In response to reports indicating the financial services sector in the U.S was hit by cyber attacks last month through a Minebridge backdoor, experts provide an analysis below.
This is obviously a very targeted attack against the financial sector, however it uses attack methods applicable to any industry. The use of tax-related themes in email phishing attacks is very common during the first quarter of the year and continues as resumes and invoices throughout the year. They are designed to fit in with the types of messages we expect to see at this time, which tricks people into letting their guard down. These social engineering tricks are very effective and are being continually refined by cyber criminals.
The best way to defend against these attacks is to teach people how to identify phishing emails that are targeting them. It is also important for organizations to have a process in place for reporting suspected phishing emails when users do spot them. This reporting helps the organization spot trends in attacks that allow them to update their email filters and warn other users about campaigns that are currently targeting the organization. Users should be looking for red flags, such as emails from people they have not communicated with before but act like they have, messages containing attachments that have either an included password or ask to enable macros or enable content.
It’s no surprise that most of these attacks are coming from social engineering attacks. Seventy to ninety percent of all malicious data breaches occur because of social engineering. The most popular attack method for 3 decades remains the most popular attack method. What is changing is the sophistication of the attacks and the sheer criminality. These are full-time professionals working in companies and gangs, with different people with different types of expertise and experience. They often work 9 to 5, get vacation pay, and have to deal with HR issues, just like regular companies. But they are often located across international jurisdictions and so arrests and convictions are fairly rare. There are some efforts like the UN Convention on Cybercrime which are attempting to get more international cooperation, but so far they have been doomed to each nation’s self-interests and politics. For now it looks like the only way to fight these types of attacks is a combination of the best technical controls (e.g. firewalls, anti-malware software, intrusion detection systems, content filtering, etc.) and security awareness training you can afford. No matter what technical controls you put in place there are going to be things, which are increasingly looking more and more sophisticated and realistic, that get by. And when they do, you need your employees to be aware of the different types of threats and tactics those bad things try and how to treat and handle.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics