to gain access to victims' systems. Once inside, they used the company's credentials to attack their client companies. The security of the supply chain has been a recognised weakness in security systems since at least 2013, when it was discovered that attackers had gained access to the Target retail chain in America through an HVAC service provider. Now it appears that APT10 is using that approach on a large scale. The group was discovered by PwC's cyber-security practice and BAE Systems, working alongside the UK's National Cyber Security Centre (NCSC). The scale of the espionage campaign only became apparent in late 2016, but the attack is thought to be the largest sustained global cyber-espionage campaign ever seen. PwC and BAE Systems said APT10 conducted the espionage campaign by targeting providers of managed outsourced IT services as a way in to their customers' organisations around the world, gaining unprecedented access to intellectual property and sensitive data. It is thought the group launched the campaign in 2014 and then significantly ramped it up in early 2016, adding new developers and intrusion operators to continually enhance capability. The group is known to have exfiltrated a high volume of data from multiple victims and used compromised networks to stealthily move this data around the world. A number of Japanese organisations have also been targeted directly in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access. Forensic analysis of the timings of the attack, as well as tools and techniques used, led investigators to conclude that the group may be based in China, but apart from that, it is not known precisely who is behind APT10 or why it targets certain organisations.
Kris McConkey, partner for cyber-threat detection and response at PwC, said that the indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they're exposed to – including those of their supply chain. "This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly," he said. Richard Horne, cyber-security partner at PwC, added that "operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks. Together we've been working to brief the global security community, managed service providers and known end victims to help prevent, detect and respond to these attacks," he added. Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that until there is more detail on the attacks, it would not be possible to make a reliable conclusion as to who was behind the so-called APT10. "Taking into consideration how careless and negligent some managed IT providers are, I wouldn't be surprised if all the attacks were conducted by a group of teenagers – something we have already seen in the past," he said. "IT services providers should better enumerate and assess their digital risks, and implement appropriate security controls to mitigate related threats and vulnerabilities. Security standards, like ISO 27001, can significantly help assure that the risks are continuously identified and are being duly addressed. For cyber-security service providers, accreditation by CREST is also an important factor to demonstrate the necessary standard of care around security, confidentiality and integrity for their own and client data," he added.
"Companies looking to secure their supply chain can oblige their suppliers to get certified by ISO 27001, for example, or to provide solid and unconditional insurance to cover any data breaches and data leaks, including direct and consequent damages."
Just in time for President Trump's meeting with Chinese President Xi Jinping this week, and following the US Secretary of State's recent visit to China, Fidelis Cybersecurity made a troubling discovery of a possible cyber-espionage campaign sponsored by that country, which it's calling Operation Tradesecret. In late February, the Fidelis threat research team observed Scanbox malware embedded on specific webpages on the National Foreign Trade Council (NFTC) site, whose members are key private-sector players involved in lobbying US foreign trade policy. Scanbox provides multiple capabilities to threat actors. It can be used to determine the versions of applications running on the target's machine, as well as to run other selected tools, such as JavaScript keyloggers. Information gathered from this reconnaissance can be used in targeted phishing campaigns, with the goal of exploiting specific vulnerabilities on end-user devices. Indicators show the attackers are part of the global China-backed hacking group APT10, whose actions have extended to organizations in Japan. Scanbox was previously reported to have been used by multiple Chinese actor groups, including those thought to be behind the well-publicized, massive intrusions at Anthem Healthcare and the US Office of Personnel Management (OPM). "In the research community, Scanbox has exclusively been known to have been used by threat actors associated with, or sponsored by, the Chinese government," researchers said in an analysis. "Our most recent observation of the use of Scanbox was on a Uyghur political site. Subsequent research has revealed artifacts suggesting that a similar campaign was conducted shortly after that involved a site masquerading as the Ministry of Foreign Affairs of Japan."
In this case, the targets specifically appear to be the NFTC board of directors, who are participants in the dialogue around the composition of the new trade policy framework being formulated within the Trump administration. "Since the strategic web compromise was observed on the registration page for the board of directors meeting, it can be surmised that the campaign targeted the individuals visiting the site to register for the meeting," Fidelis researchers noted. "We observed a brief, targeted operation in which visitors to select webpages, including those used to register for specific meetings at the NFTC, were served reconnaissance malware known as the Scanbox framework," the firm noted. The link from the NFTC site was removed on March 2, but Fidelis believes that the operation had almost certainly concluded by that time.
Attacker forges security certificates, sends emails to government offices and private citizens. In the past few days, the National Authority for Cyber Security has seen evidence of planned cyber attacks on various targets in the Israeli marketplace. The Authority analyzed the evidence and uncovered the attacker's plan, as well as the different points of application he had used. Their analysis showed the attacker sent emails under the guise of a legitimate organization and attempted to attack 120 organizations, government offices, public institutions, and private citizens. He also forged security certificates, masquerading as a safe company. The National Authority for Cyber Security is continuing its efforts to block the threat, and is working to publish guidelines and suggestions to help the Israeli marketplace avoid future attacks of the same type. The guidelines will be published on the Authority's website.
Researchers have discovered over 300 cybersquatting domains masquerading as real UK banking sites, many of which are designed to trick customers into handing over personal details. DomainTools used its PhishEye tool to search for domains registered by individuals to mimic those of Barclays, HSBC, NatWest, Lloyds and Standard Chartered. It found a whopping 324 registered domains abusing the trademarks of these lenders, including lloydstbs[.]com, standardchartered-bank[.]com and barclaysbank-plc[.]co.uk. "Imitation has long been thought to be the sincerest form of flattery, but not when it comes to domains," explained DomainTools senior security researcher Kyle Wilhoit. "While domain squatters of the past were mostly trying to profit from the domain itself, these days they're often sophisticated cyber-criminals using the spoofed domain names for more malicious endeavors." Cybersquatting can be used for a variety of ends, including redirecting the user to pay-per-click ads for the victim company's competitors, for-profit survey sites, or ransomware and other forms of drive-by malware. However, one of the most common is to create a phishing page similar to the spoofed bank's original, which will ask for log-ins or other banking and personal information. This year's Verizon Data Breach Investigations Report (DBIR) claimed phishing has soared in popularity, present in a fifth (21%) of attacks, up from just 8% last year. "Many [cybersquatters] will simply add a letter to a brand name, such as Domaintoools.com, while others will add letters or an entire word such as 'login' to either side of a brand name. Users should remember to carefully inspect every domain they are clicking on or entering in their browser. Also, ensure you are watching redirects when you are going from site to site," advised Wilhoit.
"Brands can and should start monitoring for fraudulent domain name registrations and defensively register their own typo variants. It is better to lock down typo domains than to leave them available to someone else and, at an average of £12 per year per domain, this is a relatively cheap insurance policy."
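A brand-monitoring check of the kind Wilhoit describes, as an added example that is not DomainTools' PhishEye or any code from the article: given a feed of newly registered domains, it flags those that are a protected brand label with one letter added, removed or changed, or the brand label with extra letters or a word such as "login" attached on either side. The brand list, the sample feed and the classification labels are constructed for this demo; the three defanged domains quoted in the article are included as inputs.

```python
"""Flag newly registered domains that squat on a brand name.

Added example: a simple typo/affix-squat detector of the sort a brand
monitoring team would run over a daily feed of new registrations.
Brand list, sample feed and classification labels are constructed for
this demo; this is not DomainTools' PhishEye logic.
"""

# Brand labels to protect (constructed list; lower-case, no hyphens).
BRANDS = ["barclays", "hsbc", "natwest", "lloyds", "standardchartered", "domaintools"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Normalise a possibly defanged domain ('lloydstbs[.]com') to its first label.

    The feed is assumed to hold registrable domains only, so the first label
    is the one the registrant chose (hsbc.co.uk -> 'hsbc').
    """
    clean = domain.lower().replace("[.]", ".").strip(". ")
    return clean.split(".")[0]


def classify(domain: str, brands=BRANDS):
    """Return a finding dict for a squat candidate, or None if it is unrelated.

    kind is one of:
      'exact' - the bare brand label (the brand's own registration, or a TLD
                the brand has not locked down)
      'typo'  - one letter added, removed or changed (domaintoools)
      'affix' - brand plus extra letters or a word on either side
                (lloydstbs, standardchartered-bank, barclaysbank-plc)
    """
    label = registrable_label(domain)
    stripped = label.replace("-", "")   # 'standardchartered-bank' -> 'standardcharteredbank'
    for brand in brands:
        if stripped == brand:
            return {"domain": domain, "brand": brand, "kind": "exact"}
        if edit_distance(stripped, brand) == 1:
            return {"domain": domain, "brand": brand, "kind": "typo"}
        if brand in stripped:
            extra = stripped.replace(brand, "", 1)   # what was bolted onto the brand
            return {"domain": domain, "brand": brand, "kind": "affix", "extra": extra}
    return None


def scan(feed):
    """Run classify over a feed of new registrations and keep only the hits."""
    return [hit for hit in (classify(d) for d in feed) if hit]


# Constructed sample feed: the three defanged domains from the article plus
# a typo-squat, a legitimate brand registration and an unrelated domain.
SAMPLE_FEED = [
    "lloydstbs[.]com",
    "standardchartered-bank[.]com",
    "barclaysbank-plc[.]co.uk",
    "domaintoools.com",
    "hsbc.co.uk",
    "example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FEED):
        print(hit)
```

The 'exact' hits are worth keeping rather than discarding: a bare brand label on a TLD the brand has not registered is exactly the defensive registration gap the article recommends closing.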
The Google Doc phishing scam that conned over a million users this week illustrates how attackers cleverly respond to more widespread end-user awareness about how phishing attacks work. The attack didn't ask users to enter credentials. Instead, it exhibited very few traditional phishing scam behaviors and couldn't have been detected by endpoint protections. Some researchers are calling this attack a "game changer" that could be just the start of a new wave of attacks that take advantage of third-party authentication connections rampant in the cloud services-based economy. The attack tricked victims into clicking a link that gave attackers access to their Google Drive through OAuth authentication connections commonly used by third-party applications. The attackers did so by sending victims lure messages claiming to contain links to a shared Google Doc. Instead of a legit document, the link actually initiates a process to give a phony app masquerading as "Google Docs" access to the user's Google account. If the user is already logged into Google, the connection routes that app into an OAuth permissions page asking the user to "Allow" access to the user's legitimate Google Drive. "You aren't giving your Google credentials directly to the attacker. Rather, OAuth gives the attacker permissions to act on behalf of your account. You're on the real Google permissions page. OAuth is a legitimate way to give third-party applications access to your account. The application name is 'Google Docs,' which is fake but convincing," says Jordan Wright, R&D engineer for Duo Security. "So unless you know that Google Docs won't ask for your permissions, there is little you could use to determine that this was fake."
The lure emails appear to come from Google Drive from a previous victim, making it difficult to detect as a fakeout, says Travis Smith, senior security researcher at Tripwire. "Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers," says Smith. "For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained to not click on every link they come across: 'Does it come from someone you trust, and validate the link is going to a trusted source?'" The only big tip-off is that many of the messages seem to have a suspicious account, hhhhhhhhhhhhhhhh@mailinator.com, cc'd on the message, says John Bambenek, threat research manager at Fidelis Cybersecurity. He says the attack shows the glaring problem with OAuth, namely that it allows passive authentication. Netskope's analysis found that a number of enterprise users across various industries ended up falling prey to this attack. Google worked to quickly block the attack, but there was a window of opportunity in that time between compromise and mitigation where emails, contacts, attachments and whatever else on a Google account could have been purloined, he warns. "If an enterprise has identified that their users have granted access to the app in this attack, we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app," Balupari writes.
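A grant audit of the kind Balupari recommends, as an added example rather than code from Google or any of the vendors quoted: it walks a list of third-party app grants of the sort an identity provider can export, flags those whose app name borrows a first-party product name while coming from an outside publisher (the "Google Docs" trick described above), ranks them by the scopes they hold, and lists the accounts whose post-grant activity should be reviewed. The Grant record layout, the scope names, the publisher field and the sample grants are all constructed for this demo.

```python
"""Audit OAuth app grants for consent-phishing impersonation.

Added example. The Grant record, the scope labels and the 'publisher'
field are constructed stand-ins for whatever an identity provider's
export shows; they are not Google's or any vendor's API.
"""
from dataclasses import dataclass

# Only the platform owner should be publishing apps under these names.
FIRST_PARTY_PUBLISHER = "Google"
FIRST_PARTY_NAMES = {"google docs", "google drive", "google", "gmail"}

# Constructed scope labels, weighted by what a hostile app gains from them.
SCOPE_WEIGHT = {
    "mail.readwrite": 3,   # read and send mail as the victim (lets the lure re-send itself)
    "contacts.read": 2,    # harvest the next round of lure recipients
    "drive.read": 2,       # exfiltrate documents
    "profile.read": 0,     # name and picture only
}


@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str
    publisher: str        # developer shown on the consent page (constructed field)
    scopes: frozenset
    granted_at: str       # ISO-8601 timestamp, as exported


def normalise(name: str) -> str:
    """Fold case and collapse whitespace so 'Google  Docs' still matches."""
    return " ".join(name.lower().split())


def impersonates_first_party(g: Grant) -> bool:
    """A first-party product name published by anyone but the platform owner."""
    return normalise(g.app_name) in FIRST_PARTY_NAMES and g.publisher != FIRST_PARTY_PUBLISHER


def scope_score(g: Grant) -> int:
    """Sum the scope weights; a scope we have no weight for counts 1."""
    return sum(SCOPE_WEIGHT.get(s, 1) for s in g.scopes)


def audit(grants):
    """Return (grant, score) pairs for impersonating apps, riskiest first."""
    flagged = [(g, scope_score(g)) for g in grants if impersonates_first_party(g)]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0].granted_at))


def users_to_review(grants):
    """Accounts whose mail, contacts and drive activity after the grant need auditing."""
    return sorted({g.user for g, _ in audit(grants)})


# Constructed sample export: one consent-phishing grant, one ordinary third-party
# app, one genuine first-party app and one low-privilege impersonation.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "unlisted developer",
          frozenset({"mail.readwrite", "contacts.read"}), "2017-05-03T18:02:11Z"),
    Grant("bob@example.com", "Slack", "Slack Technologies",
          frozenset({"drive.read"}), "2017-04-20T09:15:00Z"),
    Grant("carol@example.com", "Google Drive", "Google",
          frozenset({"drive.read"}), "2017-01-09T12:00:00Z"),
    Grant("dave@example.com", "google docs", "someone else",
          frozenset({"profile.read"}), "2017-05-03T18:05:40Z"),
]

if __name__ == "__main__":
    for g, score in audit(SAMPLE_GRANTS):
        print(f"{score:2d}  {g.user:20s} {g.app_name!r} by {g.publisher!r} at {g.granted_at}")
    print("review:", users_to_review(SAMPLE_GRANTS))
```

Bob's Slack grant is not flagged even though it reads Drive: a third-party app under its own name is what OAuth is for, and the signal here is the name collision with a first-party product, not the scopes alone. Revoking the grant is only the first step; the mail and contacts scopes are what make the post-grant activity review necessary.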
Between an industry-wide push to encrypt all web traffic and the newfound popularity of secure chat apps, it's been a boom time for online privacy. Virtual private networks, which shield your web traffic from prying eyes, have rightly garnered more attention as well. But before you use a VPN to hide your online shopping from the IT department at your company—or help protect yourself from state surveillance—know that not all mobile VPNs are created equal. You can use VPNs to conceal the location revealed by your IP address; one common use before a recent crackdown was to access regional content, like US Netflix, from countries with lesser libraries. Ideally, a VPN funnels all your traffic through an encrypted, secure, private network, making it more difficult for a third party to monitor your browsing than if your data were exposed on a public network. It all sounds great, but isn't always so rosy in practice. That's because using a VPN grants the company behind it extensive access to your data at the same time that it hides the stream from everyone else. Even worse, malware masquerading as a VPN could do real damage by concealing malicious activity on your device behind a veneer of security protection. "These days, many people know what a VPN is and what they can do with one," says Kevin Du, a computer security researcher at Syracuse University and an IEEE senior member. "Not many people know what a bad or flawed VPN can do to their devices, because they don't know how VPN works." VPNs have been around for years, as have their attending trust issues. But while previously VPN enthusiasts were mostly a core base of desktop users, the mobile boom and app-store accessibility have created an explosion in mobile VPN offerings.
UK police are warning that fraudsters are posing as Department of Education officials in order to trick schools into installing ransomware. An Action Fraud notice claimed that the fraudsters have been cold calling education institutions pretending to be government officials and socially engineering the victim into giving them the email address of the head teacher, in order to send across "sensitive information". The resulting email contains a .zip attachment loaded with ransomware that will apparently demand up to £8000 to recover the files. Action Fraud claimed similar cases have been noted where the fraudsters pretend to be calling from the Department for Work and Pensions, or even telecom providers. The newly reported incidents represent an escalation in tactics designed to get ransomware on the networks of targets presumably selected because they may be relatively poorly secured and willing to pay a high penalty to gain access back to their data. "Once again, hackers have preyed on the weakest link in security – the end-user – but this is not where the fault lies. It's unfair to expect busy teachers to be able to tell the difference between an email from the Department of Education and these sophisticated mimics," argued Fraser Kyne, EMEA CTO at Bromium. "Hackers are clever and convincing con artists, yet the industry continues to try and convince us that they can be defeated through detection tools and user education. As we can see from the rise in such attacks, this approach is neither realistic nor effective." In related news, new tactics designed to deliver the Petya variant GoldenEye have been discovered using fake job application emails. The new campaign is designed to target HR staff, with the ransomware hidden in a malicious attachment masquerading as a CV, according to Check Point.
The emails also contain a harmless PDF as a covering letter in order to lull the recipient into a false sense of security, the vendor claimed.