Login
I’m sure you’ve seen them — emails or messages that sound alarming and ask you to act quickly. We live in a digital world that produces hundreds of messages and alerts every day. It’s often hard to determine the validity of a suspicious message or phishing email. Whether you are an administrator, or an end-user, it can be overwhelming to accurately identify a malicious message. When in doubt, here are some questions you should ask yourself:
Is the message from a legitimate sender?
Do I normally receive messages from this person?
If there’s a link, can I tell where it’s sending me?
Attackers continue to evolve their methods, and they’re highly educated on the defenses they come up against in the wild. They’ll craft messages that do not involve any traditional indicators of compromise, such as domains, IP address, or URL links. They’ll also start their attacks by sending messages as an initial lure to establish trust, before sending an email with altered invoice or one claiming to be a helpless employee attempting to get their payroll fixed.
Phishing is a socially-based attack type, one where the threat actors focus on human behavior. When these attacks target organizations, there are multiple levels of attack at play. One that focuses on behavioral patterns and workflow, and the other centers on the victim’s emotional boundaries, such as targeting their desire to help others. You see this pattern frequently in Business Email Compromise (BEC) attacks.
Below, we’ve placed an example of a lure, which will test the victim to see if there is a means to quickly establish trust. Here, the threat actor is pretending to be the Chief Financial Officer (CFO) of the victim’s organization. If the lure is successful, then the threat actor will progress the attack, and often request sensitive records or wire transfers. Notice that in the email headers, the person pretending to be the CFO is using a Gmail account, one that was likely created just for this attack. The message is brief, stresses importance and urgency, and requests assistance, playing on the victim’s workflow and desire to help an executive or someone with authority.
The example below is a simplified one, to be sure, but the elements are legitimate. Daily, emails like this hit the inboxes of organizations globally, and the attackers only need to locate a single victim to make their efforts payout.
In the FBI / IC3 2021 Internet Crime Report, there were nearly 20,000 Business Email Compromise complaints filed, with an adjusted loss of nearly 2.4 billion dollars. While spoofing the identity of an executive is certainly one way to conduct a BEC attack, the FBI says that threat actors have started leveraging the normality of hybrid-work to target meeting platforms to establish trust and conduct their crimes. When successful, the funds from the fraudulent wire transfers are moved to crypto wallets and the funds dispersed, making recovery harder.
So as an end user what can you do to protect your organization? Be mindful anytime you receive an urgent call to action, especially when the subject involves money. If your workflow means that you regularly receive these types of requests from the specific individual, verify their identity and the validity of the request using another channel of communication, such as in person or via phone. If you do validate their identity via the phone, take care to avoid calling any numbers listed in the email.
Cisco Secure Email helps stop these types of attacks by tracking user relationships and threat techniques. These techniques often include account takeover, spoofing and many more. Using an intent-based approach allows Secure Email to detect and classify business email compromises and other attacks, so administrators are empowered to take a risk-based approach to stopping these threats.
Find out more about how Cisco Secure Email can help keep your organization safe from phishing.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.…
A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties.…
pic-1200
Sponsored Post Shifting workloads and applications to the cloud is on every forward-thinking CIO's wish list. It is also their worst nightmare. If they get it right, they've helped to transform and modernize their organization's operations and everyone's happy. If they get it wrong, it's a different story, made much worse if a seriously expensive data breach is involved.…
On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.
Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously.
Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:
The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho
As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:
Image: twitter.com/jaypinho
Neither Amazon or Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity happening on the platform.
KrebsOnSecurity hired Menlo Park, Calif.-based SignalHire to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple.
“The drop in the percentage of 7-10 percent [of all profiles], as it happened [during] this time, is not something that happened before,” SignalHire’s Anastacia Brown told KrebsOnSecurity.
Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.
“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.
In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.
A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”
A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.
It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24 hour period.
It’s also unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
On this point, Pinho said he noticed an account purge in early September that targeted fake profiles tied to jobs at cryptocurrency exchange Binance. Up until Sept. 3, there were 7,846 profiles claiming current executive roles at Binance. The next day, that number stood at 6,102, a 23 percent drop (by some accounts that 6,102 head count is still wildly inflated).
Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, suggested another explanation for the recent glut of phony LinkedIn profiles: Someone may be setting up a mass network of accounts in order to more fully scrape profile information from the entire platform.
“Even with just a standard LinkedIn account, there’s a pretty good amount of profile information just in the default two-hop networks,” Weaver said. “We don’t know the purpose of these bots, but we know creating bots isn’t free and creating hundreds of thousands of bots would require a lot of resources.”
In response to last week’s story about the explosion of phony accounts on LinkedIn, the company said it was exploring new ways to protect members, such as expanding email domain verification. Under such a scheme, LinkedIn users would be able to publicly attest that their profile is accurate by verifying that they can respond to email at the domain associated with their current employer.
LinkedIn claims that its security systems detect and block approximately 96 percent of fake accounts. And despite the recent purges, LinkedIn may be telling the truth, Weaver said.
“There’s no way you can test for that,” he said. “Because technically, it may be that there were actually 100 million bots trying to sign up at LinkedIn as employees at Amazon.”
Weaver said the apparent mass account purge at LinkedIn underscores the size of the bot problem, and could present a “real and material change” for LinkedIn.
“It may mean the statistics they’ve been reporting about usage and active accounts are off by quite a bit,” Weaver said.
The concept of zero trust is not a new one, and some may even argue that the term is overused. In reality, however, its criticality is growing with each passing day. Why? Because many of today’s attacks begin with the user. According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element — whether it’s stolen credentials, phishing, misuse or error.
Additionally, today’s businesses are hyper-connected, meaning that — in addition to your employees — customers, partners and suppliers are all part of your ecosystem. Couple that with hybrid work, IoT, the move to the cloud, and more emboldened attackers, and organizational risk increases exponentially.
Adopting a zero trust model can dramatically reduce this risk by eliminating implicit trust. It has become so crucial, in fact, that several governments including the U.S., UK and Australia have released mandates and guidance for how organizations should deploy zero trust to improve national security.
However, because zero trust is more of a concept than a technology, and so many vendors use the term, organizations struggle with the best way to implement it. At Cisco, we believe you should take a holistic approach to zero trust, starting with what you have and adding on as you identify gaps in your defenses. And while layers of protection are necessary for powerful security, so is ease of use.
Zero trust plays a major role in building security resilience, or the ability to withstand unpredictable threats or changes and emerge stronger. Through zero trust, the identity and security posture of users, devices and applications are continuously checked and verified to prevent network intrusions — and to also limit impact if an unauthorized entity does gain access.
Organizations with high zero trust maturity are twice as likely to achieve business resilience.
– Cisco’s Guide to Zero Trust Maturity
Eliminating trust, however, doesn’t really conjure up images of user-friendly technology. No matter how necessary they are for the business, employees are unlikely to embrace security measures that make their jobs more cumbersome and time-consuming. Instead, they want fast, consistent access to any application no matter where they are or which device they are using.
That’s why Cisco is taking a different approach to zero trust — one that removes friction for the user. For example, with Cisco Secure Access by Duo, organizations can provide those connecting to their network with several quick, easy authentication options. This way, they can put in place multi-factor authentication (MFA) that frustrates attackers, not users.
Cisco Secure Access by Duo is a key pillar of zero trust security, providing industry-leading features for secure access, authentication and device monitoring. Duo is customizable, straightforward to use, and simple to set up. It enables the use of modern authentication methods including biometrics, passwordless and single sign-on (SSO) to help organizations advance zero trust without sacrificing user experience. Duo also provides the flexibility organizations need to enable secure remote access with or without a VPN connection.
During Cisco’s own roll-out of Duo to over 100,000 people, less than 1% of users contacted the help desk for assistance. On an annual basis, Duo is saving Cisco $3.4 million in employee productivity and $500,000 in IT help desk support costs. Furthermore, 86,000 potential compromises are averted by Duo each month.
La-Z-Boy, one of the world’s leading residential furniture producers, also wanted to defend its employees against cybersecurity breaches through MFA and zero trust. It needed a data security solution that worked agnostically, could grow with the company, and that was easy to roll out and implement.
