Keep Yourself Safe, Keep Us All Safe
October 4th, 2023
You may recall news reports in early June 2023, regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. Keeping in mind that the vast majority of ransomware instances are not publicly reported, in order to avoid both embarrassment of the victims and attention for the perpetrators, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.
In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software, gaining access to users’ files before the software could be patched. This is what is referred to as a zero-day exploit, when software engineers have “0” days to patch a vulnerability prior to its exploitation. What made this extortion a bit atypical was the fact that the perpetrators did not follow the usual pattern of locking down victims’ computers until a ransom was paid, but instead threatened to release the sensitive data that had been accessed unless their ransom was paid, as always, in the form of Bitcoin or another cryptocurrency. According to the latest information published by Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.
The Value of Your Personal Data
Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.
- Credit card details, account balance up to $5,000: $110
- Credit card details, account balance up to $1,000: $70
- Stolen online banking logins, with a minimum balance of $2000 on account: $60
- Stolen online banking logins, with a minimum balance of $100 on account: $40
- Cloned Visa, MasterCard or American Express account with PIN: $20
- USA hacked credit card details with CVV: $15
- 50 Hacked PayPal account logins: $120
- Hacked Gmail account: $60
- Hacked Facebook or Instagram account: $25
- Hacked Twitter account: $20
- US eBay account: $20
- Netflix account, 1-year subscription: $20
- Hacked Spotify account: $10
- 10 million USA email addresses: $120
Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, the majority of breaches occur as the result of human error. Most typically, those errors involve unwarily responding to a phishing scam, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they utilize data from earlier corporate hacks. For example, if an email service provider has been hacked, its subscriber list will have been compromised, leading to subscribers receiving suspicious emails. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.
One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!
Take Precautionary Measures
I have said it before, and I will say it again: we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, you can be assured that it did not originate from the company whose graphics have been “borrowed” in order to enhance credibility. Hover over any links, and you will see that they go to some highly suspicious URLs. In addition, take the time to set up and utilize multi-factor authentication on every online account that involves either payments or passwords. Then be sure that you always use a secure and unique password for each site. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a hacked password on one account could lead to hacked access to multiple accounts, falling victim to what is referred to as a “credential stuffing” attack.
If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.
This post was written by Peter Pelland
Tags: cyber security, hackers, multi-factor authentication, personal data, personal privacy, phishing scams, ransomware Posted in Cyber Security, Uncategorized
You Think It Can’t Happen to You?
July 4th, 2021
If you are aware of ongoing news events, you know about the recent online cyberattacks at big companies like Colonial Pipeline and JBS. In both instances, ransomware was involved. Colonial Pipeline reportedly paid $4.4 million in ransom, after shutting down the delivery supply of gasoline, diesel, heating oil and jet fuel across much of the eastern United States, causing a spike in the prices that you have paid at the pump. In the case of JBS, the meat processing network across the United States, Canada and Australia has been affected, with the impacts being felt by consumers at grocery stores and supermarkets. It has not yet been disclosed at the time of this writing what ransom, if any, was paid by JBS, but it joins a wave of ransomware attacks against businesses and organizations since the start of the year that includes Molson Coors, E & J Gallo Wines, Kia Motors USA, and the District of Columbia Police Department. Most victims prefer to keep their companies’ identities anonymous for obvious reasons.
Lest you think that these attacks only target big businesses and our national infrastructure, think again. Also recently, a ransomware attack targeted the Steamship Authority, the Massachusetts transportation entity that runs the primary transportation network that connects Woods Hole on Cape Cod with the islands of Martha’s Vineyard and Nantucket, disabling its reservation system. You may be seeing a connection there that suggests that the tourism industry is more vulnerable than you may have imagined.
According to Cybercrime Magazine, a new business will be targeted by a ransomware attack every 11 seconds in 2021. The primary points of entry are vulnerable software (generally the result of a failure to apply security patches, or of the installation of apps that are either insecure or intentionally contain malware) and email phishing. According to Fortinet, 1 in 3,000 emails sent to businesses that pass typical security filtering contains malware, including ransomware. The average downtime for a business that has been attacked is 19 days, and the average ransom paid is nearly $250,000.00. An attack on a small business would involve a smaller ransom, but could you afford to pay $25,000.00, or to be unable to access your reservation system for days on end? A large percentage of these ransoms are covered by cybersecurity insurance, for businesses that carry that coverage. The ransoms always require payment in cryptocurrency, leaving the perpetrators totally untraceable beyond generalities regarding their country of origin.
Although it is true that the reports that we see covered by the national news media involve larger organizations, where the impacts are more broadly disruptive, smaller businesses are generally far more vulnerable and even more likely to be targeted. The recent surge in employees working from home, where security standards are usually less stringent, has also contributed to the proliferation of attacks. The smaller your company, and the more personally associated you are with that business, the more likely you are to be an easy target. If you are one of the hundreds of millions of people with an account on either Facebook or LinkedIn, your personal data has already been stolen since the start of this year and is being freely distributed on the Dark Net. That data likely includes your name, address, email address, phone number and more. There is a connection between these data breaches and the phishing emails and scam phone calls that you receive.
One common point of entry in recent weeks has been email that allegedly comes from your email service provider, claiming that your email account has been put on hold pending some sort of “verification”. While I was writing this, one of my clients forwarded me one such email that she had just received. The “verification” link was a cryptic 200-character URL based in India. How many people, through either carelessness, naivety, or a sense of panic over the thought of losing their email access, will click on those links?
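As an added example (not code from the original post), the following Python check looks for the two warning signs described in this post and in the earlier post's advice to hover over links: visible link text that names a domain different from the link's real destination, and unusually long, opaque “verification” URLs. The email body and the example.* domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, max_len=120):
    """Return (href, reason) for each link a reader should not click blindly."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower()
        # If the visible text looks like a URL or domain, it must match the real
        # destination host (exactly or as its parent domain); otherwise it is a decoy.
        claim = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        if claim and host != claim.group(1) and not host.endswith("." + claim.group(1)):
            findings.append((href, f"text shows {claim.group(1)} but link goes to {host}"))
        elif len(href) > max_len:
            # A "verification" link made of hundreds of opaque characters is the second red flag.
            findings.append((href, f"link is {len(href)} characters long"))
    return findings

# Constructed sample resembling the "account on hold" email described above;
# the example.* domains are placeholders.
SAMPLE_EMAIL = (
    "<p>Your mailbox has been put on hold pending verification.</p>"
    '<p><a href="https://mail-verify.example.net/login">https://webmail.example.com</a></p>'
    '<p><a href="https://example.org/' + "x" * 190 + '">Cancel the requested deactivation</a></p>'
    '<p><a href="https://example.com/help">example.com/help</a></p>'
)

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(reason, "->", href[:60])
```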
Email service providers are getting far more vigilant about trying to stop malicious emails before they reach your inbox, but it is a frustratingly endless task. Users get upset if legitimate emails they either send or receive are falsely flagged. One of the large email service providers that my company uses for many of our clients’ email accounts found itself blacklisted by Microsoft about a month ago, after a single user had sent out an email with malicious content. As a result, thousands of subsequent legitimate messages were not reaching their intended recipients at either Outlook or Hotmail email addresses. Then yesterday, an email account for one of our clients was automatically disabled after she had sent out an email to a couple hundred seasonal campers with a Microsoft Word document attached, a risky violation of typical email terms and conditions. She was unaware that Word documents are frequently used to harbor malware and that this would trigger a red flag.
In other instances, we have clients who ask us to set up email accounts for every new employee, typically designating a weak password to be used. We reluctantly follow instructions, but include a link to Security.org’s HowSecureIsMyPassword.net website, which can show that the designated password could be cracked by any computer in a day or less.
When it comes to employee email accounts, the questions you should ask yourself are:
- Does this employee actually need his own email account?
- Are you prepared to pay the costs and disruption to your business if your network is breached as the result of using a weak password?
- Are you prepared to pay a ransom because a minimum wage employee with little or no training in cybersecurity standards clicks on a malicious link?
- Do you give every employee a key to your front door and access to your cash register?
Ignoring these concerns comes at your own peril. Would you leave your car unlocked on a city street, maybe with the windows open, and maybe even with the keys left on the seat? If your car were stolen, you would only have yourself to blame; however, if the car was then used to intentionally drive into a crowd of people, you would be guilty of criminal negligence. Another example would be somebody working the night shift at a convenience store, having a handgun for security and leaving it on the counter. That would be an invitation for an armed robbery and potential injuries or deaths.
If you would never think of doing anything as careless as either of those two examples, why would you use a weak password, or use the same password for multiple purposes? Using the same password to access more than one email account or online application is like leaving those keys on the seat of your unlocked automobile, except that the key ring includes the keys to every other vehicle that you own, the front door to your office, and the front door to your home.
You think it can’t happen to you? Think again!
This post was written by Peter Pelland
Tags: ransomware Posted in Cyber Security