IT Security: Learn about current COVID-19 security trends and issues, and what firms can do to improve cyber security within their organisation
COVID-19 Cyber Security Webinar Transcript
Facilitator: So I see we have a few people joined us, so welcome everyone. It’s just turned 11 o’clock, so we’re going to get going with the webinar. Totality Services wanted to produce a range of webinars and this is the first. The reason we wanted to do this is to empower our clients with better technical knowledge across a range of relevant and business-critical subjects to help you whilst working from home.
So just a little bit of housekeeping first, the webinar is being presented by Adon Blackwood, he’s a security engineer at Mimecast. Many of you will be familiar with them, but those that are not, Mimecast keep over 30,000 businesses in the U.K. safe from malicious attacks. That gives them great insight into where and how the attacks are happening and we thought it would be a great idea to produce a webinar so you can all be aware of the threat landscape currently, what to look out for an how to stay safe.
So I’ll hand over to Adon now, your microphones should be muted automatically, but please feel free to ask questions via the chat function. We’ll have a Q&A session at the end and we’ll pick out an answer at that time. Lastly, we really hope you find this interesting and look forward to your feedback following today. So thank you and over to Adon.
Presenter: Perfect. Thanks very much. Good morning everyone, thank you for joining today’s webinar. So as mentioned with a lovely intro there, my name’s Adon Blackwood, and I’m one of the engineers here at Mimecast. So a lot of the work I’ve been doing over the last few weeks has really pertained to the outbreak of Covid-19 and how that’s affecting organisations, especially around cyber security-based threats. So that’s the focus of today’s session. We’ve got quite a lot to cover, starting with phishing in emails and what that threat landscape looks like. We’ll be talking about the origins of phishing, malware, viruses etc and then of course how attackers are exploiting that attack surface via Covid-19.
The second part of that is of course focusing on impersonation attacks, very specific and very tailored, and I’ll give you some tips and tricks on what to look out for. Then we’ll delve into cyber hygiene. So what you need to be concerned about and what you need to focus on whilst we’re all working from home, and that’s going to be covering off web-based attacks and also mobile phone-based attacks. The fourth part of this will cover off some trends that we’ve seen in the industry, typically what our threat intel department have actually looked into and some of the research they’re doing to combat this threat. Then finally, we do have a Q&A session at the end, so if you do have any questions that come to mind, I would heavily encourage that you put those in the chat window or consolidate those towards the end of the webinar and then we’ll cover those off.
So let’s delve straight into it, and we’ll start with e-mail. Of course businesses can’t operate without e-mail, there has of course been an increase in the usage of e-mail considering everyone is working from home and collaboration is much more tricky now because you don’t have the ability to get up and go and speak to your colleague as if they were buying desk. So the core thing that we need to bear in mind here is that attackers know that e-mail is important and 94 percent of data breaches start with something as simple as a phishing e-mail, so a very, very big stat. But let’s talk about e-mail itself, because there are multiple attack points when it comes to e-mail and cyber criminals know this, especially with current affairs and what’s going on with Covid-19.
So we’ll start with viruses. Very simple, everyone’s probably used to what they are, or have probably had one on their machines in the past and the way be combated this in the industry was creating virus engines, actually going out and developing software that looks for what we call a virus signature. Stamping the way that the virus looks and being able to identify that when performing a scan. The main thing we need to bear in mind here is that a virus engine needs to have seen the virus in the industry before so we can give it a signature, and will touch on why that’s important in just a moment.
The other part is the evolution of viruses into malware. So malware is much more sophisticated and I think some people are familiar with the term Trojan Horse, a document or a file that’s disguised to be something that’s clean and useful for the end user but is actually malicious. We’ll delve into spam. So everyone will have received spam via e-mail, and most people classify this as unsolicited mail and of course that’s the main thing we need to bear in mind, but when you combine the ability to send e-mails in bulk, unsolicited e-mails in bulk with, malware and viruses, then you have quite a dangerous attack.
