Login
We recently held a valuable conversation (and a great dinner) with about a dozen senior IT security leaders in Atlanta, Georgia. I was fortunate to attend and discuss what plagues them most.
Here are some of their concerns.
Many face considerable change in their business environments – one third of the companies called out the high pace of acquisitions as a source of risk.
Acquisitions draw down information security resources disproportionately. First, IT security must participate in the due diligence phase, prior to the actual acquisition. Under significant time pressure, and strictly bound by the terms of the governing NDA, the InfoSec team must verify the integrity of the target environment’s IT infrastructure. It must render a judgment on the trustworthiness of the underlying procedures, the competence of the support team, the appropriateness of funding and staffing, the effectiveness of policy and awareness training, the fitness of the security technology judged against the changing mission of the target firm, and the accessibility of crucial information. In regulated industries, the acquirer has to review past certifications, audit findings and recommendations, and earlier security events, including how they were handled, and how the organization effectively integrated lessons learned into its updated way of doing business. Some of the attendees reported an acquisition every six weeks over the past two years or more. This pace requires efficient process maturity and open communication among the team members, and ample trust.
Some CIOs reported the challenge of balancing the executive team’s need to know with the managerial desire to optimize team focus on critical initiatives. In the Boardroom and among the C-suite, IT remains a hot topic and IT security is a known vulnerability. This leads some organizations toward micromanaging the IT security team. As we all know, this inappropriate focus has two costs: first, it distracts the Board and the C-suite from their primary missions. Second, it distracts the people doing the job from their task. One effective tactic some adopted is the weekly – or even daily – newsletter. This document provides the status for ongoing projects, notes about top performers, assessment of newly discovered vulnerabilities, and pointers towards effective risk mitigation the leadership team can bring to their respective operational areas. When a Board member has a question for the team, the CISO can intercept it and post a response through the newsletter.
Many CISOs discussed their challenges with BYOD policies. Some mentioned concerns with GDPR impeding their ability to wipe corporate applications and information from employee-owned devices. It’s unclear how to balance that business requirement with privacy concerns for smart phones. With laptops, one approach is to limit corporate access through a locked-down virtual desktop image accessed through a secure VPN. An evil-minded employee could take a picture of the screen, but that attack works on a corporate laptop just as well.
BEC remains a concern, along with phishing attacks leading to possible ransomware infections. One approach is to ignore emails from new domains – those that are less than two months old. This would exclude email from nearly all attackers; anyone legitimately trying to reach an employee will try again in time.
The meeting was quite open and convivial. It was an honor to participate in the discussion, and I look forward to similar meetings in the future. My thanks to the participants!
What do you think? Let me know in the comments below, or message me @WilliamMalikTM!
The post What Worries CISOs Most In 2019 appeared first on .
Whether you’re trying to inform purchasing decisions or just want to better understand the cybersecurity market and its players, industry analyst reports can be very helpful. Following our recent accolades by Forrester and IDC in their respective cloud security reports, we want to help customers understand how to use this information.
Our VP of cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analyst reports.
The post How To Get The Most Out Of Industry Analyst Reports appeared first on .
So you suddenly have a lot of staff working remotely. Telework is not new and a good percentage of the workforce already does so. But the companies who have a distributed workforce had time to plan for it, and to plan for it securely.
A Lot of New Teleworkers All At Once
This event can’t be treated like a quick rollout of an application: there are business, infrastructure, and customer security impacts. There will be an increase of work for help desks as new teleworkers wrestle with remote working.
Additionally, don’t compound the problem. There is advice circulating to reset all passwords for remote workers. This opens the door for increased social engineering to attempt to lure overworked help desk staff into doing password resets that don’t comply with policy. Set expectations for staff that policy must be complied with, and to expect some delays while the help desk is overloaded.
Business continuity issues will arise as limited planning for remote workers could max out VPN licenses, firewall capacity, and application timeouts as many people attempt to use the same apps through a narrower network pipe.
Help Staff Make A Secure Home Office
In the best of times, remote workers are often left to their own devices (pun intended) for securing their work at home experience. Home offices are already usually much less secure than corporate offices: weak routers, unmanaged PCs, and multiple users means home offices become an easier attack path into the enterprise.
