to prosecute individuals for
visiting sites with outlawed content. In the United States, it’s more likely to
be monetized for its advertising value.
“The problem with DNS is it exposes what you’re doing,” says
Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s
DNS requests, I can see when they work, when they don’t, how often they use
Facebook, the Sonos Speakers and Google Nests on their network, all of that.
From a privacy perspective, it shows what on the internet is associating with
me and my network.”
This can be especially problematic in terms of home routers.
Whereas business networks tend to be relatively secure—patched, up-to-date, and
modern—”everyone’s home router tends to be set up by someone’s
brother-in-law or an inexperienced ISP technician,” warns Barnett. In this
case, malicious hackers can change DNS settings to redirect to their own
resolvers.
“If you bring a device onto this network and try to navigate
to one of your favorite sites, you may never wind up where you intended,” says
Barnett.
In the age of COVID-19, it’s becoming an even bigger problem
for employers. With a larger workforce working from home than perhaps ever
before, traditional defenses at the network perimeter no longer remain.
“To maintain resilience,” says Barnett, “companies need to
extend protection beyond the business network perimeter. One of the best ways
to do that is through DNS protection that ensures requests are resolved through
a trusted resolver and not a potentially misconfigured home network.”
DoH: The Second Coming of DNS
In response to these concerns, DNS over HTTPS (DoH) offers a
method for encrypting DNS requests. Designed by the Internet Engineering Task Force,
it leverages the HTTPS privacy standard to mask these requests from those who may
seek to use the information improperly. The same encryption standard that
banks, credit monitoring services, and other sites dealing in sensitive
information use to prove their legitimacy is also used by DoH.
It does this by effectively ‘wrapping’ DNS requests in the
HTTPS encryption protocols to ensure the server you connect with is the server
you intended to connect with and that no one is listening in on those requests,
because all the traffic is encrypted.
“It makes sure no one is messing with a user by changing the
results of a request before it’s returned,” says Barnett.
In addition to improving privacy around device
usage—remember any internet-connected device needs to “phone home”
occasionally, therefore initiating a DNS request—DoH also addresses several DNS-enabled
attack methods. This includes DNS spoofing, also called DNS hijacking,
whereby cybercriminals redirect a DNS request to their own servers in order to
spy on or alter communications. By encrypting this traffic, it essentially
becomes worthless as a target.
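As an added example (not Webroot’s code or anything from the original post), the following Python script builds the same DNS wire-format query that classic DNS sends in plain text, shows how RFC 8484 carries that message in a DoH GET URL, and parses a constructed resolver response; the resolver URL https://doh.example/dns-query and the answer address 192.0.2.10 are placeholders, and nothing here touches the network.

```python
"""
What a DoH request actually carries.

DNS over HTTPS (RFC 8484) sends the same DNS wire-format message (RFC 1035)
that classic UDP DNS sends, but inside an HTTPS exchange, so an on-path
observer (home router, ISP) sees only a TLS connection to the resolver
instead of the readable question. Everything below runs offline.
"""
import base64
import struct

# Assumed placeholder resolver endpoint; real DoH resolvers differ.
RESOLVER_URL = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a standard DNS query message for `name` (default type A)."""
    # RFC 8484 recommends txid 0 so identical queries are HTTP-cacheable.
    # Flags 0x0100 = recursion desired; one question, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver: str, msg: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def decode_dns_param(b64: str) -> bytes:
    """Resolver side: restore padding and recover the wire-format message."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def read_name(msg: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def observable_name(query: bytes) -> str:
    """What a plaintext-DNS eavesdropper reads straight out of the packet."""
    return read_name(query, 12)[0]


def parse_response(msg: bytes):
    """Parse a DNS response body; return (rcode, [(name, type, ttl, value)])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode, offset, answers = flags & 0xF, 12, []
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return rcode, answers


def constructed_response(query: bytes) -> bytes:
    """Constructed sample of the application/dns-message body a resolver returns."""
    # Flags 0x8180 = response, recursion desired + available, NOERROR.
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    # Answer name is a pointer to offset 12 (the question name); 192.0.2.10 is
    # an RFC 5737 documentation address, not a real host.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext DNS leaks:", observable_name(q))
    print("DoH GET URL:", doh_get_url(RESOLVER_URL, q))
    print("parsed answer:", parse_response(constructed_response(q)))
```

A DoH client would send that URL over TLS (or POST the raw bytes with Content-Type application/dns-message); the observer then sees only the resolver hostname, not the question.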
So, while the domain name system has served the internet and
its users well for decades, the time may have come for a change.
“The creators of DNS, in their wildest dreams, imagined the
system may be able to accommodate up to 50 million domains. We’re at 330
million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to
evolve. It’s been a great tool, but it wasn’t designed with privacy or security
as a priority. DoH represents the logical evolution of DNS.”
Toward A DoH-Enabled Future
Several major tech players,
like Mozilla with its Firefox browser, have already made the leap to using
DoH as their preferred method of resolving requests. Many companies, however,
would prefer to retain control of DNS and are concerned about applications
making independent, rogue DNS requests. Losing this control can compromise
security, as it limits the ability of a business to filter and process these
requests.
As application creators strive for better privacy for their
users and businesses always look to improve security, a balance must be found.
Webroot® DNS Protection has designed its agent to retain control of DNS
requests by limiting whether applications can enable DoH; because each request
also runs through Webroot’s threat intelligence platform, both privacy and
security are improved.
Its next release, expected in the coming months, will be
fully compatible with the new DoH protocol in service to the security and
privacy of its users.
Florida City Sees Lasting Effects of Ransomware Attack
Nearly three weeks after the City of Jupiter,
Florida suffered a ransomware attack that took many of its internal
systems offline, the city has yet to return to normal. City officials announced
they would be working to rebuild their systems from backups, rather than paying
any ransom, and were able to get their main website up and running again, along
with many essential services. The timing of the attack couldn’t have been
worse, as most of the City’s staff were under lockdown and unable to access compromised
machines in a quick and safe manner.
Hackers Breach San Francisco International Airport
Late last month, Russia-based hackers attempted to breach
the internal networks of San
Francisco International Airport using a simple injection script to obtain
employee credentials. By forcing the use of the SMB file-sharing protocol, the
hackers could quickly grab the usernames and hashed passwords, which would then
allow them to deploy any number of malicious payloads or access extremely
sensitive information. Shortly after the attack was detected and subsequently ended,
the IT staff issued a forced password reset for all staff in hopes of
minimizing any further damage.
Critical Exploits Patched by Microsoft
Recently, Microsoft
patched three zero-day exploits that could allow remote code execution, privilege
escalation, and even the creation of new accounts with full OS permissions. Two of the
patched flaws related to the Adobe Type Manager Library and were functional on
multiple Windows® operating systems, but performed different tasks based on the
environment in which they were deployed.
DDoS Suspect Arrested in Netherlands
Two Dutch government websites that were created to
distribute information related to the COVID-19 pandemic fell victim to a DDoS
attack for several hours. Dutch authorities, who have been heavily involved
in many cybersecurity operations, have arrested at least one suspect and shut
down 15 sites offering DDoS services. Hopefully, the shutdowns will help reduce
the number of these types of attacks going forward.
RagnarLocker Takes Down Portuguese Energy
One of the largest energy providers in Europe, Energias
de Portugal (EDP), became the victim of a ransomware attack that used the
RagnarLocker variant. In exchange for the estimated 10TB of data stolen during
the attack, attackers demanded a ransom of $10.9m to be paid in cryptocurrency.
The authors behind RagnarLocker have already begun posting segments of the
stolen data to their main website, along with the promise to release the rest
and make their entire client list aware of the breach, if the ransom isn’t met.
One of the most notable findings to come from the Webroot
2020 Threat Report was the significant rise in the number of active
phishing sites over 2019—a 640% rise, to be exact. This reflects a
year-over-year rise in active phishing sites, but it’s important to keep this
(dangerous) threat in context.
“Of all websites that host malicious content, phishing
historically has been a minority,” says Webroot Security Analyst Tyler Moffitt.
“While it’s growing quite a bit and a significant threat, it’s still not a
large percentage of the websites being used for malicious content. Those would
be things like botnets or malware hosting.”
This traditionally low incidence rate is likely one
explanation—or at least part of the explanation—for such a striking
percentage increase in the number of active sites.
Here are three other factors that may have contributed to
the rise.
The diversification of attacks
Since first being described in a 1987 paper, phishing attacks have diversified considerably. While phishing was once reliably email-based with a broad scope, it now entails malware phishing, clone phishing, spear phishing, smishing, and many more specialized forms. Inevitably, these strains of attack require landing pages and form fields for users to input the information to be stolen, helping to fuel the rise in active phishing sites.
Spear phishing—a highly targeted form of phishing requiring cybercriminals to study their subject to craft a more realistic lure—has turned out to be a lucrative sub-technique. This has likely contributed to more cybercriminals adopting the technique over mass-target emails pointing to a single source. More on profitability later.
After years of studying phishing data, it’s clear that the
number of active phishing sites rises predictably during certain times of the
year. Large online shopping holidays like Prime Day and Cyber Monday inevitably
precipitate a spike in phishing attacks. In another example, webpages spoofing
Apple quadrupled near the company’s March product release date, then leveled
off.
Uncertainty also tends to fuel a rise in phishing sites.
“Not only do we always see a spike in phishing attacks
around the holidays,” says Moffitt, “It also always happens in times of crisis.
Throughout the COVID-19
outbreak we’ve followed a spike in phishing attacks in Italy and smishing
scams promising to deliver your stimulus check if you click. Natural
disasters also tend to bring these types of attacks out of the woodwork.”
The year 2019 was not without its wildfires, cyclones, and
typhoons, but it’d be safe to suspect the number of phishing sites will grow
again next year.
Short codes and HTTPS represent more phishing opportunities
for cyber criminals. Malicious content is now often hosted on good domains (up
to a quarter of the time, according to our Threat Report). Short codes also have
the unintended consequence of masking a link’s destination URL. Both these
phenomena make it more difficult to identify a phishing attack.
“All of a sudden these mental checks that everyone was
told to use to sniff out phishing attacks, like double-checking URLs, no longer
hold,” says Moffitt.
Profitability
Let’s face it, this is the big one. The rise in popularity
of shared drives makes it more likely that any single phishing success will
yield troves of valuable data. Compromising a corporate Dropbox account could
easily warrant a six-figure ransom, or more, given the looming threat of GDPR
and CCPA compliance violations.
“A few years ago, most of the targets were financial targets
like PayPal and Chase,” according to Moffitt. “But now they are tech
targets. Sites like Facebook, Google, Microsoft, and Apple. Because shared
drives offer a better return on investment.”
Even for private individuals, shared drives are more bang
for the buck. Credentials which can easily lead to identity theft can be sold
on the dark web and, given the rampant
rates of password re-use in the U.S., these can be cross-checked against
other sites until the compromise spirals.
Finally, phishing is profitable as an initial entry point.
Once a cybercriminal has accessed a business email account, for instance, he or
she is able to case the joint until the most valuable next move has been
determined.
“It’s a really lucrative first step,” says Moffitt.
Don’t take the bait
Installing up-to-date antivirus software is an essential first
step in protecting yourself from phishing attacks. Features like Webroot’s
Real-Time Anti-Phishing Shield can help stop these attacks before a user has
the chance to fall for it. Continual education is equally as important. Webroot
data shows that ongoing phishing simulations can lower
click-through rates significantly.
Despite the intent of ensuring safe transit of information
to and from a trusted website, encrypted protocols (usually HTTPS) do little to
validate that the content of certified websites is safe.
With the widespread usage of HTTPS protocols on major
websites, network and security devices relying on interception of user traffic
to apply filtering policies have lost visibility into page-level traffic.
Cybercriminals can take advantage of this encryption to hide malicious content on
secure connections, leaving users vulnerable to visiting malicious URLs within supposedly
benign domains.
This limited visibility affects network devices that are
unable to implement SSL/TLS decrypt functionality due to limited resources,
cost, and capabilities. These devices are typically meant for home or small
business use, but are also found in the enterprise arena, meaning the impact of
this limited visibility can be widespread.
With 25% of malicious URLs identified by Webroot hosted within
benign domains in 2019, a deeper view into underlying URLs is necessary to
provide additional context to make better, more informed decisions when the
exact URL path isn’t available.
Digging Deeper with Advanced Threat Intel
The BrightCloud® Web Classification and Web Reputation
Services offer technology providers the most effective way to supplement
domain-level visibility. Using cloud-based analytics and machine learning with
more than 10 years of real-world refinement, BrightCloud® Threat Intelligence services
have classified more than 842 million domains and 37 billion URLs to date and can
generate a predictive risk score for every domain on the internet.
The Domain Safety Score, available as a premium feature with
BrightCloud® Web Classification and Reputation services, can be a valuable
metric for filtering decisions when there is a lack of path-level visibility on
websites using the HTTPS protocol. Even technology partners who do have
path-level visibility can benefit from using the Domain Safety Score to avoid
the complexity and compliance hurdles of deciding when to decrypt user traffic.
The Domain Safety Score is available for every domain and
represents the estimated safety of the content found within that domain,
ranging from 1 to 100, with 1 being the least safe. A domain with a low score
has a higher predictive risk of having content within its pages that could
compromise the security of users and systems, such as phishing forms or
malicious downloads.
Using these services, organizations can implement and
enforce effective web policies that protect users against web threats, whether
encrypted through HTTPS or not.
Devising Domain Safety Scores
As mentioned, a Domain Safety Score represents the estimated
safety of the content found within that domain. This enables better security
filtering decisions for devices with minimal page-level visibility due to
increasing adoption of HTTPS encryption.
How do we do it?
BrightCloud uses high-level input features to help determine
Domain Safety Scores, including:
Domain attribute data, including publicly
available information associated with the domain, such as registry information,
certificate information, IP address information, and the domain name itself.
Behavioral features obtained from
historical records of known communication events with the domain, gathered from
real-world endpoints.
A novel deep-learning architecture employing
multiple deep, recurrent neural networks to extract sequence information,
feeding them into a classification network that is fully differentiable. This
allows us to use the most cutting-edge technology to leverage as much
information possible from a domain to determine a safety score.
Model training using a standard
backpropagation through time algorithm, fully unrolling all sequences to
calculate gradients. In order to train such a network on a huge dataset, we
have developed a custom framework that optimizes the memory footprint to run
efficiently on GPU resources in a supercomputing cluster. This approach allows
us to train models faster and iterate quickly so we can remain responsive and
adapt to large changes in the threat landscape over time.
A secure connection doesn’t have to compromise your privacy.
That’s why Webroot’s Domain Safety Scores peek below the domain level to the
places where up to a quarter of online threats lurk.