“Over the last 12 months, we’ve seen a return to attachments with innocuous macros in them,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint.
“Macro attacks are a sort of Back to the Future moment,” he told TechNewsWorld.
Unlike macro attacks in the past, though, these are sophisticated, multistage sorties.
Opening a Back Door
For example, a target will receive an invoice with blurred text. It’s blurred for security reasons, the target is told, and the person is instructed to click on the image to activate a macro that will clarify it. The target looks at the invoice, then closes it.
All the while, the macro activated to clarify the text downloads another file. That file won’t harm its host — so it won’t raise any alarms from defense systems — but it downloads a third file that will do harm.
“We have reached a level where criminals are burying their code deeper and deeper to prevent gateway systems from finding it,” Epstein said. “Technology has improved to fool the guards at the gate so you can speak to a person who will open the back door for you.”
Order confirmations are also a fertile target for cyberthieves at this time of year.
“If you get an order confirmation for something you don’t think you ordered, don’t click on anything,” Epstein warned. “Every single link in it will infect you.”
Beware of Friendly People
If you can’t remember if you bought something, Epstein advises going to the retailer’s website and entering your confirmation number, or calling the customer support phone number at the website.
“Do not trust the phone number in the confirmation email. Those numbers don’t go where you think they go,” he cautioned.
“If you call the phone number, there will be some very helpful people on the line who will offer to track your order for you. All they need is your credit card number,” Epstein continued.
You’ll also find some friendly folks at the bogus customer service sites popping up at this time of year.
Fraudsters “watch customer service interactions, and as a bank’s or airline’s customer service goes offline for the day, you’ll see a customer service agent coming from a slightly different Twitter or Facebook account reaching out to you and asking, ‘Did that issue get resolved?'” Epstein said.
“Beware of excessively friendly people,” he warned.
A Time for Extortion
Alert scams also are appearing more often. The alerts declare that your computer has been infected with malware and recommend you go to a website or call a toll-free number for assistance. Often, the result is an infected computer, stolen personal information, and an extortion demand that must be paid if you ever want to seen your data again.
“It’s getting more common to pop up an alert on a Web page,” said Andrew Sudbury, CTO of Abine.
“It’s not new, but I feel like I’m seeing it more than I did last year,” he told TechNewsWorld.
Ransomware continues to be popular. With so much shopping being done online, being denied online access unless you cough up some bitcoins to regain control of your computer can be particularly painful at this time of year.
It can be painful for businesses, too.
“There’s been an uptick of extortion against businesses. It’s something that has a lot of momentum to it,” said Joe Loveless, senior security services manager at Neustar.
“These are rogue organizations that contact businesses and say, ‘Pay us X amount in bitcoin and we won’t attack you.’ We saw some recent examples where companies had paid and were attacked anyway,” he told TechNewsWorld
“At this time of year, companies don’t have a lot latency to deal with it, so it can be very problematic,” Loveless added.
Data thieves also are expected to target mobile phones this holiday season.
“There’s this prevailing wisdom out there than a mobile phone is safer. Even apps that are legitimate apps can be compromised if you use the wrong website,” Proofpoint’s Epstein said.
“There are many free apps out there that pretend to be one thing and may do other things,” he added.
“You may want to open your browser and type the developer’s name into a search engine to see if it has a real website, not just a Twitter feed,” Epstein said.
In addition, when you launch an app, a screen will pop up displaying what the app wants permission to do on your phone. Take the time to read that screen, because the app can be asking to do things unrelated to its core functions.
“The classic example is the flashlight app, which, when you install it, wants permission to access your address book,” Epstein noted. “It’s a flashlight app. Why does it want access to your address book?”
Damper on Shopping Sprees
In the brick-and-mortar world this holiday season, consumers using payment cards will have an extra layer of protection. Most of them have been issued cards that have a chip on them to secure transactions performed with the plastic.
“The credit card industry is rolling out more secure physical credit cards, but they’re not doing anything yet for online transactions,” Abine’s Sudbury said.
“If someone steals your credit card number, it’s harder for them to make a physical duplicate of the card and use it at a Sears or Target, but these days, most of the credit card fraud appears to happen online where that chip doesn’t help you at all,” he added.
Some credit card issuers have sought to curb online credit card fraud by allowing users to create one-time-use credit card numbers. They let you generate a number that can be used for a single transaction. If that number is compromised, it doesn’t matter because its value would have been spent.
