Phishing Is the Tool, Ransomware Is the Payload: IBM 2022 Threat Intelligence Index

Phishing remains the top tool for criminals targeting businesses, while ransomware has become the most popular form of cyberattack, according to the IBM Security X-Force Threat Intelligence Index 2022. The report, which catalogs attacks recorded between January and December 2021, ahead of a rise in cyber attacks related to the war in Ukraine, offers some sobering statistics for business owners and cyber security professionals.

Phishing accounted for 41% of intrusions in 2021

IBM found that phishing was the leading method of compromising security across all industries, and that it accounted for 46% of intrusions at financial institutions. Criminal organizations now offer Phishing as a Service (PhaaS) and have improved their techniques. IBM reported that phishing campaigns that included phone calls were 3 times more effective than non-call phishing campaigns, with a click rate of 53.2% of those targeted. Major technology brands, including Google, Apple and Microsoft, were frequently impersonated in phishing emails.

There are two concerning trends here. The first is the arrival of phishing as a service. When organized criminals start working on behalf of multiple clients, they can measure their success rates in the same way that legitimate businesses measure their marketing success. This will allow them to evolve strategies faster.

The second is the astounding 53.2% success rate for attacks that included phone calls. A little persistence from a hacker should not cause your people to fall for the phish. Robust phishing awareness training becomes even more critical in the face of this threat.

Ransomware led all attacks

Ransomware accounted for 21% of attacks IBM observed and was the most common type of attack encountered in 2021. Those attacks escalated in 2022, as Microsoft noted in its Digital Defense Report. Hackers are not simply using ransomware to extort businesses anymore; increasingly, they use it to exfiltrate data and then wipe systems clean, removing all traces of their activity.

Facing a ransomware attack is bad enough, but the new trick for state-sponsored hackers is to simply erase all your business data without ever asking for a payment. In some cases, stolen data gets put up for sale on the Dark Web, while in other cases the damage to your cyber infrastructure is the intended result. The only remedy for this is to back up your data frequently, a process that benefits from the guidance of an experienced Virtual CISO. Even if you have in-house IT support, speaking with an expert on intrusions and recovery can help you develop protocols that will prevent permanent data loss.

Manufacturers were the top target

In a shift from 2020, manufacturing became the most-targeted industry for cyber criminals observed by IBM, moving ahead of financial services and accounting for 23.2% of all attacks. Ransomware was the most common attack unleashed on manufacturers.

There are two possible reasons for cyber criminals to shift their focus to manufacturers. Supply chain disruptions that magnified in the second half of 2021 put enormous pressure on manufacturers to increase production. Criminals are usually looking for a fast, hassle-free payout. Faced with the prospect of days, if not weeks, of downtime to restore systems, manufacturers found themselves in a place where payments were the quickest way to get operations back up to speed. Don’t give in to that temptation, as hackers can and will erase your data after you make that payment, costing both the time to restore operations and the ransom money.

Manufacturing is also a softer target than financial services. Nearly all banks and service providers have robust cyber security and regular anti-phishing training to thwart attacks. Manufacturers may not recognize the risks to their systems as readily and may not have all systems secured. Legacy software and legacy operating systems are a particular vulnerability for this sector. Remember that anything connected to the Internet is a possible path for a cyber attack.


New Scam Targets Pay Later Users: What You Need to Tell Your Employees (and Maybe Your Customers)

A new Pay Later scam targets users with fake invoices that deliver funds directly to thieves. Those who have linked a Buy Now, Pay Later account to their PayPal may be at greater risk.

What Is the Pay Later Scam?

Scammers harvest emails to their mailing lists, then create fake invoices like the one below:

[Image: sample fake Buy Now, Pay Later invoice]

The invoice appears to come from a legitimate source. The link points to PayPal and seems legitimate because it is a real PayPal link. Scammers created the phony invoice, complete with the stolen Best Buy logo, to trick careless users into sending them money. These scam emails often arrive late in the afternoon or early in the evening, when you may be tired and less focused on specifics. If you were expecting a Best Buy invoice and saw a payment due at 7PM or 8PM, would you click the link? If it pointed to PayPal, would you be more likely to click it? Pay Later scammers are counting on that.

How to Avoid the Pay Later Scam

To avoid the Pay Later scam, remember one of the most basic rules of cyber security: never click on links in emails. Always go to a company’s website, log in to your account (preferably with two-factor authentication), and complete payments manually. If you want to help PayPal crack down on these scams and encourage them to remove tools that allow scammers to create these fake invoices, you can report it to the PayPal Security Center.

As an extra layer of security, try to avoid associating Pay Later services, such as Affirm, Afterpay or Sezzle, with PayPal accounts or bank accounts. The extra time it takes to put in your information and authorize a transaction, versus simply clicking a link, may be the time you need to recognize a fraudulent invoice. Also try to avoid paying invoices late in the day or when you are distracted.

