make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Threat Intelligence Updates: November 2017

11/27/2017  |  By: Jason Riddle, CISSP, President, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

BEC Attacks Continue to Plague Companies

We have seen a large spike in the number of Business Email Compromise (BEC) attacks lately. This was already a very popular attack vector. Lately, it feels like a can of gasoline was poured on the fire. We saw the increase begin around late September and early October. Since that time, our Incident Response Team has received multiple calls per week that are related to these attacks.

Most of the BEC attacks we have investigated appear to originate from Africa. We have seen threat actors using IPs based in several African nations (e.g. South Africa, Nigeria, etc.). However, most of the attacks also involve US-based IP addresses.

The attackers are maturing beyond their past tactics of impersonating a company executive and directing a subordinate to wire funds to a particular account or sending fraudulent invoices and requesting payment.

Some of the more creative attacks we have seen recently begin with spearphishing attacks, followed by employee credential harvesting, and then using the purloined credentials to access cloud applications that allow the criminals to move money themselves.

A common thread in these newer attacks is the use of stolen credentials to access Microsoft’s Office 365 email environment. The criminals will access O365 via an Outlook Web Access (OWA) connection and then harvest email contacts and context to use for additional spearphishing emails.

These attacks target companies of all sizes across every industry. Here are a few basic steps you can take to protect your organization:

  1. Educate employees about phishing attacks (how they work, how to report them, etc.)
  2. Enable Multi-factor Authentication for all remote access VPN connections and any business critical cloud services (e.g. O365 email access)
  3. Carefully scrutinize all email requests to transfer money. Consider requiring a 2nd approval or a verbal authorization for larger amounts.

More information on BEC attacks is available at:

Recent Uptick in Cryptocurrency Mining Software

We have detected a marked increase in the use of cryptocurrency miners recently. Mining programs, such as Coinhive, are used to mine cryptocurrency from unsuspecting victims. Coinhive is a JavaScript-based cryptocurrency miner that can be embedded in websites. When users visit the affected websites, processing power from their device is silently used to compute intensive mathematic functions in order to mine for cryptocurrency without the need for malware to be installed on a user’s system. 

Coinhive has been found on at least 500 compromised websites, including the popular political fact-checking website Politifact[.]com. Additionally, at least two Android apps from Google Play were discovered to be mining for cryptocurrency in a hidden browser window on victims’ smartphones. Coinhive advertises as a way to support websites without requiring users to view online ads. This allows site owners to profit from the mined amount as well as Coinhive itself. However, there is no requirement for Coinhive to ask users for permission or to inform users of its activity. Additionally, there are no restrictions on how much processing power Coinhive can consume. 

This form of cryptocurrency mining can substantially slow system performance on the victim’s device in order to benefit the threat actor. For these reasons, many anti-malware programs have already begun blocking these miners until they allow users to choose if they would like to opt-in for an alternative to online advertisements. LBMC Information Security recommends allowing end users’ antivirus software to block Coinhive and other cryptocurrency miners to prevent this activity. Additionally, it is recommended to block Javascript-based applications from running in web browsers unless they are from trusted domains.

More information on this can be found at:

Threat Intelligence Updates: November 2017

Related People