It doesn’t make sense to have workers operate in a less secure environment in this context. Give them the necessary security tools and operational tools to do their business. Teleworkers, even with a company-issued device, are likely to work on multiple home devices. Make available enterprise licensed storage and sharing tools, so employees don’t have to resort to ‘sketchy’ or weak options when they exceed the limits for free storage on Dropbox or related services.
A Secure Web Gateway as a service is a useful option considering that teleworkers using a VPN will still likely be split tunneling (i.e. not going through corporate security devices when browsing to non-corporate sites, etc.), unlike when they are in the corporate office and all connections are sanitized. That is especially important in cases where a weak home router gets compromised and any exfiltration or other ‘phone home’ traffic from malware needs to be spotted.
A simple way to get this information out to employees is to add remote working security tips to any regularly occurring executive outreach.
Operational Issues
With a large majority of businesses switching to a work-from-home model with less emphasis on in-person meetings, we also anticipate that malicious actors will start to impersonate digital tools, such as ‘free’ remote conferencing services and other cloud computing software.
Having a policy on respecting telework privacy is a good preventative step to minimize the risk of this type of attack being successful. Remote workers may be concerned about their digital privacy when working from home, so any way to inform them about likely attack methods can help.
Any steps to prevent staff trying to evade security measures out of a concern over privacy are likely a good investment.
Crisis Specific Risks
During any major event or crisis, socially engineered attacks and phishing will increase. Human engineering means using any lever to make it a little bit easier for targets to click on a link.
We’re seeing targeted email attacks taking advantage of this. Some will likely use tactics such as attachments named “attached is your Work At Home Allowance Voucher,” spoofed corporate guidelines, or HR documents.
Sadly, we expect hospitals and local governments will see increased targeting by ransomware due the expectation that payouts are likelier during an emergency.
But Hang On – It Is Not All Bad News
The good news is that none of these attacks are new and we already have playbooks to defend against them. Give a reminder to all staff during this period to be more wary of phishing, but don’t overly depend on user education – back it up with security technology measures. Here are a few ways to do that.
|
|
The post Suddenly Teleworking, Securely appeared first on .
The recent outbreak of COVID-19 has affected peoples’ lives across the globe and has quickly swept through and impacted individuals, families, communities, and businesses around the world. At Trend Micro, our number one priority is to ensure that our employees and their families are as safe as possible, and our thoughts are with those who have been affected by the virus.
Our team has spent a great deal of time reviewing options to ensure both the continued protection of our customers and partners, as well as the physical safety of our employees. We realize this situation remains very dynamic, as information continues to change day-to-day, and as such we will continue to provide updates as we learn more, but in the meantime we remain committed to providing the superior service and support that our customers, partners and suppliers have come to expect of our company throughout this situation.
We know the critical role that Trend Micro plays in your organization to keep your company and employees protected. We have taken several measures to ensure that the COVID-19 crisis does not impact your experience with Trend Micro products or services.
Listed below are several actions that the team has taken to date to not only ensure that our employees are safe, but to continue to deliver business “as usual” during this time:
Safety of Employees
Our number one priority is the health and safety of our employees around the globe. To that measure, we have:
Continuity of Service
We are committed to ensuring that we continue to support the security needs of your organization, including but not limited to:
As an optimistic organization, we believe that because of this unfortunate situation, new ways to work together and incredible innovation will occur and will make us all stronger in the future.
As always, if you have any questions or concerns, please reach out to your local account representative or Trend Micro authorized support contact. We will continue to watch this situation closely, react accordingly and communicate any substantial changes with our customers and partners.
On behalf of everyone at Trend Micro, thank you for trusting us with your business. We wish health and safety to you and your families, employees, and customers.
Sincerely,
Kevin Simzer
Chief Operating Officer
Trend Micro Incorporated
The post A message from our COO regarding Trend Micro’s Customer commitment during the global Coronavirus Pandemic (COVID-19) appeared first on .
The corporate endpoint is a constant battle between cybersecurity white hats and criminal attackers. According to one study from the Ponemon Institute, 68% of organizations were victims of an attack on the endpoint in 2019. The risks and costs associated with undetected threats are immeasurable. Organizations need to detect and respond immediately before any significant damage is done.
