July Computer Use Threat Advisory

Highlights

  • Please be advised that a ransomware campaign similar to WannaCry is currently spreading internationally.
  • A new phishing scam is targeting PayPal users not only for their login credentials, but also for selfies of them holding their ID cards.
  • Mobile clicks on malicious URLs doubled in 2016, revealing the importance of being suspicious of unexpected messages across all device platforms.
  • In 2016, more than 99% of attachment-based email attacks were enabled by the user clicking something rather than an automated exploit.
  • OneLogin says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.

Learn about the latest cyber threats below, along with a more expansive list of best practices. Remember, safety is everyone’s responsibility!

Need to Know

  • Please continue to be aware that if any County PC receives a ransomware pop-up, that PC should be shut down immediately and Information Systems notified by the department manager.
  • Do not use unsubscribe links in unsolicited messages because they may be forged and could confirm that your email address is legitimate.
  • Do not fill out forms or reply to email messages / phone calls that ask for personal financial information or to confirm account information.
  • Do not download any files or execute software that is from the Internet unless it is for county business and has been approved & scanned for viruses by MIS.

Read on to find out more about these threats and others that can wreak havoc in your professional and personal lives.

Email Threats

  • The global spam rate decreased slightly in May, but is still slightly over 54%.
  • The email malware rate increased again in May, coming in at one in 422 emails.
  • The number of new malware variants decreased in May with 76.7 million variants.
  • The phishing rate increased again in May, up to one in 2,998 emails. This is the highest rate seen since November 2016, following three months of relatively low phishing activity. A new phishing scam is targeting PayPal users not only for their login credentials but also for selfies of them holding their ID cards.
  • Phishing campaigns moved to mobile devices in 2016. Targets of these attacks will often receive SMS and email instructions asking for account credentials. The click rate for employees on SMS messages with malicious links was 42% during 2016, compared to the long-running rate of 20%. For example, phishing messages designed to steal Apple IDs were the most sent, but Google Drive phishing links were the most clicked.

Mobile Devices

  • No new Android malware families were discovered during May.
  • The number of Android variants per family remained at 62 in May.
  • Mobile clicks on malicious URLs doubled in 2016, revealing the importance of being suspicious of unexpected messages across all device platforms.
  • When it comes to all mobile applications with malicious intent or intrusive behavior, data leakage is by far the worst for both iOS and Android.
  • Please be advised of these mobile device best practices:
    • Use strong passwords.
    • Think before you click.
    • Always update to the latest mobile security patch.
    • Only download apps from official app stores such as the Apple App Store or Google Play. Mobile botnets will continue to surface on Google's Play Store and users should protect themselves by reading the reviews of any app prior to installation, including programs found on the Play Store. If users decide to install an app, they should review its permissions carefully before they finalize the download process and be very suspicious if any app requests/requires admin privileges.

Attacks

  • Please continue to be aware that if any County PC receives a ransomware pop-up, that PC should be shut down immediately and Information Systems notified by the department manager. Please be advised that a ransomware campaign similar to WannaCry is currently spreading internationally.
  • Dramatic shifts in the threat landscape that started in 2015 continued throughout 2016 and into 2017. Advanced attacks focus more on exploiting human flaws than system flaws, with human-targeted attacks leading the pack in 2016. Attackers used automation and personalization to increase the volume and click-through rates of their campaigns.
  • In 2016, more than 99% of attachment-based email attacks were enabled by the user clicking something rather than an automated exploit. This trend extended to URL-based threats, where more than 90% of messages led users to credential phishing pages, which trick victims into entering their usernames and passwords, rather than to exploits.
  • Attackers understand when recipients are most likely to click on malicious messages and optimize their campaigns. Activity increases quickly with the start of the business day and peaks around 4-5 hours after that, right around lunchtime. These messages have their greatest impact the day they arrive: 87% of clicks occur within the first 24 hours of delivery, almost half of clicks occur within an hour after the message arrives, and a quarter of clicks occur just 10 minutes after arrival. The median time-to-click (the time between arrival and click) is shortest during business hours: from 8 a.m. to 3 p.m. EDT in the U.S.
  • Ransomware message volumes were much higher on Thursday than the other days of the week. Tuesday and Thursday remain the top days for sending malicious URL messages – the main vector for credential phishing attacks. Information stealers arrive early in the week when they can collect the most information. Ransomware and point-of-sale (POS) Trojans arrive later in the week when security teams have less time to detect and mitigate infections before the weekend.

Breaches & Vulnerabilities

  • Social-engineering schemes lack the refinement of some email-based malware campaigns but underscore the breadth of attackers’ shift to exploiting “the human factor.” In social attacks, malvertising on a legitimate website directs targeted web surfers to a landing page. The page uses code that prevents users from closing or bypassing dialog boxes. A series of on-screen prompts that leverage expected Windows dialogs and behavior leads users to download a shortcut containing Windows PowerShell commands. The commands, in turn, download and execute malicious code such as ransomware.
  • Accounts used to share files and images—such as Google Drive, Adobe Creative Cloud, and Dropbox—are the most effective lures. These messages made up less than 24% of the message volume among the top ten lures but were the most effective as measured by click rates.
  • OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
  • For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. The company is not commenting on how many of its 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.
  • Manual sharing continues to dominate social media scams, increasing in May to almost 89%. Likejacking decreased by over 2.5 percentage points during the month of May to just over 7%.

Please read and continue to adhere to the following best practices:

  • Be suspicious of unexpected emails. Watch out for poor grammar or misspelled words, which are red flags that the email is suspicious.
  • Do not open email attachments unless they are expected.
  • Do not use links in emails to get to webpages, especially if you suspect the message in any way.
  • Be very suspicious of shortened URLs; do not click on them without previewing or expanding them.
  • Be suspicious of search engine results and review the presented addresses prior to clicking on them.
  • Do not use unsubscribe links in unsolicited messages because they may be forged and could confirm your email address is a legitimate email address.
  • Do not fill out forms or reply to email messages / phone calls that ask for financial information or to confirm account information.
  • Do not download any files or execute software that is from the Internet unless it is for county business and has been approved & scanned for viruses by MIS.
  • Any removable media data must be scanned for malicious content prior to being attached to the County network.