Pelland Blog

Keep Yourself Safe, Keep Us All Safe

October 4th, 2023

You may recall news reports in early June 2023 regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. While the vast majority of ransomware incidents are never publicly reported, both to spare the victims embarrassment and to deny the perpetrators attention, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.

In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software, gaining access to users’ files before the software could be patched. This is what is referred to as a zero-day exploit: the software engineers have had “0” days to patch the vulnerability before it is exploited. What made this extortion a bit atypical was that the perpetrators did not follow the usual pattern of locking down victims’ computers until a ransom was paid, but instead threatened to release the sensitive data they had accessed unless their ransom was paid, as always, in Bitcoin or another cryptocurrency. According to the latest information published by Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.

The Value of Your Personal Data

Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.

  • Credit card details, account balance up to $5,000: $110
  • Credit card details, account balance up to $1,000: $70
  • Stolen online banking logins, with a minimum balance of $2,000 on account: $60
  • Stolen online banking logins, with a minimum balance of $100 on account: $40
  • Cloned Visa, MasterCard or American Express account with PIN: $20
  • USA hacked credit card details with CVV: $15
  • 50 Hacked PayPal account logins: $120
  • Hacked Gmail account: $60
  • Hacked Facebook or Instagram account: $25
  • Hacked Twitter account: $20
  • US eBay account: $20
  • Netflix account, 1-year subscription: $20
  • Hacked Spotify account: $10
  • 10 million USA email addresses: $120

Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, the majority of breaches occur as the result of human error. Most typically, those errors involve unwarily responding to a phishing scam, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they utilize data from earlier corporate hacks. For example, if an email service provider has been hacked, its subscriber list will have been compromised, leading to subscribers receiving suspicious emails. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.

One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!

Take Precautionary Measures

I have said it before, and I will say it again: we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, you can be assured that it did not originate from the company whose graphics have been “borrowed” to enhance its credibility. Hover over any links and you will see that they point to highly suspicious URLs. In addition, take the time to set up and use multi-factor authentication on every online account that involves either payments or passwords. Then be sure that you always use a strong and unique password for each site. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a hacked password on one account can lead to hacked access to multiple accounts, falling victim to what is known as a “credential stuffing” attack.
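The hover-over-the-link advice above can be automated for a whole message. The following script is an added example, not code from the original post: it pulls each link out of an HTML email body and flags it when the destination lies outside the sender's domain, when the visible link text names a different site than the actual href, or when the URL is unusually long. The sender domain, the length threshold and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Added example, not the blog's code; threshold and sample data are assumptions.
MAX_URL_LEN = 150  # an opaque URL longer than this deserves a second look
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", re.I)


def registrable(host):
    """Crude 'example.net' from 'mail.example.net' (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def extract_links(html):
    """(href, visible text) for each simple <a href="..."> in the body."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR.findall(html)]


def suspicious_links(html, sender_domain):
    """Return (href, reasons) for each link a reader should not click blindly."""
    findings = []
    for href, text in extract_links(html):
        host, reasons = urlparse(href).hostname or "", []
        if registrable(host) != registrable(sender_domain):
            reasons.append("destination is outside the sender's domain")
        shown = DOMAIN_LIKE.fullmatch(text)  # does the text itself look like a URL?
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("visible text names a different site than the href")
        if len(href) > MAX_URL_LEN:
            reasons.append(f"URL is {len(href)} characters long")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a "mailbox on hold" notice whose verify link is not what it shows.
SAMPLE_SENDER = "mailhost.example"
SAMPLE_HTML = (
    "<p>Your mailbox is on hold pending verification.</p>"
    '<a href="https://verify-now.example.net/' + "x" * 190 + '">'
    "https://webmail.mailhost.example/verify</a> "
    '<a href="https://webmail.mailhost.example/help">Help</a>'
)

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML, SAMPLE_SENDER):
        print(href[:50] + "...", reasons)
```

The "Help" link passes because it stays on the sender's domain and its text is not a URL; the "verify" link trips all three checks.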

If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.

This post was written by Peter Pelland

You Think It Can’t Happen to You?

July 4th, 2021

If you are aware of ongoing news events, you know about the recent online cyberattacks at big companies like Colonial Pipeline and JBS. In both instances, ransomware was involved. Colonial Pipeline reportedly paid $4.4 million in ransom, after shutting down the delivery supply of gasoline, diesel, heating oil and jet fuel across much of the eastern United States, causing a spike in prices that you have paid at the pump. In the case of JBS, the meat processing network across the United States, Canada and Australia has been affected, with the impacts being felt by consumers at grocery stores and supermarkets. It has not yet been disclosed at the time of this writing what ransom, if any, was paid by JBS, but it joins a wave of ransomware attacks against businesses and organizations since the start of the year that includes Molson Coors, E & J Gallo Wines, Kia Motors USA, and the District of Columbia Police Department. Most victims prefer to keep their companies’ identities anonymous for obvious reasons.

Lest you think that these attacks only target big businesses and our national infrastructure, think again. Also recently, a ransomware attack targeted the Steamship Authority, the Massachusetts transportation entity that runs the primary transportation network that connects Woods Hole on Cape Cod with the islands of Martha’s Vineyard and Nantucket, disabling its reservation system. You may be seeing a connection there that suggests that the tourism industry is more vulnerable than you may have imagined.

According to Cybercrime Magazine, a new business will be targeted by a ransomware attack every 11 seconds in 2021. The primary points of entry are vulnerable software (generally the result of a failure to apply security patches, or the installation of apps that are either insecure or intentionally contain malware) and email phishing. According to Fortinet, 1 in 3,000 emails that are sent to businesses and pass typical security filtering contains malware, including ransomware. The average downtime for a business that has been attacked is 19 days, and the average ransom paid is nearly $250,000.00. An attack on a small business would demand a smaller ransom, but could you afford to pay $25,000.00 or be unable to access your reservation system for days on end? A large percentage of these ransoms are covered by cybersecurity insurance, for businesses that carry that coverage. The ransoms always require payment in cryptocurrency, making the perpetrators totally untraceable other than generalities regarding their country of origin.

Although it is true that the reports that we see covered by the national news media involve larger organizations where the impacts are more broadly disruptive, smaller businesses are generally far more vulnerable and even more likely to be targeted. The recent surge in employees working from home, where security standards are usually less stringent, has also contributed to the proliferation in attacks. The smaller your company, and the more personally associated you are with that business, the more likely you are to be an easy target. If you are one of the hundreds of millions of people with an account on either Facebook or LinkedIn, your personal data has already been stolen since the start of this year and is being freely distributed on the Dark Net. That data likely includes your name, address, email address, phone number and more. There is a connection between these data breaches and the phishing emails and scam phone calls that you receive.

One common point of entry in recent weeks has been email that allegedly comes from your email service provider, claiming that your email account has been put on hold pending some sort of “verification”. While writing this, one of my clients forwarded me one such email that she had just received. The “verification” link was a cryptic 200-character URL based in India. How many people, through either carelessness, naivety, or a sense of panic over the thought of losing their email access, will click on those links?

Email service providers are getting far more vigilant about trying to stop malicious emails before they reach your inbox, but it is a frustratingly endless task. Users get upset if legitimate emails they either send or receive are falsely flagged. One of the large email service providers that my company uses for many of our clients’ email accounts found itself blacklisted by Microsoft about a month ago, after a single user had sent out an email with malicious content. As a result, thousands of subsequent legitimate messages were not reaching their intended recipients with either Outlook or Hotmail email addresses. Then yesterday, an email account for one of our clients was automatically disabled after she had sent out an email to a couple hundred seasonal campers with a Microsoft Word document attached, a risky violation of typical email terms and conditions. She was unaware that Word documents are frequently used to harbor malware and that this would trigger a red flag.

In other instances, we have clients who ask us to set up email accounts for every new employee, typically designating a weak password to be used. We reluctantly follow instructions, but include a link to Security.org’s HowSecureIsMyPassword.net website, which can show that the designated password could be cracked by any computer in a day or less.

When it comes to employee email accounts, the questions you should ask yourself are:

  1. Does this employee actually need his own email account?
  2. Are you prepared to pay the costs and disruption to your business if your network is breached as the result of using a weak password?
  3. Are you prepared to pay a ransom because a minimum wage employee with little or no training in cybersecurity standards clicks on a malicious link?
  4. Do you give every employee a key to your front door and access to your cash register?

Ignoring these concerns comes at your own peril. Would you leave your car unlocked on a city street, maybe with the windows open, and maybe even with the keys left on the seat? If your car were stolen, you would have only yourself to blame; however, if the car was then used to intentionally drive into a crowd of people, you would be guilty of criminal negligence. Another example would be somebody working the night shift at a convenience store, having a handgun for security and leaving it on the counter. That would be an invitation for an armed robbery and potential injuries or deaths.

If you would never think of doing anything as careless as either of those two examples, why would you use a weak password, or use the same password for multiple purposes? Using the same password to access more than one email account or online application is like leaving those keys on the seat of your unlocked automobile, except that the key ring also includes the keys to every other vehicle that you own, the front door to your office, and the front door to your home. You think it can’t happen to you? Think again!

This post was written by Peter Pelland