Weekly Threat Report - 19th January 2018
Report's are drawn from recent open source reporting, see the latest report here:.
NCA and Trend Micro partnership leads to conviction
A man responsible for creating two crypting services has pleaded guilty in court following a joint investigation by the National Crime Agency (NCA) and Trend Micro.
Goncalo Esteves pleaded guilty on three charges on Monday 15 January 2018 and will be sentenced in February.
Esteves was responsible for creating two crypting services (Cryptex Reborn and Cryptex Lite). These were designed to modify a program, such as malware, so that it avoids detection from common antivirus software. In addition, Esteves ran the Counter Antivirus service reFUD.me, allowing users to test whether their sample program was detected by known antivirus products.
It should be noted that although these services were not malware themselves, they were enablers of cyber criminal activity. By advertising on known criminal forums and discussing their use, it was shown that Esteves knew that they were being exploited by criminals. As a result of this operation, these services have been taken down.
In 2015, the NCA and Trend Micro signed a Memorandum of Understanding to work with each other to help tackle cyber crime. This cooperation extends beyond this operation and illustrates the key role that industry has in tackling, what can be, a highly technical criminal threat.
The NCSC is committed to working closely with industry in order to help us achieve a greater understanding of the cyber security environment. The government’s forthcoming flagship cyber security event - CyberUK 2018 - will bring together over 2,000 cyber security leaders and professionals across the UK, including representatives from both government and industry.
Typosquatting is still big business
Typosquatting (also known as cybersquatting or url hijacking) is the deliberate act of registering misspelt popular website domains, to capitalise on internet users accidently typing incorrect characters for a website address into the address bar of a web browser.
Instead of visiting the correct website, users will be taken to an alternative website intended for a variety of malicious purposes, including the theft of personal information, fraud and the installation of malicious software.
A recent study by cyber security company Sophos found that typosquatting is still a huge industry and there are a significant number of fake domains registered, including sites targeting users of popular websites such as Google, Facebook, Twitter, Microsoft and Apple. Specifically, it was found that 80% of all possible one-character variants of Facebook, Google, and Apple website domains are registered.
The issue of typosquatting is not new but can seriously impact individual users as well as businesses, organisations and government websites across the globe.
Although there are solutions including the legitimate purchase of common misspelt domains as part of brand protection, this could amount to hundreds of possible domain name variants which might not be practical or cost effective, particularly for small businesses.
Individual users are advised to double check their url spellings before accessing a website. It is also advisable to bookmark favourite websites and, if in doubt, check url spellings in a popular search engine to make sure they are correct.
Netflix “brandjacking” highlights increasing sophistication of phishing campaigns
A “brandjacking” phishing campaign aimed at Netflix subscribers was identified by cyber security experts in recent weeks.
The campaign utilised multiple phishing techniques. Subscribers received emails requesting that login details and credit card data be updated via a portal. Once the details were entered the subscriber was shown a fake verified by VISA page and then redirected to the real Netflix login page. The Greek letter chi was used in place of the ‘x’ in Netflix in some emails to subscribers, but otherwise the branding and style of the emails and portal appeared authentic.
Phishing campaigns are becoming increasingly sophisticated. An open source report found cyber criminals are hacking into sites with a valid website security certificate and replacing the content with the site they are seeking to imitate.
There are a number of email anti-spoofing measures outlined on the NCSC website that can help prevent phishing email attacks from reaching users in the first place.