In order to do this, CISOs must look beyond the endpoint to also include email, servers, cloud workloads and networks. This is the value of Trend Micro’s XDR platform. We heard feedback on this strategy recently, as Trend Micro was named a Leader in The Forrester Wave: Enterprise Detection and Response, Q1 2020.
Under fire and over-stretched
Enterprise IT security teams are under unparalleled pressure. On one hand, they’re bombarded with cyber-attacks on a massive scale. Trend Micro detected and blocked over 52 billion such threats in 2019 alone. On the other hand, they’re facing a range of continuously evolving black hat tools and techniques including fileless malware, phishing, and supply chain attacks, that could lead to data theft and service outages. The stakes couldn’t be higher, thanks to an ever-tightening regulatory regime. All of this must be done with workforce challenges: the current cyber skills shortage for North American firms stands at nearly 500,000 workers.
These are the kinds of challenges facing Trend Micro customer MedImpact Healthcare Systems, the largest privately held pharmacy benefit manager (PBM) in the US. Processing more than one million healthcare claims daily, MedImpact must protect two primary data centers, three call centers staffed 24/7, and multiple private network routing centers — all to the strict compliance requirements of HIPAA, PCI DSS and other regulations.
As Frank Bunton, VP, CISO for MedImpact knows, effective endpoint detection and response (EDR) is vital to modern organizations. “EDR accelerates the threat analysis process so we can get to the solution faster,” says Bunton. “Speed to resolution is critical because we see attacks every day on just about every network.”
But MedImpact is similar to a lot of other organizations today in that it also appreciates the need to go beyond the endpoint for critical cross-layer detection and response. “XDR gives us the added confidence that our organization is protected on all fronts. If an endpoint detects a problem, it automatically uploads the suspect object to a tool that analyzes that problem and fixes it. By the time we are aware of an issue, the issue is resolved. There is no way we could manage this much information without extended security automation,” says Bunton.
The future is XDR
This is where XDR comes in. It has been designed to look not just at endpoint detection and response, but also to collect and correlate data from across the organization, including: email, endpoint, servers, cloud workloads, and networks. With this enhanced context, and the power of our AI and expert security analytics, the platform is able to identify threats more easily and contain them more effectively.
This matters to organizations like MedImpact, whose key challenge was “finding security solutions that could communicate with each other and share valuable data in real time.” XDR has visibility across the entire IT environment to detect earlier and with more confidence. It provides a single source of the truth and delivers fewer higher-fidelity alerts to enhance protection and maximize limited IT resources.
But don’t just take our word for it. Forrester gave us a perfect score for product vision, security analytics, performance, market presence and much more. “Trend Micro has a forward-thinking approach and is an excellent choice for organizations wanting to centralize reporting and detection with XDR but have less capacity for proactively threat hunting,” the report concluded.
To find out more… check out the Forrester report on leaders in this space.
Learn more from MedImpact’s success story.
The post Riding another wave of success for our multi-layered detection and response approach appeared first on .
Working from home? How do you keep your employees cyber-safe and cyber-secure? How do you protect your reputation, profit, and cash flow when you depend on your IT infrastructure as never before?
The National Cyber Security Alliance is hosting a series of webinars for small business owners, and we’re proud to support this effort with guest speakers to share our threat intelligence and security expertise.
The topics will help small companies deal with the challenges of COVID-19. The agenda is at https://staysafeonline.org/event_category/cybersecure-my-business/.
Here’s a quick overview of each session and why it might benefit your organization to tune in.
Telework Cybersecurity Best Practices – April 7: Many small business owners rely on face-to-face meetings with their teams. But, social distancing and work-from-home directives interrupt that way of doing things. In this session, we’ll discuss how to adjust your business to deal with a remote workforce. For some managers, not seeing every member of the team can be unsettling. We’ll talk about ways to overcome that barrier. For many organizations, using remote tools can put an extra burden on your IT gear and staff. We’ll talk about alternatives to lighten that load. And for most organizations, the new way of working can expose new and different information security vulnerabilities. We’ll offer some good practices to reduce your exposure.
Guest speakers from Trend Micro will be Greg Young and Ed Cabrera.
