Slovenians Arrested in Targeted Phishing Operation…
In case you had not noticed, banks are still where the money is, and so even in the digital age they still represent a primary target for the criminally inclined.
The Slovenian national Computer Emergency Response Team (SI-CERT) reports that as many as five individuals have been arrested for their roles in a suspected cybercrime ring that has been pilfering money from banks.
The new modus operandi these day of course is not to physically rob the bank itself, but to infect the clients with malware, which is what the accused did to the tune of over two million Euros – a pretty good haul representing a significant number of victims.
Authorities began looking into the situation in 2012 after receiving reports from several companies that they had experienced unexplained fund losses. The investigation revealed a spear-phishing campaign was targeting the firms’ accounting staff with emails allegedly from a government authority or another banking institution, and – you guessed it – the emails had attachments that included a malicious remote access tool.
“The trojan horse that was attached to the e-mail message contacted its controlling server that frequently changed network location. After installing the RAT component (Remote Administration Toolkit) on the victim computer, miscreants would observe the activity on the infected system,” SI-CERT reports.
“With stolen credentials and in the case where the victim did not remove the smart card containing the bank-issued certificate from the reader after use, the doors to the company’s bank accounts were left open to the criminal gang. The attacks usually happened on Fridays or the day before a national holidays. This left enough time for the attackers to queue bank transfer orders unobserved during weekends and holidays, provided that the victim did not shut down the computer or remove the smart card from the reader.”
People, just stop blindly opening attachments and clicking on every link to come across, please…
Small Businesses, Big Security Concerns…
Picking up were the last blip ended, Eric Chabrow if ISMG had a good writeup about how the majority of small to medium sized businesses have little to no idea which way is up when it comes to cybersecurity, and that is putting it nicely.
The issue cam to a head in testimony before the House Small Business Subcommittee on Health and Technology which was examining the effects of targeted attacks on SMBs.
“When you incorporate a new business, there are a lot of steps people know they need to go through, and not one of them is cybersecurity. That’s an afterthought completely, so you already start off behind,” said McAfee’s Phyllis Schneck in testimony. This is not just a technology problem, this is a people problem, so a lot of emphasis [should be placed] on the training and education.”
The problem is also one of perceived exposure, as study after study has shown that SMBs just don’t think they are big enough to be targeted by cyber criminals, which in and of itself makes them a prime target because the perpetrators have return-on-investment concerns just like any other business, and they tend to gravitate towards the lowest hanging fruit.
According to subcommittee Chairman Chris Collins, almost 80% of small businesses mistakenly think they are somehow immune from cyber-attacks, despite widespread reports in the media that indicate otherwise. “Many of these firms have a false sense of security and believe they are immune from a possible cyber-attack. This is clearly a gap in education and resources,” Collins said.
Aside from the lack of awareness on the part of SMBs where threats are concerned, the hodgepodge of breach notification laws across the country makes dealing with a data loss event that much more difficult, according to the Computing Technology Industry Association Da Shapero.
“The current patchwork of state data breach laws imposes duplicative costs and undue burden on SMBs. With our increasingly mobile economy, these laws are getting even more complicated to understand since it is not always clear what state a data breach may have actually occurred in, which can be different from where a consumer may reside, Shapero said in testimony. “The creation of a national framework for data breach notification can go a long way toward reducing costs and eliminating barriers to entry for SMB firms.”
As would a consolidated effort to share relevant threat information without compromising the autonomy of businesses or inadvertently exposing more vulnerabilities, which is a whole big can of worms itself.
Any way you slice it, more education and better policies are needed pronto.
In a nice segue carrying on from the last two news blips, Stacy Collette at ComputerWorld has a good piece on employee awareness efforts where security is concerned, but the twist this time is that it is up to the security pros to do a better job at communicating the security agenda in order to get employees to comply.
Well, maybe “comply” was not the best term here, according to Intel’s Malcolm Harkins, who says that if employees are well informed, they will tend to make good decisions – pollyannaesque, but I’m willing to wager it is statistically a better road to go down than the one that leads to the “uniformed” employee.
“Compliance is necessary, but it’s not sufficient,” said Harkins, who advocates less “compliance” and more “commitment” from staff in regards to protecting sensitive data. “If they’re committed to doing the right thing and protecting the company, and if they’re provided with the right information, [then] they’ll make reasonable risk decisions.”
Julie Peeler of (ISC)2 notes that security awareness needs to be proactive, not passive, and requires buy-in from the top levels of corporate leadership. “Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top,” Peeler said.
So what are the top five tips for comprehensive infosec commitment throughout the company? Here is what Collett recommends based on the input of experts in the field:
- Put Threats Into Context: FUD won;t do it, you have to present rational arguments to make headway in awareness
- Go Phishing, Internally: Sometimes a real-time exercise makes the point best – so try a phishing exercise to see who takes the bait
- Protect to Enable: Basically, connect security efforts to the core business objectives so that they make sense
- Share Your Company’s Hack History: Show the troops some data on the level of active threats, attacks, and breaches
- Help the Business Do Its Job: As part of the security team, be conscious that your policies do not inhibit the ability of employees to do their jobs
Images courtesy of ShutterStock