Then we’ve seen things evolve into phishing emails that have malicious links. Everyone has probably seen these before but the reason these are particularly dangerous is because it just takes a simple click of a link to infect your machine. So although the e-mail will come in and you’d assume there is no harm in clicking the link, it could do just something as simple as installing malware and spyware on your machine, so monitoring what you do, the kind of keystrokes that you put into your keyboard whilst you’re working away or it could be even more dangerous and take you to a malicious site, a site that prompts you to put in your username and password to of your banking website or your e-mail account and your background attackers are copying that information, essentially grabbing your username and password. That’s something you call credential harvesting.
The final part of that is impersonation. So an attacker going away and doing some form of research and understanding who your colleagues are by looking at your company website, maybe your MDs are listed on there or trading through LinkedIn to understand what your network looks like and then sending you a very sophisticated e-mail that looks like it’s come from a legitimate source coercing you into maybe sending money or sending sensitive information or sharing a password as an example. The core point to note here is that all of these attack points are delivered via e-mail. So there’s lots of things that we need to think about.
But of course, impersonation is one of the ones that we’re seeing that’s the most prevalent attack at the moment. And the reason this is quite sophisticated is there is no malicious link or an attachment in some of these emails. Sometimes it’s just text. So in the case of a virus, a virus engine looks for viruses. It looks for a signature that it’s seen before. But in an impersonation attack, there isn’t one. And then when it comes to phishing links, we do have engines and software that scans links to see if they’re dangerous or not but if the email has no link, there’s nothing to scan, so pretty much just looking at text.
So how do we capture a dangerous attack that doesn’t have a malicious payload in it, doesn’t have an attachment or a link inside? Well there’s a couple of things we can focus on, and the first thing we want to flag up is an internal username or screen name. So this is the scenario where you receive an external e-mail that has the same first and last name as a colleague of yours, one of your employees that works alongside you. And this should be something that you’re focusing on and looking at when you receive external emails. If it’s come from a source you’ve not received before but the screen name matches, you should be suspicious of that, perhaps give that colleague a quick phone call and verify if they’ve sent that e-mail.
At the moment, everyone is working from home. So the likelihood of someone sending you an e-mail from their personal e-mail address should be low. The other things we want to focus on are the actual domain itself. So we see a lot of attacks which we call copycat domains where an attacker goes away and registers a domain that looks very similar to your company’s domain. A great example of this would be the domain Mimecast.com, so my actual work e-mail address. But an attacker could go away and swap out that ‘i’ in Mime and replace that for the character ‘1’, and at a glance it looks very, very similar but could be tricky to spot if you are very busy and you’re working through your emails quickly.
So these are the methods that attackers are using but it goes beyond just swapping out characters in the normal alphabet. Sometimes we see attacks where people use non-Western characters such as the “i” in the Cyrillic alphabet. So the ‘i’ in the Russian alphabet is swapped out often and replaced. And that’s something that’s very, very difficult to identify with the naked eye. We’ll speak about these specific types of threats a bit further on into the webinar. But the main point to note here is, if you see a domain that comes in and it looks slightly off key, there’s an indication that something is suspicious about that and again, verify the sender by giving someone a phone call. That extends to your supply chain, so it doesn’t just stop with your own domain. Attackers are clever enough to go away and do research and understand who your suppliers are, what your vendor network looks like, and will incorporate those same techniques to swap out characters and create fake domains to try and exploit end users.
The next part that we should be focusing on when you receive these types of emails is the language. I’m sure we’ve all received emails before where the grammar looks slightly unusual or there’s spelling mistakes or it’s poorly written or is written in a way where the contact is communicating with different language. If you’re speaking to the same people day in and day out and you receive an e-mail that doesn’t sound like it’s them, again, that could be an indication that something unusual is happening. But there’s also other terms to look out for, so an example on the screen here, we’ve got the term ‘ASAP’ in there as an example.
So attackers often use language that’s quite emotive, generating a sense of urgency or panic or authority, and these are things that you need to look out for, creating e-mails that get you to respond without thinking twice, almost causing that sense of panic inside you. So look out for language like that, some of the terms that we often see is ‘urgent’, ‘pay now’, ‘wire transfer’, ‘bank account details’, ‘credit card number’, ‘change of account details’, ‘debit account’ etc. These may be terms that you see in e-mail a lot but certainly at this time, given what’s going on with Covid-19, we would certainly want to think twice before responding to these emails.
