Weekly Threat Report - 22nd June 2018
Report's are drawn from recent open source reporting, see the latest report here:
Football or Phishing?
At least two phishing campaigns are taking advantage of this year’s football World Cup.
Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.
Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.
In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).
The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:
Example 1: www. thisisarealwebsite .org.com
Example 2: www. thisisarea|website .org.com
The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.
The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
Is your device earning money for cyber criminals?
Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.
Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.
This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.
In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.
Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.
To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.
Attackers target cryptocurrency software
On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.
An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.
Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.
Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.
The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.
The NCSC has issued guidance on 2FA, password management, mitigating the threat of malwareand identity authentication.
The NCSC website also maintains a general guide on measures to improve security online.
Good cyber hygiene can help fend off LokiBot
Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.
Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.
LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.
Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.
Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.
Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.
National Cyber Security Centre Threat Reports