Spring has Sprung! Time for a Digital Spring Cleaning – April 14: One way to cut down on IT resource use is to get rid of unnecessary stuff. This webcast will suggest tactics to reduce the burden on your infrastructure. You will learn about cleaning up your storage, getting off unnecessary email lists, improving your – and your customers’ – privacy, and lowering your attack profile by getting rid of stale applications and services.
E-Commerce Security During COVID-19 – April 21, 2020: Businesses that rely on foot traffic are pivoting to on-line offerings. Restaurants support demand with delivery or curbside pick-up, which both put a strain on your IT resources. Unfortunately, the bad guys are exploiting weaknesses in on-line ordering and payment systems. We’ll talk about measures small businesses should consider to protect their reputation, cash flow, and profits during this transition.
Guest speakers from Trend Micro will be myself and Mitchel Chang.
How to Avoid COVID-19 Scams – May 5, 2020: Bad guys are trying to make money off Covid-19 worries. In this session, Lesley Fair, a Senior Attorney with the Bureau of Consumer Protection at the Federal Trade Commission talks about different kinds of scams and what to do about them, hopefully before anyone gets conned, and what steps you can take if you think you might have gotten stung. Ths session will be repeated on May 26.
Guest speakers from Trend Micro will be myself and Jon Clay.
What Are Phishing, Vishing and Smishing? How Can I Protect My Small Business From These Threats? – May 12, 2020: This session will discuss attacks that can arrive through email, messages, and video chats. Small businesses are targets as well as big firms and the public at large – the bad guys are going anywhere they can to make a (dishonest) buck. You’ll help your employees and customers protect themselves with some good advice, practices, and tools.
Mitchel Chang will be a guest panelist.
How to Avoid COVID-19 Scams – May 26, 2020: A second session of the May 5 discussion. This time Jon Clay and Myla Pilao will be guest speakers from Trend Micro.
Telework Cybersecurity Best Practices – June 9, 2020: A second session of the April 7 event. Greg and Ed will give a repeat performance attendees.
Each session starts at 2:00 PM Eastern time. NCSA will record each session, but you should register to listen in and ask questions live. While the information is tuned to meet the needs of small businesses, individuals at larger organizations, and the general public, will find good ideas and helpful hints an tips to stay safe and cope with this challenging time. We hope to see you soon.
What do you think? Let me know in the comments below or @WilliamMalikTM
The post NCSA Small Business Webinar Series appeared first on .
Dear Customers,
Together, we are facing a truly unprecedented situation and we have all had to adapt to the new reality. The global coronavirus pandemic is affecting our families, our communities, our organizations – indeed, it affects our perspective and way of life. As you certainly have too, at Trend Micro we have been busy over the past few weeks ensuring our employees are safe while also delivering uninterrupted service and protection for our customers. We have made it a priority to help organizations around the globe strengthen their security and ensure business continuity while so many of their employees work remotely.
As a global company with headquarters in Japan, we have been exposed to COVID-19 from the very early days when it first erupted in Asia. We have seen the massive impact this novel coronavirus has had on all of us: from social distancing, to families being separated, illness and even death. Our thoughts and prayers go out to everyone who has been impacted by the virus, directly or indirectly.
The safety of our employees is our first priority and for the last few weeks the vast majority of our employees are all working from home – all 7,000 across 60 countries. It is heartwarming to see the different activities teams have launched to stay connected while being apart: virtual happy hours or morning coffee meetings, online sports classes to stay fit together, movie watching nights and even remote karaoke. I sometimes feel that we are more connected now than ever before.
In the midst of these difficult times, we have also seen the amazing power of positivity and kindness around the world. I am very touched and proud of how our employees, our Trenders, are stepping up even more than usual to engage in acts of generosity and community support. A few examples include:
We have also seen Trenders donating some of their accrued paid vacation days to colleagues who might need additional time off to take care of family. There have been thousands of such acts of kindness – likely many more that I’m not even aware of. Knowing the passion of our employees, I know that there are new activities being organized and happening at this exact moment.
In this same spirit, it is very important to me – as well as the entire executive team – that we do the right thing for our employees and our customers during these difficult times, rather than focusing solely on what’s best for our bottom line. We intend to retain all of our employees, and are working to ensure that our teams that work on commission will continue to have a steady income, no matter how business goes. We know that not every company is as fortunate as we are, and many family members of our employees are out of jobs, so our executives have also committed to reducing their salaries if necessary, to ensure that every employee will receive company bonuses for the first half of 2020. If we protect our Trend Micro family, our Trend Micro family can protect and care for their communities.