The last few things will cover off, is there apply to a mismatch. This is the scenario where the sender’s domain and the ‘reply to’ address in the e-mail are different, i.e., getting you to send information to a separate e-mail address that has nothing to do with the sender. This one can be quite tricky to spot, but there are ways that we can look into this. And then the final one, really straightforward and doesn’t take much detective work to spot this one, is an external domain. If it’s separate and different from your actual company e-mail domain it’s come from an external sender, just think twice before you interact with the message.
So those are all then indicators there, and Mimecast it does have a number of tools that can automate this process and look out for that, and we can cover that stuff off a bit later. So we’ve spoken about phishing attacks, business e-mail compromise, impersonation attacks, macros, viruses malware, there’s a lot of things that are going on in terms of the threat landscape for e-mail. It’s great talking about what these attacks look like, but we also need to bear in mind what the business impact could be if you were unfortunate enough to fall susceptible to one of these exploits.
So let’s start by talking about the actual of industry of cybercrime itself and impersonation attacks. So as of 2018 this particular threat landscape itself, generated $12 billion in the industry, so economical losses here. It’s big business and a lot of organisations perceive cyber criminals to be a bunch of teenagers sitting in the basement coding away and trying to hack websites. But that couldn’t be farther from the truth. So the actual industry itself, of cybercrime does have a number of professionals, people that are very talented when it comes to coding and scripting, they really know what they’re doing, and they have a lot of resources.
And if we’re talking about $12 billion, that’s massive losses globally, but what does that look like to the everyday business. Well, the average loss that we’re seeing is around £27,000. Especially out there, the nature of what’s going on outside with Covid-19, that could be a significant loss to your organisation and it could be done in such a simple method of sending a wire transfer to a contact that’s acting as a finance director that’s saying they’re very urgent, they’re tied up on calls, and they really need to settle this invoice for £27K.
So that’s what we’re seeing, and from personal experience, there’s been organisations that I’ve worked with where we had an accounts assistant who wired out £80,000 in a wire transfer. In terms of the impact that that has on employees and organisations themselves, we’ve seen that’s one in five businesses actually had to make redundancies due to the financial impact of sending out that money in that wire transfer. The other side of it sometimes doesn’t relate to financial loss, it could actually be data loss. So an actual data breach itself. Perhaps you have a file, a confidential file of your employees as an example, or your customers, and you’ve sent that out to an illegitimate source because they’ve had requested it and coerced you into thinking they were your CEO.
The other side of that is credential harvesting as I mentioned earlier on. So the scenario where an e-mail is sent to you, it has a dangerous link in there, you click on the link, that takes you to a website that looks like your company web mail application, you put in your username and password and in the back end of that, an attacker has actually gone away, copy and pasted your password and your username and now has access to your corporate e-mail and maybe even resources on your network. Sometimes these attacks can go unidentified. So you may have leaked your password and been unaware of that and in the background an attacker is navigating around your corporate network ad your e-mails and going ahead and doing some significant damage.
The other part of that of course is reputational damage. So of course if you were a customer and you had your data leaked by one of these phishing attacks, I’m sure you would like to know. And of course there is a duty of organisations now under GDPR, to notify customers of breaches and notifying authorities of the breaches so we understand what damage is done and of course, you have trust in these organisations for storing your data. Simple things like maybe your credit card number, or your date of birth or even your address. These are things that you’re willingly happy to pass on to organisations having faith that they’ve got the right controls in place and that’s some of the things that we need to think about.
So beyond that, the impact that GDPR has had on organisations has been astronomical, and I think for the better because he’s making organisations think about data protection, but data protection goes beyond having the right technical controls in place. We also need to think about your end user awareness training, and we need to question ourselves and our employees as to whether we understand what these threats are, how to identify them and how to try and mitigate the risk that’s associated with them. But the core things are around GDPR and how they’re enforcing data protection. So some of the fines that we’ve seen in organisations if you have been subject to a breach and it indicates you didn’t have the right technical controls in place, you could receive a fine up to €20 million or four percent of your global turnover, whichever is higher.
