Holiday gift wish-lists, check. List of Cyber Monday deals, check. Malware installed while surfing the web to find the best deals…huh?
The holiday shopping season usually carries elevated risk – whether shopping at a mall or online. This year, Internet users face sophisticated cyber threats that have been active and evolving for the past year. End users – both at home and on business networks – must be vigilant to protect their identities, accounts, corporate intellectual property, and pocketbooks from being attacked and/or compromised by malware. No one wants to find their identity stolen or bank accounts emptied during the holiday season. A few currently popular methods of malware delivery include malicious spam emails, phishing emails, and exploit kits. The first two differ only in how narrowly they are targeted. Spam emails are less targeted than phishing emails, and are the type of message a user is most likely to receive in their home email account. Phishing messages generally target people within an organization or group – members of a financial services industry group or employees of a particular bank are good examples. Spear-phishing is the most targeted method and usually leverages information gathered about the targets to guide the message content.
All three of these methods use the same basic social engineering principle: an attacker crafts an email message to entice the recipient to open it. It could be about a package delivery, an invoice for your recent order, or a resume from a potential job applicant. At this time of year any of these topics seem legitimate, however, users must exercise caution and common sense.
Because the attacker uses ‘bait’ that is attractive to most people, they are relying on users clicking on links and opening attachments without critically reviewing the message for legitimacy first. Malware being delivered via these channels includes (but is not limited to): Dridex (banking Trojan that collects credentials from the compromised system); Dyre (banking Trojan that captures credentials); and CryptoWall (ransomware that encrypts all files on the infected system and any mapped shares).
As a recipient, you can help reduce the attacker’s chance of success by:
Take a moment to focus on the email instead of skimming it. Does it look legitimate? Were you expecting an invoice, delivery notification, etc.?
Check the sender email address to see if it appears bogus. (If the sender domain doesn’t match the company, it is a red flag.)
Hover over links to see if the text matches the destination URL. Note: on mobile phones you can touch and hold the link to have a box pop up that will show you the link. Press the “cancel” or “back” button to avoid going to the link. If these don’t match up, you are likely in a phishy situation.
Use an alternate method to validate the message, such as going directly to the company’s website.
Save the attachment and scan with anti-virus software before opening.
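Two of the checks above (does the sender domain belong to the company the message claims to be from, and does the visible link text match the link’s real destination) can be applied mechanically to a saved message. The script below is an added example, not code from the original post or from Jack Henry; the two email messages, and every address, domain and IP in them, are constructed for illustration, and the names `check_message` and `expected_domain` are chosen here. It uses only the Python standard library, so it runs offline.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail); every address, domain and
# IP below is made up for illustration.
SUSPICIOUS_EMAIL = """\
From: "Parcel Service" <notice@example-parcel-updates.net>
To: customer@example.com
Subject: Your package could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel is waiting. Please confirm your address:</p>
<p><a href="http://198.51.100.23/track/confirm">https://www.example-parcel.com/track</a></p>
<p><a href="https://www.example-parcel.com/help">Help center</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "Parcel Service" <notice@mail.example-parcel.com>
To: customer@example.com
Subject: Your package has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Track it here: <a href="https://www.example-parcel.com/track/123">www.example-parcel.com/track/123</a></p>
</body></html>
"""

# Visible link text is treated as "a URL" only if it has a host-like shape;
# plain words such as "Help center" are not compared against the href.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL; scheme-less text such as www.x.com/y is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw, expected_domain):
    """Return the red flags found in one raw RFC 822 message: a sender domain
    that is not the expected company domain (or a subdomain of it), and any
    link whose visible text names a different host than the href really
    points to. An empty list means neither check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    dom = sender_domain(msg)
    if dom != expected_domain and not dom.endswith("." + expected_domain):
        flags.append(f"sender domain {dom!r} does not match {expected_domain!r}")

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:
        if URL_LIKE.match(text) and hostname(text) != hostname(href):
            flags.append(f"link text shows {hostname(text)!r} but points to {hostname(href)!r}")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(name, check_message(raw, "example-parcel.com") or "no red flags")
```

Running it reports two flags for the constructed suspicious message (a look-alike sender domain and a link whose text shows the company’s site but whose href points at a bare IP address) and none for the legitimate one. The script only automates the two red flags the list names; it does not replace the other steps, such as confirming the message through the company’s own website.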
The third method for delivery mentioned above is called an exploit kit. Its purpose in life is exactly what it sounds like: to exploit as many systems as possible for the purpose of monetary gain. Exploit kits are used by crimeware gangs (and other actors) to infect susceptible systems when users browse to an infected site. They succeed by targeting vulnerabilities in plug-ins commonly used by end users’ web browsers, such as Adobe Flash. When a plug-in is out of date, it leaves the user susceptible to exploitation – therefore it is important to either remove plug-ins from your browser (if you do not use/maintain them), or to keep them up to date.
Users most frequently are infected by a website that was compromised or via a malicious ad pushed to an otherwise ‘safe’ website. The latter is affectionately called “malvertising” or a “drive-by-download.” Quaint, right? Probably not if you are the unfortunate victim of this attack.
Users usually are unaware that an exploit kit is firing in the background when this type of attack succeeds. Once the exploit kit successfully compromises a system, it attempts to install malware. Current malware payloads observed include CryptoWall 3.0 and 4.0 (ransomware that encrypts your files – and any files on mapped network shares – then demands payment in Bitcoin to decrypt them), TeslaCrypt (more ransomware), Bedep (a click-fraud Trojan that can also redirect the system to download other malware), and Vawtrak (banking Trojan that collects credentials).
For the tech-savvy, detailed technical examples of the different types of attacks and payloads may be found at the blog Malware Traffic Analysis and through Mr. Duncan’s ISC blog postings found here.
Now the most important part: What can you do to protect both yourself and your organization?
Often the simplest things make the biggest difference when it comes to protecting your data while surfing the Internet. Employing the following strategies will reduce your chance of infection and improve your ability to recover if your system is infected. Even seasoned cyber-security professionals have been known to click on a link from time to time by not paying attention. These strategies will help reduce the chance of infection even if you accidentally open the latest phishing message.
Patch your operating system. This goes for your computer, laptop, mobile phone, home router, etc. (“devices” going forward). Make sure you are patched. Also, for owners of newer cars, check with your automobile manufacturer to ensure there are no outstanding software updates available for your vehicle. [This author had her car stop working one night without notice. The culprit? A software update had not been applied and the old software was not communicating information correctly.]
Patch all software that is installed on your devices (Java, Adobe Flash, Silverlight, Office, Internet Explorer, Chrome, Firefox, etc.). Even if your operating system is patched, these other software packages may be vulnerable to exploitation.
Use software that automatically checks for any outdated versions, making it easier to know when and what to patch. (Example: Secunia PSI)
Use ad-blocking software to prevent websites from automatically loading advertisements.
Disable auto-play in your web browser (enable Click-to-Play) so embedded content does not automatically play without your interaction.
Run Anti-Virus and Anti-Malware protection on your Internet-accessible devices to identify, detect, and protect your system from known malware.
Keep an off-line backup of all critical, important files. For home users this may include tax documents, photographs, emails, and other electronic communications of high importance. For businesses this includes all critical business files.
Avoid clicking on links in emails, particularly if they are unsolicited or unexpected.
Virus-scan attachments before opening.
We hope you have a happy, safe, and fun holiday season – both in person and on the web!