Cyber Security Monitor: March 2025

How good are you at spotting a phishing email? Not too long ago it was fairly easy to recognise email scams by their offers of get-rich-quick schemes, spelling mistakes and grammatical errors. 

But cyber criminals have upped their game and are using more sophisticated techniques such as business email compromise – an attack strategy that is frustratingly difficult to spot. 

In this newsletter, we’ve gone deep on this important subject with detailed tips from our Head of Security. Read them as a matter of urgency.

There’s also a strong theme of justice and retribution in our other news items this month. Read about IT suppliers being fined for basic security failures and ransomware gangs foiled at last.

Business email compromise – how to stay safe. A deep dive

It’s easy to spot a phishing email from a Nigerian prince offering you millions if you click on a link. But an email from a legitimate third-party vendor asking for your Microsoft account details? This is when the waters get a bit muddy.

Business email compromise is a cyber attack trend we’re seeing more of this year. It’s when hackers spoof, or even worse, take over a legitimate business email account to either steal funds or valuable data.

The victims are often decision-makers or those in charge of financial functions within an organisation.

Business email compromise can be narrowly targeted at a few key roles within an organisation. At other times, it is used as a blunt instrument against all the vendors within an organisation’s supply chain. It’s why these attacks are also known as supply chain attacks.

Jake Ives, our Head of Security, has warned SMEs to stay alert to the spike in these supply chain attacks. “In just a week, I’ve had to reach out to two legitimate organisations whose email accounts had been hacked and used by cyber criminals to try and breach our systems. Since Intersys staff are continuously trained in cyber security awareness, the hack was stopped in its tracks. But it was a race against time for the victim organisations to try to undo the damage as quickly as possible.”

Worryingly, these sophisticated phishing campaigns are available as a paid-for service that can be easily bought on the dark web. If you know where to look, you don’t need to be an expert coder to be able to pull off such an attack.

Says Jake, “All a cyber criminal needs is a spare $200, a computer and some help from the wider hacker community operating on the likes of Telegram.”

So, what can organisations do to be better protected? Here are Jake’s tips:

  • Verify the sender: always check the sender’s email address carefully. Look for any unusual or misspelled domains.
  • Don’t open links or files if you didn’t expect them! Even if you know the sender, you can’t guarantee that the email came from them. Hover over links to see the actual URL before clicking, and when navigating sites, keep your eyes on what is displayed in the address bar.
  • Watch out for suspicious emails containing fake banners declaring “This email address has been added to your organisation’s safe senders.”
  • Don’t ever enter your Microsoft credentials unless you’re at login(dot)microsoftonline(dot)com. Scan for typos or similar-looking characters that can signify a spoof Microsoft site.
  • Look for red flags. Be wary of urgent requests, unexpected invoices, or messages that create a sense of urgency even if the sender address looks correct.
  • Use strong and unique passwords everywhere. Ensure your email account is protected with a strong, unique password and enable two-factor authentication (this includes your email accounts outside of work).
  • Invest in good email security. Security checks such as DMARC compliance will allow only emails from legitimate sources to be delivered to your inbox. They can also help alert you to email spoofing.
  • Protect your website. Ensure your CMS platform is updated frequently and hosted with a provider that takes security seriously. Otherwise, you might find yourself being used to facilitate these attacks.
  • Do your supplier due diligence and hold the companies in your supply chain to the same cyber security standards as your own organisation.
  • Keep training! Ensure a regular programme of cyber security awareness training for all staff and encourage employees to report anything suspicious.
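
Three of the checks in the list above (the DMARC result, sender consistency and the exact Microsoft sign-in host) can be automated when triaging a reported email. The Python below is an added example, not Intersys tooling; the sample message, the `.example` domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOST = "login.microsoftonline.com"  # sign-in host named in the tips
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample message; every address and domain here is a placeholder.
SAMPLE = """\
From: Accounts <accounts@supplier.example>
Reply-To: accounts@supp1ier.example
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=fail header.from=supplier.example

View the invoice: https://login.microsoftonline.com.docs-view.example/common/oauth2
Usual portal: https://login.microsoftonline.com/common/oauth2
Mirror: https://login.micr0softonline.example/
"""

def classify_link(url):
    """Compare a link's real hostname with the one trusted sign-in host."""
    host = (urlsplit(url).hostname or "").lower()
    if host == TRUSTED_LOGIN_HOST:
        return "trusted"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious-idn"  # internationalised name: possible homoglyphs
    folded = host.translate(CONFUSABLES).replace("rn", "m")
    # Brand name on any other host: suffix tricks and digit-for-letter swaps.
    return "lookalike" if "microsoft" in folded else "unrelated"

def dmarc_result(msg):
    # Only meaningful when this header was added by your own receiving server.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    if dmarc_result(msg) != "pass":
        findings.append("dmarc:" + dmarc_result(msg))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(msg.get("From", "")):
        findings.append("reply-to-mismatch")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        if classify_link(url) in ("lookalike", "suspicious-idn"):
            findings.append(classify_link(url) + ":" + urlsplit(url).hostname)
    return findings
```

A message sent from a genuinely compromised supplier mailbox will pass the DMARC check, so the link and Reply-To findings matter even when `dmarc=pass`.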

MFA blunder leads to £3 million fine for NHS IT supplier

The UK Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group £3.07m for breaking data protection law. Worrying security failings at a subsidiary of Advanced put the personal information of more than 79,000 people at risk due to a paralysing NHS ransomware attack back in 2022.

Advanced Health and Care Limited, a subsidiary of Advanced Computer Software Group, provides IT support to the NHS and other health organisations.

The final sum was reduced from an original proposed fine of £6.09 million because Advanced did not appeal and cooperated with the authorities.

In 2022, they were hit by a ransomware attack by the Russian LockBit ransomware group (more on them later) that disrupted NHS operations across the country. Non-emergency 111 phone operators were forced to use pen and paper to deal with calls and other health care workers couldn’t access patient records.

The hackers stole over 79,000 people’s data, including that of vulnerable patients receiving home care. Some of the data stolen included instructions for medics on how to access patients’ homes.

Most shockingly, the ICO’s investigation found that LockBit was able to begin its attack by hacking a customer account that didn’t have multi-factor authentication. The ICO found that Advanced didn’t have the technical and organisational measures to fully secure its systems, citing gaps in MFA deployment, a lack of comprehensive vulnerability scanning and poor patch management.

It’s the first time the ICO has fined a data processor – a company that processes data on behalf of a data controller (in this case the NHS).

In a stark warning, John Edwards, the UK’s Information Commissioner said, “…I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”

Ransomware coder faces US justice

A Russian-Israeli cyber criminal who wrote malicious code for one of the world’s most notorious ransomware groups has been arrested and extradited to the US.

Rostislav Panev was a developer for LockBit, a ransomware gang that is believed to have made at least $500 million in illegal profits from targeting thousands of entities worldwide.

As we mentioned earlier, LockBit also hit the NHS during the devastating 2022 ransomware attack.

Panev’s job at LockBit was to design and maintain the gang’s code base. According to the US Justice Department, his work included the “… development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network…” as well as providing other technical advice to LockBit.

Several other key figures in the group have also been nabbed. It has been a major blow to LockBit, whose online infrastructure was disabled by law enforcement agencies in February 2024.

Phishing alert: beware of fake PDF files

The next time you’re searching for a PDF document online such as a user guide or manual, be extra vigilant. 

Don’t be tempted to click on the first link in search engine results – it could very likely be a phishing lure. 

Cyber experts at Netskope Threat Labs are urging people to be aware of a popular phishing scam that uses PDF files to redirect victims to malicious websites. 

These phishing websites can steal credit card information as well as personal data such as logins. Some of the websites also use fake CAPTCHA images to trick victims into downloading malicious scripts that install information-stealing malware on the victim’s device.

The investigation also revealed that cyber criminals are using search engine optimisation to ensure that their malicious websites appear at the top of search engine results, making them hard to ignore. Words such as “pdf”, “free”, “download” and “printable” are used frequently to lure victims to click on these malicious links.

As a general rule, be sure to always scrutinise the URL of any website before clicking on it. Hover over the URL first and then open a new browser window and type in the address. Scan for spelling mistakes, check to see if the content of the website is related to the topic you were searching for and look for other trust signals such as online reviews and quality of content. Also make sure that your devices are up to date with their antivirus software.

Other vulnerabilities and updates

VMware security vulnerabilities

Chrome early stable update for desktop

Microsoft Management Console vulnerability

Windows Kernel vulnerability