Again, given the state of what’s going on with the pandemic at the moment, that’s probably the last thing your organisation wants to face. Then we’ll wrap up with the final pieces about what the consequences are of a data breach, and only 20 percent of victims have said that they will think twice before receiving these types of impersonation requests at work so that’s a very, very small number so there are a significant amount of impersonation attacks that we’re seeing in the industry and we’re only seeing 20 percent of organisations that are actually slowing down and verifying the sender’s details and the language in the message and the actual domain itself. So a couple of things to think about.
So that wraps up the E mail portion of the webinar. We spoke a lot around impersonation attacks and phishing, and some of the exploits that we see but sadly it doesn’t stop there. The web is another attack surface that we’re used to seeing so this goes beyond receiving an e-mail, this is actually interacting with browsers and websites yourselves, and again, we’re all working from home, so it’s another attack surface that we need to consider. So at the start of this webinar I spoke about impersonation attacks that use non-Western characters and different alphabets to try and trick end users. So on screen here, I have an example of the website apple.com. At a glance, nothing looks unusual but I’ve actually giving you guys a shortcut and highlighted that’s all of the characters in apple are Cyrillic, so from the Russian alphabet.
None of those are your typical characters. The question might be so why does that matter? It looks like apple.com, it’s got the green padlock which we’re used to seeing when the site is legitimate. Yes, the site looks like apple.com, but the actual party behind this website that’s hosting this website is an attacker. And that’s the core thing I want us to think about, is how do we verify that the characters we’re seeing on the web browsers are legitimate ones and correct ones?
Well, the first thing we want to think about is when we receive links to websites, when we receive password resets as an example, you may click on the link and then be taken to this website and think okay this is absolutely fine I’ll go ahead and reset my password, but you may not know. So I recommend when you receive emails that have password breaches or password change notifications or unusual activity notifications actually, you log into the website yourself by going to a web browser, typing in the account and then going in and changing your details instead of following a dangerous link.
And what I wanted to do was cover off a couple of other examples here. So there is an attack that we used to seeing called Punycode attacks. In short, what an attacker would do is go away and register a domain that has unusual characters, i.e. again, Cyrillic characters. The back end of that website would look like this, as an example, but when you’re taken to a web browser, it will render it differently and won’t look as suspicious. So a couple of things we need to think about is the web browser you’re using and making sure your web browser can spot this exploit, and give you a quick notification to let you know this website looks unusual.
The other examples that we’re seeing of this is of course Google.com, and you can see slight accents on the ‘L’, Ikea.com, again an accent on the ‘K’, and then Waitrose where the ‘I’ is from a different alphabet. The reason I’m using these examples are these are websites that will have high traffic as an example, so Adidas, people are working from home, they want to get more exercise in so they’re ordering fitness gear. Of course, everyone uses Google day to day. And Ikea, we’re now all at home, so we have plenty of time to go ahead and renovate our living space and make sure it’s more comfortable whilst we’re in this pandemic. And then the final piece is groceries. So these are just a couple of examples, again, I’m not saying that these are attacks that we’re seeing day to day and we have to worry about visiting Waitrose.com, this is just to highlight how easy it is for an attacker to try and exploit end users that aren’t aware that these attacks exist.
So that wraps up web. Some of the other things we want to focus on of course is mobile, so everyday professionals are using their mobile more a more to send e-mails to browse company resources as an example. Technology continues to improve, meaning that it’s much easier for us to do our day jobs on the go. But the attack surface doesn’t stop at web. It does carry on over to mobile. Some of us on the webinar today may be familiar was what we call smishing. So combining the term SMS with phishing. So receiving a phishing attack fire text message instead of e-mail. An example of this is what we have onscreen here.
