Hackers sit somewhere between masterminds and master criminals, depending on who you ask. There’s a fascination and frustration that surrounds them and how they do their dirty work.
Ever wanted to get inside the mind of a hacker to help protect your business from threats like malware? The MITRE ATT&CK framework is the perfect place to start.
What is the MITRE ATT&CK framework?
The MITRE ATT&CK framework is a detailed knowledge base of the tactics cybercriminals use to target victims. Using real-world examples, it shows you how hackers prepare, launch, and execute attacks.
The framework matrix is split into tactics and techniques. A tactic is a goal the cybercriminal wants to achieve, such as accessing credentials. A technique is the action or actions that achieve the tactical goal, such as brute force.
It exists to help businesses understand how cybercriminals behave in the preparation and execution of an attack. This helps raise awareness of common threats and how you can detect them in action.
Discovery – gathering system and network intelligence
Lateral movement – controlling remote systems
Collection – gathering relevant, goal-related information
Command and control – communicating with systems without detection
Exfiltration – stealing network data gathered at the collection stage
Impact – disrupting service availability and data integrity
Each tactic includes a list of techniques that explain how a hacker achieves their goal, alongside mitigation information, detection tips, and references for further reading. These are updated twice a year from public threat intelligence and incident reporting, so the information stays relevant.
It’s suitable for any organisation using:
Windows, macOS, or Linux IT systems
Network infrastructure devices
Container technologies
Cloud services such as IaaS, SaaS, Office 365
Android and iOS mobile devices
Keeping your organisation secure
The framework is a great resource to include in your cybersecurity strategy.
It encourages collaboration and information sharing, is easy-to-follow, and helps you improve your knowledge and cybersecurity posture. And, it’s free.
Use it alongside other cyber defence methods to give you broad coverage against common threats, including:
Active monitoring
Investing in an outsourced security operation centre for 24/7 protection from cyber threats on all devices that access company data.
Software
Using robust antivirus or anti-malware software to prevent, detect, and remove malicious software.
With such a powerful resource at your fingertips, you’re only going to benefit by including the MITRE ATT&CK framework in your cybersecurity strategy. Share it with your colleagues so you can all play an active role in protecting your organisation from attacks.
Social media savvy: privacy settings and security on social platforms
Social media platforms connect us with friends, family, and colleagues but can also be a goldmine for attackers. This blog post looks at the world of social media privacy and security, exploring the potential threats and steps you can take to protect yourself (and your business) from them.
Social media at home and work
Social media plays a big role in both our personal and professional lives. In our personal lives, we use platforms like Facebook, Instagram, and Twitter to stay connected with loved ones, share updates, and follow our interests.
In our work lives, LinkedIn is a go-to for professional networking, while companies use platforms like Twitter and Facebook for marketing and customer service.No matter how we use social media, it’s crucial to understand the potential risks.
The threats you face when using social media
Sharing information online comes with inherent risks. Common threats include:
Social engineering: Attackers might try to manipulate you into revealing personal information or clicking on malicious links.
Malware: Links or downloads shared on social media can infect your device with malware that steals data or disrupts your system.
Phishing scams: Fake accounts or posts might try to trick you into sending money or sharing personal details. In addition, spear phishers will often use social media to gather background information on targets.
Privacy violations: Without carefully calibrated settings, your personal information and online activity could be exposed to unintended audiences.
Social media scams in practice
Operation Dreamjob
In 2023 cybercriminals from the Lazarus group, an alleged North Korean state-sponsored hacking organisation, targeted employees at a Spanish-based aerospace company.
Under the campaign ‘Operation Dreamjob’, the cybercriminals identified employees on LinkedIn, introduced themself as a recruiter from Meta and commenced a fake recruitment process.
As the victim progressed through the rounds of the ‘recruitment process’, they were asked to demonstrate their competency by downloading and completing a quiz.
In this case, the victim downloaded the quiz using a work computer. Unfortunately, the download contained more than a quiz and the attackers used this to access the company’s critical systems.
This followed a similar attack by the same group in 2022 which used fake LinkedIn job offers to steal $625 million from the Ronin Network, a blockchain network that powers the popular crypto games Axie Infinity and Axie DAO.
Below is an example of what these attacks typically look like.
A bad romance
In my previous life as a cyber detective, I saw firsthand how cybercriminals frequently harness social media. This ranged from using social media platforms to execute their attacks, like above, or obtaining information from them.
In a previous blog post, I wrote about the case of a business owner who lost thousands of pounds after falling victim to social engineering. In this attack, the cybercriminal used open-source research to find out information about their target – the business owner. The business owners’ use of social media to advertise their business enabled the cybercriminal to locate a business website, mobile number and key information about the business owner that enabled the attacker to go on and effectively build a relationship with the victim.
Here are some key steps to take control of your social media privacy and security.
1. Review and adjust privacy settings
Every social media platform offers privacy settings that allow you to control who sees your posts and profile information. Where possible, set everything to ‘private’ or ‘followers only’.
2. Be mindful of what you share
Think twice before sharing personal details like your birthday, address, or phone number. Could this information be used against you?
3. Beware of suspicious links and messages
Don’t click on links or download attachments from unknown senders.
These measures add an extra layer of security to your accounts and prevent you from being the low-hanging fruit cybercriminals target.
6. Be cautious about location-sharing
Consider disabling location sharing on your posts or using it selectively. Also consider what location information is in the backgrounds of your photos, as this too can be used by cybercriminals.
7. Limit third-party app access
Review and restrict third-party apps’ access to your social media accounts, including add-ons and plug-ins. And, if you need to use these tools, ensure they’re reputable first.
The founding fathers of social media created it with a utopian vision of connectivity. And, although social media has fallen a long way from those halcyon days, that doesn’t mean you can’t use it safely.
By understanding the risks and taking proactive measures, you can create a safer and more secure social media experience. Remember, privacy and security are ongoing processes, so regularly review your settings and stay informed about evolving threats.
Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them.
What is quishing and how can you protect your business?
Quishing or QRishing is a brand of phishing scam that uses QR codes to trick victims into downloading malware or sharing personal data. Despite its unthreatening name, quishing poses a real risk to businesses. However, with the right knowledge, you can stop your business from falling prey to these attacks, read on for everything you need to know.
Why QR codes?
Read most media and you’ll see plenty of stories about the security threat posed by AI or the latest nation-state attack. However, cybercrime doesn’t have to involve the latest tech or be the height of nefarious sophistication. In fact, it’s often simple scams that get you.
QR codes have been around for almost three decades. Very few people think of them as on the bleeding edge of technology, more something you use to attend an event or scan for a marketing gimmick. Yet, since they’ve seen a resurgence in their use post-pandemic, they’ve stirred up a hornet’s nest of security problems.
The most prominent of these problems is quishing. QR code technology might not be sophisticated by today’s standards, but it does lend itself well to phishing scams.
Why? Unlike a URL or email address, QR codes are hard to evaluate for legitimacy. A QR code is opaque to the human eye, making it indecipherable without a scanner. This means that by the time the victim has realised the QR code is bogus, it’s often too late.
Phishing is by far the most common form of cyberattack. According to the DCMS Cyber Security Breaches Survey 2024, 84% of businesses in the UK experienced a phishing attack in 2023.
When it comes to quishing specifically, the scant figures available are equally ominous. Research from cybersecurity company Vade detected over 20,600 quishing attacks in one seven-day period in 2023.
What’s more, it isn’t just the spectre of falling victim that threatens businesses. If your business uses QR codes, cybercriminals could hijack them to target your customers.
What does a quishing attack look like?
Quishing attacks are versatile and can take any number of forms. We’ve seen examples of them conducted in person, with a scammer approaching the victim and asking them to scan a QR code for some sort of benefit. However, the most common approach is to send an email, much like a typical phishing scam, with a QR code included.
This approach was exemplified by the Microsoft 365 quishing attack in 2023. The attack began with a phishing email asking users to reactivate their multi-factor authentication (MFA). The email used the Microsoft Authenticator logo giving it a veneer of legitimacy. Once the victim scanned the code and clicked the embedded link they were sent to a webpage that infected their device with malware.
Microsoft eventually managed to get the situation under control and issued these instructions for detecting a scam, but not before thousands of users had been attacked.
The most obvious fallout from a successful quishing scam is financial harm.Research from BDO found that among the six in ten organisations in the UK hit by phishing scams the average loss was around £245,000.
What are the consequences of a breach?
However, the potential consequences can hit more than your pocket. If the scammers manage to steal customer’s personal data, you could also be looking at serious reputational damage and regulatory fines. What’s more, your standing among partners and suppliers could take a hit too.
How can you protect your business?
Like all phishing attacks, quishing relies on social engineering to trick victims. This means it can be tricky to recognise a bogus QR code, particularly when it’s attached to a seemingly legitimate message. But that doesn’t mean it’s impossible. Here are a few things you can do to protect your business.
1. Provide cyber awareness training for staff
Staff security training is the most important tool for protecting your business from quishing attacks. The rationale behind this is simple. If your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them.
Cyber awareness training can go a long way towards resolving this problem. It can give them the basic cyber skills to spot and avoid a potential threat. And, it needn’t be extensive or time-consuming, just a few hours a month on the basics and regular updates on new threats can make all the difference.
2. Deploy MFA
Multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.
3. Use an Anti-malware tool
Anti-malware software focuses on defending against the latest threats. An effective tool should protect your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Most anti-malware tools constantly update their rules, meaning you’ll be protected swiftly against any new threats, including the malware injected by quishing scams.
4. Protect your network
Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:
Install a network firewall to filter network traffic
Use a VPN to encrypt network traffic
Segment your network to eliminate single points of failure
Regularly update your router’s firmware
5. Follow software providers’ advice
As we saw in the example earlier, cybercriminals will often try to imitate software providers when launching a quishing attack. Software providers such as Microsoft are all too aware of the threat and many have released guidance on how to counter a scam.
6. Limit user access
Limit who has access to what within your business. Staff should only have admin rights within a system or application if it’s critical for their role. It might sound a bit draconian, but the reasoning behind it is sound. If a cybercriminal compromises a user account through a phishing campaign, the fewer permissions that account has the less damage a hacker can do.
7. Tie it all together
Don’t be put off by the length of the list above. If you’re unsure about where to start, complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification.
These certifications can help you adopt good cybersecurity practices (including all of the above) and build your cyber confidence.
However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where continuous cybersecurity monitoring tools like CyberSmart Active Protect can help by giving you an ‘always-on’ view of your business’s defences.
Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them.
Antivirus and anti-malware are the basic building blocks for any small and medium enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use one.
But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.
Malware vs viruses
Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?
That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.
The term ‘virus’ describes malicious code that can reproduce repeatedly – just like a biological virus. The code damages your device by corrupting your system or destroying data. Viruses are also usually considered legacy threats that have existed for a long time, and today’s cybercriminals rarely use them.
On the other hand, malware is an umbrella term that refers to many different threats. These range from ransomware to spyware and even some newer viruses (confusing, we know). The key difference is its novelty.
The threats under the term malware are new, constantly evolving, and very much in use among modern cybercriminals. So, antivirus software providers have upped their game to protect customers.
Antivirus vs anti-malware: the key differences explained
As you might expect, antivirus usually deals with older, more established cyber threats. To illustrate, think of warnings from the noughties – endless error pop-ups, trojan horses, and worm viruses. These attacks typically enter your business through tried and tested routes such as email attachments, corrupted USBs, and other standard cyber threat delivery methods.
These cyber nasties are generally very predictable and easy to counter. However, they can still do plenty of damage if left unchecked.
Anti-malware
Anti-malware software focuses on defending against the latest threats. A good anti-malware protects your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Anti-malware usually updates its rules faster than an antivirus, making it the best protection against any new threats you might encounter.
Antivirus vs. anti-malware: which should you choose?
At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime.
Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.
Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack.Instead, it’s better to take a layered approach to your cybersecurity – by which we mean installing antivirus and anti-malware software to protect your business against new and old threats.
Choosing cybersecurity solutions isn’t an either/or dilemma
Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business complies with the basic requirements to deter cyber threats. This is because the steps to get qualified include:
Data encryption
Firewalls
User access management
Software and operating system updates
You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.
Malware-as-a-Service and the rise of DIY cybercrime
Cybercriminals are always looking for the next sophisticated method to target businesses. And as a small business owner, it can sometimes feel impossible to keep up with the latest developments. However, knowledge is power, which is why we bring you regular updates. Let’s explore the latest trends in DIY cybercrime and Malware-as-a-Service, and how to mitigate them.
What is Malware-as-a-Service?
Malware-as-a-Service (MaaS) is a business model used by cybercriminals known as MaaS operators. MaaS operators lease their software, hardware, and related infrastructure to others for a fee. This enables malicious criminals to distribute pre-made malware, even with minimal coding skills.
You might’ve heard of similar terms like a Software-as-a-Service model, where an end-user purchases a pre-made software solution for their business or personal use. MaaS is the same concept but with malicious software. MaaS operators distribute the software on the dark web and sometimes even provide customer support to nefarious clientele.
