How Phishing Costs Your Brand’s Reputation

What happens when you lose your customers’ trust?

Successful brands are built on trust. You’ve spent years building your brand and earning your customers’ trust. Don’t leave your brand equity vulnerable to an attack that could cost you your current and future customers.

Your Brand Is At Risk

With good reason, then, 71% of security executives surveyed by Frost & Sullivan consider protecting their brand their top priority. Each year hundreds of brands are targeted by cyber criminals launching phishing attacks, and according to the most recent Anti-Phishing Working Group (APWG) Phishing Attack Trends Report, the number of brands targeted reached the highest level on record last year.

Phishing attacks happen, but can they happen to you? They most certainly can; high-profile attacks are reported in the press with increasing regularity. Brands that hold customer data hackers find especially desirable are bigger targets for phishing, but any brand doing business online is at risk.

Brand Damage: The Cost of Phishing to Your Brand

When a brand is attacked, there are both quantitative and qualitative repercussions. The cost of a phishing attack that affects 500 customer accounts can reach upwards of $1.4 million once you account for the funds lost directly to the criminal plus the strain on internal resources to manage and investigate the crisis. That is the immediate financial hit you can expect; the long-term cost is your reputation.

When your customers fall victim to an attack on your brand, consumer perception is that it’s all your fault. Once your brand is targeted, your customers are 42% less likely to do business with you in the future.

This sentiment applies even if the consumer never hands over credentials. Simply receiving a phishing email is enough to write you off, so your brand is treated as guilty by association: when a consumer is targeted by a phishing attack that impersonates your brand, the consumer has a negative experience that he or she associates with your brand, and negative experiences do not increase shareholder value.

Adding further insult to injury, the media often takes note of the situation, cementing consumer perception that doing business with you is a risk. While perhaps not fair, your brand becomes caught up in the associated downward spiral. Consumers, fearful of identity theft, choose your competitor.

Be the Brand Consumers Trust

It all comes down to trust.

In many ways, you are the brand that consumers trust. You have a proven track record of delivering quality products and/or services to your customer base, but cybercriminals are using that same strength and equity of your brand to carry out their mission.

In today’s world, your success as a brand is determined in part by your ability to protect the safety of your customers. Building a security infrastructure that lets your customers do business with you safely is crucial to keeping and expanding your customer base.

Via Malcovery

New Data Illustrates Reality Of Widespread Cyberattacks

All retailers, healthcare & pharmaceutical firms in new study suffered cyber attacks in the first half of 2014, FireEye found.

Some 96% of organizations across 20 different vertical industries suffered some form of cyber attack in the first half of last year.

Advanced malware attacks — typically associated with cyber espionage or other targeted attack campaigns — made up nearly 30% of cyber intrusions at 1,200 companies, according to new data from FireEye collected from its network and email sensors that sit behind traditional security systems.

All of the organizations in agriculture, auto and transportation, education, and retail that were monitored in a trial deployment with the security firm suffered breaches between January and June of last year.

Dave Merkel, CTO of FireEye, says the findings in this random sampling of organizations underscore how the bad guys are relentlessly going after information from their victims but the victim organizations aren’t keeping pace with attackers.

“One issue is outmoded thinking that ‘I bought this magic widget 5 to 10 years ago, and it’s somehow relevant today.’ But the bad guys are innovating … and [companies] need to continue to innovate” with their security strategies and tools, he says.

It’s not just about security technology or products, either, he says. “You have to bring expertise to the problem. The bad guy is a person; the malware is a tool. So you can’t just buy technology, plug it in, and solve all ills,” Merkel says. “At the end of the day, you are playing cat-and-mouse with an increasingly professional person who’s making a living taking your stuff … There’s still a human element that has to be engaged actively in your defense.”

Meanwhile, FireEye found the industry with the biggest increase in advanced malware attacks was law, with twice the number of such attacks since the previous year.

And the industry with the lowest percentage of attacks getting past its security perimeters was aerospace and defense, with 76% of the companies getting hit. “While the number is unacceptably high, it is significantly lower than other industries. One possible explanation: many firms in this sector, long a target of advanced state-sponsored attacks, have beefed up their cyber defenses. But as the data shows, most of these defenses continue to fail,” said the FireEye report.

Via DarkReading

Domain Spoofing

This is the high season for e-mail spoofing, where cyber criminals pretend to be your bank, retailer or another business in an attempt to get your private information, steal your identity or install a virus on your computer. These spoof e-mails range from crude attempts to very convincing ones; good spoofs can fool the casual, or even the spoof-aware, user. Especially vulnerable are older people who don’t use computers much and may be too trusting online. Let’s look at a few spoof examples and some tips to protect yourself and pass on to those you think may be unaware.

E-mail Spoofing Examples

(from crude to pretty damn good)

Here is a bad spoofing job that I would hope no one would fall for.

[Screenshot: CVS spoof e-mail]

Notice that the logo is obviously cut and pasted from a website and the formatting is crude. Those two things should immediately set off alarm bells. You should always look at the “From” line; in this case they didn’t even take the time to spoof the cvs.com domain. Dead giveaway and time to hit the spam and delete buttons.

Here is another in the same category.

[Screenshot: FedEx spoof e-mail]

It shouldn’t fool anyone, given that the addresses in the “From” and “Return-path” lines don’t look like FedEx business addresses.

The next is a Southwest Airlines spoof that a bit more time was spent on (but not much).

[Screenshot: Southwest Airlines spoof e-mail]

At least they put “southwest” in the domain name on the “From” line. They also included a better-looking logo, but the addresses in the “From” and “Return-path” lines are still suspect and don’t look like anything Southwest would use. Also notice that in the link they want me to click, my name is not formatted correctly; Southwest marketing has my information and would format it better. One way to be sure is to hover over the link they want you to click (but please don’t click on it). When I hover over this one, the bottom left of my email client shows that the link actually goes to http://www.poweredsouthwest.com/judca/dictatorialness/surprized/trailbalzers/citator.php

Definitely not legit. [I left out a part of it just so no one reading this would copy and paste it into a browser. Not sure why someone would do that but…]

The previous examples were simplistic and hopefully no one would be fooled, but they get better. Here is one I got that looked like it came from American Express, and I just about clicked on it.

[Screenshot: first American Express spoof e-mail]

I was in a hurry and didn’t look at the Return-path and was just about to click to get my “safe key” when I noticed a weird path when I hovered over the “here” URL. This one just about got me.

Another from American Express (seem to get a lot of these).

[Screenshot: second American Express spoof e-mail]

The “From” line looks good and the “Return-path” line looks confusing enough that someone may click what looks like a proper URL. There are three giveaways on this one. First, hovering over the https://www.americanexpress.com/ link exposes that it actually goes to http://www.estibasideko.com/disney/grubbed.html. Second, I got this same email three times within minutes, with the name in the upper right changed each time. And third, I know from past experience that American Express does not send me e-mails when they see irregular activity; they phone me. That said, someone not used to the online world (our older generation, for example) might be tricked.

Another dead giveaway, and one that can be deadly to your computer, is when the email comes with an attachment like the following.

[Screenshot: Amazon spoof e-mail with .zip attachment]

Notice that the attachment is a “.zip” file. Beyond the fact that the Return-path is wrong, any e-mail with a “.zip” attachment that you were not expecting can run malware on your computer the moment you open it. Delete it immediately. The same goes for attachments ending in “.exe”, “.php” and so on.

I could show many more examples, as I now seem to get them every day, but you get the point. Any major company you do business with is being spoofed, and the cyber criminals are getting good at it. I get them claiming to be Facebook, PayPal, Walgreens, Wells Fargo, Citibank, ADT, Intuit, Adobe, etc., all companies I do business with, so on the surface they look like something I would expect.

How to protect yourself from spoofing

So what do you do to thwart these attempts? Here is a list of seven tips to help you protect yourself.

1 – Never use e-mail. That would certainly protect you, but it is not realistic, since e-mail is still the most used method of communication, so let’s move on to #2.

2 – Never open an attachment to an e-mail that you are not expecting. I am not referring to the e-mail from your friend with a picture (.jpg) attached; almost all legitimate e-mails from businesses do not include attachments. Of course, if your accountant has told you they will be sending a document attached to an e-mail, it is probably okay.

3 – Install anti-virus software that scans your e-mail for attached viruses. This will not protect you from spoofing scams that get you to click a URL, but it is good (not perfect) protection against malware that could infect your computer.

4 – Always look at the full “From” line and the “Return-path”, since a mismatch between them, or an address that does not belong to the business, is usually an immediate giveaway. If you do not see the “Return-path”, check your e-mail client’s view options for showing the full header. Keep in mind that both fields are written by the sender, so a careful forger can make them match: a mismatch is a warning sign, but a clean-looking “From” proves nothing on its own. Where your client shows the Authentication-Results header, the SPF, DKIM and DMARC results recorded there are the checks that actually tie a message to the domain it claims.

5 – Do not click on a URL in an e-mail unless you are absolutely sure the e-mail is legitimate. If unsure, instead of clicking, type the business’s address into your browser yourself so you reach their site and not a look-alike set up by hackers.

6 – If you do click the link and it takes you to a site that asks you to “verify” your credentials by entering your account information, stop immediately. Look at the URL in your browser’s address bar; it is probably not the company URL you thought you were visiting. Leave that site and type in the URL of the business you intended to visit.

7 – Use your intuition. If it doesn’t look quite right, it probably isn’t, and you should mark it as spam and delete it. If a business really needs to reach you urgently, they will ask again or call you.
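The checks in tips 2, 4, 5 and 6 can be mechanised. The script below is an added example, not code from the original post: it parses a raw message with Python’s standard email library and reports the three tells the examples above rely on (sender-domain mismatches between From, Return-Path and Reply-To; links whose visible text names one site while the href points elsewhere, as in the American Express example; and unexpected .zip/.exe-style attachments). The sample message is constructed for the example and every domain in it is a placeholder, not a real sender or lure.

```python
"""Triage checks for a suspected spoof e-mail (added example, not the post's code)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the post says you should never open unexpectedly.
RISKY_EXTENSIONS = {".zip", ".exe", ".php", ".js", ".scr", ".vbs"}


def domain_of(addr_header):
    """Lower-cased domain of an address header such as 'Name <user@host>', or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL, lower-cased, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html_body):
    """Links whose anchor text names a host different from the real target.

    This is what hovering over the link reveals in the post's American Express
    example: the text says americanexpress.com, the href goes somewhere else.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown_host = host_of(text if "://" in text else "http://" + text)
        if "." in shown_host and shown_host != host_of(href):
            findings.append((text, href))
    return findings


def triage(raw_message):
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_dom:
            warnings.append(f"{header} domain {other!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            warnings.append(f"link shows {text!r} but goes to {href!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"unexpected {ext} attachment {name!r}")
    return warnings


# Constructed sample modelled on the American Express example; every domain here
# is a placeholder, not a real sender or lure.
SAMPLE = """\
From: American Express <alerts@americanexpress.example>
Return-Path: <bounce-77@mailer.example.net>
Reply-To: <verify@webmail.example.org>
Subject: Irregular activity on your card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account at
<a href="http://www.lure.example.net/review.html">https://www.americanexpress.com/</a></p></body></html>
--b1
Content-Type: application/zip; name="Statement.zip"
Content-Disposition: attachment; filename="Statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE):
        print("WARNING:", warning)
```

Bear in mind that From, Return-Path and Reply-To are all written by the sender, so a careful forger can make them agree. These checks catch the sloppy cases shown above; the SPF, DKIM and DMARC results your own mail server records in the Authentication-Results header are what actually tie a message to the domain it claims.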

Inside Illegal Underground Hacking Markets

Researchers at Dell SecureWorks released an update to 2013 research on black hat markets, noticing a number of noteworthy trends beyond the theft of personal credentials such as passports, driver’s licenses, working Social Security numbers and even utility bills as a second form of authentication.

Criminal gangs are also marketing their services, differentiating themselves based on respective service levels and guarantees on stolen data.

“It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” the report said.

That doesn’t mean criminals operating online have abandoned the long-profitable stolen credit card as a revenue stream. Premium cards, including fullz, have gone up in price by an average of $5 since 2013, selling at about $30; fullz is hacker slang for a full collection of stolen credentials, including name, address, phone number, email addresses, date of birth, Social Security number, bank account numbers, credit card numbers and banking credentials.

While the price of individual credit card numbers remains flat or has dropped from last year, the price for fullz on U.S. victims is up to $30, while U.K., Australia, Canada, EU and Asia fullz run as high as $45 per record.

Premium Master Card and Visa cards that work worldwide and include Track 1 and 2 data are selling for $35 and $23 respectively, Dell SecureWorks said. Premium cards are classified Black, Platinum, Gold and others by credit card companies. Dell researchers said the number of data breaches has made cards plentiful on the underground, yet prices have not deflated, in particular for non-U.S. cards. One underground site, Dell SecureWorks said, claimed to possess 14 million U.S. cards, 294,000 from Brazil and 342,000 from around the world.

While online fraud remains a constant, identity kits, Dell SecureWorks said, are being used for in-person scams, including loan applications, check fraud and more. A new identity, which includes a scan of a working Social Security card, name and address, nets $250 underground; a valid utility bill costs an extra $100, Dell SecureWorks said. A counterfeit non-US passport, meanwhile, can fetch as much as $500.

Training tutorials, on the other hand, run the gamut from basic instruction on selling stolen credit cards to others on running exploit kits, spam, phishing and DDoS campaigns.

“These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit kit is but also how they are used, which are the most popular, and what hackers should pay for these hacker tools,” the report said.

Many of these services also come with “satisfaction guarantees,” the report’s authors, Shear and Stewart, said. Carders in some cases offer 100 percent guarantees that stolen cards are still valid and have not been canceled. “All dead ones will be replaced,” the report quotes one site as saying.

Malware continues to sell well in the underground, Dell SecureWorks said. Remote access Trojans are selling for less than last year, ranging from $20 to $50 for notorious RATs such as DarkComet, down considerably from as high as $250 a year ago. A number of free RATs have flooded the market, Dell SecureWorks said, deflating prices.

“Hackers are looking for a RAT that is easily available for purchase or to use for free and which they can run through a Crypter (a program which encrypts malware, making it FUD or fully undetectable to Anti-Virus and Anti-Malware programs),” the report said.

As for exploit kits, Nuclear and Sweet Orange seem to fetch the best prices with Sweet Orange going for $450 for a weekly lease to as high as $1,800 for a month.

See more at: Threatpost

Phishing scam that penetrated Wall Street

Advanced tactics raise the bar on spearphishing attacks, making them harder to spot.

Figure: a malicious dialog that tricks high-profile targets into giving their Outlook credentials to attackers. (Source: FireEye)

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.

FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases have allowed it to remain undetected since at least mid-2013, according to a report published Monday by security firm FireEye. Members have a strong command of English and knowledge of corporate finance and Fortune 500 culture, and they use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses the compromised account of one employee, customer or partner to send spearphishing e-mails to other company insiders. At times the attackers inject a malicious message into an ongoing e-mail discussion among multiple people, further improving their chances of success.

E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns. Witness the following:

Subject: employee making negative comments about you and the company

From: [name]@[compromised company’s domain]

I noticed that a user named FinanceBull82 (claiming to be an employee) in an investment discussion forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions. I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread):

http://forum./redirect.php?url=http://%2fforum%2fequities%2f375823902%2farticle.php

Could you please talk to him?

Thank you for the assistance,
[name]

FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known.

“Our visibility into FIN4’s activities is limited to their network operations,” FireEye researchers Barry Vengerik, Kristen Dennesen, Jordan Berry, and Jonathan Wrolstad wrote. “We can only surmise how they may be using and potentially benefiting from the valuable information they are able to obtain. However one fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage.”

Embedded in the previously stolen documents are Visual Basic for Applications (VBA) macros that prompt readers to enter their Outlook user names and passwords; the scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients. The attackers then used a compromised account belonging to the advisory firm to compromise the client, which FireEye identified only as Public Company A.

“After news of the possible acquisition was made public, Public Company A’s stock price varied significantly,” Monday’s report stated. “It is likely the FIN4 used the inside information they had to capitalize on these stock fluctuations.”

Many phishing campaigns are relatively easy to spot because the e-mail lures contain grammatical errors or embed malicious files that are readily detected by most antivirus products. The FIN4 operations, by contrast, are notable for their organization, persistence, and familiarity with the organizations being targeted. In many respects, the operation resembles those of so-called advanced persistent threats (APTs), in which government-allied hackers case the networks of corporations, government agencies, and non-governmental organizations. Cyber criminals’ embrace of APT tactics and techniques in financially motivated online crime is one of the trends researchers from fellow security firm Kaspersky Lab expect to see increase in the coming year.

The FIN4 campaigns were ongoing at the time Monday’s report was being written. FireEye recommends that firms protect themselves by disabling the execution of VBA macros unless there is a strong need for them. FireEye also recommends that administrators monitor their networks for computers that connect to Tor servers, since that is another way the attackers attempt to cover their tracks. Additionally, admins can check whether employees have connected to any of nine Internet domains known to be used to funnel insider information. Of course, the best thing any potential target can do is educate employees on how to spot phishing attacks. The FIN4 attackers have raised the bar, so most education programs should be revised to help employees spot these new and improved tactics.
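One concrete control behind the advice to restrict VBA is to refuse or quarantine macro-bearing Office attachments before they reach a mailbox. The script below is an added example, not FireEye’s code or anything from the report. It relies on two facts about the OOXML formats (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm): the file is a zip archive, and a VBA project is always stored as a part named vbaProject.bin and declared in [Content_Types].xml. Inspecting at that level is independent of the file extension, so a .docm renamed to .docx is still caught. The sample documents are built in memory for the example; legacy .doc/.xls OLE2 files need a separate parser and are only recognised by their magic bytes here.

```python
"""Flag Office attachments that carry VBA macros (added example, not FireEye's code)."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def inspect_office_blob(filename, data):
    """Return (verdict, reason) for one attachment's bytes.

    verdict is 'macro', 'clean', 'legacy-ole' or 'not-office'.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole", "OLE2 container; inspect with an OLE parser"
    if not data.startswith(b"PK"):
        return "not-office", "not a zip/OOXML container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office", "zip without [Content_Types].xml"
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office", "corrupt zip"
    has_vba_part = any(n.endswith("vbaProject.bin") for n in names)
    declares_vba = VBA_CONTENT_TYPE in types_xml
    if has_vba_part or declares_vba:
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        note = " (extension claims macro-free)" if ext in MACRO_FREE_EXTENSIONS else ""
        return "macro", f"VBA project present{note}"
    return "clean", "OOXML without VBA project"


def build_docx(with_macro):
    """Construct a minimal OOXML document in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        override = ('<Override PartName="/word/vbaProject.bin" '
                    f'ContentType="{VBA_CONTENT_TYPE}"/>') if with_macro else ""
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   + override + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes, not a real VBA project; only the part's presence matters here.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("deal_terms.docm", build_docx(True)),
        ("deal_terms.docx", build_docx(True)),   # macro file renamed to look macro-free
        ("agenda.docx", build_docx(False)),
    ]
    for name, blob in samples:
        print(name, *inspect_office_blob(name, blob))
```

A gateway rule built on this would quarantine anything returning 'macro' and route 'legacy-ole' files to a parser that can walk OLE2 streams, rather than trusting the extension or the sender, which in FIN4’s case was a genuine colleague’s compromised account.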

Phishing mails and websites could blank out your bank account

Fake wire transfer request e-mails are now seen as a growing trend

Symantec has recently seen a spam campaign involving fake wire transfer request e-mails, a growing trend. The purpose of this type of email is very simple: to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send the email to a target recipient while pretending to be the CEO or a senior executive of the organization, and they usually aim it at employees in the finance department, since those employees have the ability to act on payment requests.

Another tactic the scammers use is registering domains very similar to the target domain. For example, if a scammer was targeting a user at exampledomain.com they might register the domain exampledoma1n.com or exaampledomain.com. So for example, you might receive an email sent to you at yourname@exampledomain.com from CEO@exaampledomain.com. The reason for this is that when a recipient replies to the email the scammer is hoping they might not notice the slight difference in the domain and think it’s from a trusted sender.

During our analysis, we noticed that the scammers are sending the emails out on the same day that they are registering the domains. This is likely in the hope that they can extract payment before the domain is reported and suspended.

Figure 1. Fake payment request supposedly from a senior executive

Many of the fake wire transfer emails contain a PDF document (see Figure 1) which contains the credit transfer instructions.

Figure 2. PDF document containing credit transfer instructions

However, we have also seen examples of these scam emails being sent with no attachments and just one line of text (see Figure 3). This version of the scam requires the email recipient to reply to the message; the scammers will then forward on the payment details.

Figure 3. Fake payment request

We have also seen variants where the scammers spoof the “From” address to make it look as though the email is coming from a company executive, even though the true sender’s address is different. The “Reply-To” address, usually a webmail address, can be seen when the user clicks reply.

Figure 4. Email header with spoofed ‘From’ address and webmail ‘Reply-To’ address

If you receive a wire transfer request that seems out of the ordinary, always check that the sender is who they say they are. Ask yourself: is it normal procedure for your CEO to decide that you’re the best (or only) person to help in that situation?

Check the email headers to see where the email has originated from.

If you receive an email containing a thread you supposedly took part in earlier, check with the person who supposedly sent it. Reply to the sender, but take their address from your company’s address book in your email client rather than from the message itself.

If you have any suspicions about an email requesting a wire transfer, investigate it further before proceeding with the request.
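The look-alike-domain and Reply-To tricks described above can be checked automatically before anyone in finance acts on a request. The script below is an added example, not Symantec’s code: it folds visually confusable characters (the “1” in exampledoma1n.com), measures edit distance against a list of trusted domains (to catch exaampledomain.com), flags a trusted name used as a subdomain of something else, and reports a Reply-To that leads away from the From domain, especially to webmail. The trusted-domain list, the webmail list and the two sample messages are constructed for the example; the same-day domain registration Symantec observed would need a WHOIS/RDAP lookup and is not attempted here.

```python
"""Look-alike domain and Reply-To checks for payment-request e-mails (added example)."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"exampledomain.com"}  # assumption: your organisation's own domains
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Digits and letter pairs scammers substitute because they look alike on screen.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(domain):
    """Fold visually similar characters so 'exampledoma1n.com' reads 'exampledomain.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` impersonates, or None.

    Catches a trusted name used as a subdomain of something else, confusable
    character swaps, and small typos such as one doubled or dropped letter.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if domain.startswith(t + "."):
            return t
        if normalise(domain) == normalise(t):
            return t
        if levenshtein(normalise(domain), normalise(t)) <= max_distance:
            return t
    return None


def assess(raw_message, trusted=TRUSTED_DOMAINS):
    """Return warnings for one raw message: look-alike From, or Reply-To leaving the domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg["From"] or "")
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    hit = lookalike_of(from_dom, trusted)
    if hit:
        findings.append(f"From domain {from_dom!r} looks like trusted {hit!r}")
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(msg["Reply-To"])
        reply_dom = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_dom != from_dom:
            kind = "webmail" if reply_dom in WEBMAIL_DOMAINS else "external"
            findings.append(f"Reply-To goes to {kind} domain {reply_dom!r}, not {from_dom!r}")
    return findings


# Constructed samples mirroring the two variants described above.
LOOKALIKE = """\
From: CEO <ceo@exaampledomain.com>
To: yourname@exampledomain.com
Subject: Urgent wire transfer

Please process the attached payment today.
"""

SPOOFED_FROM = """\
From: CEO <ceo@exampledomain.com>
Reply-To: <ceo.private.office@gmail.com>
To: yourname@exampledomain.com
Subject: Re: payment

Are you at your desk? I need a transfer handled quietly.
"""

if __name__ == "__main__":
    for label, raw in (("look-alike", LOOKALIKE), ("spoofed From", SPOOFED_FROM)):
        print(label, assess(raw))
```

The edit-distance threshold of 2 is deliberately tight: it catches a doubled or dropped letter and a single swapped digit without flagging unrelated partner domains, but it will also flag a legitimate sister domain such as exampledomain.co, which is usually the right call for a payment request.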

Source: Deccan Chronicle.