I’ll make you an offer you can’t refuse… – NCSC Site

One of the terms we didn’t include in our advent calendar of definitions was ‘malvertising’. This is a term which we felt we could say a little more about, and so we’ve saved it for this blog. Malvertising may seem like a scary topic, but it doesn’t need to be. This blog includes some simple steps to protect your End User Devices and your networks, so you don’t need to be afraid of online adverts.

What is malvertising?

Malvertising, or ‘malicious advertising’, is when an attacker uses online advertising as a delivery method for malicious activity. It’s particularly insidious because it often doesn’t require any user interaction – such as choosing to run downloaded files – to cause problems. You can become a victim of malvertising simply by visiting a popular website. Code within online adverts on the website could install ransomware or other malware.

It’s a popular method because a single malicious advertisement can be distributed to many publishers and onward to many websites, causing widespread attacks against their users. Ad networks allow advertisers to target online advertisements based on features like location and device type; attackers can also leverage this to launch targeted malvertising campaigns. In addition, it can be difficult to attribute malicious activity to malvertising.

How malvertising works

To understand how to protect against malicious advertising, it helps to understand how it is delivered. Website owners and mobile application developers, known as publishers, receive payment from advertisers in return for displaying online advertisements. Online advertisements can allow advertisers to run code to display rich media advertisements that incorporate elements like animations, video and scripts. Malicious actors can take advantage of this to deliver malicious content within an online advertisement, without the knowledge of the publisher.

There are different ways for malicious advertisements to be displayed on a publisher’s site:

  • Publishers can use their own servers to deliver online advertisements.
  • Alternatively, publishers can use an ad network. Within ad networks, advertisers can buy the rights to serve an advertisement onto a publisher site.

Whether an attacker compromises a publisher’s server or poses as a legitimate advertiser, the same delivery vector – online advertisements – is used to deliver malicious activity. It is important to note that while publishers are being used in the infection process, they are – like the end user – victims of malvertising. Publishers will suffer reputational damage if their customers get infected from malvertising displayed on their sites.

Embedded malicious code

Malicious advertisements typically do not require any user interaction because they contain embedded code. The user does not need to click on the advertisement, because the malicious code is inside the advertisement itself. The code can carry out a variety of tasks, such as exploiting software vulnerabilities, or silently redirecting users to malicious websites that host exploit kits. In this regard, malvertising is like a drive-by download, in that software is run on a victim’s computer simply by visiting a malicious website.

Note: Exploit kits are automated toolkits or frameworks designed to scan a victim’s device, find software vulnerabilities and then exploit them in order to deliver a malicious payload.

What is the impact of malvertising?

Numerous high-profile publisher sites have been victims of malvertising campaigns. In March 2016, visitors to various major publishers including aol.com, bbc.com, nfl.com and nytimes.com received malicious advertisements. The malvertising campaign targeted US users and was delivered through multiple ad networks. Shortly afterwards, a similar malvertising campaign targeted visitors to UK websites.

In both campaigns, the malicious advertisement redirected victims to websites hosting the Angler exploit kit. This can lead to malicious activity such as stealing financial information stored on victims’ machines, or installing ransomware whereby victims’ files are encrypted unless payment is made to the attacker.

Ad blocking

Ad blocking is a technology designed to limit (or completely prevent) the display of online advertisements. There are several ad blocking solutions that work in different ways. Some ad blockers are designed to block all advertisements (whether legitimate or malicious), whilst others whitelist ‘trusted’ ad networks. It is worth noting that whitelisted ad networks could still be a source of malicious advertisements. Whilst ad blockers can help prevent malvertising from affecting you, they should not be regarded as a security product.

Protecting your devices and networks

The clear majority of malvertising targets unpatched vulnerabilities in web browsers, plugins, and associated internet-facing software on End User Devices. Prompt patching and updating of this software is the most effective mitigation available. For more information on protecting End User Devices within your organisation, see our EUD guidance.

In addition, Cyber Essentials contains five critical controls which can help to reduce the harm from malvertising. We recommend that all organisations consider these controls, and the recommendations in the 10 steps to cyber security. Wider network security hygiene protections, such as network segregation, web proxying, and least privilege are also useful in minimising the impact of any successful malware infection.

Source: I’ll make you an offer you can’t refuse… – NCSC Site

Putting the cyber in crime: How lower barriers and increased profits have led to a surge in cybercrime.

It seems as if not a day goes past where cybercrime isn’t in the headlines. Whether it is a ransomware attack, a huge data breach, theft of intellectual property, or the unavailability of service, ‘cyber’ is playing an increasingly important role for both enterprises and individuals alike.

Nowadays, nearly all crimes have an element of cyber to them and we’re seeing more ‘traditional’ criminals get into the cybercrime industry. However, this isn’t just bandwagon jumping; there are actually some very good reasons why the world of cyber makes a lot of sense to criminals.

Lowering barriers to entry: Go back ten years or so and ‘hacking’ knowledge was limited to a few select individuals that understood technology. It wasn’t easy to find experts that were willing to be “hackers for hire”, and for those new to the industry, acquiring such skills wasn’t an easy task either. However, in recent years, the barriers to entry have gotten significantly lower due to a few key factors:

  1. Availability of online marketplaces. Online marketplaces have become commonplace and provide a convenient place where hackers for hire can advertise their skills to bidders. These can encompass a broad range of services such as DDoS attacks, botnets, and targeting of individuals or businesses, as well as custom services.
  2. As-a-service. Taking a cue from legitimate businesses, cybercriminals are beginning to remodel their organizations for greater efficiency. This has resulted in the rise of “cybercrime-as-a-service”. For example, Petya & Mischa ransomware-as-a-service (RaaS) was launched in July 2016. This platform encourages distributors to generate high returns by enticing them with the cybercrime equivalent of performance bonuses. If distributors generate less than five bitcoins in a week, they earn only 25% of the ransom paid. However, if the weekly payment is over 125 bitcoins, they can potentially keep 85% of it. Through such initiatives, the RaaS business model has proven to be highly lucrative for both the providers and the distributors, and there’s no sign that these operations will go away anytime soon.
  3. The rise of cryptocurrency. The third leg of the stool is made up of cryptocurrencies such as bitcoin, which allow payments to be made anonymously. This allows cybercrime service providers to sell their wares easily, and allows cybercriminals to extort money from their victims more effectively.

Profit and loss: Another aspect contributing to the rise in cybercrime is the increase in potential profits. The cybercrime market is lucrative because of the extent to which things have gone digital. Everything from finance, to healthcare, to national infrastructure is connected in some way or another. On top of this, the introduction of IoT and smart devices has resulted in an explosion of connected devices, each of which presents a potential money-making opportunity for a clever hacker.

The abundance of connected devices gives criminals an advantage because there will always be unsecured, unpatched, or simply insecure targets. Attacks on individual consumers can be as profitable as attacks on large enterprises. By targeting individuals, hackers further lower the bar to entry, as no pre-qualification needs to be done on the target.

Key takeaways: The number of criminals taking advantage of lucrative cyber money-making opportunities will unfortunately only continue to grow. Therefore, it is more important than ever that enterprises and individuals take appropriate steps to protect themselves from cyber-attacks. Here are a few tips to bear in mind:

  • User education and awareness is the first, and arguably the most important, line of defence. For example, knowing not to click on suspicious links could prevent a potential infection entirely.
  • Segregating critical systems and assets is also a good defensive measure. If a user does click on a link, having segregated systems will prevent infections from spreading.
  • Having robust detection and response controls in place, enhanced by threat intelligence, is also critical so that infections can be detected quickly and remedial action taken immediately to minimize impact.
  • Finally, the importance of backup processes cannot be forgotten or neglected. If the worst does happen, it’s often better to wipe systems and reinstall from a clean, trusted backup than try to fix the mess.

Cyber-threats in university Clearing and how to overcome them – IT Security Guru

A Level results are out.  For many, this is a time of celebration as they take up offers for the university or college of their choice.  However, for those who have not received the results they need it can be a stressful time as they enter Clearing, and turn to online search to secure a university or college place to continue their studies.

Cybercriminals are wise to this forthcoming uptick in web traffic, and have been creating higher education phishing sites to trick stressed students into clicking on malware-laden links.  This is not a new scam, and is evidence that cybercriminals are diversifying by reworking banking, online shopping and other phishing scams.  Security researchers at Forcepoint are now warning prospective students across the UK and internationally to beware of these scams.

Carl Leonard, principal security analyst at Forcepoint said: “This activity could come from one-off individual criminal elements speculating for financial gain or as part of an organised gang spreading malware kits or adding to botnets.  Using search analytics criminals can map likely human reactions and rework tried and tested social engineering scams to target vulnerable individuals.  Broadly, if a university or college offer appears too good to be true, it probably is.”

“University students will continue to be targeted by cyber criminals at relevant times of the year.  The scammers will continue to set up fraudulent websites and send convincing emails demanding interaction in order to manipulate a student’s behaviour when they are under the most time pressure.”

As a way of preventing these cyber scams, Forcepoint advises students searching for university and college courses for the autumn to do the following:

  • Type in the URL rather than clicking on links in email or in online adverts
  • Use reputable search engines
  • Be aware of lure lines such as “discounted course fees,” “multiple course places available now,” or the usage of highly respected educational establishment names in promotions
  • Keep internet security up to date on PCs and mobiles
  • Begin your Clearing search via the UCAS website, which contains official links and the latest up-to-date places
  • Reach out to the university or college’s admissions office if you have doubts as to the legitimacy of a fee or offer

Wayne Gaish, IT Strategic Development Manager, Petroc said: “Petroc takes cyber security very seriously and in particular for our learners at this crucial time of year. The guidance provided by Forcepoint will help promote a better understanding for our learners in today’s digital world.”

Frank Jeffs, post-graduate researcher and former Head of Advertising at Middlesex University said:

“Scams of this nature have the potential to trick stressed UK-based students, but could also catch out international students who are seeking courses in the UK.  In my experience, scammers use well-known university names such as Oxford or Cambridge and create fake institutions which sound very similar.  Designed to look realistic and offering qualifications at a low price or attempting to capture personal information, this social engineering trick could easily catch out international students or people who might not have the local knowledge of the official educational establishment names.  Always go via the UCAS website or type in the URL of the university or college you are interested in.”


Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

Children’s commissioner says too much time is spent online as she launches ‘five a day’ campaign. Children’s access to Snapchat should be limited, the children’s commissioner says.

Source: Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

‘LinkedIn Update’ Phishing Scam Email

If you use LinkedIn, keep an eye out for an email that claims you must click a link to update your account. The email, which has the subject “LinkedIn Update”, claims that LinkedIn is updating its “Services Agreement and Privacy”.

The message warns that your account will be deactivated if you do not click the link and update your account. However, LinkedIn did not send the email and your account will not be deactivated if you don’t click the link. Instead, the email is a phishing scam that is designed to steal your LinkedIn account login details. If you click the link, you will be taken to a fraudulent website that has been built to emulate the real LinkedIn login page. Once on the fake site, you will be asked to enter your account email address and password to log in. After entering your details, you’ll see a message claiming that you’ve successfully completed the supposed update.

Online criminals can now use the information you provided to hijack your LinkedIn account. Once they have gained access to your account, the criminals can use it to send spam, scam, and malware messages to your LinkedIn contacts in your name.  They may also gather more of your personal information from your account and use it to pose as you and attempt to steal your identity. LinkedIn users are regularly targeted in such phishing scams.

LinkedIn has information about phishing scams and how to report them on its website.
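The checks a mail filter or help desk would apply to a message like the one described above, as an added example (not code from the original post): the sender name is easily forged, so the reliable signal is whether the links actually point at linkedin.com, combined with the pressure phrasing. The sample email, sender address and link domain are constructed placeholders, not real indicators.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the scam described above. The address and the
# link host are placeholders, not indicators taken from a real campaign.
SAMPLE_EMAIL = """\
From: LinkedIn <no-reply@linkedin.com>
To: user@example.org
Subject: LinkedIn Update
Content-Type: text/html; charset=utf-8

<p>We are updating our Services Agreement and Privacy Policy.</p>
<p><a href="http://linkedin.com.account-update.example.net/login">Update your account now</a>
or your account will be deactivated.</p>
"""

TRUSTED_DOMAIN = "linkedin.com"
# Pressure phrases the scam relies on (assumed list, extend to taste).
URGENCY_PHRASES = ("deactivated", "update your account", "services agreement")


def same_site(host, domain):
    """True only if host is the domain itself or a real subdomain of it.

    A bare suffix test would accept 'notlinkedin.com'; a prefix test would
    accept 'linkedin.com.evil.example'. Checking on the dot boundary catches both.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Parse a raw RFC 5322 message and report why it looks like credential phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I)
    # The From header can claim linkedin.com freely; the link destination cannot.
    off_site = [u for u in links if not same_site(urlparse(u).hostname, TRUSTED_DOMAIN)]
    text = body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in text]
    return {
        "subject": msg["Subject"],
        "claimed_sender": msg["From"],
        "off_site_links": off_site,
        "urgency_phrases": urgency,
        # Off-site login links plus pressure wording is the pattern this scam uses.
        "suspicious": bool(off_site) and bool(urgency),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```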

Cyber Safe Warwickshire – Significant Rise In Council Tax Rebate Frauds

Action Fraud are warning that fraudsters may be posing as local council officials or professionals and cold-calling customers stating that they are eligible for a general tax or council tax rebate, with a sharp increase in the number of reports relating to fake council tax refunds in the last few weeks.

Source: Cyber Safe Warwickshire – Significant Rise In Council Tax Rebate Frauds