DIY cybercrime, or do-it-yourself cybercrime, is where a cybercriminal uses a pre-made solution to execute malicious activity. For example, they purchase ready-to-use Malware-as-a-Service, quickly get it up and running, and then use it to distribute malware to their target.
The worrying thing about DIY cybercrime is that anyone can purchase and use an off-the-shelf tool. It has never been easier for criminals to distribute malware, engage in phishing, and more.
At this point, you might be shaking your head and thinking, ‘D-I-WHY?!’ But don’t worry, all is not lost. You can dramatically reduce the threat to your business by putting the correct cybersecurity solutions in place.
Malware-as-a-Service examples
ZeuS/ZBOT
ZeuS, or ZBOT, is a MaaS package that runs on Microsoft Windows. It was designed to steal sensitive information like banking credentials. First detected in 2007, it has successfully targeted large organizations like Amazon, Bank of America, and NASA.
SpyEye
SpyEye is a computer program that infects victims’ devices and steals sensitive data. In a rare case of justice, the creator of SpyEye was caught and sentenced to nine and half years in US federal prison. However, this hasn’t stopped the presence of SpyEye across the internet.
Blackhole Exploit Kit
Released on an underground Russian hacking platform, Blackhole Exploit Kit made up 29% of all web threats in 2012, making it a significant threat. Since then, the exploit kit model has continued to transform and is still widely used by cybercriminals.
How to prevent Malware-as-a-Service attacks
Like all criminal activity, MaaS isn’t a threat that’ll soon disappear. But there are several simple steps to protect your business. Here’s what we think you should prioritise.
Educate employees
Most people don’t have in-depth knowledge of malware and DIY cybercrime. Due to the ever-changing nature of cybercrime, your employees must play a part in protecting your business. Make sure people know how to spot a malware attack in your business and provide them with training and resources so they stay informed.
Complete a cybersecurity certification
A cybersecurity certification, like Cyber Essentials, is an excellent way to quickly implement robust security measures in your business. This is because the steps to qualify help you attain certification status and proactively mitigate against malware.
Additionally, many companies find that the steps help them identify overlooked vulnerabilities in their business that they might otherwise be unaware of. It covers a broad range of factors like:
Certification is a great starting point for putting in place the right defences and building your cyber confidence. However, cybercriminals won’t only attack on certification day, so you need a way of monitoring your defences year-round. You could approach this manually, but beware it’ll be time-consuming and require familiarity with cybersecurity best practices.
An alternative is to use a cybersecurity monitoring service, like CyberSmart Active Protect, which checks for vulnerabilities around the clock and ensures everyone in your business is working safely. Likewise, a vulnerability management tool can help you get ahead of the latest developments in cybercrime.
Want to know more about the threats facing small businesses like yours? Then have a read of our SME cost of living crisis report. It’s packed full of insight into how small businesses are defending themselves during an economic downturn.
For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different. According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?
How a spear phishing attack works
Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting. A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.
Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access.
We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:
1. Goal setting
The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.
2. Picking the target(s)
This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?
These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.
3. Building a profile of the victim(s)
By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims.
Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.
4. Initiate contact and use social engineering techniques
Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.
The most expensive spear phishing attacks of all time
1. Google and Facebook
This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms.
Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum.
2. Ubiquiti Networks
In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack.
3. Colonial Pipeline
Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat.
The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network. Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting. We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.
Spear phishing affects small businesses too
Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth. According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise.
Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target. SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence. Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.
How to protect your business
There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected. 1. Use a VPN
A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter.
Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).
2. Staff training
As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.
3. Patch all software
Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.
4. Deploy MFA
Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.
5. Protect your network
Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:
Install a network firewall to filter network traffic
Use a VPN to encrypt network traffic
Segment your network to eliminate single points of failure
Regularly update your router’s firmware
6. Always use back-ups
If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.
7. Limit user access
Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.
8. Tie it all together
If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence. However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help. Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.
Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.
Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?
What is a banking trojan?
A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to networks and confidential information stored in online banking systems.
Banking trojans typically come in two forms:
Backdoor trojans: Use backdoors in your system to circumvent security measures and gain access to your computer.
Spoofers: Steal user credentials by creating a fake version of a financial institution’s login page.
How do banking trojans work?
A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.
Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.
Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.
How do you know when you’ve been hit?
Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:
New or unexpected forms appearing in your bank accounts
It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.
What can you do to protect your business?
Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.
Use multi-factor authentication
Multi-factor authentication (MFA) is a security measure that requires you to provide two or more verification methods to sign into an application. Instead of asking for your username and password, MFA demands additional information such as:
A randomly generated PIN code sent by SMS
A piece of memorable information known only to you
Your thumbprint
The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.
Train staff how to spot the signs
Human error is responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.
Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.
Patch software regularly
Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software can develop vulnerabilities, suffer a breach, or become outdated. Software developers release security patches to ensure cybercriminals don’t have an easy route into their clients’ systems.
It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.
Use a password manager
Many banking trojans use keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. Using a password manager, which doesn’t require you to type anything, instantly overcomes the threat of keyloggers.
Only download files from trusted sources
This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only download software from trusted sources, such as Microsoft, Google, or Apple stores. This helps to minimise your exposure to compromised software and malware.
Use all the security features offered by your bank
Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (virtually all of them do), use it. Many business-oriented banks also have app stores full of free or low-cost cybersecurity features. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.
Banking trojan examples to watch out for
Zeus
Active since 2007, cybercriminals use Zeus to target Microsoft Windows and steal financial data. It quickly became one of the most successful pieces of malicious software in its class, affecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, we’ve seen an uptick in Zeus variants since the source code went public.
SpyEye
Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans in the early 2010s. SpyEye enabled its creators to steal sensitive information from its victims’ bank accounts, including account credentials, credit card information, and PIN numbers. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.
Emotet
Emotet is a banking trojan that spreads primarily through email. These emails often use familiar branding and convincing wording to trick the victim into clicking on a malicious link. Emotet has gone through a few iterations since emerging in 2014, in an attempt to circumvent modern detection methods.
Don’t suffer the same fate as Troy
Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.
Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.
We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers. However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.
What is nation-state cyber warfare?
Nation-state cyber warfare is best defined as:
‘Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’
Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.
There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.
Military operations
Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.
Sabotage
Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.
Espionage
Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.
Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.
Stealing funds
Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea, have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.
Why does this matter to you?
Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.
What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me.
The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail.
Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ‘22 and June ‘23, schools were the most targeted sector, with 16% of all such attacks being directed at them.
The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.
So while you might not be the direct target, the impact can be felt by everyone.
Nation-state attacks in the real world
We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare.
Stuxnet (2010)
We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme.
We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising the Iranian’s nuclear programme.
2016 American election (2016)
In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hilary Clinton’s campaign committee and leaking this information online.
And one fresh off the press…
In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.
Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.
Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?
What should I do to protect myself?
Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be.
What can we do as individuals?
Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.
What should businesses do?
Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity.
What should we expect from governments?
Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.
The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.
We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.
With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.
Malware is almost as old as the first personal computers. And like anything that’s existed for a long time, it’s easy to become complacent about it.
However, if your business has ever fallen victim to a malware attack, you’ll know how damaging it can be. The repair costs alone can set you back thousands; then, there’s the indirect financial impact of prolonged business disruption, data loss, and reputational damage.
Yet, it’s not all doom and gloom. Armed with a little understanding, you can prepare your prepare your business and stay safe online. To help you do this, we’ve put together this short guide to help you get your head around the stages of a malware attack and how they work.
But first…
What is malware?
Malware is the umbrella term for malicious software that damages, disrupts, or gives cybercriminals access to a computer system.
Cybercriminals typically disguise malware as legitimate files, links, or attachments on a web page or email. The goal is to trick the victim into downloading the malicious program onto their device, where it can:
Steal corporate information or sensitive customer data
Delete or encrypt data
Disrupt business operations
In some cases, malware can exploit vulnerabilities in your cybersecurity to spread to other connected systems in your network.
Malware is a pervasive threat. The AV-TEST Institute registers 450,000 new types of malware every day, contributing to the estimated 1.5 billion malicious software programs and potentially unwanted applications (PUA) in the world today.
Cybercriminals and threat groups are responsible for billions of malware attacks every year – there were 5.5 billion in 2022 alone. Cybercrime, including malware, costs UK businesses an estimated £21 billion every year.
UK businesses are on the frontlines of the malware threat. 84% of UK Chief Information Security Officers (CISOs) say UK organisations are at the highest risk of material cyberattacks, with ransomware among the most common. For example, 66% of businesses fell victim to one or more ransomware attacks in 2023, marking a 44% increase from 2020.
Meanwhile, public administration experiences more malware attacks than any other sector. Public sector bodies reported 488 separate incidents between November 2021 and October 2022.
The 5 stages of a malware attack
Infected websites, email attachments, and removable media are the most common means of malware attack. But whatever the approach, they all follow a similar five-stage pattern.
Stage 1: Entry
The victim inadvertently visits a compromised website by:
Visiting a trusted website that a cybercriminal has hijacked
Clicking on a link (often embedded in an email) that redirects the victim to the compromised website
Cybercriminals can compromise a trusted website by exploiting vulnerabilities in its servers or content management system (CMS) or using stolen credentials to inject malicious code. When the victim visits the compromised web page, the malware automatically downloads the code onto their systems.
Stage 2: Distribution
After bypassing the victim’s cyber defences, the malware redirects to an exploit kit hosting site. Cybercriminals typically use hacked traffic distribution systems (TDS) to create multiple redirections, which help to conceal their activities and the identity of their exploit kit hosting site.
Traffic distribution systems use a combination of traffic filtering and fast-flux networks to hide the host site from search engines and security scans, making them harder to track down and blocklist.
Stage 3: Exploitation
The hosting site installs an exploit kit onto the victim’s system, which loads it with malicious files, including:
HTML
Java
Flash
PDF
These files probe the victim’s system, looking for vulnerabilities they can exploit to gain access to or control of the target computer. And the worst part? The technical barriers to entry for launching malware attacks get lower each year. Cybercriminals can create homemade exploit kits or, if they don’t have the coding skills, they can purchase them cheaply on the dark web.
Stage 4: Infection
Having successfully infiltrated the victim’s system, the malware delivers its harmful payload. This could be anything from ransomware to trojan horses or worms that operate silently in the background.
Stage 5: Execution
Now, the malware gets to its dirty work. Depending on the cybercriminal’s goals, this could be stealing or encrypting sensitive data to ransom back to the victim, disrupting business operations, or infiltrating other connected systems.
Malware attack examples
Malware affects everyone. Even global brands and government organisations with robust cybersecurity tools, practices, and policies have fallen prey to malware over the years.
These examples of recent high-profile attacks illustrate the extent of the threat.
LockBit (ransomware)
One of the most active ransomware strains, LockBit has affected over 1,500 businesses at a total cost of over £72 million since emerging in 2019. The Royal Mail is among its most high-profile victims. At the start of 2023, LockBit caused severe disruption to Royal Mail’s overseas delivery service after it affected one of its back-office systems. The attack lasted two months and cost over £10 million to rectify.
Conficker (worm)
One of the largest and most notorious worms in history, Conficker has infected tens of millions of computers in over 190 countries since its discovery in 2008. Its long list of victims includes government agencies (including the UK parliament), businesses, and home computers, and remains an ongoing threat. To date, it’s caused £7 billion in damages.
Emotet (trojan horse)
First discovered in 2014, the Emotet trojan has wreaked havoc on businesses and government organisations, especially in the United States. According to the Department of Justice, the trojan has infiltrated over 1.6 million computers and caused £2.5 billion in damages.
Prevention is the first step to protection
It’s not always easy to spot a malware attack. Cybercriminals use sophisticated tools and techniques to conceal their activity from victims, so it could be days, weeks, or even months before you realise something’s wrong.
Preparation is the key to protecting your business, suppliers, and customers from malware. At the very least, we recommend regularly updating your systems and software, installing a network firewall, and teaching staff cybersecurity best practices.
If you want to go one step further, consider getting a cybersecurity certification. Schemes like the government-backed Cyber Essentials are quick, easy, affordable, and effective.
Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023 with criminals stealing over £580 million. And worming its way into these figures, comes a growing threat – remote access takeovers. In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.
How does a remote access scam work?
A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials. Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams. Typically, a remote access takeover works in one of two ways: 1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access. 2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s).
In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated.
As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023.
This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider, Norton approximates these kinds of scams were responsible for 75% of all threats in the first half of 2023.
So the problem is real, which begs the question, what can you do to protect your business?
How can you protect your business?
The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop, here’s how.
Don’t give out digital banking details
This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam.
Never install any remote access software as a result of a call
Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately. Verify telephone numbers
If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.
However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.
Just hang up
Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up. Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.
Put processes in place
Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. Ensure your business has a proper due diligence culture for any payments that include a two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point. Educate your staff
Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training. What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket. Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.
