2. Browser in browser attacks are an increasing trend to be aware of. We first heard about this a few months ago… once you land on a fake webpage, a pop up appears inviting you to log in. Why is this different? Well, pop ups are far easier to fake. It's easy to show a genuine website address on a pop up window, and users are far more likely to trust a pop up than they are a whole new tab that opens. Below is a quick example of what we mean, courtesy of https://mrd0x.com/browser-in-the-browser-phishing-attack/

The takeaway message is, beware of popups. This month, attacks on users of the gaming platform Steam used this tactic successfully. We see this becoming an increasingly common way to fool users. How do you spot the difference, now that you can't be looking out for a fake website address? Well, unlike a real browser page that pops up, these fakes won't resize, and you can't move them beyond the browser window onto your desktop. So now you know. For those wanting more information about the tactic, this article sets out some of the detail relevant to the Steam campaign.
3. Increasingly, the cyber security world has been highlighting the risk of so-called "supply chain" attacks, where a criminal tries to compromise a piece of software which is used by multiple businesses. Maximum reward, for minimum effort. This month a report by Sonatype suggested that the problem is big, and growing: we think you need to be aware of it. They found 88,000 malicious open-source packages, an increase of around 750% over three years. They also found that although 68% of people thought they were using safe sources, a random sample showed that the same percentage were actually using products known to be vulnerable. What does this mean for you? In simple terms, limit your software to what you need. If you have the resources and the ability, do what you can to make sure whatever you do use is from a trusted and trustworthy source. The National Cyber Security Centre produced updated guidance this month regarding supply chain cyber security, which is aimed at medium to large businesses, and which may be of help in this regard. You can either search for it in your browser - it's easy to find - or follow this link.
4. A quick word on training. This month saw the release of a genuinely fascinating report (we thought so, anyway) about people's attitudes and behaviours relating to cyber security. Cybsafe's "Oh Behave!" report can be found via your browser or this link. We already knew that over 80% of breaches are down to human factors. But based on this pretty extensive survey, we can also say that 58% of people who had received training said they were better at recognising phishing messages, and 45% used better passwords. It does pose the question about what your business or charity has done to train your people this year. If the answer is "nothing" then you're out of excuses. We put together a blog on our website's news section some while back, showing the free stuff you can access… from a half hour of e-learning to face to face support from your local force. Or our student team can put on something bespoke at minimal cost. Come to us if you need support, but please don't ignore the problem.
5. Low-rent scams. A month or two back we showed you an email which said that it was from an IT security provider and that your IT department wanted you to give them access to your machine so they could run some checks. Inevitably, someone will have fallen for it. This month, we spotted an even better message… essentially, it went like this. "You've been hacked. We're going to leak all your data. You need to pay us some money, or we'll destroy your company." No-one would ever fall for this, would they? We think it's worth mentioning that not all cyber crime is intensely technical: you just need to have your wits about you.
6. Finally, this month's breaches of note. As we said, it's been cybersecurity month. And whilst there have been a few breaches (aren't there always) we don't think there's anything significant enough to raise here, for pretty much the first time since we started these newsletters. Nice to end on a high!