I understand these times are difficult and while we are celebrating acts of kindness and positivity, many of our friends and families are struggling with health issues and other concerns. Our hearts go out to all those who are affected, to our healthcare workers and all essential employees who help keep our lives going. We thank you from the bottom of our hearts.
Please stay safe – and stay at home!
Kind regards,
Eva Chen
The post Letter from the CEO: A time of kindness and compassion appeared first on .
Editor’s note: While this topic isn’t entirely security-specific, Trend Micro leader William Malik, has career expertise on the trending topic and shared his perspective.
——
There was a provocative report recently that the Governor of New Jersey told reporters that the state of New Jersey needed COBOL programmers. The reason was that the number of unemployment claims had spiked, and the legacy system running unemployment claims had failed. That 40-year-old system was written in COBOL, so the conclusion was that the old language had finally given out. Hiring COBOL programmers would let the State update and modernize the application to handle the increase in load.
This might be the problem, but it probably is not. Here’s why.
From these points, we learn the following lessons.
Software Doesn’t Wear Out
Logic is indelible. A computer program is deterministic. It will do exactly what you tell it to do, even if what you tell it to do isn’t precisely what you meant it to do. Code never misbehaves – but your instructions may be incorrect. That’s why debugging is such a hard problem.
Incidentally, that’s also why good developers usually make lousy testers. The developer focuses her mind on one thing – getting a bunch of silicon to behave. The tester looks for faults, examines edge conditions, limit conditions, and odd configurations of inputs and infrastructure to see how things break. The two mindsets are antithetical.
Once a piece of software has been in production long enough, the mainline paths are usually defect free. In fact, the rest of the code may be a hot mess, but that stuff doesn’t get executed so those defects are latent and do not impact normal processing. Ed Adams published a report in 1984 titled “Optimizing Preventative Service for Software Products” (https://ieeexplore.ieee.org/document/5390362, originally published in the IBM Journal of Research and Development, v 28, n 1). He concluded that once a product has been in production for a sufficient time, it was safer to leave it alone. Installing preventative maintenance was likely to disrupt the system. Most IT organizations know this, having learned the hard way. “If it ain’t broke, don’t fix it” is the mantra for this wisdom.
As a corollary, new software has a certain defect rate. Fixes to that software typically have a defect rate ten times greater. So if a typical fix is large enough, you put in a new bug for every bug you take out.
Computers Are Constrained
All computers have constraints. The relative amount of resources mean some computers are better for some workloads than others. For mainframes, the typical constraint is processing power. That’s why mainframes are tuned to run at 100% utilization, or higher. (How do you get past 100% utilization? Technically, of course, you can’t. But what the measurements are showing you is how much work is ready to run, waiting for available processing power. The scale actually can go to 127%, if there’s enough work ready.)
Different types of computers have different constraints. Mainframes run near 100% utilization – the CPU is the most expensive and constrained resource. PCs on the other hand never get busy. No human can type fast enough to drive utilization above a few percent. The constrained resource on PCs is typically disk storage. That’s why different types of computers do better at different types of work. PCs are great for user interface stuff. Mainframes are perfect for chewing through a million database records. By chance we developed mainframes first; that’s not an indictment of either type, Both are useful.
Computers Can Run Out of Resources
Any IT infrastructure has a design point for load. That is, when you put together a computer you structure it to meet the likely level of demand on the system. If you over-provision it, you waste resources that will never be used. If you under-provision it, you will not meet your service level agreements. So when you begin, you must know what the customers – your users – expect in terms of response time, number of concurrent transactions, database size, growth rates, network transaction load, transaction mix, computational complexity of transaction types, and so on. If you don’t specify what your targets are for these parameters, you probably won’t get the sizing right. You will likely buy too much of one resource or not enough of another.
Note that cloud computing can help – it allows you to dynamically add additional capacity to handle peak load. However, cloud isn’t a panacea. Some workloads don’t flex that much, so you spend extra money for flexibility for a capability that you can provide more economically and efficiently if it were in-house.