“When COVID first hit and people were sent home to work remotely, we started seeing more hacking activity…” said Craig Vincent, director of IT infrastructure and operations at La-Z-Boy. “We were looking for opportunities to secure our environment with a second factor…. We knew that even post-pandemic we would need a hybrid solution.”
“It was very quick and easy to see where Duo fit into our environment quite well, and worked with any application or legacy app, while deploying quickly.” – Craig Vincent, Director of IT Infrastructure and Operations, La-Z-Boy
Today, Duo helps La-Z-Boy maintain a zero trust framework, stay compliant, and get clear visibility into what is connecting to its network and VPN. Zero trust helps La-Z-Boy secure its organization against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.
As mentioned, zero trust is a framework, not a single product or technology. For zero trust to be truly effective, it must do four things:
Many technology companies may offer a single component of zero trust, or one aspect of protection, but Cisco’s robust networking and security expertise enables us to provide a holistic zero trust solution. Not only can we support all the steps above, but we can do so across your whole IT ecosystem.
Modern organizations are operating multi-environment ecosystems that include a mix of on-premises and cloud technologies from various vendors. Zero trust solutions should be able to protect across all this infrastructure, no matter which providers are in use. Protections should also extend from the network and cloud to users, devices, applications and data. With Cisco’s extensive security portfolio, operating on multiple clouds and platforms, zero trust controls can be embedded at every layer.
Depending on where you are in your security journey, embedding zero trust at every layer of your infrastructure may sound like a lofty endeavor. That’s why we meet customers where they are on their path to zero trust. Whether your first priority is to meet regulatory requirements, secure hybrid work, protect the cloud, or something else, we have the expertise to help you get started. We provide clear guidance and technologies for zero trust security mapped to established frameworks from organizations like CISA and NIST.
Much of our Cisco Secure portfolio can be used to build a successful zero trust framework, but some examples of what we offer include:
All of our technologies and services are backed by the unparalleled intelligence of Cisco Talos — so you always have up-to-date protection as you build your zero trust architecture. Additionally, our open, integrated security platform — Cisco SecureX — makes it simple to expand and scale your security controls, knowing they will work with your other technologies for more unified defenses.
As Italy’s leading insurance company, Sara Assicurazioni requires complete visibility into its extended network, including a multi-cloud architecture and hybrid workforce. The company has adopted a comprehensive zero trust strategy through Cisco Secure.
“Our decentralized users, endpoints, and cloud-based servers and workloads contribute to a large attack surface,” says Paolo Perrucci, director of information and communications technology architectures and operations at Sara Assicurazioni. “With Cisco, we have the right level of visibility on this surface.”
“The main reason we chose Cisco is that only Cisco can offer a global security solution rather than covering one specific point…. Thanks to Cisco Secure, I’m quite confident that our security posture is now many times better because we are leveraging more scalable, state-of-the-art security solutions.” – Luigi Vassallo, COO & CTO, Sara Assicurazioni
To learn more, explore our zero trust page and sign up for one of our free zero trust workshops.
Watch video: How Cisco implemented zero trust in just five months
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Microsoft has confirmed one of its own misconfigured cloud systems led to customer information being exposed to the internet, though it disputes the extent of the leak.…
APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app
The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity
The Biden administration is pushing ahead with its drive to add cyber security labeling to consumer Internet of Things (IoT) devices, and may join other nations in adopting the scheme pioneered by Singapore.…
Sponsored Feature The concept behind Confidential Computing isn't new – organisations have been using hardware-assisted technology to encrypt and decrypt data for a while now. But fresh impetus from the Confidential Computing Consortium , new technology, and greater reliance on off prem public clouds to host and process sensitive information is prompting a more widespread re-evaluation of its benefits.…
Updated Australian health insurer Medibank has revealed it's been contacted by a group that claims to have its customers' data and is threatening to distribute it.…
This week, the US government's Cybersecurity and Infrastructure Security Agency (CISA) expanded its ever-growing list of vulnerability in industrial control systems (ICS) and critical infrastructure technology.…
New York regulators continue turning the screws on organizations with slapdash computer security.…
Verizon has notified some prepaid customers that their accounts were compromised and their phone numbers potentially hijacked by crooks via SIM swaps.…
It's just as you suspected: your Gen Z and millennial coworkers just aren't taking cybersecurity at work seriously enough. …
Cyber-diplomats from around the world say they want the internet to be safe, secure, and free of interference. Of course, they believe it's the fault of other nations that the internet is not safe, secure or free of interference.…
A proof-of-concept exploit has been published detailing a spoofing vulnerability in Microsoft Azure Service Fabric. The flaw allows attackers to gain full administrator permissions and then perform any manner of malicious activity.…
Webinar The individual memory of a bee is the repository for one facet of the collective memory of the beehive - the hive mind. Working together each bee feeds into the collective consciousness of the hive to optimize the production of the very best honey.…
In the first step of our doxxing research, we collected a list of our online footprint, digging out the most important accounts that you want to protect and obsolete or forgotten accounts you no longer use. Because the most recent and relevant data is likely to live in the accounts you use regularly, our next step will be to review the full scope of what’s visible from these accounts and to set more intentional boundaries on what is shared.
