Category Archives: Malware

Latest Sextortion Campaign Highlights Impact of Poor Corporate Security

by Bharat Mistry

The UK’s national fraud and cybercrime reporting centre is warning UK netizens of a new sextortion campaign in which the attackers threaten to publish an intimate webcam video of their victims. They make the threat more realistic by including a genuine password that the victim has used in the past. While user education is the most effective way to counter this kind of opportunistic digital blackmail, the case highlights yet again the potential downstream impact of corporate breaches.

By improving enterprise security standards across the board and migrating away from password-based systems, organisations can not only reduce data breach costs but also the knock-on effects of PII compromise that may haunt customers for years.

A new take
Online extortion is nothing new, in fact it’s what has made ransomware such a popular money-maker for cyber-criminals. But this campaign is slightly different in that it includes the victim’s password in the subject line. Action Fraud claimed to have contacted several of the 110+ victims who reported the unsolicited scam email and they confirmed the credential to be recent. It’s more than likely that they were bought on a dark web site, after originally being stolen from an online provider.

Having grabbed the recipient’s attention by posting the valid password, the extorter then claims to have recorded a webcam video of the individual watching pornography, and to have used malware to harvest all of their social media contacts. Users are required to pay $2,900 in Bitcoin within 24 hours.

The email concludes:

“If I do not receive the BitCoins, I will definately send out your video recording to all of your contacts including close relatives, co-workers, and many others. Nevertheless, if I receive the payment, I’ll destroy the video immidiately. If you need evidence, reply with “Yes!” and I will send your video to your 10 friends. It is a non-negotiable offer, therefore do not waste my time and yours by responding to this message.”

What can we learn?
Action Fraud is quite rightly urging netizens not to panic, not to pay up and to always respond to any unsolicited message like this critically. It also pays to cover up your webcam, just in case. While this sextortion campaign is clearly a scam, previous ones have used malware to genuinely record individuals via their webcams. In fact, it was estimated in 2016 that thousands of Brits are likely caught out by such attacks each year, with at least four suicides linked to the trend.

But pulling back even further, this particular scam campaign is made possible in part via breached credentials. One could argue that if organisations worked harder to secure customer data in the first place, as the GDPR demands, there would be fewer opportunities for follow-on blackmail and fraud. That means choosing a trusted partner to provide security at every layer of your infrastructure, from endpoint to web/email gateway, network and server. Trend Micro’s cross-generational blend of cyber-defence tools is optimised to offer protection where you need it most from the huge range of modern threats.

Best practice security today also dictates moving away from static password-based systems for your employees and customers and towards multi-factor authentication. With no passwords to steal, breaches become harder to carry out and the resulting impact on users diminishes.

Scams like this one are just the tip of the iceberg and we could see an escalation in similar blackmail attempts using breached PII as a highly effective social engineering tactic. The GDPR should be your guide here. Only with improved security processes backed up with state-of-the-art technologies can organisations minimise opportunities for the cyber-criminals and reduce the risk of long-term post-breach brand damage.

A New EU Cyber Force Highlights the Power of Strategic Alliances

by Bharat Mistry

Several EU members states have just resolved to develop a new cyber-response force to help mitigate the threat posed by online attacks in the future. It’s another very promising step towards a more joined approach to cybersecurity at a trans-national level. But let’s not also forget the importance of public-private partnerships here, to ensure that those governments avail themselves of the best resources and intelligence available from leading private sector cybersecurity companies. Continue reading

MPs Are Right to Fear CNI Threats: Here’s How to Mitigate Them

by Bharat Mistry

A new poll has revealed that many MPs regard cyber-attacks on the UK’s critical national infrastructure (CNI) as the biggest online threat facing the nation. The good news is that we have an EU law to tackle exactly this challenge: the NIS Directive. But effective compliance will only be possible if organisations working in these sectors get better at bridging the traditional divide between IT and OT. Continue reading

Global BEC Disruption is Welcome, But Don’t Forget Email Security

by Bharat Mistry

This week the FBI announced a major international law enforcement operation spanning six months which resulted in scores of arrests and serious disruption to several Business Email Compromise (BEC) campaigns. At Trend Micro we welcome any efforts designed to make it harder for the black hats to make money from their illicit schemes. But we can’t rely on law enforcement alone.

Organisations must also get proactive by improving staff training and education and ensuring they have the kind of email protection capabilities which can spot and block BEC scams. Continue reading