Add Capacity in Balance
When I was in high school our physics teacher explained that temperature wasn’t the same as heat. He said “Heat is the result of a physical or chemical reaction. Temperature is simply the change in heat over the mass involved.” One of the kids asked (snarkily) “Then why don’t drag racers have bicycle tires on the back?” The teacher was caught off guard. The answer is that the amount of heat put into the tire is the same regardless of its size, but the temperature was related to the size of the area where the tire touched the road. A bicycle tire has only about two square inches on the pavement, a fat drag tire has 100 square inches or more. So putting the same amount of horsepower spinning the tire will cause the bicycle tire’s temperature to rise about 50 times more than the gumball’s will.
When you add capacity to a computing system, you need to balance related capacity elements or you’ll be wasting money. Doubling the processor’s power (MHz or MIPS) without proportionately increasing the memory or network capacity simply moves the constraint from one place to another. What used to be a system with a flat-out busy CPU now becomes a system that’s waiting for work with a queue at the memory, the disk drive, or the network card.
Adding Staff Makes Things Worse
Increasing any resource creates potential problems of its own, especially of the system’s underlying architecture is ignored. Fore the software development process (regardless of form) one such resource is staff. The book “The Mythical Man-Month” by Fred Brooks (https://www.barnesandnoble.com/w/the-mythical-man-month-frederick-p-brooks-jr/1126893908) discusses how things go wrong.
The core problem is adding more people require strong communications and clear goals. Too many IT projects lack both. I once was part of an organization that consulted on a complex application rewrite – forty consultants, hundreds of developers, and very little guidance. The situation degenerated rapidly when the interim project manager decided we shouldn’t waste time on documentation. A problem would surface, the PM would kick off as task force, hold a meeting, and send everybody on their way. After the meeting, people would ask what specific decisions had been reached, but since there were no minutes, nobody could be sure. That would cause the PM to schedule another meeting, and so on. Two lessons I learned concerns meetings:
When you add staff, you must account for the extra overhead managing the activities of each person, and establish processes to monitor changes that every participant must follow. Scrum is an excellent way of flattening potentially harmful changes. By talking face to face regularly, the team knows everything that’s going on. Omit those meetings or rely on second-hand reports and the project is already off the rails. All that remains is to see how far things go wrong before someone notices.
In Conclusion …
If you have a computer system that suddenly gets a huge spike in load, do these things first:
If you are unable to resolve the capacity constraints with these steps, examine the programs for internal limitations:
Note that if you do not have (or cannot find) the relevant documentation, you will need to examine the source code. At this point, you may need to bring in a small set of experts in the programming language to recreate the relevant documentation. Handy hint: before you start working on the source code, regenerate the load modules and compare them with the production stuff to identify any patches or variance between what’s in the library and what’s actually in production.
Bringing in a bunch of people before going through this analysis will cause confusion and waste resources. While to an uninformed public it may appear that something is being done, the likelihood is that what is actually being done will have to be expensively undone before the actual core problem can be resolved. Tread lightly. Plan ahead. State your assumptions, then verify them. Have a good plan and you’ll work it out. Remember, it’s just ones and zeros.
What do you think? Let me know in the comments below, or @WilliamMalikTM.
The post “We Need COBOL Programmers!” No, You Probably Don’t appeared first on .
Small business owners are getting a special deal on their online protection through a partnership between McAfee and Visa. With new ways of working creating online opportunities and risks for small business owners, McAfee and Visa have come together to offer comprehensive protection for a changed business landscape.
Designed to help you minimize costs and unexpected interruptions to your business, McAfee® Security for Visa cardholders provides award-winning antivirus, ransomware, and malware protection for all your company devices including PCs, smartphones, and tablets on all major platforms. Visa Small Business cardholders automatically save up to 40% with a 24-month package and up to 60% with a 12-month offer.
Safety features include:
McAfee’s security savings bundle is also part of Visa’s commerce in a box initiative, which has launched in six U.S. cities (D.C., Detroit, Atlanta, Miami, Los Angeles and Chicago). This program features a curated selection of offers, discounts, and bundles from Visa’s Authorize.net and Visa partners designed to help small businesses with what they need to move their business forward digitally — from accepting digital payments and building an eCommerce site to marketing to their audience in new ways and providing online marketing tools to run and protect their business.