It’s important to note here that the goal isn’t to eliminate every trace of yourself from the internet and never go online again. That’s not realistic for the vast majority of people in our connected world (and I don’t know about you, but even if it was I wouldn’t want to!) And whether it’s planning for an individual or a giant organization, security built to an impossible standard is destined to fail. Instead, we are shifting you from default to intentional sharing, and improving visibility and control over what you do want to share.
Before making changes to the settings and permissions for each of these accounts, we’re going to make sure that access to the account itself is secure. You can start with your email accounts (especially any that you use as a recovery email for forgotten passwords, or use for financial, medical, or other sensitive communications). This shouldn’t take very long for each site, and involves a few straightforward steps:
The best way to prevent a breached password from exposing another account to attack is to use a unique password for for every website you visit. And while you may have heard previous advice on strong passwords (along the lines of “eight or more characters, with a mix of upper/lower case letters, numbers, and special characters”), more recent standards emphasize the importance of longer passwords. For a great explanation of why longer passwords work better than shorter, multi-character type passwords, check out this excellent XKCD strip:
A password manager will make this process much easier, as most have the ability to generate unique passwords and allow you to tailor their length and complexity. While we’re on the topic of what makes a good password, make sure that the password to access your password manager is both long and memorable.
You don’t want to save or auto-fill that password because it acts as the “keys to the kingdom” for everything else, so I recommend following a process like the one outlined in the comic above, or another mnemonic device, to help you remember that password. Once you’ve reset the password, check for a “log out of active devices” option to make sure the new password is used.
MFA uses two or more “factors” verifying something you know, something you have, or something you are. A password is an example of “something you know”, and here are a few of the most common methods used for an additional layer of security:
If you want to know more about the different ways you can log in with strong authentication and how they vary in effectiveness, check out the Google Security Team blog post “Understanding the Root Cause of Account Takeover.”
Before we move on from passwords and 2FA, I want to highlight a second step to log in that doesn’t meet the standard of strong authentication: password questions. These are usually either a secondary prompt after entering username and password, or used to verify your identity before sending a password reset link. The problem is that many of the most commonly-used questions rely on semi-public information and, like passcodes, are entered on the same device used to log in.
Another common practice is leveraging common social media quizzes/questionnaires that people post on their social media account. If you’ve seen your friends post their “stage name” by taking the name of their first pet and the street they grew up on, you may notice that’s a combination of two pretty common password questions! While not a very targeted or precise method of attack, the casual sharing of these surveys can have consequences beyond their momentary diversion.
One of the first widely-publicized doxxings happened when Paris Hilton’s contact list, notes, and photos were accessed by resetting her password using the password question, “what is your favorite pet’s name?”. Because Hilton had previously discussed her beloved chihuahua, Tinkerbell, the attacker was able to use this information to access the account.
Sometimes, though, you’ll be required to use these password questions, and in those cases I’ve got a simple rule to keep you safe: lie! That’s right, you won’t be punished if you fib when entering the answers to your password questions so that the answers can’t be researched, and most password managers also include a secure note field that will let you save your questions and answers in case you need to recall them later.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 