Weekly Threat Report - 19th July 2019
Scale of Magecart attacks growing
Magecart is targeting unprotected AWS S3 buckets, used to store uploaded data including card details. It has reportedly compromised over 17,000 websites since April.
The success in Magecart’s infection numbers come from what the RiskIQ study labels its ‘shotgun approach’. Rather than targeting uniquely weak or profitable S3 buckets, its developers have opted to focus on spread, hitting as many domains as possible.
Despite the comparative-randomness of the attacks, the report suggested that the group behind Magecart ‘likely ended up getting their skimmer on enough payment pages to make their attack lucrative.’
The NCSC has published a blog post discussing the risks associated with leaving sensitive data exposed in unprotected AWS S3 buckets. We also recommend policies that organisations can implement to make it easier to be secure.
TrickBot malware develops new email infection capacity
A recent report from cyber security company Deep Instinct has revealed that the Trickbot malware has returned with a new variant, ‘TrickBooster’ which attacks individual’s email accounts.
TrickBot, a piece of malware circulating since 2016, was designed to access online accounts with the goal of obtaining Personally Identifiable Information (PII) which can be used to facilitate identity fraud.
The new TrickBooster variant of the infection, according to the Deep Instinct report, ‘harvests email credentials and contacts from a victim’s address book, inbox, outbox, it can send out malicious spam emails from the victim’s compromised account, and finally, can delete the sent messages from both outbox and the trash folder, so as to remain hidden from the user’.
TrickBooster has reportedly infected 250 million individual’s email accounts, including those linked with major email providers.
The NCSC has previously published an advisory suggesting how best to recognise, protect and mitigate the Trickbot malware. It has also published suggestions about how best to tackle email-based phishing attacks, like the type present in the new TrickBooster variant.
2019 ACD report highlights progress in protecting UK cyberspace
The 2019 Active Cyber Defence (ACD) report was released earlier this week showing real progress protecting UK citizens and dissuading criminals.
The report, published by the NCSC and its Technical Director Ian Levy, shared impressive figures for 2018 including:
takedown of 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks
14,124 UK government-related phishing sites removed
number of phishing campaigns against HMRC continued to fall dramatically – with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018
number of takedowns of fraudulent websites was 192,256 with 64% of them down in 24 hours
the number of individual web checks run increased with a total of 111,853 advisories issued direct to users
Whilst the numbers are positive, there is still plenty to achieve with these latest figures offering a strong foundation in which to improve the NCSC’s ACD programme.
“While this and other successes are encouraging, we know there is more to do,” said Ian Levy.
“We would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens.”
The 2019 report is available now to download and digest, but Ian Levy has also written a blog post offering some more narrative around the report.