Those schemes haven’t been very popular because they’re cumbersome to use. Abine offers such a service that is easy to use, but it requires a subscription to the company’s premium service, and each transaction costs $2, which would be a deterrent to anybody planning an online shopping spree.
Not only will the new PIN-and-chip, or EMV, cards offer online shoppers no additional protection, but many real-world shoppers won’t get any addition protection either, since 70 percent of businesses aren’t EMV compliant.
“For every provider that doesn’t have one of the new credit card machines, they’re still reading track data the old way and they’re susceptible to being defrauded the old way,” said Alex Heid, chief of research at SecurityScorecard.
Clinging to old technology is a problem throughout the retail industry, SecurityScorecard noted in a report released last week.
Retailers continue to rely on legacy software systems and misconfigured Web applications to process transactions and store customer data, the report said.
For retail, legacy Web application technologies are in frequent use on large networks, with many still having checkout processes powered by ColdFusion, Classic ASP and PHP, it continued. Attackers know the vulnerabilities for these technologies well.
“One hundred percent of the Web applications that were examined from every retailer had some pretty serious issues,” Heid observed.
“The next big breach of retailers will probably come through their Web applications,” he said. “They’re buying appliances to try and mitigate that, but an obfuscated attack with enough time could worm its way through.”
- Nov. 23. Wilderness Hotel and Golf Resort in the Wisconsin Dells reveals a data breach affecting patrons who used their payment cards at the resort between March 9 and June 8.
- Nov. 23. Pearson VUE announces that malware has compromised its credential management system. The attack affected a limited number of users, and the intrusion didn’t compromise any Social Security or payment card information, the company said. Pearson customers include Cisco and F5.
- Nov. 24. Amazon sends an email to an undisclosed number of users informing them their passwords have been reset because they may have been compromised.
- Nov. 24. U.S. Federal Trade Commission files an appeal of Administrative Court Judge D. Michael Chappell’s decision to reject the agency’s complaint against LabMD for failure to adequately protect its customers’ data, resulting in its illegal exposure.
- Nov. 24. A fifth teenager is arrested in the UK in connection with data breach at TalkTalk. The breach accessed details of 28,000 obscured payment card accounts and 21,000 bank accounts, as well as email addresses, names and phone numbers of 1.2 million customers.
- Nov. 24. The U.S. Air Force is investigating how classified data appeared in a Forbes magazine story about a dispute among the department,Boeing and Lockheed Martin over a contract to build a next-generation, long-range bomber, Reuters reports.
- Nov. 24. Former Sony Vice President Amy Heller files a lawsuit against her former employer and others alleging negligence, defamation, invasion of privacy and intentional infliction of emotional distress. She has been unable to land a job since leaving Sony because of a false report made public in a data breach at the company, she says. The report accuses her of stealing a $90 computer mouse.
- Nov. 24. Lahey Hospital and Medical Center agrees to pay $850,000 to the U.S. Health and Human Services Office for Civil Rights to settle a case involving HIPAA violations connected to the theft of a laptop with the protected health information of 599 people on it.
- Nov. 25. An extortionist calling himself “Hacker Buba” has been leaking onto the Internet account information of customers of a bank located in the emirate of Sharjah for more than a week, Gulfnews.com reports. Buba vows to keep leaking account information until he’s paid $3 million in bitcoin.
- Nov. 27. Swiss court convicts, in absentia, Herve Falciani, 43, who leaked confidential information from a Swiss subsidiary of HSBC that set off a worldwide wave of tax evasion probes. He has refused to leave his native France to appear before the Swiss tribunal. The court sentenced Falciani to five years in prison.
- Nov. 27. VTech Holdings announces an unauthorized party accessed its Learning Lodge app store database on Nov. 14. The company did not reveal the extent of the breach, but the personal information of almost 5 million parents and more than 200,000 kids were exposed, Motherboard reported.
Upcoming Security Events
- Dec. 4. Privacy & Europe: Debating the “Right to be Forgotten,” Trans-Atlantic Data Flows, and the World’s Toughest New Privacy Laws. Noon ET. Harvard Law School campus, Wasserstein Hall, Room 2009. RVSP to Harvard University Berkman Center for Internet & Society required.
- Dec. 7-9. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas. Registration: $2,695; public sector, $2.225.
- Dec. 8. Threat Hunting with Bro, Sqrrl and Reservoir Labs. 2 p.m. ET. Webinar sponsored by Sqrrl and Reservoir Labs. Free with registration.
- Dec. 9. How Do You Really Know if Your DDoS Protection Solution Will Stop a DDoS Attack? 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
- Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.
- Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
- Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.