Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector. The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients to open the attachment in order to check the latest details on the “standardization of the format of CBR’s electronic communications.” Corin Imai, Senior Security Advisor at DomainTools: “This is an example of a phishing campaign at its…
ISBuzz Team
Following the news that some experts have warned that further cyber-attacks on the NHS are ‘inevitable’, Jake Moore, Cyber Security Specialist at ESET UK, commented: “For an organisation like the NHS, keeping your entire systems safe and secure is not an easy task. For most companies it’s a simple case of funds & resource, but sadly in this case it’s not that easy. However, it’s not all bad – knowing you need to do more and actively working towards it is a plus. We often hear tales of “attacks” on the NHS, but we need to understand that outbreaks like WannaCry were not direct attacks,…
A recent report by Gemini Advisory has revealed that, three years after the US EMV migration deadline passed, card fraud has continued to rise. Of more than 60 million payment cards stolen in the past 12 months, chip-enabled cards represented a staggering 93%. These results directly reflect the lack of US merchant compliance with the EMV implementation. Simon Armstrong, VP Products at Entersekt: “In the payments space there will always be an arms race between the groups providing and implementing payment systems against those who seek to find vulnerabilities to exploit. The statistics shown here can be seen as evidence that the rate of adoption of new security mechanisms by issuers and merchants is…
A new report by Opus and the Ponemon Institute reveals that 61 percent of US companies surveyed said they have experienced a data breach caused by one of their vendors or third parties. What is even more alarming is that 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months, and only 37 percent indicated that they have sufficient resources to manage third-party relationships. Chris Olson, CEO at The Media Trust: “Consumer data is money and companies in general have lots of it. That data is also increasingly vulnerable to misuse…
The news broke yesterday that Voxox, a San Diego, California-based communications provider, left a database containing at least 26 million text messages, including password reset links, 2FA codes, shipping notifications and more, exposed without a password. The exposure of personal information, phone numbers and 2FA codes in near-real-time could have put countless accounts at risk of hijack. Some websites only require a phone number to reset an account, meaning that this process could take just seconds. IT security experts commented below. Jacob Serpa, Product Marketing Manager at Bitglass: “It does not take much for outsiders to find unsecured databases and access…
Japan’s new cybersecurity minister has ‘never used a computer’, claiming to have delegated to staff and secretaries since he was 25. This is especially interesting because his duties include overseeing cyber-defense preparations for the 2020 Olympic Games in Tokyo. In addition, Sakurada allegedly struggled to answer a follow-up question about whether USB drives were in use at the country’s nuclear power stations. With cybercrime expected to cost global businesses over $2 trillion by 2019, this revelation has raised concern, and the impact could weigh on Japan’s state of cybersecurity. Two cybersecurity experts have commented on the incident below.…
Following the news that high-end retailer Nordstrom is in the process of notifying its employees that their data may have been compromised in a breach, please see below comments from Martin Jartelius, CSO of Outpost24. Martin Jartelius, CSO at Outpost24: “It looks like this incident relates to a contractor unintentionally, or intentionally, incorrectly handling confidential employee information. This highlights the need for organisations to treat all employees as a potential risk and ensure security steps are taken to minimise the risks when incidents like these happen. There is also a considerable amount of time which has passed from the detection…
The Dutch branch of the French film production and distribution company Pathé has lost over 19 million euros to BEC scammers, Dutch News reported. Information about how the scammers pulled it off has been gleaned from court documents relating to an unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s former chief financial officer. Commenting on the news and offering advice are the following security professionals: Javvad Malik, Security Advocate at AlienVault: “BEC or CEO scams are very common tactics used by criminals. Because there is no malware, it relies purely on tricking the recipient. Therefore, employees should receive training in…
In response to the news that a team of nine academics has today revealed seven new CPU attacks, which are variations on Meltdown and impact AMD, ARM, and Intel CPUs to various degrees, please see below comments from Cody Brocious, researcher at HackerOne. Cody Brocious, Researcher at HackerOne: “As long as speculative execution is performed in processors, this type of bug will continue to be discovered. It’s impossible to perform operations without side-effects on a hardware level, and abstractions that pretend such operations are side-effect-free are always going to cause security issues.”
Shadow IT — the use of IT systems within an organization without the knowledge or approval of corporate IT — has long been an issue for businesses across industries. From risking the unauthorized leaking of proprietary information to exposing unintended attack vectors to hackers, shadow IT can subvert the efforts of an IT department to keep a company’s systems secure. Now, with the newly imposed regulations of the General Data Protection Regulation (GDPR) and more legislation on the horizon, the fallout of uncontrolled shadow IT poses an even greater risk — fines up to four percent of a business’s revenue in…
