We know that as time goes on, the cybercrime network’s operations will only more closely resemble those of any legitimate, sophisticated business network. And like all enterprising businesspeople, those who are part of the “cybercriminal hierarchy”—which is discussed in the Cisco 2014 Annual Security Report and illustrated below—look to increase their profits by continually innovating new products and improving upon existing ones.
This was certainly the trend in 2013: Cisco researchers observed cybercriminals applying several tried-and-true techniques in new, bold, and highly strategic ways. The Cisco 2014 Annual Security Report examines some of these actions and our associated research in detail, including:
Brute-force login attempts: There was a threefold increase in the use of brute-force login attempts just in the first half of 2013. Cisco TRAC/SIO researchers discovered a hub of data with millions of username and password combinations that malicious actors were using to feed these actions. Many brute-force login attempts are being directed specifically at popular content-management system (CMS) platforms like WordPress, Joomla, and Drupal. (Read the Cisco 2014 Annual Security Report to find out why CMS platforms are favored targets—especially for adversaries trying to commandeer hosting servers in an effort to compromise the Internet’s infrastructure.)
Distributed denial of service (DDoS) attacks: Another oldie but goodie among cybercrime techniques, DDoS attacks have been increasing in both volume and severity since 2012. But today’s DDoS attacks aren’t just about creating disruption for businesses or making a political statement. There is evidence some attacks are now being used as smokescreens to conceal the theft of funds. The DarkSeoul attacks, examined in theCisco 2014 Annual Security Report and a big focus for our researchers last year, are an example of this strategy. Looking ahead, we expect DDoS attacks launched through DNS amplification to be an ongoing concern. (It’s not a big leap when you consider The Open Resolver Project reports that 28 million open resolvers on the Internet pose a “significant threat.”)
Ransomware: In 2013, we saw many attackers moving away from traditional botnet-driven infections on PCs and increasing their use of ransomware. This includes a new type of malware in this category called Cryptolocker, which our researchers discovered last fall. Ransomware prevents normal operation of infected systems until a prescribed fee is paid. It provides a direct revenue stream for attackers—and it’s hard to track.
The Cisco 2014 Annual Security Report also notes that while the tactics used by today’s profit-oriented online criminals are only growing in sophistication, there’s a shortage of security talent to help organizations address these threats. The bottom line: Most organizations just don’t have the people or systems to monitor their networks consistently. There’s also a clear need for data scientists who can help the business understand why cybersecurity needs to be a top priority, and how security and business objectives can (and should) be aligned.
A few months ago we discussed the various ways that consumer PII is compromised. The recent attacks against Target and Neiman Marcus illustrate the constant threat that payment card accepting retailers of all sizes face. Yesterday Reuters reported that similar breaches over the holidays affected “at least three other well-known U.S. retailers”. Given the current onslaught, it’s a good time for retailers to examine their detection capabilities before a payment card data attack, while creating new goals for shortening remediation windows during and after an attack.
Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from VolksbankU
Update 2014-01-21: We’ve updated the chart to include the Vodafon emails and latest URL activity
English language has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English language emails, spammers have
also adopted the English language as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German language masquerading as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland, with subsequent messages masquerading as messages from NTTCable and Volksbank.
Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16 however the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heap map below. The vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.
This heat-map represents the malicious URL activity we have detected and blocked:
When Fox-IT published their report regarding malvertisements coming from Yahoo, they estimated the attack began on December 30, 2013, while also noting that other reports indicated the attack may have begun earlier. Meanwhile, Yahoo intimated a different timeframe for the attack, claiming “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”
With so much uncertainty regarding this attack, Cisco TRAC decided to review what data we had to see if we could sort out some of the competing claims. Cisco Security Intelligence Operations data regarding the Yahoo incident supports the conclusion that the attack against Yahoo began on December 31. However, the malicious advertisements were just one attack in a long series of other attacks waged by the same group.
There are many advantages in outsourcing functions to specialist providers that can supply services at lower cost and with more functionality than could be supplied in-house. However, companies should be aware that when buying services, you may also be buying risk. Organisations that have successfully implemented strategies to reduce the probability of experiencing a breach, and to decrease the time required to discover and remediate breaches, may still encounter embarrassing public breaches via third parties. Within the past two weeks, we have seen two examples of companies having their websites defaced apparently due to security lapses in service providers. Read More »