CS Mar-Apr 2020

More documents

Recommendations

Info

Coronavirus scam SPOOF ATTACK UNLEASHED THE CORONAVIRUS IS CONSTANTLY IN OUR THOUGHTS, AS ITS GLOBAL IMPACT SPREADS. AND IT'S PROVING ANOTHER MEANS FOR HACKERS AND ATTACKERS TO GET INSIDE ORGANISATION'S SECURITY DEFENCES Dr Hayleigh Bosher, Lecturer in Intellectual Property Law at Brunel University London. @BosherHayleigh Sam West, Security Engineer, Libraesva. @smljsphwst The Coronavirus has received extensive media attention, much of which has been seen to strike fear and panic. Now hackers, spammers and fraudsters have used this as an opportunity to launch new attacks. This article - authored by Dr Hayleigh Bosher, a lecturer in Intellectual Property Law at Brunel University London, and Samuel West, a security engineer for Libraesva - walks readers through a real-life attack to show how and why they work, what to look out for and what can be done to stop the hackers. Libraesva, a UK- and Italy-based security software vendor, recently discovered targeted phishing and whaling campaigns based around the Coronavirus outbreak. Phishing is, of course, the fraudulent practice of sending emails that pretend to be from recognisable companies, in order to get individuals to reveal personal information, such as passwords or credit card numbers, and then siphon funds from an organisation. Whaling, meanwhile, is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO. An email spoof, purporting to be a letter written by the director of Milan University, and sent from a University of Bologna compromised account, is a clear example of a whaling email received and blocked by Libraesva. The email reveals how the attackers pretended to be the director, warning internal users of the outbreak of Coronavirus and what steps to take to prevent further spread. In this case, the hacker was able to change the code of the email to make it appear to be sent from a trusted sender - the director himself. Unlike a typical whaling attack that asks immediately for transfer or funds, this hacker, taking advantage of the fear around Coronavirus, asks readers to download a guide to stop the disease. TRUSTED SOURCE The interesting thing about this attack is that the underlying sender of the email is trusted by the university, gaining the confidence of the receiving email server technology. The email states, on many occasions, the dangers of the virus 2019- nCoV as a respiratory epidemic and makes a call to action for readers to quickly look at the attached document, which is a simple docx file with a link. However, once a reader clicks to access the document, the hacker has set up a fake Office 365 login page, which requires users' login and passwords to see the document. Once 'Download File' is selected, the motivation of the hacker and the scam becomes clear, asking for university user login details and passwords. The risks are very high. Hackers can sell the credentials that they obtain or use them to ex-filtrate even more data. They could also log in as a staff member and use that to send further malicious emails, which is how this email was able to be sent in the first place. BUT ISN'T THIS ILLEGAL? Yes, of course, this type of activity is illegal. Most countries around the world have laws against this type of cybercrime. In the EU, there is the convention of Cybercrime and, in the UK, we have the Computer Misuse Act. These regulations make it illegal to 24 computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk
Coronavirus scam interfere with the functioning of a computer. There are also laws against fraud and the GDPR, which protects data, and this would come into play because of the data the hackers obtained illegally. The problem is that these hackers are difficult to locate, as they often use technological measures to ensure that they are not traceable. WHAT ELSE CAN WE DO ABOUT IT? This example was located and prevented through Libraesva's email security software and management. It was observed that the spoofed sender of the email was on a compromise protection list, known in the industry as 'BEC - Business Email Compromise', so additional checks were undertaken. The email was sent using an email address of another university, after that person was successfully hacked. Using Libraesva's Adaptive Trust Engine's relationship monitoring, we saw that the trust between these two universities was quite high. But the trust between the two individual users was low; we didn't let the organisational trust get in the way of understanding the true nature of the email. The third indicator was that the email came externally to the Milan University users, which doesn't make any sense, as all emails from the director will 99% of the time come via the internal route, meaning this is obviously fake. The coronavirus is an opportunity for hackers to take advantage of the fear to scam people, business and universities. It is important to be aware of these risks and take the necessary precautionary action. Using the above indicators, Libraesva has built a dedicated technology to halt these kinds of attacks and make sure your IT team employ some Email Security, as this is the main way that threats and malicious activity can get into your organisation. Growth of the virus in China and other countries (graph courtesy of the World Health Organisation) EMAIL LANDSCAPE AND THE CORONA VIRUS Since 17 February, Libraesva have been carefully monitoring the situation with the Coronavirus and the effect it is having on email, looking into the change of the email content, the behaviour of users and even the changing threat landscape. In the top graph, right, supplied by the World Health Organisation, can be seen the growth of the virus in China and other countries. By paying close attention to the ‘Other Countries’ graph, it is possible to compare the infection rate to the second graph, showing the amount of legitimate communication around the virus in a similar timeframe. When comparing the two data sets, it can be seen that the curve is almost identical, with the more legitimate communication growing at the same rate as the infections are. This clearly indicates that the concern and communication between organisations is effectively rising at the same rate as the infections are growing. After looking at the clean email, in comparison to the infections, it's possible to see how the malicious email and threat attempts are changing, too. The graphic, bottom right, demonstrates how the malicious attempts on Libraesva users have increased at the same rate, meaning not only are the threat actors using the virus to their advantage, but also that end users are discussing the issue more. One of the key aspects of a successful attack is the degree to which such incidents are talked about and the anxiety they generate amongst other users - and this is the perfect example of that happening. Shown here is the growing communication taking place, by email, about the Coronavirus. Rising number of malicious attempts on Libraesva users, as threat actors seek to use the virus to their advantage. www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2020 computing security 25
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: editor's focus RICH VEIN OF POSSIBI
Page 8 and 9: expert insights WHY CYBERSECURITY P
Page 10 and 11: 2020 predictions MORE 20/20 VISIONS
Page 12 and 13: 2020 predictions Mike Riemer, Pulse
Page 14 and 15: expert view CEOS IN THE FIRING LINE
Page 16 and 17: data management THE PLOT THICKENS W
Page 18 and 19: data management All of this potenti
Page 20 and 21: cybersecurity and ISPs WORLD-WIDE M
Page 22 and 23: fraud & cybercrime CYBERCRIME FIGUR
Page 26 and 27: GDPR BREACHED - AND TOTALLY UNAWARE
Page 28 and 29: encryption systems THE QUANTUM CRYP
Page 30 and 31: expert insights THE INTELLIGENT APP
Page 32 and 33: product review CLOUD PROTECTION FOR
Page 34 and 35: expert insights ESSENTIAL BUILDING
Page 36: Shearwater Group plc is an award-wi

CS Mar-Apr 2020

Create successful ePaper yourself

Delete template?

Save as template?