Inform Your Employees About Pay Later Scams

If you own or run a business, you should be in the habit of reporting new scams to your employees for two reasons:

  1. Scammed employees are unhappy employees, and unhappy employees are less productive. It can take days to undo the personal financial damage from a scam. Set up a program to provide regular emails to your employees when new scams get reported, both business and personal.
  2. Once someone interacts with a criminal, more criminals show up. Scammers are always hunting for “hot” targets. What begins as an individual attack can escalate into phishing attacks that jeopardize your cyber security.

Should I Tell My Customers About Pay Later Scams?

Imagine the reaction of someone victimized by a Pay Later scam. They are going to blame themselves, but they may also blame everyone else involved, including the business that was spoofed in the scam and the platform that processed the payment. That’s a small amount of damage to a company’s reputation, but those small amounts add up over time.

Larger companies may lack the means to notify every customer of every scam and often are not aware that their identities have been spoofed. Companies should take steps to be both proactive and reactive when scams like this appear.

Proactive means informing your customers at the point of sale and in every email that you will not send them links to pay their bills. (If you are sending links to pay bills, please stop.) Remind customers to always go to your website and log in to complete a financial transaction.

Reactive means alerting customers when scams like Pay Later reach your desk. If customers start complaining about fake invoices or invoices they believed that they paid, it’s time to investigate the source and take action. Reach out to impacted customers and request copies of the emails they received, then send an alert to your customers informing them of the scam and reminding them not to click links in emails. This step may take a little time to complete, but the goodwill it builds will justify the cost.

Cyber Warfare Is Here: Are You Prepared?

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try to take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korean or Russian agents coming for your small business.

It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Second, cyber warfare is far more sophisticated. It uses techniques and custom-built software designed to avoid detection and to defeat the common methods of restoring system access. In its less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that gives an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sow chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many business and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. The antivirus program will not stop a nation-state attacker, who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.

Prevent Apple ID Phishing Scams

Apple owners have noticed something very weird: they are becoming victims of a scam using Apple IDs. Once they give up the IDs, scammers can sometimes get access to their Apple account. Here’s how it works: People get a text that says their Apple ID is going to expire, and they are asked to click a link. When they do, the scam occurs because they unknowingly give up their ID and password to a scammer. It’s not rocket science, but it’s an easy and smart scam.

There are some ways to determine if a message is a scam. First, your Apple ID isn’t going to expire, ever. Apple will occasionally ask you to log in to your account, occasionally lock your account, and occasionally make things difficult because, well, they are Apple, and they and you are big targets. As long as you are not responding to and clicking links in text messages or emails, you aren’t going down the scammers’ rabbit hole. Only respond to Apple ID requests on your Apple device in the Settings menu, or in your browser (preferably on a laptop or desktop) when logging directly into Apple’s website.

Beyond Apple ID scams, always look for anything weird like misspelled words or grammar that seems off. Messages that make promises that you will win something, or create a sense of urgency, like “you must do this now,” are also very sketchy. Honestly, any text that you get from a number that is not recognizable is probably a scam. If you think a text from a company might be legit, give the business a call.

This is a really tricky scam, as it seems very real, and it is fairly simple for a scammer to pull off.

As you can see from the above screenshots, it is not easy to tell which one shows the real Apple ID request and which shows the fake one. Keep in mind that the fake one only comes up if you click a link in a text. The same sign-in pop-up will generally only appear legitimately from activity in your Settings menu (iTunes, iMessage, FaceTime, etc.).

First, take a deep breath. Instead of blindly filling out your information every time you get a password request, be sure of the source of that request. To do this, hit the home button, and then touch “Settings.” Look at iTunes, iMessage, and FaceTime. When you enter each of them, if your account needs authenticating, you will see a pop-up. This is a legitimate one.

Your Apple ID Doesn’t Expire and Other Facts

News flash – as previously stated, your Apple ID will not expire. Even if you forget your password, your username, or you haven’t used it in years, your ID is active.

Another thing you should know: use two-factor authentication with your Apple ID. This prevents most phishing scams that rely on fake “authentication” prompts.

You also might want to consider taking a screenshot of any scam message you get and reporting it to Apple by sending it to imessage.spam@apple.com. You can also use the “Report Junk” option if you get an iMessage from someone who is not a contact. This also sends the info directly to Apple. Mind you, I don’t do this. I don’t have the time. And there are millions of other people doing it.

If you get a scammy message via SMS (the green messages) or iMessage (the blue messages), you can report those, too, or just delete it and report it as junk so you don’t get it again. If you are inclined to report it, you will have to do that via the FTC website. Major mobile phone providers, including Verizon, T-Mobile, and AT&T, also allow customers to forward messages to 7726.

As of today, this password scam is out there, and it’s easy enough for people to create others, so use caution… and don’t forget to set up Apple’s two-factor authentication and account recovery details.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.