The post Small Businesses Save Up to 60% in McAfee and Visa Partnership appeared first on McAfee Blogs.
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”
A copy of the phishing message included in the PayPal.com invoice.
While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.
Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:
“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:
The phony PayPal invoice, which was sent and hosted by PayPal.com.
The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.
I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.
PayPal said in a written statement that phishing attempts are common and can take many forms.
“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”
It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.
Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
Related tags
I’m sure you’ve seen them — emails or messages that sound alarming and ask you to act quickly. We live in a digital world that produces hundreds of messages and alerts every day. It’s often hard to determine the validity of a suspicious message or phishing email. Whether you are an administrator, or an end-user, it can be overwhelming to accurately identify a malicious message. When in doubt, here are some questions you should ask yourself:
Is the message from a legitimate sender?
Do I normally receive messages from this person?
If there’s a link, can I tell where it’s sending me?
Attackers continue to evolve their methods, and they’re highly educated on the defenses they come up against in the wild. They’ll craft messages that do not involve any traditional indicators of compromise, such as domains, IP address, or URL links. They’ll also start their attacks by sending messages as an initial lure to establish trust, before sending an email with altered invoice or one claiming to be a helpless employee attempting to get their payroll fixed.
Phishing is a socially-based attack type, one where the threat actors focus on human behavior. When these attacks target organizations, there are multiple levels of attack at play. One that focuses on behavioral patterns and workflow, and the other centers on the victim’s emotional boundaries, such as targeting their desire to help others. You see this pattern frequently in Business Email Compromise (BEC) attacks.
Below, we’ve placed an example of a lure, which will test the victim to see if there is a means to quickly establish trust. Here, the threat actor is pretending to be the Chief Financial Officer (CFO) of the victim’s organization. If the lure is successful, then the threat actor will progress the attack, and often request sensitive records or wire transfers. Notice that in the email headers, the person pretending to be the CFO is using a Gmail account, one that was likely created just for this attack. The message is brief, stresses importance and urgency, and requests assistance, playing on the victim’s workflow and desire to help an executive or someone with authority.
The example below is a simplified one, to be sure, but the elements are legitimate. Daily, emails like this hit the inboxes of organizations globally, and the attackers only need to locate a single victim to make their efforts payout.
In the FBI / IC3 2021 Internet Crime Report, there were nearly 20,000 Business Email Compromise complaints filed, with an adjusted loss of nearly 2.4 billion dollars. While spoofing the identity of an executive is certainly one way to conduct a BEC attack, the FBI says that threat actors have started leveraging the normality of hybrid-work to target meeting platforms to establish trust and conduct their crimes. When successful, the funds from the fraudulent wire transfers are moved to crypto wallets and the funds dispersed, making recovery harder.
So as an end user what can you do to protect your organization? Be mindful anytime you receive an urgent call to action, especially when the subject involves money. If your workflow means that you regularly receive these types of requests from the specific individual, verify their identity and the validity of the request using another channel of communication, such as in person or via phone. If you do validate their identity via the phone, take care to avoid calling any numbers listed in the email.
Cisco Secure Email helps stop these types of attacks by tracking user relationships and threat techniques. These techniques often include account takeover, spoofing and many more. Using an intent-based approach allows Secure Email to detect and classify business email compromises and other attacks, so administrators are empowered to take a risk-based approach to stopping these threats.
Find out more about how Cisco Secure Email can help keep your organization safe from phishing.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
puppi-car-1200
Attackers specifically craft business email compromise (BEC) and phishing emails using a combination of malicious techniques, expertly selected from an ever-evolving bag of tricks. They’ll use these techniques to impersonate a person or business that’s well-known to the targeted recipient and hide their true intentions, while attempting to avoid detection by security controls.
As a result of the requisite expertise needed to combat these complex attacks, email security has traditionally been siloed away in disparate teams and security controls. Practitioners are buried under an ever-growing pile of RFCs, requiring extensive domain-specific knowledge, unending vigilance, and meticulous manual interventions, such as tweaking trust levels and cultivating allow/block lists with IPs, domains, senders, and vendors.
