This month’s cybersecurity news includes ransomware masquerading as a cease-and-desist letter, a hacked password manager, and the Department of Justice trying to slow down the unbridled growth of cybercrime.
Microsoft detailed a recent malware attack that arrives via a legal threat submitted on a company website form. In the real-life example provided, a “photographer” submits a form that accuses the company of using her photos on its website without permission. The form includes a link to a Google Sites-hosted document that supposedly details specific photos that are being used without permission.
The attacker leans on trusted services to make the attack seem less suspicious. Because the email originates from a website form submission, it comes from the company’s own domain, which is unlikely to be blocked. The link in the form points to a legitimate Google.com address, and recipients who follow it must sign in with a legitimate Google account to continue. Both factors help the link slip past malware filters that key on untrusted senders and domains.
Once the recipient has followed the link and logged into their Google Account, a zip file downloads. If executed, this file installs malware that steals banking credentials and allows cybercriminals long-term access to internal file systems.
This is just the latest example of why it’s dangerous to execute email attachments or files that you weren’t expecting. [Read More at Microsoft]
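A defender-side way to act on the attack chain described above is to score inbound contact-form submissions for the combination of signals Microsoft’s report highlights: legal-threat wording plus a link to a free hosted-document service. The following is an added example, not code from Microsoft or from the original post; the keyword list, weights, review threshold, and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators drawn from the attack described above: a legal threat delivered
# through the site's own contact form, with a link hosted on sites.google.com.
# Keyword list, weights and threshold are assumptions for this example.
LEGAL_THREAT_TERMS = ("copyright", "without permission", "legal action",
                      "cease and desist", "lawsuit", "infringement")
HOSTED_DOC_DOMAINS = {"sites.google.com"}
ARCHIVE_HINT = re.compile(r"\.zip\b|\bdownload\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def score_submission(text: str) -> dict:
    """Score one contact-form body and return the score with its reasons."""
    lowered = text.lower()
    reasons = []
    score = 0
    hits = [term for term in LEGAL_THREAT_TERMS if term in lowered]
    if hits:
        score += 2
        reasons.append("legal-threat wording: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in HOSTED_DOC_DOMAINS:
            score += 3
            reasons.append("link to free hosted document: " + host)
    if ARCHIVE_HINT.search(text):
        score += 1
        reasons.append("mentions a download or .zip archive")
    # A submission combining threat wording and a hosted-document link
    # reaches the review threshold; either signal alone does not.
    return {"score": score, "review": score >= 5, "reasons": reasons}


# Constructed sample submissions (not real messages).
SAMPLES = {
    "threat": ("I am a professional photographer. Your website uses my photos "
               "without permission. Proof of copyright infringement is here: "
               "https://sites.google.com/view/example-evidence-doc . Remove "
               "them or I will take legal action."),
    "benign": ("Hello, I would like a quote for 200 units of product A. "
               "Our spec sheet is at https://example.com/specs.pdf"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_submission(body))
```

Flagged submissions would be routed to a human reviewer rather than forwarded straight to the inbox, which is where the attack relies on the recipient clicking through.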
An update recently issued for the password manager Passwordstate contained malware that was installed on users’ networks. Once the update was installed, data stored in Passwordstate user accounts (including website URLs, usernames and passwords) was automatically uploaded to a content delivery network controlled by the attackers. Passwordstate developer Click Studios has recommended that its users change all passwords stored in their accounts.
While the extent of this attack is still unfolding, the SolarWinds-style attack method being used – embedding malware in software updates to reach end users – is worrisome. These “supply chain” attacks require more time and effort than single-target attacks, but they can yield tremendous amounts of data. The fear is that they may become more prevalent as cybercriminals get better at exploiting massive numbers of compromised accounts in the window of time before notified users change their passwords. [Read more at Gizmodo]
The US Department of Justice is launching a task force focused on disrupting ransomware attacks and bolstering education on the issue, after what Acting Deputy Attorney General John Carlin said was “By any measure the worst year ever when it comes to ransomware and related extortion events.”
The DOJ is trying to disrupt the risk-reward structure of ransomware attacks, in which a successful ransom can yield millions of dollars while overseas cybercriminals are unlikely to be identified and even less likely to be brought to justice. The plan aims to turn the tide on all three of these measures – improving methods to identify cybercriminals, finding new ways to bring them to justice, and reducing ransomware payouts by taking down command-and-control and data distribution servers more quickly and more often.
Deputy Attorney General Carlin said he had personally seen multiple ransoms exceeding $20 million paid by companies in his previous work as a private attorney. “In almost every case, they knew the amount of damage [that could be caused if they didn’t pay] was 10, 20 times what they were paying,” Carlin said. [Read more at the Wall Street Journal]