Market Research

Hotel Brands in Dubai May Be Putting Customers at Risk of Email Fraud

Proofpoint has released research identifying that only 17% of hotel brands in Dubai have implemented the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, the policy that tells receiving mail servers to block messages spoofing the brand's domain and so reduces the risk of email fraud. This leaves travellers visiting Dubai exposed to fraudulent email impersonating the remaining 83% of the hotel chains.

Encouragingly, the analysis revealed that almost two-thirds of the hotel brands analysed have taken initial steps to protect their customers from email fraud, with 63% publishing a DMARC record. The lack of a DMARC record makes companies more susceptible to cybercriminals spoofing their identity and increases the risk of email fraud targeting their customers. Reject (p=reject) is the strictest and recommended DMARC policy: it instructs receiving mail servers to block messages that fail authentication before they reach their intended target, whereas the weaker policies (none, quarantine) only monitor or divert such messages.

Emile Abou Saleh, Regional Director, Middle East, and Africa at Proofpoint, said, “The hospitality sector has worked hard to build consumer confidence in the aftermath of COVID-19, rigorously implementing health and safety protocols and accelerating technology adoption to improve the guest experience. However, as our research shows, a majority of hotel brands in Dubai could be doing more to prioritise cybersecurity and ensure their customers are less vulnerable to email fraud. This is crucial given that email remains the number one threat vector for cybercriminals.”

The UAE and Dubai’s hospitality industry is preparing for surging demand, amidst the lifting of travel curbs from the US, UK, and Saudi Arabia, and the start of the six-month Expo 2020 in early October 2021. Sensing a prime opportunity from increased demand, cybercriminals may capitalise on the potential increase in email communications to try and trick hotel guests with phishing emails.

DMARC is an email authentication protocol designed to protect domain names from being misused by cybercriminals. A receiving mail server looks up the sender domain's DMARC policy in DNS and authenticates the message before allowing it to reach its intended destination. It builds on the established SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) standards: the message passes DMARC only if SPF or DKIM succeeds for a domain that aligns with the domain shown in the visible From: header, which is the one the recipient actually sees. If neither check passes, the receiver applies the domain owner's published policy (none, quarantine or reject).
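The evaluation described above, as an added example that is not part of the original article or Proofpoint's tooling: it parses a _dmarc TXT record, checks SPF/DKIM identifier alignment in relaxed or strict mode, and returns the disposition a receiver would apply. The hotel domains and their records are constructed for the example, the organizational-domain logic is simplified to "last two labels" (real receivers consult the Public Suffix List), and the pct= sampling tag is parsed but not applied.

```python
"""Classify a domain's DMARC posture and evaluate a message against it.

Added example: the DNS records below are constructed, not real hotel data,
and DNS is simulated with a dictionary so the script runs offline.
"""

# Constructed _dmarc.<domain> TXT records (assumption: hypothetical domains).
DMARC_RECORDS = {
    "hotel-reject.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@hotel-reject.example",
    "hotel-quarantine.example": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "hotel-none.example": "v=DMARC1; p=none; rua=mailto:dmarc@hotel-none.example",
    # "hotel-norecord.example" deliberately publishes nothing
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain: str):
    """Return (policy, is_subdomain). Falls back to the org domain's record."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record:
        return parse_dmarc(record), False
    od = org_domain(from_domain)
    if od != from_domain.lower() and od in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[od]), True
    return None, False


def policy_level(domain: str) -> str:
    """The posture the Proofpoint analysis counts: reject / quarantine / none / no record."""
    policy, _ = lookup_policy(domain)
    return policy["p"] if policy else "no record"


def evaluate(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain) -> str:
    """Disposition a receiver applies: 'pass', 'none', 'quarantine', 'reject' or 'no-policy'."""
    policy, is_sub = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"   # nothing to enforce: the From: domain is freely spoofable
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains inherit sp= when present, otherwise p=.
    return policy.get("sp", policy["p"]) if is_sub else policy["p"]


if __name__ == "__main__":
    for d in ("hotel-reject.example", "hotel-quarantine.example", "hotel-none.example", "hotel-norecord.example"):
        print(f"{d:28s} {policy_level(d)}")
    # A spoofed booking confirmation: SPF passes for the attacker's own domain, no DKIM.
    for d in ("hotel-reject.example", "hotel-none.example", "hotel-norecord.example"):
        print("spoof of", d, "->", evaluate(d, True, "attacker.example", False, None))
```

Note the failure mode the article is warning about: the spoofed message against hotel-none.example and hotel-norecord.example is delivered just like a legitimate one, because p=none and a missing record both leave the receiver with nothing to enforce. Only the p=reject domain turns the spoof into a blocked message.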

“While hotels have started to implement smart technology solutions to elevate the guest experience and offer personalized services, they should also prioritize deploying adequate email protection and inbound threat blocking capabilities (including deploying DMARC email authentication protocols) to make the hospitality experience better for all,” concluded Emile Abou Saleh.

Cyber Security

Malware Exploits Microsoft’s e-Signature Verification to Target 2,000+ Victims in 111 Countries, and Counting

Check Point Research (CPR) has seen a new malware campaign exploiting Microsoft’s digital signature verification to steal sensitive information from victims. The malware, ZLoader, is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive information. ZLoader has been known to deliver ransomware in the past and came onto CISA’s radar in September 2021 as a threat in the distribution of Conti ransomware. During the same month, Microsoft said ZLoader operators were buying Google keyword ads to distribute various malware strains, including Ryuk ransomware. Today, CPR is publishing a report that details the resurgence of ZLoader in a campaign that has claimed over 2,000 victims in 111 countries. CPR has attributed the campaign to the cybercriminal group MalSmoke.

Infection Chain

  1. The attack begins with the installation of a legitimate remote management program pretending to be a Java installation
  2. After this installation, the attacker has full access to the system and is able to upload/download files and run scripts, so the attacker uploads and runs a few scripts that download more scripts, which run mshta.exe with the file appContast.dll as the parameter
  3. The file appContast.dll still carries a valid Microsoft signature, even though additional data has been appended to the end of the file: the appended bytes sit inside the signature block, which the Authenticode hash does not cover, so the signature continues to verify
  4. The appended code downloads and runs the final ZLoader payload, stealing user credentials and private information from victims
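Step 3 is the crux of the campaign, so here is an added example (not Check Point's tooling or code from the article) of how a defender can check a PE file for it offline. The Authenticode hash deliberately skips the attribute certificate table, so bytes appended after the PKCS#7 SignedData blob inside that table leave the signature intact unless the verifier enforces strict padding. The checker below parses the PE headers, locates the security directory and measures how many bytes the PKCS#7 DER structure does not account for. The PE skeleton and the stand-in DER blob are constructed fixtures, not real signed binaries.

```python
"""Flag data appended inside a PE's Authenticode certificate table.

Added example. Works on any PE file read into memory; the fixtures at the
bottom are constructed so the script runs without a real signed binary.
"""
import struct

SECURITY_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER = struct.Struct("<IHH")     # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Total encoded size of the outermost DER element (tag + length + value)."""
    if len(blob) < 2 or blob[0] != 0x30:    # PKCS#7 SignedData is a DER SEQUENCE
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long-form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def trailing_bytes_in_cert_table(cert_table: bytes) -> int:
    """Bytes in the first WIN_CERTIFICATE entry beyond the end of its PKCS#7 DER.

    Entries are padded to an 8-byte boundary, so up to 7 trailing bytes are
    normal; anything larger is data smuggled inside the signature block.
    """
    dw_length, _revision, cert_type = WIN_CERT_HEADER.unpack_from(cert_table, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type 0x{cert_type:04x}")
    body = cert_table[WIN_CERT_HEADER.size:dw_length]
    return len(body) - der_total_length(body)


def security_directory(pe: bytes) -> tuple:
    """Return (file offset, size) of the attribute certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 4 + 20             # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 directories
    return struct.unpack_from("<II", pe, dd_off + 8 * SECURITY_DIR_INDEX)


def has_appended_payload(pe: bytes) -> bool:
    """True when the signature block carries more than alignment padding."""
    off, size = security_directory(pe)
    if size == 0:
        raise ValueError("file carries no Authenticode signature")
    return trailing_bytes_in_cert_table(pe[off:off + size]) > 7


# --- constructed fixtures (assumption: not real signed binaries) -------------
def build_cert_table(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """WIN_CERTIFICATE entry around pkcs7, optionally smuggling bytes after it."""
    body = pkcs7 + appended
    header = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    entry = header + body
    return entry + b"\0" * (-len(entry) % 8)


def build_minimal_pe(cert_table: bytes) -> bytes:
    """PE32+ skeleton holding only the fields the checker reads."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(112 + 16 * 8)           # PE32+ header plus 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    cert_off = len(dos) + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert_table))
    return dos + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    fake_pkcs7 = b"\x30\x12" + bytes(range(18))   # stand-in DER SEQUENCE, not a real signature
    clean = build_minimal_pe(build_cert_table(fake_pkcs7))
    tampered = build_minimal_pe(build_cert_table(fake_pkcs7, b"payload" * 16))
    print("clean:", has_appended_payload(clean))        # False
    print("tampered:", has_appended_payload(tampered))  # True
```

To scan a real file, read it with open(path, "rb").read() and pass the bytes to has_appended_payload. The check is deliberately independent of signature validity: a file can be both correctly signed and carry smuggled data, which is exactly why the signature alone is not a trust decision. Microsoft's opt-in hardening that the article refers to is the EnableCertPaddingCheck value (REG_SZ "1") under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node path on 64-bit Windows); with it set, WinVerifyTrust rejects such files instead of accepting them.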

Victims
So far, CPR has documented 2170 unique victims. Most victims reside in the United States, followed by Canada and India.

Attribution
CPR believes that the cybercriminals behind the campaign are Malsmoke, given a few similarities with previous campaigns.

Disclosure
CPR updated Microsoft and Atera of its findings.

Kobi Eisenkraft, Malware Researcher at Check Point Software, said, “People need to know that they can’t immediately trust a file’s digital signature. What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information from users. We first began seeing evidence of the new campaign around November 2021. The attackers, whom we attribute to MalSmoke, are after the theft of user credentials and private information from victims. So far, we’ve counted north of 2,000 victims in 111 countries and counting. All in all, it seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.”

Safety Tips

  1. Apply Microsoft’s update for strict Authenticode verification. It is not applied by default.
  2. Do not install programs from unknown sources or sites.
  3. Do not click links or open unfamiliar attachments that you receive by email.

Cyber Security

New Survey Shows Growing Crisis of Trust with Microsoft and Legacy IT Vendors

CrowdStrike has announced the release of the 2021 CrowdStrike Global Security Attitude Survey, conducted by independent research firm Vanson Bourne. The report highlights that ransomware payout demands and extortion fees are increasing sharply, that trust in legacy IT vendors has dipped, and that organizations are in fact getting slower at detecting cybersecurity incidents.

“The survey presents an alarming picture of the modern threat landscape, demonstrating that adversaries continue to exploit organizations around the world and circumvent outdated technologies. Today’s threat environment is costing businesses around the world millions of dollars and causing additional fallout,” said Michael Sentonas, chief technology officer at CrowdStrike. “The evolving remote workplace is surely accentuating challenges for businesses as legacy software like Microsoft struggles to keep up in today’s accelerated digital world.”

“This presents a clear clarion call that businesses need to change the way they operate and evaluate more stringently the suppliers they work with,” added Sentonas. “The threat landscape continues to evolve at a frightening pace and it’s obvious that modern organizations need a cloud-native, holistic end-to-end platform approach to tackle and remediate threats in a swift manner.”

Recent attacks such as Sunburst and Kaseya have once again brought supply chain attacks to the forefront as evidenced by 63% of respondents admitting their organization is losing trust in legacy vendors, like Microsoft, due to frequent security incidents against these previously trusted technology suppliers.

The issue is so widespread that more than 3 out of every 4 respondents (77%) have suffered a supply chain attack. It’s clear that swift action and newer technologies will be required by businesses looking to increase their cyber resiliency.

  • 45% of respondents had experienced at least one supply chain attack in the past 12 months.
  • 64% of respondents cannot claim that all their software suppliers have been vetted in the last 12 months
  • 84% of respondents are fearful of supply chain attacks becoming one of the biggest cybersecurity threats in the next three years

Survey data indicates that ransomware attacks are continuing to prove effective, with average ransomware payments increasing 62.7% in 2021 (from $1.1 million in 2020 to $1.79 million in 2021). Not only that, organizations are almost universally being hit with “double extortion”, where threat actors not only demand a ransom to decrypt data but additionally threaten to leak or sell the data unless the victim pays more money. Survey data shows that 96% of organizations that paid a ransom were forced to pay additional extortion fees, costing businesses on average $792,493. Additional notable findings include the following:

  • 66% of respondents’ organizations suffered at least one ransomware attack in the past 12 months
  • More than half (57%) of businesses did not have a comprehensive ransomware defense strategy in place
  • The average ransomware payment was $1.34 million in EMEA and $2.35 million in APAC and $1.55 million in the US
  • The average ransom payment increased by 63% in 2021 to $1.79 million (USD), compared to $1.10 million (USD) in 2020. CrowdStrike Intelligence has observed the average ransom demand from attackers is $6 million. While attackers aren’t getting quite the amounts they are seeking, they are still earning massive payouts. CrowdStrike attributes this to companies understanding both the threat and their exposure, and their ability to negotiate with attackers.

CrowdStrike encourages organizations to strive to meet the 1-10-60 rule, where security teams demonstrate the ability to detect threats within the first minute of an intrusion, investigate and understand the threat within 10 minutes, and contain and eradicate the threat within 60 minutes. In today’s remote-first digital world, organizations continue to face massive challenges in detecting security incidents, as evidenced by eye-opening survey data.

  • On average, respondents estimated it would take 146 hours to detect a cybersecurity incident, up from 117 hours in 2020
  • Once detected, it takes organizations 11 hours to triage, investigate and understand a security incident and a further 16 hours to contain and remediate it
  • 69% of respondents said that their organization suffered an incident because of staff working remotely

In the 2021 Threat Hunting Report, CrowdStrike’s Falcon OverWatch reported that eCrime threat actors are able to move laterally across an organization’s network in an average of 92 minutes. This paints a sharp contrast between the capabilities of today’s swift attackers and defenders who are increasingly slowed down by high volumes of alerts and tools that lack integrated workflows. Only CrowdStrike provides customers with the powerful fusion of world-class technology combined with elite threat hunting and human expertise that is mandatory to see and stop today’s most sophisticated threats.

Market Research

Ransomware, Initial Access Brokers, Carding – Group-IB Presents Report on Trending Crimes

Group-IB has presented its research into global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020–H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.

For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report is divided into five major volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2021/2022 seek to prevent damage and downtime for companies worldwide.

Unwanted guests: over 1,000 accesses to corporate networks were offered for sale in the darknet
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099. This exclusive data was obtained by Group-IB’s Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.

This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management, combined with the fact that tools for attacking corporate networks are widely available, has contributed to a record-breaking rise in the number of initial access brokers. In H2 2019–H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020–H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.

Most companies affected belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). In the review period, the number of industries exploited by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.

The geography of initial access brokers’ operations has also expanded. In H2 2020–H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim companies in H2 2020–H1 2021, followed by France (5%), and the UK (4%).

In the Middle East alone, the total price of all the accesses to the region’s companies available in the underground rose by 37% in the review period and totaled $247,836. Most of the accesses on sale belonged to organizations from the United Arab Emirates (24%), followed by Israel (13%), Turkey (13%), Saudi Arabia (12%), and Iran (12%).

One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.

Lock, Lock Who’s There? Corporansom
The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020–H1 2021. This is an unprecedented increase of 935% compared to the previous review period, when data relating to 229 victims was made public.

Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private Ransomware affiliate programs, DLSs where they post exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.

Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019–H1 2020.

It is noteworthy that in the first three quarters of this year, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Given that cybercriminals publish data on only about 10% of their victims, the actual number of ransomware victims is likely around ten times the number visible on leak sites. The share of companies that opt to pay the ransom is estimated at 30%.

Having analyzed ransomware DLS in 2021, Group-IB analysts concluded that Conti became the most aggressive ransomware group, which made public information about 361 victims (16.5% of all victim companies whose data was released on DLS), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s Top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).

Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).

In the Middle Eastern region, at least 50 organizations have fallen prey to ransomware attacks so far in 2021, compared with 27 companies whose data was released on DLSs in 2020, an increase of 85%. In the current year, the majority of publicly known ransomware victims in the Middle East were located in Turkey (20%), the United Arab Emirates (18%), Saudi Arabia (18%), Israel (10%), and Iran (6%).

The Scamdemic
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.

Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.

Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, have recently started their online migration to Europe, the Americas, Asia, and the Middle East. This is exemplified by Classiscam, an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).

Carding: The Joker’s Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.

An opposite trend was recorded on the market for bank card text data (card numbers, expiration dates, cardholder names, addresses, CVVs): the number of records soared by 36%, from 28 million to 38 million, which can be explained, among other factors, by the higher number of phishing web resources mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.20, while the maximum price skyrocketed almost 7-fold, from $150 to an unprecedented $1,000.

The Middle East followed the global trend, with the carding market dropping 49% in the review period, from $47.6 million in H2 2019–H1 2020 to $24.4 million in H2 2020–H1 2021. The total number of cards belonging to Middle Eastern bank customers offered for sale over the examined period was 1,546,842, a 34% decline compared to the previous review period, when 2,353,854 card records were offered.

This was accompanied by the increase in the average price of text card data from $8.95 to $14.09 and a dramatic drop in the price of a dump from $69.82 to $22.91.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.