One that seems is coming from the U.K. government, speaking about payments relating to Covid-19 and of course this is an attack there’s also a link there as well. And sometimes it’s very tricky to verify whether links are OK, but if you’re receiving an unsolicited e-mail from an unsolicited source, I would was heavily recommend that you don’t click on the link and verify whether this communication is legitimate. This particular attack is one I’ve actually received myself, I’ve received this text at least twice. So we need to bear in mind that attackers understand what’s going on, current affairs are being exploited by cyber criminals and although you would say it’s completely unethical, this is exactly the prime time for attackers to go away and exploit public fear and anxiety.
The other thing that we’re also seeing an increase in, not just because of Covid-19, this attack has existed way before that, is vishing. So automated voice messages, and this is an attack I receive quite often myself from unsolicited numbers where you pick up the phone call and it sounds like there’s someone at the helpdesk having a conversation with you but you start to realise that the communication seems a little bit unusual, and if you pause for a moment and you say nothing, you start to realise that it’s an automated script and a voice that has been pre-recorded and it’s just playing when they call you. You may question, “OK why does that matter?” Well, the other side of it is the other side of the phone.
These attackers are recording your voice. So they may act as if they are part of an insurance company, maybe they inform you that you’ve been in an accident, and whilst the script is speaking to you and verifying your address and your date of birth as an example, that’s being recorded, so that’s your personal identifiable information that could grant that attacker access to more sensitive information, maybe access to your bank or your insurance company. So these are some of the things that we need to bear in mind. So when you do receive these phone calls, and it’s unsolicited, take a bit of a pause before you say hello. Just wait a few moments and just see if the person on the other side of the phone responds in a way that is actually human and not scripted.
And the final piece of this is elongated URLs. So I don’t have an example of this onscreen, but if we think about mobile phones, the screen is relatively small in comparison to your laptop I understand that the modern-day iPhones now have significantly larger screens, but they’re still very small in comparison to your desktop machine or your laptop, which means that attackers can go away and create domains and websites that have elongated URLs, websites that have longer links then you would expect to see. Maybe triple the characters, and the reason that’s done is it hides what the rest of that website looks like, masking that that website it isn’t legitimate and it isn’t apple.com and actually your spoof that’s got another 20 characters that haven’t registered.
And because that’s when your mobile phone and that’s hidden from view, that will often trip up end users. So something else we need to think about when you’re on your mobile phone. Look out for unsolicited messages, there are some smart phones that will allow you to treat unsolicited messages as spam. Certainly don’t click on any links if it sounds suspicious and relates to Covid-19. In most scenarios you should be expecting a communication relating to the pandemic itself. Automated voice messages, pause, take a moment, if it’s a number you don’t recognise, definitely be a bit more cautious and then when it comes to websites, just click on the actual website itself and scroll a little bit to see if that websites looks unusual and whether there is far more characters then you would expect to see.
So that wraps up the e-mail, web and mobile segments of the webinar. Now we’ll focus on some of the trends that our threat intel teams have actually seen. So Mimecast as a solution sits in front of your e-mail service, so whether that’s Exchange, or whether that’s G-Suite or maybe even Microsoft 365, because we’ve had a lot of organisations transition to the crowd. Mimecast essentially acts as a bodyguard, so stands in front of your e-mail server and waits for messages to arrive and if it’s things like spam or has dangerous links or an attachment we can reject them and then bounce them off and only pass through the legitimate emails that you need.
However, what we’ve seen at the moment is 15 percent of the spam that we’re rejecting and not allowing into Microsoft 365, is related to Covid-19. And again, not legitimate Covid-19 traffic, illegitimate malicious traffic that’s coming through, so that’s a significant increase. So, given all the spam that we receive and there is tons of that that we typically reject, that’s 15% that attackers are trying to exploit end users with. So there’s been quite a big increase there. But what does that look like in kind of practical terms, given the fact that were all working from home at the moment.
