by Tyler Moffitt | Oct 31, 2017 | Industry Intel
We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure. Unlike most ransomware attacks, NotPetya’s code wasn’t designed to extort money from its victims, but to destroy everything in its path.
While NotPetya and WannaCry were first uncovered in 2017, the other ransomware attacks on our top 10 list made their debuts last year. These attacks either continued into 2017 or returned with a vengeance.
This top 10 list underscores the reality of our increasingly connected world—cybercriminals will continue to develop new infections and will capitalize on reliable, successful attack methods.

NotPetya
DESCRIPTION
Starting as a fake Ukrainian tax software update, this ransomware is a variant of an older attack dubbed Petya, except this version uses the same exploit behind WannaCry. Once the software update was applied to devices, hackers used the exploits to spread laterally through networks like a worm. The code used to build NotPetya was not designed to extort money from its victims, but rather to destroy everything in its path. Inception: June 2017; Attack vector: Supply Chain ME.doc and Eternal Blue & Eternal Romance Exploit

DAMAGE REPORT
The ransom originally asked for about $300 in bitcoin, but the system that collected money from victims for decryption keys quickly disintegrated. NotPetya was designed to do as much damage to the Ukrainian infrastructure as possible. Not only did it shut down Ukrainian power plants, banking services, and supermarkets, but NotPetya also infected hundreds of thousands of computers in over 100 countries. Additionally, the ransomware shut down Maersk, the largest shipping container vessel in the world, along with FedEx (causing a reported $300 million in damage). Destruction Zone: 100+ countries

WannaCry
DESCRIPTION
The attackers behind WannaCry used the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers. Initially, the malware propagated via spam emails—including fake invoices, job offers, and other traps—which contained a .zip file that initiated the WannaCry infection. Eternal Blue exploits an older flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution. This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy operating systems like XP. Inception: First appeared in March 2017 but spread in May 2017; Attack vector: Eternal Blue Server Message Block (SMB) Exploit Kit

DAMAGE REPORT
WannaCry was the very first ransomware to take the whole world by storm, infecting several hundred thousand people in a single day. Some reports say the damage could be up to $4 billion. Luckily, a security researcher in England managed to discover a kill switch domain, which was all anyone needed to disable it. Further analysis shows that the kill switch domain has received over 10 million different connections since it was made available, suggesting WannaCry could have been even more destructive. Destruction Zone: 150+ countries

Locky
DESCRIPTION
The most popular ransomware of 2016 is still alive and well in 2017. New variants of Locky—Diablo and Lukitus—surfaced this past August using the same initial phishing email attack vector. The emails contain a zipped attachment with malicious JavaScript that downloads the Locky payload. Most of the emails pose as fake invoices from companies such as Amazon Marketplace and Herbalife. More recently, the ransomware has been spotted using an email distribution campaign with Game of Thrones references in its scripting variables. Inception: February 2016; Attack vector: Spam Email

DAMAGE REPORT
Crowned the king of spam emails, Locky can reach millions of users per day in campaigns. One of the first organizations hit was the Hollywood Presbyterian Medical Center in Los Angeles. The hospital paid the ransom demand of 40 bitcoins (approximately $17,000 at the time) to regain access to their systems. That’s a huge payday for a single attack. Other individual reports reveal the requested amount is typically around 0.5 to 1 bitcoin ($400 to $800). Destruction Zone: United States, United Kingdom, Ireland, Australia, New Zealand, Canada, China, Russia, Japan, Italy, Spain, France, Mexico, South Africa, Sweden, Costa Rica, Puerto Rico, Bulgaria, Serbia, Switzerland, Barbados, Turkey, India, Philippines, Malaysia, Saudi Arabia, Brazil, and more

CrySis
DESCRIPTION
This attack is the ultimate form of Remote Desktop Protocol (RDP) compromise. RDP is one of the most common ways to deploy ransomware because cybercriminals can compromise administrator accounts and systems that control entire organizations. As CrySis encrypts a computer, it also removes all of the automatic backups, so users can’t use them to restore files. Inception: First detected in February 2016; took a few months to spread; Attack vector: Remote Desktop Protocol (RDP)
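The two exposures this list keeps returning to are SMBv1, the service the Eternal Blue exploit behind WannaCry and NotPetya abuses, and inbound Remote Desktop, which CrySis and Cerber rely on. The following PowerShell script is an added example written for this page, not code from Webroot or from any of the campaigns described; it audits a single Windows host for both and prints the mitigation. It assumes an elevated session on Windows 8 / Server 2012 or later, where the SmbShare module and the listed registry values exist.

```powershell
# Added example, not from the original post: audit a Windows host for SMBv1
# and for RDP without Network Level Authentication (NLA). Run elevated.

function Get-Smb1Status {
    # Server-side SMBv1 switch, read through the SmbShare module.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check   = 'SMBv1 server protocol'
        Enabled = [bool]$cfg.EnableSMB1Protocol
        Fix     = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }
}

function Get-RdpStatus {
    # fDenyTSConnections = 0 means RDP accepts connections;
    # UserAuthentication = 1 means NLA is required before the logon screen.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $denied = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    [pscustomobject]@{
        Check      = 'Remote Desktop'
        Enabled    = ($denied -eq 0)
        NlaEnabled = ($nla -eq 1)
        Fix        = 'Disable RDP if unused; otherwise require NLA, limit it with the ' +
                     'firewall to management subnets, and never expose port 3389 to the internet.'
    }
}

$smb = Get-Smb1Status
$rdp = Get-RdpStatus
$smb, $rdp | Format-List

if ($smb.Enabled) {
    Write-Warning "SMBv1 is enabled. Mitigation: $($smb.Fix)"
}
if ($rdp.Enabled -and -not $rdp.NlaEnabled) {
    Write-Warning "RDP accepts connections without NLA. Mitigation: $($rdp.Fix)"
}

# The March 2017 SMB fix (MS17-010) ships under a different KB per OS version, so
# no KB number is hard-coded here; review the most recent installed updates instead.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

Disabling SMBv1 takes effect for new sessions; hosts that still run unsupported systems such as XP cannot be patched this way and should be isolated from the rest of the network.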

DAMAGE REPORT
Initially CrySis demanded between $455 and $1,022 in bitcoin. On three separate occasions, verified decryption keys have been released for CrySis, most recently in May 2017. Destruction Zone: United States, Canada, France, Australia, Vietnam, Mexico, Italy, Russia, Portugal, Spain, Serbia, Puerto Rico, South Africa, India, China, Turkey, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more

Nemucod
DESCRIPTION
Arriving via fake shipping invoice emails, Nemucod, once opened, downloads malware and encryption components stored on compromised websites. Nemucod would have been crowned most malicious spam email if Locky hadn’t reignited in August. Inception: Historically, the hackers behind Nemucod teamed up with Teslacrypt, which was huge in 2015 and 2016; in 2017, they made their own ransomware variant; Attack vector: Spam Email

DAMAGE REPORT
Those infected with Nemucod receive a ransom note demanding $300 in bitcoin in exchange for the safe return of their files. Destruction Zone: United States, United Kingdom, Ireland, France, Spain, Germany, Greece, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Turkey, Serbia, Mexico, Australia, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more

Jaff
DESCRIPTION
Like Locky, new variants of Jaff ransomware continue to be distributed. Jaff leverages phishing emails and bears characteristics associated with other successful malware. While Jaff may not have garnered the level of attention WannaCry received, the techniques used in its distribution put it in an exclusive club; one whose recent membership includes both Dridex and Locky. Inception: May 2017; Attack vector: Spam Email

DAMAGE REPORT
Initial bitcoin ransom payments asked for 2 bitcoins ($3,700). Destruction Zone: United States, United Kingdom, Australia, Canada, Ireland, France, Spain, Greece, Germany, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Mexico, New Zealand, and more

Spora
DESCRIPTION
To distribute this ransomware, cybercriminals hack legitimate websites to add JavaScript code. Visitors to the sites receive a pop-up prompt to update their Chrome browsers if they want to continue viewing the page. Downloading the "Chrome Font Pack" infects the user’s system. This attack is named after the Russian word for "spore." Inception: January 2017; Attack vector: Bogus Font Pack Update in a Browser Message

DAMAGE REPORT
Unique to Spora are different purchases that can be made depending on the particular needs of the victim. Via the well-crafted ransom payment site, victims can restore their first two files (free!); restore additional files ($30); decrypt their files ($79); buy immunity from future Spora infections ($50) and remove all Spora-related files after paying the ransom ($20). Note: the prices reflected are from Spora’s inception. Destruction Zone: United States, United Kingdom, Canada, France, Italy, Poland, Mexico, Serbia, Turkey, Singapore, Japan, South Africa, Botswana, Netherlands, Niger, Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Portugal, Germany, Ireland, Spain, Hungary, Belarus, Vietnam, Belgium, and more

Cerber
DESCRIPTION
Cerber has effectively utilized multiple attack vectors via RDP and spam emails. However, Cerber also distributes ransomware-as-a-service (RaaS). Through this “service,” cybercriminals package up ransomware and then give other criminals the tools to distribute as they see fit. The author of Cerber takes a 30% cut of the profits. Inception: March 2016; has been making several reappearances since its debut, most recently this October; Attack vector: Remote Desktop Protocol (RDP), Spam Email, RaaS

DAMAGE REPORT
One of the latest incarnations of Cerber will steal cryptocurrency and passwords from victims, providing an additional means of profit on top of the bitcoin ransom demands (between $300 and $600). Destruction Zone: United States, United Kingdom, Ireland, Canada, Singapore, South Africa, France, Italy, Japan, Chile, India, Australia, China, Germany, Malaysia, Greece, Sweden, Botswana, Turkey, Hungary, Spain, Norway, Serbia, and more

CryptoMix
DESCRIPTION
CryptoMix is often distributed through RDP but also through exploit kits such as malvertising, in which victims click an infected ad to a hacked shopping site that attacks their device’s system. CryptoMix can also hide on flash drives, so if a user inserts a flash drive from an infected system into another, the infection spreads. Inception: March 2016; Attack vector: Remote Desktop Protocol (RDP) and Exploit Kit

DAMAGE REPORT
This ransomware is one of the few that doesn’t use a payment portal on the dark web. Instead, users must wait for the cybercriminals to email them instructions, usually demanding a hefty Bitcoin ransom (5 bitcoin, or approximately $3,000). Destruction Zone: United States, United Kingdom, Ireland, New Zealand, Australia, Canada, Italy, Singapore, Turkey, Serbia, Greece, South Africa, India, Mexico, Chile, Ukraine, China, Germany, Malaysia, Japan, Sweden, Botswana, Spain, Hungary, Portugal, Norway, Iran, Russia, Israel, and more

Jigsaw
DESCRIPTION
Jigsaw ransomware, named for the iconic character from the Saw film franchise, distributes via spam email and deletes a victim’s files every hour and each time the infection process starts until the ransom is paid. Inception: April 2016; Attack vector: Spam Email

DAMAGE REPORT
Every hour, Jigsaw Ransomware deletes victims’ files until they pay the ransom (prices ranging from $20-$200). After the initial infection, when the ransomware is restarted after process termination or a reboot, Jigsaw will delete a thousand files from the victim's computer.
Destruction Zone: United States, United Kingdom, Ireland, Italy, Canada, Australia, New Zealand, Singapore, Serbia, Japan, Turkey, South Africa, Niger, France, Greece, Mexico, India, Chile, Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Botswana, Poland, Netherlands, Russia, Ukraine, and more
To view our Top 10 Nastiest Ransomware infographic, click here.
Not sure how to protect yourself online? Read our safety tips.
by Connor Madsen | Oct 27, 2017 | Industry Intel
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Fake Crypto Exchange Apps Found on Google Play Store
After being available on the Google Play store for nearly a month, several phishing apps that were spoofing cryptocurrency exchanges have been removed. Unfortunately, they had been installed up to 5000 unique times by unwitting users. While this isn’t the first time we’ve seen phony crypto exchange apps in an app store, they are becoming more regular, and increasingly difficult to identify.
Reaper Botnet on Track to Be Largest in History
A new botnet called Reaper has been spotted controlling nearly two million unique IoT devices, and is continuing to grow. The infection spreads relatively quietly, like a worm, and uses known vulnerabilities within internet-connected devices to increase its reach. The botnet has yet to be used for any known DDoS attacks, and it appears to be more concerned with growth than high-profile attacks.
Microsoft Office Vulnerability Leaves Users Defenseless
As more and more attention is focused on infections from malicious email attachments, an exploit has been found in a decades-old data exchange system used in all Microsoft Office programs that could allow similar attacks to remain unnoticed. The exploit is based on the data exchange protocols used to send data between Office apps and could be used to trigger malware without user interaction. Unfortunately, Microsoft is unlikely to perform any major patches to resolve the issue, since they could break the data protocols needed by each app.
Customer Info Breach at Major Cosmetics Company
Recently, a security firm found two publicly accessible databases containing sensitive information for nearly 2 million Tarte Cosmetics customers. The data consisted mostly of payment and other sensitive information for any online customers from the last decade, and may have also fallen victim to a ransomware attack during the period that it was unsecured. Fortunately, Tarte was quick to take both databases offline after being informed of the indiscretion.
Bad Rabbit Ransomware Invades Media Outlets
Over the past week, multiple media outlets from Eastern Europe to Japan have been experiencing a ransomware attack, dubbed Bad Rabbit by researchers. The variant shares some of its code with Petya, the ransomware that caused widespread damage earlier this year. Bad Rabbit seems to propagate through fake Flash updates and uses Mimikatz to obtain credentials from infected devices.
by Austin Castle | Oct 26, 2017 | Home + Mobile
The U.S. electrical grid is in “imminent danger” from cyberattacks according to a report from the U.S. Energy Department released earlier this year. Such an attack would put much of the infrastructure that we rely on for public safety and basic services in jeopardy—electricity, water, healthcare, and communications systems, among others.
Just last week, an email was sent to energy and industrial firms by the DHS and FBI warning of hacking groups targeting critical infrastructure in the “energy, nuclear, water, aviation, and critical manufacturing sectors.”
Great power, great responsibility
While the networked technology behind this infrastructure empowers our society, it also exposes us to new risks. Most people are aware of the cyber threats facing our personal mobile devices, home computers, and smart appliances. But the risks to public safety on a larger scale are less well known. Commitment to securing this brave new world is critical if we are to avoid serious public safety problems.
Ransomware attacks—when cybercriminals hack a computer, encrypt the files and hold them hostage—pose a particularly dangerous threat for public infrastructure. It is estimated that ransomware has resulted in billions of dollars of losses in the last year alone, according to our June 2017 Quarterly Threat Trend Report.
Already this year, we’ve seen several major ransomware attacks on government entities, including counties, cities and multiple police departments leading to major disruptions in services like emergency response times, video surveillance and emergency radio transmissions.

In June, an infamous cyberattack dubbed NotPetya hit Europe, affecting workplaces and public domains. This attack mirrored its predecessor named Petya (a type of ransomware), except this new incarnation used “EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack.” It also differed from other popular ransomware attacks by denying user access and attacking low-level structures on the disk. This Petya-based attack targeted employees at one of the world’s largest advertising agencies, as well as oil companies, shipping companies and banks. A new ransomware attack that emerged this week named Bad Rabbit also appears to be linked to the NotPetya attack.
As advanced threats such as ransomware continue to evolve in sophistication, they present a more imminent threat to the systems and services we rely on for public safety. Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world.
Get tips on becoming a more proactive and prepared citizen with our “One Wrong Click” infographic.
by Connor Madsen | Oct 20, 2017 | Industry Intel
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Swedish Trains Schedule Gets Derailed by Cyber Attack
In the last week, several computer systems belonging to the Sweden Transportation Administration were subjected to multiple DDoS attacks that forced the agency to halt some trains and delay others. While they were able to bring the services back online within a few hours, the delays affected transportation schedules for the remainder of the day. Unfortunately, the effects of the attacks were still noticeable within the transportation systems for several days, as the schedules all needed readjustment to accommodate their customers.
Adobe Flash Affected by Zero-Day Exploit
Researchers this week discovered a zero-day exploit within Adobe Flash Player that was used to install FinSpy, a malicious software used to steal user information. The software was hidden in an infected Word document, which the user received via email. FinSpy surveillance software is sold worldwide, but is often used maliciously to gain financial or political power through information gathering and extortion. Fortunately for Adobe Flash users, the latest update patches the exploit and is readily available from Adobe’s site.
Adult Themes Infest Roblox Computer Game
The open-source nature of games like Roblox can enable users to make custom additions to the game and make their experience their own. However, some users choose to take advantage of the system and abuse it. Unfortunately, many of the game’s younger user-base has recently been subjected to Nazi propaganda and other adult content. The vendors of such mods are usually banned from the servers, only to return a short while later.
IoT Takes Major Hit with Krack Attacks
Recently, a vulnerability was found within the WiFi encryption currently in use by hundreds of millions of IoT devices around the world. Fortunately, the vulnerability has been patched by dozens of vendors for quite some time now. However, there are still some devices that won’t likely receive an update in the near future: security cameras, routers, and other household wirelessly connected “things”.
Oracle Updates Large Number of Critical Patches
In their latest update, Oracle pushed out more than 250 different patches for bugs across hundreds of products. Some of the most critical patches involve SQL injection vulnerabilities in their E-Business Suite, which could be used maliciously to steal or alter sensitive financial data. Another area that received multiple patches was the Java Platform, which had 20 unique exploits that were available remotely without any user authentication.
by Connor Madsen | Oct 13, 2017 | Industry Intel
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Rigzone Founder Caught Stealing Data
Over the last few months, officials have been piecing together the case against Rigzone founder David Kent. After selling the Rigzone domain several years ago, Kent used several backdoors he’d implemented to access account information for over 700,000 customers, which he then attempted to sell back to Rigzone. By setting up several dummy accounts, Rigzone staff determined the specific IP address Kent used and apprehended him.
Criminals Hack Eastern Europe Bank for Millions
In the last year, banks in several Eastern European countries have seen a drastic rise in fraudulent charges at ATMs that have allowed hackers to make off with nearly $40 million. Attackers start by manipulating the banks’ overdraft protection and setting up proxies to allow accomplices in other countries to withdraw massive quantities of money from separate accounts. In addition to spoofing the overdraft system, the attackers also installed remote access software on bank computers to enable further intrusion into the institution’s systems.
Multiple Accenture Servers Left Exposed Online
A security researcher recently discovered four servers belonging to Accenture that were left publicly accessible on the internet for an undisclosed length of time. These servers contained data on thousands of Accenture’s clients, though the company’s statement on the issue assured customers that all data was from a retired system that contained no current data. Fortunately, server logs show that the researcher was the only unauthorized user to access them, which should help Accenture’s IT staff sleep a little better.
Latest Apple OS Gives Actual Password instead of Password Hint
A bug within Apple’s latest macOS, High Sierra, could allow a local attacker to request a password hint but receive the actual password. This bug occurred due to an issue with Apple’s file management system, which would have asked users to input a password hint in case they forgot their credentials. Unfortunately, the bug caused the hint request to display the legitimate password instead. Luckily for High Sierra users, Apple was quick to release a patch that fixed the issue.
Healthcare Service Records Found Online
Kromtech researchers discovered an unsecured Amazon S3 bucket belonging to a US healthcare services company that contained information on at least 150,000 patients. Although the company secured the server as soon as they were notified of this security oversight, it’s unclear how long the bucket was freely accessible.
by Austin Castle | Oct 12, 2017 | Home + Mobile
Over the last year, a handful of cyberattacks have made news headlines and affected families. High-tech toy maker Spiral Toys was the victim of a particularly cunning hacking scheme. The maker of CloudPets stuffed animals reportedly exposed more than two million private voice recordings and the login credentials of 800,000 accounts. While these “smart toys” are part of a wave of internet-connected devices providing fun and memorable experiences, they are also exposing millions of users to cyber threats. These toys may appear harmless on the surface, but their vulnerability to attack should be kept top-of-mind by any parent.
Educate your family
One of the best ways to ensure your children maintain a safe online presence is to start the conversation around the potential risks they face in our increasingly connected world early on.
When it comes to online safety, the U.S. Department of Homeland Security recommends looking for “teachable moments” that arise naturally during day-to-day computer use. For example, if you get a phishing message, show it to your kids so they can identify similar messages in the future and recognize they are not always what they seem.
BBC reported that “children aged five to 16 spend an average of six and a half hours a day in front of a screen compared with around three hours in 1995, according to market research firm Childwise.” With the amount of time kids and teens spend in front of a computer screen daily, and with hacking and cybercriminals becoming more advanced and sophisticated, it’s more important than ever to teach kids how to be cyber savvy.
Tips for your cyber savvy kids
In addition to using tools like Webroot’s Parental Controls, CISO Gary Hayslip summarizes a few safety tips:
- Don’t give out financial account numbers, Social Security numbers, or other personal identity information unless you know exactly who’s receiving it.
- Remember to also protect other people’s information as you would your own.
- Never send personal or confidential information via email or instant messages as these can be easily intercepted.
Find more tips to keep your family safe online, wherever they connect.
by Connor Madsen | Oct 6, 2017 | Industry Intel
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Yahoo Breach Expands to All 3 Billion Users
In a recent statement, Yahoo announced that its 2013 breach, which took nearly 4 years to investigate, has impacted all 3 billion of their site’s unique users. Along with this recent update, the company is still reeling from a separate 2014 breach, which holds the dubious title of 2nd largest data breach to date. This update to the total affected users isn’t surprising, given that the original breach left questions as to why some accounts were compromised, while others remained untouched and showed no signs of malicious activity.
Facebook Under Fire After Russia-Based Ads Overwhelm Users
Recently, Facebook founder Mark Zuckerberg issued an apology for the site’s lack of action in stopping Russian advertisements and fake news articles, which have been circulating heavily since the 2016 election season. His statement goes on to promise that additional safeguards will be implemented to ensure Facebook can continue to be a safe platform for users to voice their opinions.
Hackers Prove You Can Game the Gamers
In the past week, R6DB, an online stat tracking service for the popular game Rainbow Six Siege was shut down after several servers were wiped completely due to a cyber-attack. The attackers accessed the database remotely, as it was left unsecured during a recent data migration that hadn’t yet concluded. Unfortunately for many players, their information is completely gone, while company officials are still working to restore what information they can.
Apple’s About-Face
Face ID, the iPhone X’s highly-touted biometric device locking system, has been found to be less than secure in several scenarios. Some of the vulnerabilities relate to young users whose facial features may change as they age, and siblings with similar facial features being able to spoof the security measure. Fortunately, Face ID isn’t the only security precaution on the new device, as it will still require a passcode to be set.
NFL Player Data Found on Unsecured Server
Recently, researchers discovered that an unsecured database belonging to the NFL Players Association contained records on over 1,100 individual players and agents. The compromised data included everything from players’ personal info to team contracts and payee information. Even more worrisome, a ransom note with a bitcoin address was found among the data, though it appears the data itself wasn’t leaked to Dark Web sellers. Fortunately, the database was secured shortly after researchers notified the NFLPA, though no response was received from the association regarding the incident.
by John vonStein | Oct 3, 2017 | Home + Mobile
“I use a Mac, so I don’t need to worry about malware, phishing, or viruses.” Many Mac users turn a blind eye to cybersecurity threats, often noting that most scams and attacks occur on PCs.
However, within the last few years, there has been a noted uptick in spyware (a type of software that gathers information about a person or organization without their knowledge), adware (software that automatically displays or downloads advertising material), and potentially unwanted applications (PUAs) on Macs and iOS devices.
While Macs are known to have strong security features, they are by no means bulletproof. In a recent interview with CSO Magazine, Webroot Vice President of Engineering David Dufour noted, “Many of these incidents are occurring through exploits in third-party solutions from Adobe, Oracle’s Java and others, providing a mechanism for delivering malicious software and malware.” Even the most internet-savvy users should be sure to install antivirus software on their Mac products.

Security tips for safe browsing on a Mac
Traditionally, because the Windows operating system is more widely used around the world, it is also more highly targeted by cybercriminals. However, Apple devices running macOS are still vulnerable to security threats, and protecting them should be a priority for anyone who owns them. Check out the following security recommendations to help ensure safety wherever you connect with your Mac, in addition to having an up-to-date antivirus installed:
- Try using a VPN
VPN stands for “virtual private network” and is a technology that adds an extra level of privacy and security while online, particularly when using public WiFi networks, which are often less secure. This recent Refinery29 article illustrates the benefits of VPNs for your work and personal life.
- Secure your browser
You may be tempted to ignore messages about updating your browsers, but the minute an update is available, you should download and install it. This is good advice for all software being run on any devices—desktop, laptop, or mobile.
- Secure backup
Be sure to regularly back up your computer and iOS devices so you can easily retrieve your data in case you get locked out of your device.
- Use a strong login password
Use a unique combination of numbers and letters to password-protect your Mac. This is good advice in general for all of the passwords you create. For an added security step, check out the Webroot Password Manager tool to make it easier to manage and organize your passwords.
by Connor Madsen | Sep 29, 2017 | Industry Intel
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Showtime Site Found Using Cryptocurrency Miner
Following the discovery last week that ThePirateBay has been using a Monero miner to experiment with revenue alternatives for the site, researchers have found that both Showtime.com and ShowtimeAnytime.com have embedded code for similar cryptocurrency mining. The code itself runs only while the user is on the site, and ceases once they navigate away. The main concern, however, was the high CPU usage users experienced. The script in question was removed after several days of testing, but Showtime has yet to comment on their implementation of the crypto-miner or its intended outcome.
Massive Stash of Credit Card Info Linked to Sonic Breach
In the past few days, researchers have found a trove of credit card data that could be tied to a recent breach at Sonic, the popular drive-in restaurant. The data is organized by the location of each card, and currently contains nearly 5 million unique card numbers and related info. While Sonic has not yet determined the cause of the breach, they have been working with their credit processing company to identify the compromised store locations and implement credit monitoring for affected customers.
Big Four Accounting Firm Breached
Deloitte, one of the world’s largest accounting firms, suffered a cyberattack that exposed sensitive emails to criminals. Researchers believe hackers gained access to the email system via an administrative account without 2-factor authentication. The attack appears to have only affected a limited number of the firm’s clients, though actual figures are still unknown. Unfortunately, Deloitte’s security is severely lacking overall. With any luck, this breach will be the impetus they need to step up their protection practices.
Irish National Teachers’ Organisation Hacked
A recent Irish National Teachers’ Organisation breach may affect up to 30,000 current and retired teachers across the Republic of Ireland and Northern Ireland. While the breach doesn’t appear to have been aimed at stealing data, the compromised systems contained massive quantities of teacher information. Fortunately, both payroll data and user passwords were not exposed, as they are stored in an alternate location. With enforcement of the EU’s General Data Protection Regulation (GDPR) on the horizon, breaches like these will likely become very costly for victim companies.
Vehicle Tracking Data Available Online
In the last two weeks, researchers found an unsettling number of account records belonging to the vehicle tracking service SVR Tracking had been left completely unsecured online. The data includes account credentials and vehicle identification information for roughly 500,000 unique accounts. While it’s unclear how long the data was publicly available, SVR secured the server within several hours of being notified of the discovery.
by Emily Cacic | Sep 27, 2017 | Home + Mobile
Another day, another phishing attack. From businesses to consumers, phishing attacks are becoming a more widespread and dangerous online threat every year. One wrong click could quickly turn into a nightmare if you aren’t aware of the current techniques cyber scammers are using to get access to your valuable personal information.
A phishing attack is a tactic cybercriminals use to bait victims with fake emails that appear to come from reputable sources. The attackers’ goal is to lure the user into opening an attachment, clicking on a malicious link, or responding with private information. These phony emails have become alarmingly realistic and sophisticated. A scam may come in the form of a banking inquiry, an email from a seemingly official government agency, or even a well-known brand with whom you’ve done business—maybe you even pay them a monthly subscription fee.
If you do take the bait, you’ll likely be directed to a malicious website, where you’ll be prompted to enter your account login details, a credit card number, or worse yet, your social security number. The end goal of these phishing attacks is solely to steal your private information.
According to the Webroot Quarterly Threat Trends Report, the first half of 2017 saw an average of more than 46,000 new phishing sites being launched every single day, making phishing the number-one cause of cybersecurity breaches. As hackers devise new phishing tactics, traditional methods of detecting them quickly become outdated.
One of the most popular tricks criminals use to avoid detection is the short-lived attack. The Quarterly Threat Trends Report also revealed that these attacks, where a phishing site is live on the internet for as little as 4 to 8 hours, are seeing a continued rise. Short-lived attacks are so hard to catch because traditional anti-phishing techniques like blacklists are often 3-5 days behind, meaning the sites have already been taken down by the time they appear on the list.
You’re probably already aware of the primary phishing-avoidance tip: do not click on suspicious links or unknown emails. But, as the state of phishing becomes even more advanced, how can you best spot and avoid an attack?
Lesser-known phishing giveaways
Webroot recommends keeping an eye out for the following:
- Requests for confidential information via email or instant message
- Emails using scare tactics or urgent requests to respond.
- Lack of a personal message or greeting. Legitimate emails from banks and credit card companies will often include a personalized greeting or even a partial account number or user name.
- Misspelled words or grammatical mistakes. Call the company if you have suspicions about an email you’ve received.
- Directions to visit websites with misspelled URLs, or use of subdomains, which precede the normal domain (something like phishingsite.webroot.com).
Stay ahead of cybercriminals
If an email in your inbox does seem suspicious, here are a few things you can do:
- Contact the service or brand directly via another communication channel (i.e., look up their customer support phone number or email address), and ask them to verify whether the content of the email is legitimate.
- Avoid providing any personally identifiable information (PII) electronically, unless you are extremely confident the email is from the stated source.
- If you do click a link from an email, verify the site’s security before submitting any information. Make sure the site’s URL begins with “https” and that there’s a closed lock icon near the address bar. Also, be sure to check for the site’s security certificate.
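The URL-related giveaways above (misspelled domains, a brand name used as a subdomain of some other domain, and links that are not https) can be checked mechanically before anyone clicks. The following is an added example, not code from the Webroot post; the trusted-domain list, the sample links, and the two-character misspelling threshold are assumptions chosen for illustration, and the registrable-domain helper assumes a single-label suffix such as `.com` (a production tool would consult the Public Suffix List). The certificate check from the last item needs a live connection and is left to the browser.

```python
from urllib.parse import urlsplit

# Constructed list of brands the reader actually does business with.
# These names are an assumption for the example, not taken from the post.
TRUSTED_DOMAINS = {"webroot.com", "examplebank.com"}


def registrable_domain(host):
    """Return the last two labels of a host name (e.g. 'webroot.com' for
    'www.webroot.com'). Assumes a one-label public suffix such as .com;
    a real deployment would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that differ from a trusted
    one by only a character or two (e.g. 'webr00t.com' vs 'webroot.com')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for a link found in an email.
    An empty list means none of the giveaways from the post were spotted."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    # Giveaway: the site does not use https.
    if parts.scheme != "https":
        warnings.append("link is not https")

    reg = registrable_domain(host)
    if reg in trusted:
        return warnings  # the host really belongs to the trusted brand

    labels = host.split(".")
    for t in trusted:
        brand = t.split(".")[0]
        # Giveaway: brand name placed in front of an unrelated domain,
        # e.g. webroot.com.evil-example.net (constructed sample).
        if any(brand in label for label in labels[:-2]):
            warnings.append(
                f"'{brand}' appears as a subdomain of {reg}, not as the real domain {t}")
        # Giveaway: registrable domain one or two edits away from a trusted one.
        distance = edit_distance(reg, t)
        if 0 < distance <= 2:
            warnings.append(f"{reg} looks like a misspelling of {t}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not real phishing sites.
    for link in ("https://www.webroot.com/login",
                 "http://www.webroot.com/login",
                 "https://webroot.com.evil-example.net/login",
                 "https://webr00t.com/account"):
        print(link, "->", check_url(link) or "no giveaways found")
```

Note that the post's own example, phishingsite.webroot.com, produces no warning here: its registrable domain is webroot.com, so the host is under the brand's control. The case the check is built to catch is the reverse one, where the brand name is placed in front of a domain that belongs to someone else.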