Author Archives: Luke Irwin

Anatomy of a spear phishing attack – with example scam

With cyber crime quickly becoming a top priority for organisations, IT admins have felt the pressure to invest in network defences and ensure their systems aren’t breached.

But those measures aren’t much help when criminals use phishing scams to bypass organisations’ defences and hit them where they’re most vulnerable: their employees.

Fraudsters have countless tricks up their sleeve when targeting people for attacks, but perhaps the most dangerous is spear phishing. Let’s take a look at how it works, along with an example to help you spot the clues of an attack.

What is spear phishing?

Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person.

They can gather the information they need to seem plausible by researching the target online – perhaps using Facebook, LinkedIn, the website of the target’s employer or public records such as the WHOIS details of a domain the target has registered – and by imitating a familiar email address.

Spear phishing is harder to detect than regular phishing scams, because although messages contain the same clues as any phishing attack, the fact that they are addressed specifically to the target assuages suspicions that they are bogus.

Other than creating that false sense of security, however, the attack works in the same way as any other phishing scam: the message either carries an attachment that installs malware or directs the recipient to a malicious website, which may deliver malware through the browser or harvest credentials via a spoofed login page.


Proofpoint’s 2019 State of the Phish Report found that 83% of respondents had been hit by at least one phishing attack in 2018, which shows just how hard it is to identify and properly respond to targeted email threats.

An example of a spear phishing email

Here’s an example of a real spear phishing email. You can see the whole message below, followed by a breakdown of the text showing how you can tell that the message is bogus.

Subject: Domain Notification for [website] : This is your Final Notice of Domain

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: [website]

ATT: [name redacted]
[website redacted]
Response Requested By
5 – Nov. – 2018

PART I: REVIEW NOTICE

Attn: [name]

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!

Select Package:
[website link redacted]

Payment by Credit/Debit Card

Select the term using the link above by 5 – Nov. – 2018
[website]

Spotting the signs of spear phishing

Did you see the clues that the email was fake? And what about the tricks the scammer used to make the message look genuine? Let’s take a closer look at the message, beginning with the subject line:

“This is your Final Notice”

Right from the start, the criticality of this email is established in my mind. I’m also concerned as it looks like I’ve missed a previous notice.

“Attention: Important Notice”

The importance of this email has been set.

“Domain Name: [website]”

It’s the correct domain, indicating this email is indeed relevant to me.

“ATT: [name]”

Correct name also; must be legit and specific to me personally.

“As a courtesy”

They’re doing me the service. Sounds decent and generous.

“This letter is to inform you that it’s time to send in your registration.”

Sounding official now and the time pressure is being ramped up. It’s also trying to soften me up to part with personal information.

“Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.”

If I don’t comply quickly (time pressure again), there’s going to be an adverse impact on me and I’ll lose customers. This could potentially hit me in the pocket!

“Search engine registration includes domain name search engine submission.”

They’re going to perform some sort of important-sounding service for me.

“Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Really mixed messages here. An instruction not to “discard” this important “notice” but no pressure, as this isn’t a request for money (“not an invoice”) but just a generous and selfless “courtesy” and “reminder” that will benefit me.

“This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!”

Time pressure cranked up to maximum. No need to think; just act now before it’s too late.

All the above are typical examples of emotional manipulation. This is classic spear phishing.

I didn’t click the link and hand over my payment card details, because it raised all manner of red flags. Instead, I googled the link, which confirmed my suspicions.

Sadly, some would have fallen for it simply through a lack of training and awareness.

Teach your staff to spot phishing emails

You can help educate employees on the threat of phishing and what they can do to mitigate the risk by enrolling them on our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the one above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

You might also benefit from a comprehensive review of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.

It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>

The post Anatomy of a spear phishing attack – with example scam appeared first on IT Governance Blog.

How to recover from a cyber attack

One in three UK organisations fell victim to a cyber attack in 2018, costing £17.8 billion in total.

Your first – obviously valid – thought might be that we all need to get better at preventing security incidents, but it’s not the whole story.

Cyber attacks are so widespread, and criminals’ tactics so varied, that it’s impossible to prevent breaches altogether. Yet organisations put the majority of their resources into prevention and comparatively little into response, which is a large part of why the attacks that do get through are so costly.

The damages would be a lot less expensive if organisations prepared for the inevitability of cyber attacks and implemented an incident response plan to help them respond to and recover from incidents quickly and effectively.

What is an incident response plan?

An incident response plan is a document that outlines the steps an organisation must take following a cyber security incident.

What goes in an incident response plan?

Incident response plans can help organisations identify vulnerabilities in their networks and processes, mitigate the effects of a variety of situations and limit the damage caused by security incidents.

They also help organisations:

  • Spot when a security incident has occurred;
  • Assess the immediate damage;
  • Identify who needs to be made aware of the situation; and
  • Document the steps towards recovery.

Incident response in action

Let’s take a look at a real-life example of an organisation using an incident response plan to recover from a cyber attack.

On 19 March 2019, the aluminium producer Norsk Hydro’s systems were infected with ransomware, but instead of acquiescing to the criminals’ demands, the organisation turned to its incident response procedure.

Norsk Hydro wiped affected systems and restored clean versions from backups, knowing that its cyber insurance policy would help cover the costs.

Meanwhile, employees from across the organisation were drafted in to ensure operations continued, in many cases by reverting to manual processes.

The incident cost Norsk Hydro about £60 million, but given the organisation’s moral stand against paying a ransom (an approach every organisation should take), it was an exemplary recovery effort.

Despite having to shut down 40 networks and 22,000 computers, Norsk Hydro was able to continue operating, all the while garnering praise from security experts, in the expectation that profits would bounce back in the coming months.

Let’s compare that to an organisation that had no idea what to do when it suffered a major disruption.

Response efforts found wanting at British Airways

In May 2017, British Airways was reportedly hit by a power surge that shut down its IT systems and caused the airline to ground all its flights for 48 hours. (This is a separate incident from the one that led to the recently announced £183 million fine.)

The airline struggled to respond to the disruption, with one passenger telling the Guardian that the response “felt very improvised, and not very successful at all. It was honestly the angriest place I’ve ever been […] No one knew what was going on, which is why everyone was so miserable.”

Other passengers struggled to contact the airline to reclaim their baggage, while those in Heathrow Airport at the time were told to leave without the bags and collect them later.

Hundreds of people stood around waiting for guidance. Many missed their flights over the coming days – not necessarily because of cancellations but because the airline’s online and in-terminal check-in systems were down. This caused massive queues as staff had to handle huge numbers of requests at check-in desks.

Given British Airways’ reliance on technology, a tested incident response plan was essential. It would have helped the airline identify the main problems quickly, communicate with passengers and find suitable workarounds while its systems were restored.

Don’t have time to create an incident response plan?

If you suffer a data breach before you’ve had time to implement an incident response plan, don’t panic. Our cyber security incident response service provides you with the expert help you need.

With years of cyber security experience, our consultants know how to tackle any type of security incident. They’ll help you identify the source of the compromise, guide you through the response effort and ensure that you return to business as usual.

Find out more >>


How should you investigate a data breach?

Digital Guardian recently asked a group of cyber security experts what the most important step is following a data breach. Several answered with some variation of ‘find out how it happened’.

This might seem counterproductive: with so much post-breach chaos, from containing the incident and letting staff know what’s going on to getting back to work and notifying affected individuals, surely it’s a time to be looking forward, not backward.

But as the experts explained, understanding the cause of the incident is an essential part of the incident response process.

So how should you approach a data breach investigation?

The crime scene

Your investigation should begin at the scene of the incident. This might be, for example, the victim’s computer, a web page or a physical space in which documents were compromised.

Jason Maloni, Senior Vice President and Chair of the Litigation Practice at LEVICK, said that, although “few people care what got you into this situation”, your organisation needs this information so you can communicate how you’re addressing the problem.

You should therefore approach data breaches in the same way police tackle physical crime. You probably don’t have any first-hand experience doing that, but the chances are that you’re familiar with the three core aspects that establish how a crime occurred:

  • Motive: why did the criminal launch the attack? Most breaches are the result of criminals attempting to steal data, but it could have been caused by an employee, either accidentally or maliciously.
  • Means: the tools that were used to commit the crime, such as malware, hacking expertise or access to a user’s login credentials.
  • Opportunity: how and when did the perpetrator commit the attack? Some data breaches can only occur during a small window, such as the gap between a vendor releasing a patch for a vulnerability and the organisation applying it, whereas others exploit a weakness that remains open until it is fixed.

Unlike a criminal investigation, however, there’s a good chance that the culprit wasn’t acting with criminal intent. Many data breaches are accidents caused by employee negligence or process failures.

The scene of the incident will generally provide you with the clues you need to work out – or at least make an educated guess regarding – who was responsible for the breach and how it occurred.

Gathering the evidence

Now you know what to look for, it’s time to identify and interpret those clues.

The most effective method is digital forensics.

This is the collection and interpretation of electronic data in an attempt to “preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events”.

Digital forensic investigation requires a combination of technological tools and an expert understanding of how to use them.


Find out how you should respond to a data breach >>


In recent years, digital forensics has become more effective and accessible to organisations. However, it’s still unaffordable or impractical for many, so you might be forced to rely on more hands-on investigative techniques.

Fortunately, most IT departments already have the tools needed to unearth vital clues. Log files are key: authentication, web server, file server and VPN logs show who accessed or modified which files, when, and from which IP address. Work from copies and preserve the originals (with their timestamps) in case they are needed as evidence, and bear in mind that the logs are only as useful as your retention period and clock synchronisation allow.
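As an added example (not part of the original post), the following Python script does the kind of log review described above on a constructed web-server access log in the common combined format: it pulls out every request that touched a given file, summarises who did what from which address, and flags requests from outside the office network, outside office hours or without an authenticated user. The addresses, user names, file paths, internal address range and office hours are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/Nginx "combined" log format (not real traffic).
# Hosts, users, paths and addresses are invented for the example.
ACCESS_LOG = """\
10.0.0.5 - alice [03/Jul/2019:09:12:01 +0000] "GET /reports/payroll.xlsx HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.5 - alice [03/Jul/2019:09:14:22 +0000] "GET /reports/summary.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.77 - - [03/Jul/2019:23:41:09 +0000] "GET /reports/payroll.xlsx HTTP/1.1" 200 51234 "-" "curl/7.64.0"
203.0.113.77 - - [03/Jul/2019:23:41:15 +0000] "GET /reports/payroll.xlsx?download=1 HTTP/1.1" 200 51234 "-" "curl/7.64.0"
10.0.0.9 - bob [04/Jul/2019:08:03:44 +0000] "PUT /reports/payroll.xlsx HTTP/1.1" 204 0 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]          # drop the query string
        e["user"] = None if e["user"] == "-" else e["user"]
        events.append(e)
    return events

def timeline_for_file(events, path):
    """Every request that touched `path`, oldest first."""
    return sorted((e for e in events if e["path"] == path), key=lambda e: e["ts"])

def summarise_actors(events):
    """Who read or wrote the file, from which addresses and when: the interview list."""
    actors = defaultdict(lambda: {"reads": 0, "writes": 0, "ips": set(), "first": None, "last": None})
    for e in events:
        key = e["user"] or "unauthenticated@" + e["ip"]
        a = actors[key]
        a["writes" if e["method"] in ("PUT", "POST", "PATCH", "DELETE") else "reads"] += 1
        a["ips"].add(e["ip"])
        a["first"] = e["ts"] if a["first"] is None else min(a["first"], e["ts"])
        a["last"] = e["ts"] if a["last"] is None else max(a["last"], e["ts"])
    return dict(actors)

def suspicious(events, internal_prefix="10.0.0.", business_hours=(8, 18)):
    """Flag requests from outside the internal range, outside office hours or without a login.
    The address range and office hours are assumptions for the example."""
    flags = []
    for e in events:
        reasons = []
        if not e["ip"].startswith(internal_prefix):
            reasons.append("external address")
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("out of hours")
        if e["user"] is None:
            reasons.append("unauthenticated")
        if reasons:
            flags.append((e["ts"].isoformat(), e["ip"], e["method"], ", ".join(reasons)))
    return flags

if __name__ == "__main__":
    history = timeline_for_file(parse_access_log(ACCESS_LOG), "/reports/payroll.xlsx")
    for e in history:
        print(e["ts"], e["ip"], e["user"] or "-", e["method"], e["status"], e["agent"])
    for f in suspicious(history):
        print("SUSPICIOUS:", *f)
```

Run as a script it prints the timeline for /reports/payroll.xlsx, with the two out-of-hours, unauthenticated requests from 203.0.113.77 flagged. Real investigations draw on several log sources, so the same approach is worth repeating across VPN, authentication and file-server logs before interviewing the people that summarise_actors() names.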

You should also interview relevant employees to find out if they know anything about the breach. This might be to verify information from log files or to ask questions about their team’s processes, which you can use to identify anything out of the ordinary.

Whether you use digital forensics or manual investigation, the aim is to establish the cause of the breach as quickly as possible, often within hours for a simple incident, although a well-hidden intrusion can take much longer to unravel, so that you can move on to the recovery process.

What should you do when you’re under attack? 

When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.

Find out more >> 


How to handle a ransomware attack

So, your computer screen has been hijacked by criminals who are demanding money to return your systems. Now what?

That’s a question more organisations are having to ask themselves nowadays, with at least 55 ransomware attacks reported in the first half of 2019.

Many victims feel forced to pay up, because it’s the quickest and least expensive way to get back to business as usual. However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.

But what’s the alternative? Take a look at our seven-step guide to find out.

1. Prepare for an attack by backing up your data

The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your data that the attackers cannot reach. Ransomware routinely looks for mapped drives, network shares and connected backup media and encrypts those too, so the copy must be offline or otherwise isolated from the systems it protects. That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can wipe the affected machines and restore clean copies.

Because you are continuously creating new files and amending old ones, backups should be performed regularly.

You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made. The more frequently things are added or amended, the more often you should back them up.

Once you’ve determined that, set up a backup schedule, saving your work to an isolated local device or to the Cloud. Be careful with cloud services that sync folders continuously: if ransomware encrypts a file locally, the sync client will faithfully upload the encrypted version, so use a service that keeps file versions or immutable snapshots. Finally, test restoring from your backups periodically; an untested backup is only a hope.
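As an added example (not the post’s own material), here is a Python script that records what a backup should contain and checks a copy against that record, which is the “test your backups” step most organisations skip. It hashes every file under a directory into a manifest, then compares a directory (the backup, or a test restore) with the manifest and reports files that are missing, added or changed; a file encrypted in place shows up as changed, one renamed by ransomware as missing plus an unexpected extra. The demo() scenario, its file names and its ransom note are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> size and SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest

def verify_against_manifest(root, manifest):
    """Compare a directory (the backup copy, or a test restore) with a saved manifest.
    A file encrypted in place is reported as 'changed'; one renamed by ransomware
    appears as 'missing' plus an unexpected 'extra'."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in set(manifest) & set(current)
                     if current[p]["sha256"] != manifest[p]["sha256"])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}

def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed scenario: back up two files, then simulate ransomware hitting the live copy."""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as backup, \
         tempfile.TemporaryDirectory() as vault:
        live, backup, vault = Path(live), Path(backup), Path(vault)
        (live / "finance").mkdir()
        (live / "finance" / "ledger.csv").write_text("date,amount\n2019-07-01,100\n")
        (live / "notes.txt").write_text("quarterly plan\n")

        # 1. Copy the tree to the backup location and store the manifest separately
        #    (in practice: with the offline media, not on the machine being backed up).
        for p in live.rglob("*"):
            if p.is_file():
                dest = backup / p.relative_to(live)
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(p.read_bytes())
        save_manifest(build_manifest(live), vault / "MANIFEST.json")

        # 2. Simulated attack on the live data: one file overwritten with random bytes
        #    and renamed, plus a ransom note dropped in the root.
        (live / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (live / "finance" / "ledger.csv").rename(live / "finance" / "ledger.csv.locked")
        (live / "HOW_TO_DECRYPT.txt").write_text("pay us\n")

        manifest = load_manifest(vault / "MANIFEST.json")
        return verify_against_manifest(live, manifest), verify_against_manifest(backup, manifest)

if __name__ == "__main__":
    live_report, backup_report = demo()
    print("live data:", live_report)
    print("backup   :", backup_report)
```

Keep the manifest with the offline copy rather than on the protected machine, so that an attacker who reaches the live data cannot quietly rewrite the record as well; run the verification on a schedule and treat any “ok: False” on the backup side as an incident in its own right.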

2. Identify that the attack is ransomware

Don’t assume that the person who has spotted the attack knows that it’s ransomware.

The attack method is better known than ever – thanks in part to WannaCry – but many people still wouldn’t be able to identify it, which means you could be wasting valuable time working out what the problem is.

You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents. That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.


3. Disconnect infected devices from the network

Now that you’re sure you’ve been hit by ransomware, isolate the infection by taking affected devices offline.

Unplug the network cable or disable Wi-Fi rather than powering the machine off: isolating it stops the ransomware spreading, while leaving it running preserves volatile memory that investigators may need, including, for some strains, the encryption key. Isolation also gives you partial functionality and time to implement the next steps.

4. Notify your employees

Employees will quickly notice that something is amiss. Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.

Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry. Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?

That’s why you should explain the situation to your employees as soon as possible. Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.

Many ransomware victims use pen and paper instead of computers where possible. If that’s possible in this situation, you should help out as much as you can. For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.

5. Photograph the ransom note

You can use this as evidence of the attack when submitting a police report. Keep a copy of the ransom note file and a few of the encrypted files as well, on a removable drive rather than on the infected machine: you’ll need them in step 6 and possibly for any later recovery.

This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.

If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.

You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.

6. Find out what kind of ransomware it is

Identifying the ransomware strain used in the attack might save you a lot of time and effort. Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.

The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it. Upload the ransom note and a sample encrypted file to a service such as ID Ransomware, which uses the extension added to encrypted files, the wording of the ransom demand and the URLs and email addresses within it to determine the strain you’ve been attacked with.
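As an added example covering steps 2 and 6 (it is not part of the original post), this Python script triages a directory for signs of ransomware and collects the indicators that ID Ransomware asks for: files that look encrypted (high Shannon entropy), any unusual extension they carry, and the ransom note with the URLs and email addresses in it. The demo() tree, the note-name patterns and the list of “normal” extensions are assumptions made for the example.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics: ransom notes are usually small text/HTML files with names like these.
NOTE_NAME_RE = re.compile(r"(decrypt|restore|recover|readme|how_to|help).*\.(txt|html?|hta)$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Extensions whose contents are expected; anything else on a random-looking file is suspicious.
# Compressed formats (docx, pdf, jpg, zip) are high-entropy even when healthy.
KNOWN_EXTS = {".txt", ".csv", ".log", ".json", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}

def shannon_entropy(data):
    """Bits per byte: plain text is roughly 4-5, encrypted or compressed data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, sample=4096, threshold=7.5):
    """Read the first `sample` bytes; tiny files are skipped because their entropy is unreliable."""
    with open(path, "rb") as f:
        data = f.read(sample)
    return len(data) >= 64 and shannon_entropy(data) >= threshold

def triage(root):
    """Scan a tree and return a verdict plus the details ID Ransomware asks for."""
    root = Path(root)
    high_entropy, odd_exts, notes = [], Counter(), []
    files = [p for p in root.rglob("*") if p.is_file()]
    for p in files:
        rel = p.relative_to(root).as_posix()
        if NOTE_NAME_RE.search(p.name):
            text = p.read_text(errors="replace")
            notes.append({"file": rel, "urls": URL_RE.findall(text), "emails": EMAIL_RE.findall(text)})
            continue
        if looks_encrypted(p):
            high_entropy.append(rel)
            if p.suffix.lower() not in KNOWN_EXTS:
                odd_exts[p.suffix.lower()] += 1
    if notes and high_entropy:
        verdict = "likely ransomware"
    elif high_entropy and odd_exts:
        verdict = "possible ransomware"
    else:
        verdict = "no ransomware indicators"
    return {"verdict": verdict, "files_scanned": len(files),
            "high_entropy": sorted(high_entropy), "extensions": dict(odd_exts), "notes": notes}

def demo():
    """Constructed infected tree (not a real sample): two 'encrypted' files, one clean file, one note."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))
        (root / "photo.jpg.locked").write_bytes(os.urandom(4096))
        (root / "minutes.txt").write_text("Board meeting, 3 July 2019\n" * 40)
        (root / "HOW_TO_DECRYPT_FILES.txt").write_text(
            "Your files are encrypted. Email recover-files@example.com or "
            "visit http://example.onion/pay for instructions.\n")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Point triage() at a user’s home directory or a file share from a clean analysis machine, not from the infected one. Compressed formats such as docx, pdf and jpg are high-entropy by nature, which is why the verdict leans on the note and on foreign extensions rather than on entropy alone.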

7. Remove the ransomware from your device

If the ransomware behind your attack has been cracked, you can use a free decryptor to recover your files (No More Ransom, the joint law enforcement and industry project, maintains a collection of them). A decryptor only restores your files, though: it does not remove the malware, so you still need to clean the machine before putting it back into service. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.

But what if it’s the real thing?

Fortunately, that’s not much more complicated. The safest way to remove ransomware is to wipe the infected device and rebuild it from a known-good image. On Windows 10 you can do this with Reset this PC (Settings > Update & Security > Recovery), choosing the option that removes everything; holding F8 during start-up to reach the recovery menu only works on older versions such as Windows 7.

If the ransomware stops you from reaching the recovery environment, boot from the installation disk or USB stick on which your operating system is stored and reinstall from there.

Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.

Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.

However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.

Win the war on cyber crime

You can find out more about the steps you should take to defend yourself from cyber attacks by enlisting in Operation Cyber Secure.

This five-week boot camp drills you on the ways you can prepare for and respond to ransomware, phishing, insider threats and a variety of other security incidents.

By signing up, you’ll receive a free copy of the Cyber Security Combat Plan, which outlines the defence measures you should take to protect your organisation from cyber attacks.

You’ll also receive weekly emails that provide more information on the direction you should take to meet those steps.

Enlist now >>


7 tips for preventing ransomware attacks

The threat of ransomware isn’t going away – in fact, it’s worse than ever, with 28 reported attacks in the past three months.

That’s not a surprise, given how often victims pay fraudsters to free their infrastructure from the crippling malware. Experts urge organisations not to negotiate with criminal hackers, yet many – like the governments of Riviera Beach, Florida, and nearby Lake City – feel compelled to meet their demands. 

Those two cases resulted in payouts of more than $1 million (£800,000), which outraged the cities’ citizens. 

Unfortunately, the alternative can be a lot more costly, as Norsk Hydro discovered. The aluminium producer, which refused to pay for a decryptor to restore its systems after suffering a ransomware attack in March, recently announced that the decision has so far cost £60 million in lost productivity. 

Norsk knew that playing hardball with the criminals would have severe consequences, but it believed that was preferable to paying money that would fuel the cyber crime industry. 

Not every organisation will be confident enough in its long-term security to make the same choice, but we doubt any victim is happy to pay a ransom either. The only alternative is to pump resources into your defences to try to avoid being attacked in the first place. 

That’s a tough ask – the number of recent infections shows how hard it is to avoid attacks – but there are some essential steps you can take. 

Top tips for defending against ransomware 

  1. Beware of MSPs (managed service providers). Criminals are increasingly compromising MSPs and abusing the remote management tools those providers use in order to push ransomware to every customer at once. Make sure that any organisation with privileged access to your systems has adequate security measures in place, and limit what that access can do.
  2. Regularly back up your systems, and keep at least one copy offline or otherwise unreachable from your network. This enables you to wipe your systems in the event of a ransomware attack and restore previous, accessible versions of your information.
  3. Apply patches as soon as they are released. Vendors often release updates that fix vulnerabilities that could be exploited. As soon as a patch is announced, criminals are alerted to the weakness and start working out how to exploit it, so you need to address the issue as quickly as possible.
  4. Enable software features that reduce or prevent malicious software from affecting a machine, e.g. exploit protection settings.
  5. Purchase antivirus solutions that can detect ransomware and alert IT to the attack.
  6. Deploy firewalls that use blocklists of known command-and-control servers, updated through threat intelligence feeds, to prevent malware contacting the criminals who planted it to fetch instructions or encryption keys, or to download additional malicious modules.
  7. Prepare for social engineering attacks. Many ransomware infections begin with staff opening phishing emails that contain infected attachments. You should teach employees how to spot and respond to malicious emails.
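As an added example of tip 6 in practice (it is not part of the original post), the Python below loads a plain-text blocklist of command-and-control addresses and domains, matches it against outbound-connection log lines from a firewall, and lists the internal machines that actually reached a listed host. The feed contents, the log format and every address in it are constructed for the example.

```python
import ipaddress
import re

# Constructed feed, in the one-indicator-per-line style many free feeds use (not a real feed).
FEED = """\
# indicator             comment
198.51.100.0/24         # hosting netblock
203.0.113.45            # single C2 host
c2.badexample.net       # domain; subdomains match too
update-check.example    # domain
"""

# Constructed outbound-connection log lines from a hypothetical firewall (format assumed).
FIREWALL_LOG = """\
2019-07-03T10:01:05Z ACCEPT src=10.0.0.5:51234 dst=93.184.216.34:443 host=example.com
2019-07-03T10:01:09Z ACCEPT src=10.0.0.5:51240 dst=203.0.113.45:443 host=-
2019-07-03T10:02:17Z ACCEPT src=10.0.0.9:51301 dst=198.51.100.77:8080 host=cdn.c2.badexample.net
2019-07-03T10:02:40Z DENY   src=10.0.0.9:51305 dst=203.0.113.45:443 host=-
2019-07-03T10:03:02Z ACCEPT src=10.0.0.12:51400 dst=192.0.2.8:80 host=news.example.org
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY)\s+src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) host=(?P<host>\S+)$"
)

def parse_feed(text):
    """Split a plain-text feed into IP networks (single hosts become /32) and domains."""
    networks, domains = [], set()
    for line in text.splitlines():
        item = line.split("#", 1)[0].strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.lower().rstrip("."))
    return networks, domains

def parse_log(text):
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def domain_matches(host, domains):
    """True if the host itself or any parent domain of it is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def match_events(events, networks, domains):
    """Attach the matching indicators to each event that touches a listed address or domain."""
    hits = []
    for e in events:
        dst = ipaddress.ip_address(e["dst"])
        indicators = [str(n) for n in networks if dst in n]
        if e["host"] != "-" and domain_matches(e["host"], domains):
            indicators.append(e["host"])
        if indicators:
            hits.append({**e, "indicators": indicators})
    return hits

def hosts_to_isolate(hits):
    """Internal machines that actually reached a listed C2; DENY lines were stopped at the edge."""
    return sorted({h["src"] for h in hits if h["action"] == "ACCEPT"})

if __name__ == "__main__":
    networks, domains = parse_feed(FEED)
    hits = match_events(parse_log(FIREWALL_LOG), networks, domains)
    for h in hits:
        print(h["ts"], h["action"], h["src"], "->", h["dst"], h["host"], h["indicators"])
    print("isolate:", hosts_to_isolate(hits))
```

The same matching, run over DNS or proxy logs, is how you find out whether an indicator that arrived in today’s feed update would have caught yesterday’s traffic, which is the case a firewall rule on its own never tells you about.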

What should you do when you’re under attack? 

If your defences have fallen short and you find yourself under attack, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process. 

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help. 

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual. 

Find out more >> 


75% of organisations have been hit by spear phishing

Phishing scams aren’t as compelling as some of the more sophisticated attacks that you read about. But their prosaic nature is part of what makes them so concerning.

After all, every unusual email you receive could be a phishing scam, whether it’s an account reset message from Amazon or a work request from your boss.

And evidence shows that attacks like this happen regularly and in incredibly convincing ways. For example, Proofpoint’s Understanding Email Fraud Survey found that 75% of organisations had been hit by at least one spear phishing email in 2018.

Spear phishing is a specific type of phishing attack in which criminals tailor their scams to a specific person. They do this by researching the target online ­– often using information from social media – and by imitating a familiar email address.

For example, if the target works at ‘Company X’, the attacker might register the domain ‘connpanyx’ (that’s c-o-n-n-p-a-n-y-x rather than c-o-m-p-a-n-y-x), hoping that the recipient won’t spot the difference.

You might think that would be easy enough to notice, but scammers are adept at hiding the signs of their scams.
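As an added example (not part of the original post), the Python below is a sender-domain check that catches the three common lookalike tricks: character substitutions such as the ‘connpanyx’ example above or ‘rn’ standing in for ‘m’, one-character typos, and a trusted brand embedded in a longer or deeper domain. It also decodes Punycode (xn--) labels so that a Cyrillic ‘а’ standing in for a Latin ‘a’ folds back to the domain it imitates. The trusted-domain list, the sample senders and the small confusables tables are assumptions made for the example.

```python
# Trusted domains: the organisation's own and those of suppliers it deals with (assumed list).
TRUSTED = ["companyx.com", "itgovernance.co.uk", "paypal.com"]

# ASCII sequences that render like another letter, mapped to the letter they imitate.
ASCII_CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
                     ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]
# Cyrillic letters that look identical to Latin ones (a small subset of Unicode's confusables):
# U+0430 U+0435 U+043E U+0440 U+0441 U+0445 U+0443 U+0456 U+0458 U+051B -> a e o p c x y i j q
UNICODE_CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0458\u051b",
                                    "aeopcxyijq")

def canonical(domain):
    """Fold a domain to the ASCII string it is trying to look like."""
    d = domain.lower().strip(".")
    if "xn--" in d:                                   # Punycode label: decode to Unicode first
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = d.translate(UNICODE_CONFUSABLES)
    for seq, letter in ASCII_CONFUSABLES:
        d = d.replace(seq, letter)
    return d

def levenshtein(a, b):
    """Edit distance, for catching one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Crude registrable-domain extraction: last two labels, or three for co.uk-style suffixes."""
    labels = domain.split(".")
    n = 3 if (len(labels) >= 3 and labels[-2] in ("co", "ac", "gov", "org") and len(labels[-1]) == 2) else 2
    return ".".join(labels[-n:])

def classify_sender(address, trusted=TRUSTED, max_distance=1):
    """Return (verdict, trusted_domain_imitated) for an email address."""
    domain = address.rsplit("@", 1)[-1].lower()
    reg = registrable(domain)
    if reg in trusted:
        return ("trusted", reg)
    folded = canonical(reg)
    for t in trusted:
        t_folded = canonical(t)                       # fold both sides the same way
        if folded == t_folded:
            return ("lookalike-confusable", t)        # e.g. connpanyx.com, rnicrosoft.com, Cyrillic letters
        if levenshtein(folded, t_folded) <= max_distance:
            return ("lookalike-typo", t)              # e.g. companyx.co, compnyx.com
        brand = canonical(t.split(".")[0])
        if len(brand) >= 5 and brand in canonical(domain):
            return ("lookalike-embedded", t)          # e.g. companyx-secure.com, companyx.com.evil.net
    return ("unknown", None)

# Constructed sample senders (not taken from any real message).
SAMPLE_SENDERS = [
    "ceo@companyx.com",
    "ceo@connpanyx.com",
    "accounts@companyx.co",
    "it-helpdesk@companyx-secure.com",
    "service@" + "p\u0430ypal.com".encode("idna").decode("ascii"),   # Cyrillic а, as it travels on the wire
    "newsletter@example.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

Plug classify_sender() into a mail-gateway rule or a SIEM lookup on the From: and Reply-To: domains. The registrable-domain logic is deliberately crude; production code should use the public suffix list and Unicode’s full confusables table.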

Sustained threat of spear phishing

Proofpoint’s report found that 41% of organisations suffered multiple attacks in a two-year span, suggesting that those that fell victim once were likely to do so again.

It also found that only 40% of organisations have full visibility into email threats, meaning those organisations are being targeted regularly and simply aren’t aware of the scale of the threat.


Commenting on the report, Robert Holmes, vice president of email security products at Proofpoint, said:

“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact.

“These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”

Phishing is a top concern

Clearswift’s Cyber Threatscape report also highlights the threat of phishing. The information security organisation polled 600 decision makers and 1,200 employees in the UK, US, Germany and Australia, and found that 59% of respondents said phishing was their biggest concern.

Phishing was the number one risk in all four regions, beating out the threat of employees’ lax attitudes (33%), the vulnerability of removable devices (31%) and failure to remove login access from ex-employees (28%).

According to Dr Guy Bunker, senior vice president of products at Clearswift, this report “highlights that businesses need to change the way they’re approaching the task of mitigating these risks”.

“The approach should be two-fold, focused on balancing education with a robust technological safety net. This will ultimately help ensure the business stays safe,” he adds.

How can you prevent phishing attacks?

There are several ways you can address the risk of phishing. The first is to conduct staff awareness courses to educate employees on how phishing scams work and what they can do to mitigate the risk.

These courses should be repeated annually to refresh employees’ memories and maintain a workplace culture that prioritises cyber security.

You may also benefit from a thorough re-evaluation of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.

It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>


A version of this blog was originally published on 9 April 2018.


Japan’s government hacks citizens’ IoT devices

Earlier this year, the Japanese government launched a campaign in which it hacked into citizens’ IoT (Internet of Things) devices to see how secure the technology is.

The plan was to compile a list of devices that use simple, default passwords and pass it on to authorities and relevant Internet service providers to help achieve better security.

It’s a noble cause – anyone who wants to address information security should be commended – but the plan seems excessive and perhaps even dangerous.

What’s the big idea?

Starting in March, employees at the National Institute of Information and Communications Technology (NICT) were allowed to use lists of default passwords to try to log in to Japanese consumers’ IoT devices.

The test is intended to cover more than 200 million devices, including routers, webcams and Internet-connected appliances.

Once the test is complete, the government will tell the IoT providers about their vulnerabilities and instruct them to address the issues.

You can understand Japan’s eagerness to address IoT security. The Ministry of Internal Affairs and Communications reported that two thirds of all cyber attacks in 2016 were aimed at such devices.

Meanwhile, the country is preparing for next year’s Tokyo Olympics, which will almost certainly be targeted by criminal hackers, as sports events have become a hotbed of cyber crime.

The England football team was one of several warned about cyber attacks during the 2018 World Cup (although the only breach was caused by a journalist). Those watching this year’s Super Bowl and Cricket World Cup online were warned about identity theft, and the 2018 Winter Olympics website was disrupted following a malware attack.

It therefore makes sense to get ahead of the problem and address security vulnerabilities as a matter of urgency. But surely there’s a better way than deliberately hacking citizens.

Hacking Peter to pay Paul

There are several things to be concerned about with the Japanese government’s plan. For one, it’s an awful lot of risky work for minimal results.

Almost every IoT provider has vulnerabilities in its products, and they should be conducting regular penetration tests and vulnerability scans to find them. The government survey is in all likelihood simply repeating that process, except that it is doing so in a clumsy, intrusive way.

After all, if an employee logs in to a citizen’s device without their consent, that is itself a privacy breach. It doesn’t matter that the access was part of a security survey; it is still someone accessing a system and information they have no right to.

And who’s to say the employee who breaks into the device is well-intentioned? Insiders are one of the biggest security threats, because it is tempting to misuse sensitive information given how valuable it is and how easily the misuse is perceived as a victimless crime.

But there’s an even bigger security risk. The government publicly announced that it would be compiling a list of devices that can be accessed with default passwords. What are the chances that criminal hackers will target the government to get hold of that list?

A ready-made list of accessible IoT devices in Japan, together with the credentials that worked on each of them, would let fraudsters cause devastating damage with almost no effort of their own.

Outraged

The survey has sparked outrage in Japan, with citizens asking why the government didn’t simply send a security alert reminding users to strengthen their passwords.

The solution isn’t quite that simple: password strength is not the only problem, because many devices ship with default credentials and never require the owner to change them. But the complaints are along the right lines.

A less conspicuous approach, such as a security alert to the public alongside a committee meeting with IoT providers, would have achieved much the same result without the intrusion. Citizens would be reminded to change default passwords and strengthen weak ones, and the government could advise IoT providers on how they should be tackling these concerns.

Subscribe to our Weekly Round-Up to receive the latest cyber security news and advice >>

The post Japan’s government hacks citizens’ IoT devices appeared first on IT Governance Blog.

What is angler phishing?

Many of us live out our whole lives on Facebook, Twitter, Instagram and LinkedIn, publicising our thoughts, interacting with friends, strangers and businesses, and keeping abreast of current affairs.

But all that activity has made social media a breeding ground for a new form of cyber attack known as angler phishing.

What is angler phishing?

Angler phishing is a specific type of phishing attack that takes place on social media. Unlike traditional phishing, which uses emails spoofing legitimate organisations, angler phishing attacks are launched from bogus corporate social media accounts.

It works like this: cyber criminals know that organisations increasingly use social media to interact with their customers, whether for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.

Here’s an example:

(Image: angler phishing example)

Making complaints on social media puts pressure on organisations to resolve the issue promptly.

Organisations often respond more quickly to issues raised on social media, as it provides an opportunity for good PR.

Most responses are along the same lines as our example: the organisation asks the customer to provide their personal details, so it can verify the issue and respond appropriately.

Unfortunately, cyber criminals have exploited this by spoofing corporate accounts and intercepting customer queries.


Find out more about phishing >>


They use account handles that mimic the legitimate account – ‘@dominoscustomercare’, for example – search for customer complaints directed at the genuine account, and respond to them.

Eagle-eyed individuals might notice that the response came from a different account than the one they messaged, but it’s not uncommon for a big company to direct customer complaints to a dedicated account.

But more often than not, people see that the response comes from an account with the organisation’s name and logo and don’t notice the difference.

The fraudster will then ask the customer to direct message them their account details (as many genuine organisations do) or direct them towards what is supposedly a customer support page but is in fact a malicious site, which steals personal information or infects the customer’s device with malware.
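The clues described above (a handle that contains the brand name but isn’t the verified account, a reply from a different account than the one you contacted, a link to a non-brand domain, a request to send account details) can be checked mechanically. The following is an added example, not code from the original post: the brand name, the verified handles, the official domains and the sample replies are all assumptions constructed for illustration, and the handle normalisation deliberately undoes digit-for-letter swaps such as ‘0’ for ‘o’ so that lookalike handles are not missed.

```python
# Added example: a heuristic screen for angler-phishing replies on social media.
# Not code from the original post; the brand, handles, domains and sample replies
# below are constructed for illustration only.
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

BRAND = "dominos"                                   # assumption: the impersonated brand
VERIFIED_HANDLES = {"@dominos_uk", "@dominos"}      # assumption: the brand's official handles
BRAND_DOMAINS = {"dominos.co.uk", "dominos.com"}    # assumption: the brand's official domains

# Characters fraudsters swap in to dodge a naive string match (0 for o, 1 for l, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})
URL_RE = re.compile(r"https?://\S+")
# "DM us your account details", "send your card number", "verify your login" ...
CRED_REQUEST_RE = re.compile(
    r"\b(dm|direct message|send|confirm|verify)\b.{0,40}\b(account|password|card|login|details)\b",
    re.IGNORECASE,
)


@dataclass
class Reply:
    handle: str        # account that sent the reply
    addressed_to: str  # account the customer's original complaint was aimed at
    text: str


def normalise(handle: str) -> str:
    """Lower-case, strip '@' and separators, and undo digit-for-letter swaps."""
    return re.sub(r"[^a-z0-9]", "", handle.lower()).translate(CONFUSABLES)


_VERIFIED = {normalise(h) for h in VERIFIED_HANDLES}


def is_verified(handle: str) -> bool:
    return normalise(handle) in _VERIFIED


def is_lookalike(handle: str) -> bool:
    """Brand name embedded in a handle that is not one of the verified accounts."""
    return BRAND in normalise(handle) and not is_verified(handle)


def registrable_host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def off_brand_links(text: str) -> List[str]:
    """URLs whose host is neither an official brand domain nor a subdomain of one."""
    bad = []
    for url in URL_RE.findall(text):
        host = registrable_host(url.rstrip(".,)"))
        if not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
            bad.append(url)
    return bad


def assess(reply: Reply) -> List[str]:
    """Return the reasons a reply looks like angler phishing; an empty list means none found."""
    reasons = []
    if is_lookalike(reply.handle):
        reasons.append("lookalike handle: %s is not a verified %s account" % (reply.handle, BRAND))
    for url in off_brand_links(reply.text):
        reasons.append("link to non-brand domain: %s" % url)
    # Genuine accounts do ask customers to DM their details, so only flag this from unverified ones.
    if not is_verified(reply.handle) and CRED_REQUEST_RE.search(reply.text):
        reasons.append("unverified account asks for account details")
    return reasons


SAMPLE_REPLIES = [  # constructed data, all replies to a complaint aimed at the verified account
    Reply("@Dominos_UK", "@Dominos_UK",
          "Sorry to hear that. Please DM us your order number and we'll look into it."),
    Reply("@dominoscustomercare", "@Dominos_UK",
          "Hi! So sorry. Please DM us your account details and card number so we can refund you."),
    Reply("@D0minos_Help", "@Dominos_UK",
          "We've opened a case for you, please log in here: https://dominos.co.uk-support.net/refund"),
    Reply("@pizza_fan_88", "@Dominos_UK",
          "Same thing happened to me last week, their app is rubbish."),
]


def triage(replies: List[Reply] = SAMPLE_REPLIES) -> Dict[str, List[str]]:
    return {r.handle: assess(r) for r in replies}


if __name__ == "__main__":
    for handle, reasons in triage().items():
        print(handle, "->", reasons or ["looks genuine"])
```

Run as written, the verified account and the unrelated member of the public come back clean, while the two brand lookalikes are each flagged twice: one for the handle plus the request for account and card details, the other for the handle plus the link to a domain that merely begins with the brand’s real hostname. The domain check compares the whole registered host rather than looking for the brand name in the URL, which is exactly the trick the spoofed support page relies on.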

Phishing protection

Many social media users know very little about angler phishing. That’s bad news for organisations, given how often employees browse social media during their lunch breaks or quiet periods.

After all, it only takes one person clicking a bogus link to infect the organisation’s systems.

That’s why it’s important to teach your staff how to spot scammers’ bait. Our Phishing Staff Awareness Course teaches you everything you need to avoid every type of attack, from social media scams to email- and SMS-based threats.

Find out more >>


A version of this blog was originally published on 19 June 2017.

The post What is angler phishing? appeared first on IT Governance Blog.