Hackers have come up with some convincing new phishing attacks aimed at businesses, and they’ve moved from double to triple extortion by targeting individuals named in leak data.  And just wait until you hear how long it takes them to target a vulnerability once it’s disclosed…

When You Don’t Pay, Your Customers May

After years of ransomware data lock-ups, hackers began adding a new wrinkle to the attack by threatening to leak private internal data in addition to deleting it off of networks.  Now, they’re taking it one step further – by threatening to contact the individuals and companies named in the data.

When breached companies don’t pay the demanded ransom to keep stolen data off of the dark web, some hackers then contact each person named in the data and demand payment to keep it private.  The hackers aren’t shy about the source of the stolen data, and they’re quick to let everyone know that the target refused to pay to keep the data private. [Read more at Health IT Security]

New, More Sophisticated Phishing Attacks Targeting Businesses in 2021

Cybercriminals are getting more creative with phishing emails designed to trick employees to hand over credentials and credit card information.  Business targets are especially likely to receive high-quality counterfeits.

Some recent tricks include:

(1) providing a QR code which, when scanned, directs a device to a malware distribution site

(2) phishing emails that link to legitimate Facebook pages – which link to malware distribution sites

(3) fake invoices for very small purchases (that were never actually made) designed to collect Credit Card information. [Read More at Threatpost]

Hackers Move with Minutes of Notice

The very best hackers discover software vulnerabilities and attack them before they are ever disclosed.  Most hackers aren’t that good – so they wait for a new vulnerability to be disclosed and start scouring networks for unpatched devices. And they get to work fast.  In fact, one cybersecurity company started detecting attacks within five minutes of a vulnerability and patch being disclosed.  You can’t rely exclusively on software patching to protect against vulnerabilities when your lead time is measured in seconds. [Read more at ZDNet]