Category Archives: Cybercrime

IoT Security Still an Afterthought for Many IT Leaders — This Must Change

by Simon Edwards

IoT security is new frontline in the battle against enterprise cyber-threats. As more smart endpoints are connected to corporate networks, the potential for mass data theft, service outages, sabotage and more will only increase. Yet new Trend Micro research reveals that only half (53%) of IT and security decision makers regard IoT as a security risk. This is a major miscalculation that could cost their organisations dear in the long run.

You need to start planning now for ways to mitigate the new risks presented by IoT technologies. Our annual CLOUDSEC show in September will also provide some much-needed best practice advice in this area. Continue reading

CLOUDSEC is Back: This Time We’re Taking on AI

by Ross Baker

The threat landscape moves so fast sometimes that just staying on top of current trends can be a full-time job for IT security professionals. That’s where industry events like Trend Micro’s CLOUDSEC come in. Now in its fourth year, it offers a platform for leading security practitioners, law enforcers, technical experts, academics and many others to share best practices and anticipate the key trends shaping the future of information security.

This year’s event will be no different. With a tag-line of Freedom to Connect: Man versus Machine there’ll be a special focus on the challenges and opportunities for the industry presented by artificial intelligence (AI). Continue reading

Latest Sextortion Campaign Highlights Impact of Poor Corporate Security

by Bharat Mistry

The UK’s national fraud and cybercrime reporting centre is warning UK netizens of a new sextortion campaign in which the attackers threaten to publish an intimate webcam video of their victims. They make the threat more realistic by including a genuine password that the victim has used in the past. While user education is the most effective way to counter this kind of opportunistic digital blackmail, the case highlights yet again the potential downstream impact of corporate breaches.

By improving enterprise security standards across the board and migrating away from password-based systems, organisations can not only reduce data breach costs but also the knock-on effects of PII compromise that may haunt customers for years.

A new take
Online extortion is nothing new, in fact it’s what has made ransomware such a popular money-maker for cyber-criminals. But this campaign is slightly different in that it includes the victim’s password in the subject line. Action Fraud claimed to have contacted several of the 110+ victims who reported the unsolicited scam email and they confirmed the credential to be recent. It’s more than likely that they were bought on a dark web site, after originally being stolen from an online provider.

Having grabbed the recipient’s attention by posting the valid password, the extorter then claims to have recorded a webcam video of the individual watching pornography, and to have used malware to harvest all of their social media contacts. Users are required to pay $2,900 in Bitcoin within 24 hours.

The email concludes:

“If I do not receive the BitCoins, I will definately send out your video recording to all of your contacts including close relatives, co-workers, and many others. Nevertheless, if I receive the payment, I’ll destroy the video immidiately. If you need evidence, reply with “Yes!” and I will send your video to your 10 friends. It is a non-negotiable offer, therefore do not waste my time and yours by responding to this message.”

What can we learn?
Action Fraud is quite rightly urging netizens not to panic, not to pay up and to always respond to any unsolicited message like this critically. It also pays to cover up your webcam, just in case. While this sextortion campaign is clearly a scam, previous ones have used malware to genuinely record individuals via their webcams. In fact, it was estimated in 2016 that thousands of Brits are likely caught out by such attacks each year, with at least four suicides linked to the trend.

But pulling back even further, this particular scam campaign is made possible in part via breached credentials. One could argue that if organisations worked harder to secure customer data in the first place, as the GDPR demands, there would be fewer opportunities for follow-on blackmail and fraud. That means choosing a trusted partner to provide security at every layer of your infrastructure, from endpoint to web/email gateway, network and server. Trend Micro’s cross-generational blend of cyber-defence tools is optimised to offer protection where you need it most from the huge range of modern threats.

Best practice security today also dictates moving away from static password-based systems for your employees and customers and towards multi-factor authentication. With no passwords to steal, breaches become harder to carry out and the resulting impact on users diminishes.

Scams like this one are just the tip of the iceberg and we could see an escalation in similar blackmail attempts using breached PII as a highly effective social engineering tactic. The GDPR should be your guide here. Only with improved security processes backed up with state-of-the-art technologies can organisations minimise opportunities for the cyber-criminals and reduce the risk of long-term post-breach brand damage.

Armed and Ready for a Great H2 2018

by Matt Poulton

With the first half of the year almost unbelievably already over, Team Trend Micro UK upped sticks to Winchester last week to kick off 2H 2018. Why Winchester? Because this is where you can find the British Army Training Regiment. It was a privilege to hear from some truly inspiring individuals during our stay there, and experience some obstacles of our own to overcome as a team. It’s set us up for what we hope will be another knock-out six months. Continue reading