Well a good example of this would be streaming websites. Now is the prime time to catch up on box sets and TV shows that you’ve been putting off because you’ve been too busy. So now you’ve got a bit more flexibility, hopefully the work/life balance has shifted a little bit and given you the opportunity to explore hobbies or maybe even watch TV shows and box sets. However, attackers also know this, and Netflix is a prime example of a domain that has been impersonated. So impersonation doesn’t just stop at emails and people acting as senders via e-mail, this extends to the websites as well and we’ve seen 500 suspicious domains impersonating Netflix.
And I’ll just pause for a second, if we think about the term I used earlier on, Punycode, using non-Western characters and characters that look different once they’re rendered onto a website, that’s exactly how they’re tricking users, so maybe you receive an e-mail that’s a password reset notification from what you’ve seen as Netflix, but the ‘I’ in Netflix is swapped with a ‘1’. You click on the link and you’re taken into the site to try and reset your password. The website looks fine, but again, the ‘I’ is slightly different and if you’re moving quickly, you’re panicking because you feel like someone’s accessed your site without your knowledge, then you may not pick that up. So that’s just one example, but it doesn’t stop at Netflix, we’ve also seen streaming sites such as Disney Plus, Amazon Prime, and of course YouTube as well, so a couple of things to bear in mind.
And the other side of stuff is around actual communications regarding Covid-19 as well. So one thing we need to bear in mind is around fake news and illegitimate sources. So at the moment we’re seeing a surplus of 302-plus websites selling home test kits. Again, when you receive these unsolicited e-mails you need to verify the legitimacy of that, and certainly what you don’t want to do is send money to an illegitimate source for a home test kit that’s not real. The other side of things that we are seeing is 44 websites suggesting a Covid-19 cure. Attackers again, going away and banking on the fact that there is a lot of public anxiety and panic at the moment.
And some of the other things we’ve seen is impersonation for the CDC. So the Centre for Disease Control, and also the World Health Organisation as well, so, two legitimate sources that people are trusting with Covid-19- related news being exploited via e-mail and fake websites. So the final piece to wrap this up is around donations. So we’ve seen a number of different fake websites that are coercing people into sending donations for Covid-19 patients at the moment. So the core thing to think about here is when you’re receiving unusual e-mails or notifications or you’re going to websites you don’t recognise, do slowdown and certainly don’t send any money or transfers or information until you can verify that source is legitimate.
So we’ve covered of a lot of different areas so far, and one thing I want to focus on is the human element to what’s going on at the moment. So some of us are fortunate enough to have some great IT teams and technical experts that really understand how to spot these threats and stop and combat them. However, sometimes things do go wrong. And some of these attacks so do catch us off guard. Ultimately it does happen to the best of us, so the core focus here is how do you strengthen your own awareness to look out for these threats, and also be another layer against your company’s cyber-security?
So if you spot something yourself that maybe a solution or scan didn’t pick up, how do you inform your IT team so that so they can combat the threat? But there is certainly a lot to think about. There’s an overwhelming amount of threats that we see, or whether that’s phishing, fake news Punycode attacks, emails that have social engineering language in that, attackers exploiting current affairs, there’s a lot to think about. However, one thing I will say is it’s quite easy to combat and make a start, and what you want to do is simplify. Simplify all of those things we spoken about today into three core areas.
First, e-mail. So making sure you’ve got the right technical controls and also awareness in place to spot those types of attacks, whether that’s a phishing link, a dangerous document that has macros or an impersonation Attack. The next part is web. Again, having the same technical controls in place to block dangerous websites, but also the right amount of awareness to know what those threats look like and take action. And we need to remember that it doesn’t just stop at the office or working from home or your business e-mails and business resources, these attackers can exploit your own personal e-mail addresses and your own personal laptops, machines and mobiles as well. And then the final piece is mobile. So looking out for smishing attacks, vishing attacks, and also being mindful of the websites that you’re actually visiting. If they look elongated or unusual, just pause for a second.
So that’s it. Three core attack surfaces, email, web and mobile. Explore ways that you can get technical controls in place to automate their inbound flow or traffic, when it comes to web making sure you’ve got the right controls to block access through that and then when it comes to mobile, certainly slow down and if you’re receiving an unsolicited notification from an unknown source, think twice before you interact with it.