Cyber threats have become a top concern for today’s security, risk, finance, legal and technology leaders. With notable data breaches leading evening newscasts and malicious e-mails zipping through inboxes, the Internet is quickly becoming a combat zone. And the war rages on not only between white hats and black hats, but also with outside parties, such as government officials, who are paying increasing attention to the issue.
To bring some relief to Internet users under siege, the U.S. House of Representatives recently approved the Protecting Cyber Networks Act to grant private companies certain liability protections in order to encourage the reporting of cyber breaches.
This information would then be shared with designated government agencies, including the Department of Homeland Security and the Department of Treasury. The bill encourages companies to share threat intelligence with one another, ultimately helping them put better security practices in place.
Guest article by Dylan Sachs, Director, Incident Response, BrandProtect
Still, despite the benefits of this bill, it remains more of a political statement on the status of cybersecurity and information sharing than a sure-fire template to stop cyber threats. Other groups have attempted to create standards for cybersecurity, such as Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII), but no group has proposed an irrefutable suggestion. Having the support of a federal entity would certainly help businesses gain access to larger databases to catch cybercriminals more quickly.
However, even as businesses prepare to fend off large-scale attacks, they often overlook the lesser-publicized threats that don’t reach for news headlines as often. If left unmonitored, these smaller threats can wreak just as much havoc on a company’s bottom line and brand reputation as the large ones. Thankfully, the information required to identify these risks and the tools to mitigate them often don’t even need a third party to become involved.
Here are three common threats that often get minimized by businesses because they don’t grab the general public’s interest. Therefore, politicians are not as likely to invest their time and rallying power into these threats — but that doesn’t mean the long-lasting impact is any less potent.
According to Verizon’s 2015 Data Breach Report, during the past two years, more than two-thirds of all cyber espionage incidents involved phishing. In fact, a small phishing campaign of only 10 emails is more than 90 percent likely to produce at least one victim.
And, while today’s Internet users may have become savvier in noticing blatant phishing emails, today’s cybercriminals have also evolved. By tapping into some of today’s most buzzed-about news stories, such as the 2014 Ebola outbreak or the 2013 Target breach, scammers are able to more easily target unsuspecting email users.
For instance, lately, there has been an increase in fake e-mail activity around the recent earthquake in Nepal. These scammers claim to be from reputable charities. But, rather than donating to help the people of Nepal, users may be sending donations to the hacker — or another group entirely.
Traditionally, phishing emails were tied almost exclusively to phishing websites – fake sites designed to fool users into giving up their account details and other personal information. Recently, however, phishing emails are being used to infect users with potentially devastating malware, which can turn an infected machine into anything from a traffic proxy to a distribution node for other malicious files.
Rogue Mobile Apps
With more than 1.4 million apps currently available in Google Play, it’s fairly easy for a malicious application to masquerade as a familiar, legitimate one.
Often, users hear about the “latest app” and run to download the first one that pops up in their search, rather than looking very closely at it to ensure it’s authentic. The app may look official and even feature the brand’s logo and imagery. However, what they’ve just downloaded may actually be an app riddled with malware. An additional level of risk is added by the plethora of third-party app stores, many of which are run by the “bad guys” themselves.
The pace of the app revolution has increased significantly in the last few years as users tap into apps for everything from gaming and banking to tracking their health. As users have flocked to mobile platforms, hackers have also become more sophisticated in their techniques to design imposter apps to trap innocent consumers. Take, for instance, the Virus Shield incident in which users paid $4 to download the app, which did absolutely nothing. Meanwhile, the developers made almost $40,000 before Google caught the scam.
Sinister Social Posts
Social media is by far the fastest-growing domain for scammers. As brands invest in these channels to stay relevant and engaged with their customers, scammers are also taking advantage of users across social media. These platforms allow scammers to sit back and watch as users become unwilling accomplices by sharing malicious content with their own followers.
According to Symantec’s latest Internet Security Report, 70 percent of social media scams in the last year were manually shared by users. This speaks to the fact that social users trust when they see a well-known brand posting on social media, and they may not think twice about sharing posts.
Beyond the Headlines
In today’s cybercrime-ridden world, attacks in progress or schemes that infect systems with malware may grab the most headlines, but simple phishing, brand abuse and identity theft continue to set the stage for larger-scale attacks.
The breach of a sophisticated network can happen with the click of a mouse, but the exploitation of that network does not happen overnight. And, luckily, many companies are now investing in monitoring technologies and services to identify and mitigate potential threats, both internal and external, no matter how small. The forensic data developed from phishing attack investigations can reveal just as much about potential hackers and criminals as those who are plotting larger-scale incidents.
Whether or not a business is willing to share its information with the government to potentially help curb large data breaches, these smaller threats will remain a serious risk. If left unchecked, something as simple as a phishing e-mail could have long-lasting ramifications for the brand and its business. That is why implementing a wider, more encompassing security strategy, one that might include a holistic monitoring approach, could potentially help businesses.
By taking the information they already have access to and then identifying risks across multiple online domains, businesses will be able to safeguard companies and citizens alike. And in the end, companies will be able to ensure a better business model with proactive threat monitoring, a more solid brand reputation and a safer consumer community.
Dylan Sachs, Director, Identity Theft at BrandProtect, is responsible for leading the Incident Response Team, which handles all identity theft incidents targeting BrandProtect clients. Leveraging his technical and customer service background, Dylan works directly with many Fortune 500 national and international banks to help better protect their customers through developing anti-phishing and identity theft strategies. He is a regular participant and contributor to APWG (Anti-Phishing Working Group) and FIRST (Forum for Incident Response and Security Teams) groups, and hopes to meet you at one of the many conferences he attends.