Cisco Secure Email Threat Defense is leading the industry forward with a major shift, elevating email security into a new era; where administration will consist of merely associating specific business risks with the appropriate due diligence response required to remediate against them.
Email Threat Defense has introduced a new Threat Profile that provides the customer with deep insights into the specific business risks of individual email threats and the confidence to act quickly. This new visualization is powered by a new patent-pending threat detection engine. This engine leverages intelligence distilled from Talos global-scale threat research across a massive volume of email traffic into machine learning, behavioral modeling, and natural language understanding.
The detection engine granularly identifies specific underlying threat techniques utilized in the message by the attacker. The identified techniques provide the full context of the threat message as the supporting foundation for the engine to determine threat categorization and the specific risk to the business. These malicious Techniques, together with the threat category and specific business risk, are used to populate the Threat Profile.
Each message’s Threat Profile is identified in real-time, automatically remediated per policy, and surfaced directly to the operator in the message detail views, providing deep contextual insights into the attacker’s intent and the associated risks to the business. As part of a larger Extended Detection and Response (XDR) strategy, the actionable intelligence in Email Threat Defense is integrated with the wider enterprise orchestration of security controls via SecureX, easing the operational burden by decreasing your mean time to remediation (MTTR).
Email Threat Defense delivers a distinct understanding of malicious messages, the most vulnerable targets within the organization, and the most effective means of protecting them from phishing, scams, and BEC attacks. With a clean design and core focus on simplifying administration, Email Threat Defense deploys in minutes to strengthen protection of your existing Microsoft 365 Exchange Online platform against the most advanced email threats.
For more information, visit the Cisco Secure Email product pages, read the Email Threat Defense data sheet, and view the demo video below.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Imagine this: Your CEO sends you an email asking for your help transferring $5,000 to a new vendor for an urgent project. You make the transfer, only to find out later that the email was actually from an imposter, and that money is now in the hands of cybercriminals. Oops, right? crickets
Business Email Compromise (BEC) is a type of cybercrime that involves compromising or imitating legitimate business email accounts to carry out fraudulent transactions or steal sensitive information. The goal of a BEC attack is typically to trick the victim into transferring money, clicking on a malicious link, or disclosing sensitive information such as login credentials. BEC attacks can have a devastating impact on organizations of all sizes and in all industries, making it essential for businesses to be aware of the threat, understand the business risk, and take the necessary steps to protect themselves.
According to the latest FBI IC3 report, BEC is “one of the most financially damaging online crimes” and in 2021 was accountable for $2.4 Billion in adjusted losses for businesses and consumers.
One of the most common types of BEC attacks is called impersonating or email spoofing. By pretending to be a trusted colleague or business partner to gain the victim’s trust, the attacker uses social engineering techniques to trick the victim into clicking on a link or attachment in an email that contains malware, takes the victim to a malicious website, and has them transfer funds or change payment information.
BEC attacks can be very sophisticated and are difficult to detect. Many times, what the end-user sees on their email client does not represent the true email address of that sender, or it shows one that has been spoofed.
Typically, the attacker tries to impersonate someone in the organization with enough authority to not be questioned about what he/she is asking to be done.
As with everything in security, to be able to succeed in stopping BEC attacks, additional security layers & techniques should be implemented. There are several options to mitigate or reduce the number of successful BEC attacks. Creating a list of the people who will be likely to be impersonated will provide the best results. Usually, with names from the CxO level, this is known as a High Impact Personnel list. It will be used along with other security analysis engines to make sure any impersonated/spoof emails, along with other threats, get stopped and will not reach the end user.
The Cisco Secure Email Threat Defense solution leverages hundreds of detection engines that utilize state-of-the-art artificial intelligence/machine learning and natural language processing to convict messages from the most creative attackers! On top of this, our customers can define their High Impact Personnel list, and together with the other detection engines, will be able to not only block malicious messages but also understand the reasons and categories of why a message is being convicted as malicious.
In summary, Business Email Compromise (BEC) is a serious threat to organizations of all sizes and in all industries. To protect against BEC attacks, businesses should implement multiple techniques including identifying their High Impact Personnel for their organization, educating employees about the threat, and relying on reporting to understand who is being targeted most frequently so their security policies can be adjusted.
See how Secure Email Threat Defense identifies specific business risk factors to protect your organization.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS