Holiday Grab Bag

Cyber Security Holiday ‘Grab Bag’

When I sat down and began brainstorming a topic for this blog, I had a hard time settling down on just a single idea.  There are so many cyber security incidents taking place, and many of them can be avoided.  We will talk about that here.  So, instead of just covering a single topic in this blog, I decided that in the spirit of this time of year I am covering “grab bag” of topics.  So, without further ado, let’s get started…

Staying (Cyber) Safe this Holiday Season

The Holiday season is a time of year that many people anxiously await.  You can also group cybercriminals into the ”anxiously awaiting the holidays” mix.  During the holidays, online shopping booms. 

Given global restrictions due to COVID-19, more than 70 percent of Americans will avoid in-person shopping. Online shopping this year is the ‘new normal’.  So, what does this mean from a cyber security perspective?  Increased opportunities for malicious actors trying to get your information!  They are the real Grinches!

Crafting campaigns themed around online orders, holiday donations, issues with order payment, shipping notifications, coupons and rewards, this is nothing new for cybercriminals. Each campaign is designed to trick the user into providing information. They target login details for an online retailer or bank account info, and other forms of valuable information.  With the increase in online shopping, this also increases the number of potential victims for these cybercriminals to exploit. 

Cyber Security Tips for the Holidays

As it is the season of giving, allow us to give some tips on how to avoid becoming a victim. Remember that it all comes down to this: Awareness

  1. Take the time to investigate any unexpected emails
    • Does the sender look legitimate? Have I gotten other emails from this sender for this retailer?
    • Do not click URLs directly in the email, instead visit the site directly to view any messages for your account.
    • What type of information is being requested of me? Are they making it seem urgent?
  2. Enable Multi-Factor authentication on accounts
  3. Avoid clicking on any unexpected links sent via a text message or social media
  4. Do not provide any account information over the phone unless you initiated the contact and it is a verified number for the retailer.
  5. If you are unsure, contact the retailer directly!

Take the extra time to diligently inspect any unexpected emails. It may just save you a lot of time, money, and patience!

Wait…wasn’t iPhone and Apple “Privacy”?

Do you remember those Apple commercials a few months back driving home the point of how much Apple values privacy and by extension so does their iPhone product? If you ask me the advertising campaign was great. It’s always comical seeing the actors divulge their fake private information to anyone in the general vicinity. 

What if I told you that your privacy could potentially go out the window as an iPhone user due to a recently discovered Wi-Fi hack?

Google Project Zero discovered a new exploit in some iPhones and other iOS devices. The exploit allows an attacker to take complete control of the device over Wi-Fi. This is due to a weakness in an Apple developed protocol.  Doing so would allow the attacker to view all messages (text and email) and photos on the devices.  It could potentially even have allowed the cybercriminal to take control of your phone’s microphone and camera.

Fortunately, there have been no reports of this exploit being utilized in the wild. More good news, it was patched by Apple back in May.  However, as they state in the report itself, it is scary to think about the exploits these bad actors develop. Especially considering potential ramifications if successfully carried out.

*Hey Siri, play “Ironic” by Alanis Morissette

Baltimore County Public Schools Hit with Ransomware

Chalk it up as another tough blow for education this year.  The COVID-19 pandemic has already forced schools to adapt and switch to remote learning in a lot of cases.  This itself makes it difficult on schools.  Now imagine adding a crippling ransomware cyber security incident on top of that.

Just before Thanksgiving the Baltimore County Public School system gets hit by a “catastrophic” ransomware attack. The attack brought online learning for 115,000 students to a halt.  If you read my last blog, you might be familiar with the strain of ransomware that hit this school system.  It appears, although not confirmed, that the Ryuk ransomware is the strain that hit this school system in a hugely unfortunate way. 

Minimal details have been made public as to how the attack was pulled off, but as in other Ryuk cases an unaware user and a nefarious phish have likely struck again.  This strain has already been responsible for $61 million in ransom payments so far in 2020.

The warning signs were there as cyber security audits in Baltimore districts raised a number of security concerns.  The security audits stated risk within security of their systems historically, yet insignificant action addressing those concerns materialized.

Fortunately, the school district reports they do not believe that any data is compromised or stolen resulting from the attack.

Regardless of sector, it is time to recognize that everyone is a target.  Absolutely everyone.

Our Cyber Security Advice: Don’t Pay It Forward

It’s about this time of the year where we see industry expert cyber security predictions for the following year.  One trend that continues to rear its ugly head is Business Email Compromises (BEC) attacks. These damaging attacks continue to be a favorite amongst cybercriminals.

A BEC attack is a scenario where an attacker attempts to defraud an organization through email. They do it by impersonating a trusted party.  The end goal of the attacker is to trick the target into providing payment or sensitive information. 

One of the tactics commonly used by an attacker is creating an auto-forwarding rule in the compromised account’s inbox.  After the initial compromise of the account, the attacker may setup this auto-forward rule to exfiltrate emails to an email address they own. They target emails with keywords such as ‘payment’, ‘invoice’, ‘money’, etc. in the body or subject of the email.  This is a technique that is hard to detect without proper alerting in place.

Once the attacker has one of these rules in place, they monitor forwarded emails, striking at the opportune moment (ex. “Unpaid Invoice” in a subject line) to inject themselves into a conversation, typically using a “typosquatted” domain registered by them (Ex. M1crosoft.com instead of Microsoft.com).  Once they inject themselves into the conversation, they try tricking the unfortunate recipient into making payment to a different bank account controlled by the attacker. They might ask the victim to provide some other kind of sensitive information as well.

Preventing a BEC Attack

To prevent this type of attack the first step is having a cyber security aware user base that can pick up on the warning signs of the initial phishing email.  However, as we are all humans, sometimes we make mistakes.  In this case the necessary controls, both technical and procedural, can reduce or eliminate the chances of this attack successfully being pulled off. 

From a technical standpoint, I believe the ability for employees to have the ability to auto-forward messages externally should be disabled.  Not only does this provide outside attackers an opportunity to exfiltrate emails if they are able to compromise an account, it also creates additional opportunity for insider threats.  From a procedural standpoint it is paramount that a company has secondary cyber security controls in place to detect and combat fraudulent requests.

According to the FBI, in 2019 BEC attacks accounted for $1.77 billion dollars in losses.  In 2020, the number of BEC attempts has increased tremendously and is becoming a more preferred attack method among cybercriminals.  A few steps can prevent your company from contributing to the billions of dollars already lost because of this type of attack.

Cyber Security Predictions: Quick Hitter

As 2020 winds down we see industry leaders sharing their predictions for security in 2021.  I won’t go into any predictions here, but below are some reports from a few industry leaders that made accurate predictions in the past:

Is your organization Cyber Aware?  How many of these risks could impact your organization?

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.