A spate of recent stories in the news reinforces the importance of not going it alone when it comes to protecting yourself online. Whether you’re using the internet for business or pleasure, you can’t take your cybersecurity for granted – you need to proactively engage the services of the experts at Kobargo Technology Partners. Contact us today to schedule a discussion to go over your IT system security and to talk about ways we can help you safeguard your company in our increasingly treacherous digital age.
Hackers continue to come up with new ways to exploit vulnerabilities to commit nefarious acts online, whether it’s attacking a popular collaboration website used by businesses; using malware to infiltrate smartphones; gathering personal, potentially embarrassing information and selling it to the highest bidder on the Dark Web; or breaching the online data of more than 90,000 residents of one state. Here are the latest cautionary tales Kobargo has compiled that will serve as a wake-up call to be more cautious online.
A recent report discovered a disturbing new workplace hack. A group of bad guys are using a previously undocumented backdoor program designed to interact with attackers over the popular enterprise collaboration site Slack, which allows users to create and use their own workspaces through the use of channels. A security firm detected a targeted attack launched from the compromised website of the Korean American National Coordinating Council, an organization that posts articles related to North and South Korean politics. Infecting websites that are of interest to a particular group of individuals or organizations is known as a “watering hole” attack. While taking advantage of legitimate services for malware command-and-control purposes is nothing new, this is the first time Slack has been targeted this way. It hasn’t been determined if victims were led to the website through an email campaign or if the hackers waited for regular visitors, but the site was modified to host an exploit in Windows. Since that flaw was fixed by Microsoft in an update, your operating system wouldn’t have been affected if it was up-to-date. The backdoor program was used to collect information about victims and their activities on Twitter, Skype, and KakaoTalk, as well as bulletin board systems (BBS). It also allowed the hackers to execute commands and malicious files, take screenshots and collect information about storage drives and volumes. In this report, researchers stated, “Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign. So far, we have not been able to find related attacks and have not spotted the custom backdoor elsewhere,” adding, “We have been searching for similar samples and have found none so far, which is a strong indication that the attackers either developed the malware or got it from a private developer who has not publicly leaked it.”
Researchers speculate that hackers use legitimate services for this kind of attack because it allows them to steer clear of network-level and even endpoint-level detection of potentially suspicious traffic. Sites like Slack are more likely to be whitelisted in firewalls and Web security gateways. They also use HTTPS, so any data sent back to them is encrypted. After it was notified, Slack disabled the workspace set up by the attackers for violating the company’s terms of service.
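One way defenders can compensate for that blind spot is to check, on the endpoint, which process opened each connection to Slack. The following is an added example, not from the report or from Kobargo; the record fields, host names, approved-process list and Slack domain suffixes are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Assumption: domain suffixes your Slack clients contact; adjust to your environment.
SLACK_SUFFIXES = ("slack.com", "slack-edge.com")
# Assumption: approved executables and a path fragment each must be installed under.
APPROVED = {
    "slack.exe": "\\appdata\\local\\slack\\",
    "chrome.exe": "\\program files\\google\\chrome\\",
    "firefox.exe": "\\program files\\mozilla firefox\\",
}
# Constructed endpoint network-connection records (host, process image, destination).
CONSTRUCTED_EVENTS = [
    ("WS-014", r"C:\Users\ana\AppData\Local\slack\slack.exe", "wss-primary.slack.com"),
    ("WS-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "app.slack.com"),
    ("WS-022", r"C:\Users\lee\AppData\Roaming\updsvc.exe", "slack.com"),
    ("WS-022", r"C:\Users\lee\AppData\Roaming\updsvc.exe", "files.slack.com"),
    ("WS-031", r"C:\Windows\System32\svchost.exe", "notslack.com"),
    ("WS-040", r"C:\Temp\slack.exe", "api.slack.com"),
]

def is_slack_host(dest):
    """Match a Slack suffix on a label boundary so 'notslack.com' is not a hit."""
    dest = dest.lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in SLACK_SUFFIXES)

def is_approved(image):
    """Approved only if both the file name and its install location match."""
    path = image.lower()
    required = APPROVED.get(path.rsplit("\\", 1)[-1])
    return required is not None and required in path

def unexpected_slack_clients(events):
    """Group Slack destinations by (host, image) for processes that are not approved."""
    findings = defaultdict(set)
    for host, image, dest in events:
        if is_slack_host(dest) and not is_approved(image):
            findings[(host, image)].add(dest.lower())
    return {key: sorted(dests) for key, dests in findings.items()}

if __name__ == "__main__":
    for (host, image), dests in unexpected_slack_clients(CONSTRUCTED_EVENTS).items():
        print(host, image, dests)
```

The last constructed record shows why the file name alone is not enough: a binary named slack.exe running from an unexpected directory is still reported.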
The number of cyberattacks on smartphones is increasing at a dramatic rate. A new report found that there were 116.5 million mobile malware attacks last year, up from 66.4 million in 2017. Attacks by Trojans – malicious computer programs that intentionally mislead users about their true intent, named after the story of the large, deceptive wooden horse that led to the fall of the city of Troy in ancient Greece – saw the greatest increase, up from 8.63% in 2017 to 17.21% in 2018. Researchers say, “This type of malware is designed to bypass system protection to inject all kinds of malware, from bank Trojans to ransomware.” The numbers are alarming: in 2018, there were 5,321,142 malicious installation packages, 151,359 new mobile banking Trojans, and 60,176 new mobile ransomware Trojans. Researchers say that last year, smartphone users faced what could be the strongest effort by cybercriminals they’ve ever witnessed. These include DNS hijacking (changing the IP address linked to a specific domain name, redirecting it to a malicious site used to collect information); Trojan Droppers (using malicious software programs to drop other malware files onto a compromised smartphone or computer, designed to avoid detection); attacks on bank accounts; using apps to compromise your smartphone; and using malware on preinstalled apps.
Of these, Trojan Droppers appear to be the favorite of cybercriminals who target victims using mobile malware, for several reasons. They can be easily created, used and sold by various groups. A Dropper creator may have several clients involved in developing ransomware Trojans, banking Trojans, and apps that show persistent ads. They are used to hide the original malicious code, while also avoiding detection by generating a new hash (transforming a string of characters into a shorter string, to index and retrieve items in a database to make them easier to find). This enables a large number of unique files to be created, which virus writers need when using their platform with a fake app store. The number of attacks involving mobile banking Trojans is also jarring; early last year, judging by the unique samples discovered and the users attacked, it looked like this type of threat had stabilized. By the second quarter of 2018, these numbers were up dramatically. While they’re not sure why this occurred, researchers suspect the creators of two Trojans, Asacub and Hqwar, are to blame. The use of banking Trojans last year was also noteworthy because of the use of Accessibility Services (designing products, devices, services, or environments for people with disabilities). This was partly a response to new versions of Android that make it harder to place phishing windows on top of banking apps and partly because accessibility allows a Trojan to place itself in a device so users aren’t able to remove it. Cybercriminals can also use Accessibility Services to hijack a legitimate application and force it to launch a banking app to make a money transfer on the victim’s device.
Malware attacks on porn sites are on the rise. The number of users who visit porn sites is staggering. The world’s largest pornography website had 23 billion visitors in 2016, who watched a jaw-dropping 4.6 billion hours of videos. With numbers like that, it should come as no surprise that attempts to steal log-in credentials of porn site users are at a record high. A recent study shows a reach of 850,000 users in 2018, tripling the number from the year before. More and more PCs are being infiltrated by malware designed to steal personal information from porn sites. This malware can deliver itself as a Trojan pretending to be a porn-related program or file to steal log-in credentials. The malware monitors what webpages a user opens on a PC or creates fake log-in pages to porn sites that secretly record the characters entered in password fields. Hackers then peddle that stolen information on the dark web. This study found, “In total, 29 websites displayed more than 15,000 offers to buy one or more accounts to pornography websites.” Prices can range from $3 to $9 per paid account, a significant discount from the $9.99 a month legitimate users spend on an account with the porn site. While we don’t advocate visiting porn sites, this should serve as a warning to people who do: online porn can come from nefarious sources and could be a hacker-sponsored attempt to install malware on your PC. The report states that “Most malware that reaches users’ computers from malicious websites, is usually disguised as videos.”
A new Colorado law reveals more than 90,000 residents have had their personal data exposed. The new consumer data privacy protection law, which took effect Sept. 1, is among the strongest in the country. It says that any company or public agency storing a Coloradan’s personal information will need a data protection policy, a swift notification system – within 30 days – and the ability to destroy the data when it’s no longer needed. The Colorado Attorney General’s office says that as of Feb. 5, 33 Colorado organizations reported data breaches to more than 91,000 Coloradans.
The law, House Bill 1128, went into effect Sept. 1. As of Feb. 5, it has resulted in 33 organizations reporting consumer data breaches and sending notifications to 91,235 Coloradans, according to the Colorado Attorney General’s office. Given that since September, data breaches affected 50 million Facebook users, and 500 million Marriott International customers, that number may be low. It’s unknown how many Colorado companies are in compliance with the new law. “We’ve had a few” breaches, said Benjamin Hase, a Colorado attorney and information manager for the Employers Council, which helps companies with employment law. “We’ve had (members) get hacked. We’ve had people with stolen laptops.” Companies are required to inform the A.G.’s office only if a breach affects more than 500 Coloradans. Hase says that if companies aren’t familiar with the new law, they should learn about it and make sure they’re in compliance. “We’ve issued a few of these (notices) but nothing so big that it’s required telling the AG’s office,” Hase said, adding, “factor that in with the many organizations that still don’t know about this and who knows how many (breaches) are out there?”
Companies that store the private data of any Colorado citizen must comply with the law, even if they’re located outside of the state. The statute also commands companies to protect consumer data, manage it and delete it when it’s no longer needed. It’s part of Colorado’s Consumer Protection Act, which defines personal data as a name plus another identifier, such as a health insurance number, biometric data or a security question that unlocks a user’s account. For many businesses, the 30-day notification period has been problematic, according to Esteban Morin, an attorney who specializes in privacy and data security for the Denver office of the law firm Brownstein Hyatt Farber Schreck. “A lot of times, you don’t know the full scope of what information was affected and you have to get cyber forensics to get in there. That can take a lot of time, but you’re on this very rigid clock,” Morin says, adding, “It’s caused us to make some complicated decisions.” He also says some companies might have to notify customers in waves as the breach investigation continues. If more affected accounts are discovered, the notice goes out – even if it’s after the 30-day deadline. “You might be in danger of violating the 30-day statute, but it’s the best you can do. The 30-day (deadline) is challenging and has caused a lot of stress,” he said. “But at the same time, I understand it does represent personal information and the compromise of that can cause harm to a person’s identity and finances.”
Colorado’s Attorney General, Phil Weiser, defends the new law. While he admits it takes time to develop a plan to manage consumer data, and determine what personal data needs to be deleted, he said, “There are times when businesses, think Target and Equifax, have been complacent and failed to take reasonable measures that expose consumers to harm. Identity theft is rising year to year because it’s so attractive to hackers to steal consumer information and abuse it.” He added, “we need to make sure we’re doing everything we can. I’m going to make this a top priority for my administration.” While he didn’t share which organizations have reported data breaches, because cases are under investigation, his office did say that common methods of breaching data include phishing emails with malicious links, point-of-sale systems, and online shopping carts infected with malware. The types of sites affected range from travel companies and banks to retailers and rewards-program databases. Weiser wants to adopt stronger consumer protections. He recently joined attorneys general from about 30 states to urge the Federal Trade Commission (FTC) to implement rules on identity theft to crack down on thieves who use available data to, for example, get a credit card in someone else’s name. He is also working on getting a group of local business and cybersecurity leaders to collaborate on best practices. “There is, I believe, a real opportunity for us here in Colorado, for us to be at the forefront of developing better cybersecurity, better data privacy, and better security practices,” he said.
Brownstein Hyatt Farber Schreck attorney Morin says, at the least, Colorado’s new law has helped companies to reevaluate data management policies, find risks and make sure they’re deleting personal user data when it’s no longer needed. “Honestly, pound for pound, there are some complications with the 30-day deadline,” Morin said, adding, “but I think all around, the fact is that it’s sparked additional conversations and has spurred companies to examine the big picture and talk about what risks do we face if there’s a security incident or how much trouble are we in.”
Some companies in the Mile-High City have had no problems complying with the new law. Gusto, a benefits and payroll firm with co-headquarters in Denver and San Francisco, already had experience complying with regulations like HIPAA, the Health Insurance Portability and Accountability Act, and HITECH, the Health Information Technology for Economic and Clinical Health Act. This experience helped the firm to comply with this new Colorado statute. “We shrugged our shoulders and said we already comply with HIPAA and HITECH,” said Rick Chen, a Gusto spokesman. “Anytime there’s any data privacy or security type of legislation or regulation, we always take a look to make sure we’re in compliance. If there’s anything we’re missing, we’ll take time to figure it out.” Gusto did need to tweak its policy to notify Coloradans within 30 days and expects more changes are coming with future laws. Chen thinks firms like Gusto realize they must stay on top of new laws. “As a general rule, we tool processes toward the most strict requirement to fully comply with all relevant laws and regulations,” he said.
The idea of protecting consumer data is spreading. The California Consumer Privacy Act, which goes into effect next January, will make it easier for consumers in the Golden State to find out what personal information has been collected and request it be deleted. A new federal bill proposed by Oregon U.S. Sen. Ron Wyden would allow Americans to find out who is buying their personal data.