Criminals will inject malicious code into a legitimate web page to steal a user's data. Typically this technique is used on check-out or payment forms on e-commerce sites.
This type of attack was employed in the recent Ticketmaster and BA data breaches, but those are only two high-profile examples; it is very likely that a huge number of websites are currently at risk.
Formjacking can be difficult to detect for both user and vendor. Web pages will look and function the same to the user, and the information entered into a form is still sent through to the vendor. It's only in the background that the attacker is copying the data.
Training and Awareness - in some cases, formjacking requires a user to click on a malicious link or visit a malicious website which will prompt them to fill in sensitive data. It's important that you and your colleagues can recognise when attackers are employing this tactic. Make sure to check that the URLs of websites in the address bar are what they should be (e.g. look for misspellings, numbers instead of letters, irregular domain endings).
Ensure that your firewalls have been correctly configured, so that known suspicious websites are not accessible. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
Where a legitimate website is compromised, it can be very difficult to protect against. Formjacking can be a type of Supply Chain Attack, in that criminals can target companies through the web services that they use. This should serve as a reminder to always do your due diligence when deciding which online services you use, and how you use them. Think about what security measures they have in place e.g. are they Cyber Essentials certified? How would they notify/work with you in the event of a cyber incident?
FOR DEVELOPERS / IT ADMINS
Always integrate security into the development process. Scan internal codebases at different stages of the development cycle for anomalies.
Access Controls - ensure that only employees who need to have the ability to edit important source code can do so.
Strong Content Security Policies - control which domains are allowed to communicate with your website, and how. If done correctly, CSPs can prevent malicious code from sending compromised data to other servers.
Check CiSP! - the Cyber Security Information Sharing Partnership is regularly updated with example code and other Indicators of Compromise (IOCs) to help identify these types of threats.
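As an added illustration of the CSP advice above (this is example code written for this page, not Blueloop's or any project's own tooling), the script below parses a Content-Security-Policy header and reports the directives that matter for formjacking: `script-src` (what code may run) and the three "exit routes" an injected script would use to send copied form data elsewhere, namely `connect-src` (fetch/XHR/beacon), `form-action` (where a form may be submitted) and `img-src` (image requests abused as uploads). The two sample policies and the host names in them (`js.cdn.example.test`, `api.payments.example.test`) are constructed; the fallback behaviour it encodes (`form-action` does not inherit from `default-src`, the others do) is standard CSP.

```python
# Directives whose absence falls back to default-src; form-action notably does not.
FALLBACK_TO_DEFAULT = {"script-src", "connect-src", "img-src"}
# Directives that control where page data can be sent: the formjacking exit routes.
EXIT_DIRECTIVES = ("connect-src", "form-action", "img-src")
# Source expressions that effectively allow any origin or any inline code.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources that actually apply to a directive after CSP fallback rules.
    Returns None when nothing restricts it (any destination allowed)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def audit_csp(header: str) -> list:
    """Return human-readable findings; an empty list means the policy
    restricts script loading and every data exit route to named origins."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src",) + EXIT_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unset, so any origin is allowed")
            continue
        permissive = sorted(set(sources) & PERMISSIVE_SOURCES)
        if permissive:
            findings.append(f"{directive}: permissive source(s) {' '.join(permissive)}")
    return findings


# Constructed weak policy: looks restrictive but 'https:' allows every HTTPS origin
# and form-action is never set, so an injected script can post the card details anywhere.
WEAK_CSP = "default-src 'self' https: 'unsafe-inline'"

# Constructed hardened policy: every directive names the exact origins it needs.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.cdn.example.test; "
    "connect-src 'self' https://api.payments.example.test; "
    "form-action 'self'; "
    "img-src 'self'; "
    "object-src 'none'; base-uri 'self'; "
    "report-uri /csp-report"
)

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, audit_csp(csp) or ["no findings"])
```

Two caveats worth keeping in mind when you tune a real policy: `'self'` still permits data to be sent to your own origin, so CSP limits where stolen data can go rather than whether a script can read the form, and a `report-uri` (or `report-to`) endpoint turns blocked requests into an alert, which is the detection half of the control. Allow-listing a third-party script host also does nothing if the file on that host is itself modified, which is the supply-chain case this page describes.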
It’s a common theme in the news: ‘Company X has had a security breach and Y customer details have been leaked’. But what does this actually mean?
Cyber Crime is big business and it is believed that through 2017 Cyber Crime may have cost the world around $600 billion. For many of these criminals it is their day job and your data are their pay cheques.
Among many other methods to obtain money, one tactic is for an attacker to infiltrate a business computer network and find personal data stored on their systems. This could be names, email addresses, credit card numbers and details, passwords etc. This information is then uploaded to marketplaces on the Dark Web for other people to buy.
Taken from Experian, below is an estimate on how much your data can be purchased for on the Dark Web:
People purchasing this information can buy specific pieces of information such as a person’s passport details or bulk data with various categories from many different sources.
Other attackers can then use this information to create further attacks. For example, someone could find your full name and a password that was used on a breached website. They could then check online for other accounts under the same person’s name, e.g. Facebook, LinkedIn, online banking etc., and then try the leaked password on these sites.
How many of us use the same password for multiple site logins?
Therefore, if your data has been leaked and you have been notified of this, you should take all steps necessary to prevent yourself being the next victim.
To find out if your password has been leaked please visit https://haveibeenpwned.com , where you can check your email addresses to see if they are associated with any breaches and also find out what data was leaked.
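The check that site offers for passwords works without ever sending your password to it, and the mechanism is worth seeing. The added example below (written for this page, not haveibeenpwned.com's own code) implements the Pwned Passwords "range" lookup: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent, the service answers with every known hash suffix sharing that prefix, and the match is made on your machine. The API URL is the real one, but the response used here is a constructed sample so the script runs offline; the breach count it contains is illustrative, not a live figure.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; the request carries only a 5-char prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for one API response ("SUFFIX:COUNT" per line). The real list
# for this prefix is far longer and the counts change over time.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
    "7A1BFB8F3ECB4B3A0C9BE5ED1D6B3D1D7F3:12",
])


def hash_prefix_and_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    range_lookup(prefix) must return the raw text of the range response."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def sample_lookup(prefix: str) -> str:
    """Offline lookup that only knows the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_lookup(prefix: str) -> str:
    """Real lookup over HTTPS (not used by the offline demo below)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-9f3k"):
        print(f"{candidate!r}: seen {breach_count(candidate, sample_lookup)} times")
```

Swap `sample_lookup` for `live_lookup` to query the service; the shape of the code is the same, which is the point of the k-anonymity design. A password that comes back with any non-zero count should be treated as burned and replaced everywhere it was used.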
For any further information please do not hesitate to contact us!
A criminal will create a fake URL (website) which looks like a legitimate and secure website, but is actually set up to steal sensitive information for malicious purposes.
Criminals will attempt to lure users into visiting the fake URL via phishing emails/SMS/social media. Typically, attackers have targeted financial services for a direct profit gain, however they also employ this tactic in many other scenarios.
For example, recently universities in the UK have been targeted by overseas criminal groups. Attackers are using fake phishing websites which then redirect users to real login screens. By doing this, the attackers can then record any login details used, giving them access to online libraries which may include valuable intellectual property.
Make certain that you know how to defend against phishing. For detailed guidance, check out the entry on phishing from the NCSC's Small Business Guide [ https://www.ncsc.gov.uk/guidance/avoiding-phishing-attacks ].
Always check that the URL of the website you are being asked to log into is what you are expecting (look for misspellings or variations of phrasing, and misleading domain endings e.g. 'orguk.com'). Other signs include a website not behaving in a typical way (odd pop-ups, incorrect links, inconsistent content).
Protect your devices by ensuring that all software is frequently being patched and updated. These attacks exploit vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.
Ensure that firewalls have been correctly configured to reduce the ability to visit malicious websites. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
Install and run Antivirus software - make sure that it's updated regularly.
A criminal will identify a website that is frequented by users inside a target organisation, compromise that website, and use it to distribute malicious software to the users.
Watering hole attacks are an example of a supply chain attack, whereby criminals target websites thought to be regularly used by organisations of interest to them. These types of attacks are becoming increasingly successful with the increased use of third party web based services.
A victim may be unaware that malware has been downloaded during their session; this is known as a 'drive by' attack. Alternatively, as they are usually on a trusted site, they may consciously download a file without knowing what it really contains.
Typically, the malware used will be a Remote Access Trojan, which will enable the attacker to gain remote access to a target system to then perform a number of functions e.g. reconnaissance / exfiltrating data / distributing other malware.
Watering Hole attacks are a type of Supply Chain attack, so it's important that both your new and existing suppliers are evaluated for their cyber risk. Consider contractual clauses focused on security, and challenge your suppliers to practice and develop processes for reacting to compromise or data breaches. Note: Cyber Essentials accreditation is a good indicator for a supplier's reputation.
Protect your devices and network by ensuring that everything is frequently being patched and updated. Watering Hole attacks exploit bugs and vulnerabilities, so it is crucial that you are using the latest versions of any software you have, and apply security patches promptly.
Network Security - ensure that your firewalls and any other security products have been correctly configured to monitor and filter web traffic effectively. Monitoring your network for abnormalities is especially key to detecting malicious behaviour. If you are not responsible for this, ask your IT manager/provider to confirm this is being done.
Threats that result from the actions of an employee, former employee, or stakeholder. Insider threats can be intentional or unintentional.
Significant damage can be caused to a company by anyone who has, or at one time had, access to confidential or proprietary information. Insiders have knowledge and understanding of internal processes and structures, making it easier for them to cause incidents. As they already have access to company systems and physical premises, it can also be much harder for those incidents to be detected; this is a good example of why a company cannot rely solely on security software to detect threats.
If an insider is actively seeking to harm a business, then they may use their login credentials to steal customer data or Intellectual Property, sabotage data or applications, or even expose sensitive email conversations which could cause reputational damage. These types of actors could be acting on personal motives (financial, emotional, or political), for a competitor, or under direction from other malicious parties e.g. extortion attempts.
The unintentional insider threat can be just as damaging. Although there may be no intent to do harm, employees often make mistakes, they can have their accounts compromised, and they can also be socially engineered by attackers to enable malicious actions. Unfortunately, the majority of security incidents can be traced back to human error in some capacity.
Implement good hiring policies - make sure staff are vetted to a suitable degree. This should extend to third-party vendors, sub-contractors and other partners.
Review firing policies - this includes revoking user access to systems before employees are informed that they are being let go, escorting them off premises, and changing any login credentials that they might know of.
Use the principle of 'Least Privilege', which maintains that employees should only have access to data which they need for their role. Reducing the number of privileged staff means fewer staff who can conduct malicious activity, fewer accounts to be hacked, and fewer people to make high profile mistakes. With this in mind, it's important to update employee privileges when they change jobs, so they don't retain access to unnecessary and sensitive data.
Segregation of duties - although you should reduce the number of privileged staff as outlined above, it's also good practice to make sure that business sensitive processes require more than one person to complete them. This can reduce fraud, error, and overreliance on single employees.
Monitor user action. There are software solutions which monitor work sessions and network performance to detect abnormal user behaviour - this can be an option for organisations who have the budget and need to put this in place. Alternatively, if this isn't a suitable option, use the information available to you to observe how staff operate. It may be good practice to analyse business performance at certain times e.g. when certain employees are away on leave/busy financial periods etc.
Implement regular cyber security training - this should cover all manner of threats, including social engineering and associated attacks such as Phishing/Spear Phishing/Business Email Compromise/CEO Fraud. Build a healthy working environment which encourages open communication. Not only can this reduce the likelihood of employees becoming malcontent, but staff will be more ready to discuss any security concerns they might have around their own work and that of others.
A type of phishing attack where criminals impersonate senior executives, or departmental authority figures, in order to socially engineer victims into sending financial or other sensitive information to the attacker.
There are various methods involved in BEC. One method attackers may employ is to use malicious software kits to gain access to a company's webmail exchange service. Once they have this access, they can then intercept invoices and alter payment details, or pose as senior employees to authorise transfers to fraudulent accounts.
Other methods include designing an email to look as authentic as possible. For example, a fraudster may register a domain which looks very similar to a pre-existing legitimate one, and attempt to solicit fraud using associated email accounts. This was raised in a recent ActionFraud report regarding university suppliers. The report highlighted how attackers are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.
These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.
- Educate and train staff to be aware of and recognise BEC. Consider running simulated BEC/phishing exercises.
- Agree secure processes between employees internally and externally for your organisation to confirm certain purchases. Consider segregating duties, and make certain that employees know their responsibilities with regard to these processes.
- Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the customer's own website – do not use the details given in the suspicious email for verification purposes.
- If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
- Check any correspondence and documents for inconsistencies in spelling, grammar and content – this can be a sign that fraudsters are at work.
- Install and frequently update antivirus and anti-malware software to protect against malicious software.
- Consider employing DMARC, a free email authentication solution; the Global Cyber Alliance provides an online setup guide at https://dmarc.globalcyberalliance.org
- Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at www.actionfraud.police.uk or call 0300 123 2040).
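The lookalike domains described in the BEC section above (xxxxacu-uk.org and the like) and the URL-checking advice in the phishing section are two sides of the same check, and it can be automated for inbound mail. The script below is an added example written for this page (not Blueloop's or any supplier's tooling): it classifies a sender's domain against a list of domains the organisation knows to be genuine, catching the three tricks the page mentions, namely a different domain ending, the genuine name embedded in another domain, and digits or near-miss spellings standing in for letters. The known-good domains, the sample senders and the tiny public-suffix table are all constructed; a production version would load the full Public Suffix List.

```python
# Constructed list of domains this organisation knows to be genuine.
KNOWN_GOOD_DOMAINS = ["exampleuni.ac.uk", "example-supplier.co.uk"]

# Constructed subset of multi-label public suffixes (the real Public Suffix List is long).
MULTI_LABEL_SUFFIXES = ("ac.uk", "co.uk", "org.uk", "gov.uk")

# Digits commonly swapped in for visually similar letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def split_domain(domain: str) -> tuple:
    """Return (registrable name, public suffix), e.g. ('exampleuni', 'ac.uk').
    Subdomains are dropped so mail.exampleuni.ac.uk maps to the same pair."""
    domain = domain.lower().strip(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            rest = domain[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1], suffix
    rest, _, suffix = domain.rpartition(".")
    return rest.rsplit(".", 1)[-1], suffix


def normalise(label: str) -> str:
    """Fold confusable digits and separators so 'examp1e-uni' compares as 'exampleuni'."""
    return label.lower().translate(CONFUSABLES).replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(candidate: str, known_good=KNOWN_GOOD_DOMAINS) -> str:
    """'legitimate', 'unrelated', or 'lookalike of <domain>: <reason>'."""
    cname, csuffix = split_domain(candidate)
    if any((cname, csuffix) == split_domain(legit) for legit in known_good):
        return "legitimate"
    for legit in known_good:
        lname, _ = split_domain(legit)
        nc, nl = normalise(cname), normalise(lname)
        if nc == nl:
            return f"lookalike of {legit}: same name with substituted characters or a different domain ending"
        # Length guards stop very short brand names matching everything.
        if len(nl) >= 5 and nl in normalise(cname + csuffix):
            return f"lookalike of {legit}: genuine name embedded in a different domain"
        if len(nl) >= 6 and levenshtein(nc, nl) <= 2:
            return f"lookalike of {legit}: near-miss spelling"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender domains of the kinds described on this page.
    for sender in ("exampleuni.ac.uk", "exampleuni-ac.uk", "exampleuniacuk.org",
                   "examp1euni.ac.uk", "exmpleuni.ac.uk", "otherdomain.com"):
        print(f"{sender:22} -> {classify_sender_domain(sender)}")
```

A "lookalike" verdict is a reason to pick up the phone using a number you already hold, exactly as the list above says; it is not proof of fraud on its own, because legitimate partners do occasionally register odd secondary domains.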
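The DMARC suggestion in the list above is only as good as the record you publish, and a common mistake is to stop at the monitoring policy. As an added example for this page (not the Global Cyber Alliance's code), the checker below parses a DMARC TXT record, which lives at `_dmarc.<your-domain>`, and grades it: `invalid`, `monitor-only` (`p=none`, which reports but still delivers spoofed mail), `partial` (`pct` below 100) or `enforcing`. The sample records and the `exampleuni.ac.uk` reporting addresses are constructed.

```python
def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> tuple:
    """Return (level, notes); level is 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    tags = parse_dmarc(txt)
    notes = []
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid", ["record must start with v=DMARC1 and contain a p= policy"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unknown policy {policy!r}"]
    if "rua" not in tags:
        notes.append("no rua= address: without aggregate reports you will not see spoofing attempts")
    # Subdomain policy defaults to the main policy when sp= is absent.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves subdomains unprotected")
    if policy == "none":
        notes.append("p=none only reports; receivers still deliver mail that fails checks")
        return "monitor-only", notes
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
        return "partial", notes
    return "enforcing", notes


# Constructed records as they would appear in the _dmarc.exampleuni.ac.uk TXT entry.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@exampleuni.ac.uk"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; "
             "rua=mailto:dmarc-reports@exampleuni.ac.uk")

if __name__ == "__main__":
    for record in (MONITOR_ONLY, ENFORCING):
        level, notes = assess_dmarc(record)
        print(level, notes)
```

Two practical points: DMARC needs SPF and/or DKIM set up first, since it decides what to do when those checks fail or do not align, and it only protects your exact domain. It does nothing against the registered lookalike domains described above, because the fraudster legitimately owns those; that is why the staff checks in the list remain necessary.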
With the release of Chrome 68 this week, Google is now taking steps to make the web safer and is marking all websites that are not HTTPS as ‘Not Secure’.
With an HTTP site there is no SSL certificate to encrypt your connection to the web server, so anything sent over an HTTP connection is in plain text. Passwords, names, addresses, personal and bank details etc. are not encrypted, giving an attacker the opportunity to intercept this information.
So, if your website is still running as HTTP, any of your visitors that are using Google Chrome will be warned with a ‘Not Secure’ message when visiting your website.
By upgrading to HTTPS you also get the added benefit of Google algorithms favouring your website so that your Google ranking will be higher!
If you need more information please give us a call on 01460 271055.
IoT devices are any physical devices that are able to connect to and communicate over the internet. This connectivity allows new opportunities for cyber criminals.
IoT devices such as cameras, home sensors, and even baby monitors have become hugely popular. Unfortunately, security has been an after thought for many manufacturers and consumers. Here are some threats related to IoT devices that you should be aware of.
Weak passwords, and a lack of two factor authentication on many devices can make it easy for an attacker to gain access to your devices.
Lack of Encryption
Unencrypted data, possibly even passwords being sent over the air with no protection (a recent story involved IoT lightbulbs doing just this between each other).
Are cameras showing weak points? Employee screens? Stock levels? An attacker could leverage this for malicious purposes.
Insecure software / hardware / firmware
Some devices are unable to receive updates with security patches, or it may be that manufacturers simply do not release updates. This is a huge vulnerability. Similarly, if device credentials are hard coded (i.e. unable to be changed) and are ever exposed, it becomes much easier for an attacker to compromise that device, as well as potentially other devices on that network.
Do you have ports open that shouldn't be? Could the device be compromised to conduct DDoS attacks?
As many organisations want to support mobile, team-oriented and non-routine ways of working, an increasing number of them are looking for assistance in adopting digital workplace technology. A recent Gartner, Inc. survey concluded that only 7 percent to 18 percent of organisations possess the digital dexterity to adopt new ways of work (NWOW) solutions, such as virtual collaboration and mobile working.
Not surprisingly, they found that the youngest age group (18-24) are the most likely adopters of NWOW, closely followed by the oldest (55-74). The group at the low point of the adoption dip (35-44) were potentially feeling fatigued with the routines of life as middle age approaches: they were most likely to report that their jobs are routine, had the dimmest view of how technology can help their work, and were the least interested in mobile work.
It seems that the days of snow are finally behind us and that big golden thing in the sky has made an appearance.
It’s time to enjoy the warmer temperatures but have you thought about the effect that the temperature has on your IT Equipment?
You may have seen this error on your Phone or Tablet from time to time and you should always take measures to cool it as soon as possible.
If you are out in the sun, get it into the shade and allow it to cool, as extended periods of heat can cause faster deterioration of the internal components and shorten the life of the battery. Mobile devices should be kept between 0°C and 35°C.
In your server room you run similar risks as extended periods of heat give you a much higher risk of system failure and downtime.
A server should be kept running at between 20°C and 24°C, and dangerous temperatures are classed as anything higher than 30°C.
If your server room is beyond this limit, installation of an air conditioning unit should be considered.
With a Blueloop Packaged Services Agreement we can monitor the temperature for you and take appropriate and safe shut-down action in extreme cases.
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data.
The reported number and scale of data breaches has continued to increase, with recent examples such as Dixons Carphone and PageUp as examples of larger organisations being exposed. Associated threats are many, including the potential for a number of various frauds using the actual data gained from the breach, or the media awareness around the breach (e.g. phishing/vishing/smishing attempts from attackers masquerading as employees of the affected company, or regulatory authorities etc.).
If an organisation suffers a data breach, then the consequences can be dire. Financial damages can now include hefty fines from the ICO for non-compliance, and the reputational damage can be incredibly difficult to recover from.
The techniques used in many cases are often not particularly advanced. Examples include exploiting unpatched vulnerabilities or spear-phishing, and a large number of incidents have been caused by third party suppliers failing to secure data properly. This highlights the importance of getting basic technical and procedural security measures right.
A major hardware distributor was the victim of a network intrusion whereby suspects had gained access to the backend of their .eu and .ie domains, through a vulnerability with the company’s webserver. It is believed that the suspect identified the type of webserver which the domains were hosted on using security scanning software tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform, which is used to manage their online financial transactions. Unfortunately, the Magento software which they use was vulnerable to cross site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months, and had not been patched.
XSS is a code injection attack whereby an attacker can inject malicious scripts (payloads) into a legitimate website or web application, which are then executed by an end user. The XSS would have given the suspect(s) access to the backend of their .ie and .eu domains, and from there the suspects had brute forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
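To make the XSS definition concrete, here is an added example written for this page (generic Python, not Magento's code and not the software from the case study) showing the defect beside its fix: user input pasted straight into HTML versus the same input escaped for the context it lands in. Text, attribute values and `href` targets each need their own treatment, which is why the example covers all three; the function names and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit


def render_results_unsafe(query: str) -> str:
    """VULNERABLE: the search term is pasted straight into the page body,
    so a term containing markup or a script tag is executed by every visitor's browser."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    """HARDENED: escape <, >, &, quotes for the HTML text context before output."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def safe_href(url: str) -> str:
    """Links built from untrusted data: allow only http(s) or site-relative paths,
    otherwise substitute a harmless '#'. Escaping alone does not help here because
    a 'javascript:' URL contains no characters that escaping would touch."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https"):
        return html.escape(url, quote=True)
    if not parts.scheme and url.startswith("/") and not url.startswith("//"):
        return html.escape(url, quote=True)
    return "#"


def render_profile_safe(display_name: str, website: str) -> str:
    """Attribute context (title=, href=) and text context, each escaped appropriately."""
    return (f'<a href="{safe_href(website)}" title="{html.escape(display_name, quote=True)}">'
            f"{html.escape(display_name)}</a>")


# Constructed inputs of the kind a tester would use to probe for XSS.
SCRIPT_INPUT = "<script>alert('xss')</script>"
ATTRIBUTE_BREAKOUT = 'Mallory" onmouseover="alert(1)'
URL_INPUT = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_results_unsafe(SCRIPT_INPUT))
    print(render_results_safe(SCRIPT_INPUT))
    print(render_profile_safe(ATTRIBUTE_BREAKOUT, URL_INPUT))
```

Output encoding of this kind is the primary fix; the Content Security Policy advice earlier on this page is the defence-in-depth layer that limits what an injected script can do if an escaping mistake slips through. The other half of this case study, the dormant administrator account with a weak password, is a process failure rather than a code one: unused accounts should be disabled, and administrative logins should have lockout and multi-factor authentication.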
In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
The investigation team was able to trace the malicious file back to a server in Eastern Europe; the suspect(s) had contacted the company using encrypted instant messaging and made payment through the cryptocurrency Bitcoin (BTC).
Through extensive open source enquiries and engagement with international law enforcement partners we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop the intelligence and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.
ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. This process is adopted here at Blueloop for our customers.
Recent publicity regarding poorly implemented system upgrades for the banking industry clearly demonstrates that upgrades and system improvements need to be well planned and tested in a live ‘pilot’ before implementation. Using ITIL’s industry standard for both IT project delivery and IT support provides suitable controls and measures for organisations in a professional and efficient manner.
Why risk business disruption when there are industry tools for IT service to protect your business?
Type of attack where security flaws or vulnerabilities are introduced into equipment, hardware, software, or services before they are supplied to, or used by, a target.
Supply chain attacks can be used for a number of purposes, including breaching confidential data, stealing login credentials for further attacks, or even supplying defective equipment to prevent a service from being useable (a denial of service).
One example saw attackers compromise legitimate websites through website builders used by creative and digital agencies. The criminals utilised a redirect script to send people to a malicious domain they owned, where malware was downloaded and installed by users who were browsing legitimate websites.
Ongoing servicing, support, or updates may provide criminals with an opportunity to interfere with a supply chain.
GDPR How was it for you? Did the sky fall in?
After the email bombardment and mixed messages that we have all experienced about GDPR, it’s time to take a step back and reflect on a very sensible campaign that the Information Commissioner's Office (ICO) has launched, called “Your Data Matters”.
Their brief is a very straightforward one; “increase public trust and confidence in the way personal data is handled”.
This comes at a time when our confidence in how this data is handled is at a low ebb, with a recent Direct Marketing Association (DMA) study showing that 86% of consumers would like more control over how their data is held and processed.
The ICO campaign has cross-industry support from companies such as PwC, Sainsbury’s, and the BBC.
Find out about your personal data rights and how to find advice concerning its use by third-parties by visiting https://ico.org.uk/your-data-matters/
Five minutes well spent.
Organisations consider data management and security to be a simple nightly backup but Veeam believe there are 5 steps to data security nirvana and traditional backup is just the first.
- Backup: Back up all workloads and ensure recoverability from data loss or attack
- Aggregation: Manage data backup and recoverability across multiple environments with an aggregated view of SLA compliance
- Visibility: Deliver monitoring, resource optimisation, capacity planning, and built-in intelligence to improve multiple environment data management
- Orchestration: Move data to the best location across multiple environments to ensure business continuity, compliance, security, and optimal use of resources with an orchestration engine that enables disaster recovery (DR) plans to be automatically and non-disruptively executed, tested, and documented
- Automation: Veeam's idea of nirvana in which data becomes self-managing, via data analysis, pattern recognition, and machine learning, and so is automatically backed up, migrated to ideal locations, secured during anomalous activity, and recovered instantaneously
We are not at the Automation stage yet but it's good to set our sights high.
Blueloop work with Veeam to provide resilient data and system management solutions.
SOUTH WEST POLICE
Regional Crime Unit
A form of phishing where a specific person is deliberately targeted with an email typically containing personal information, purporting to be from a reputable source.
Spear Phishing emails have the same end goal in mind as regular Phishing attacks - they are designed to make a potential victim interact with the email in some way, usually through clicking on a link or attachment. However, they are generally much more difficult to recognise, as the authors include highly relevant information which adds legitimacy to the correspondence.
As an example, criminals often masquerade as vendors and email financial workers with attached invoices relating to recent orders that a company may have placed. Once the attachment is opened, malicious code is executed which can trigger various actions - such as stealing passwords, running cryptojacking software, or taking command of a computer to use in a future botnet for a DDoS attack.
For more information https://www.swrocu.org.uk/cyber.aspx
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.