More stories

  • This sneaky type of phishing is growing fast because hackers are seeing big paydays

    There has been a steep rise in phishing attacks that hijack legitimate, ongoing email conversations between users in order to steal passwords, steal money, deliver malware and more.

    Phishing has been a cybersecurity problem for a long time, with criminals sending out vast waves of emails to dupe victims into clicking malicious links, downloading malware or handing over their passwords via fake login portals. The attacks range from basic, generic lures claiming the victim has won a prize and need only click a link to retrieve it, to targeted campaigns that send corporate-looking emails crafted for a specific recipient. It is common, for example, for cyber criminals to email a company’s employees while posing as its CEO, in an attempt to get staff to follow orders from their ‘boss’.

    Increasingly, though, cyber criminals are breaking into the real email accounts of real users and hijacking ongoing conversations to send phishing emails from inside them. These conversation hijacking attacks can be far more effective: the source of the email is someone the victim trusts, and the message arrives as part of an existing thread, so it does not look as suspicious as an unexpected email that comes out of the blue asking for a file to be downloaded or a link to be clicked. According to researchers at Barracuda Networks, conversation hijacking attacks grew by almost 270% in 2021 alone.

    The attacks begin with the takeover of one victim’s email account, which the attackers then use to lure other victims into responding to messages. Once in control of the account, they take the time to read its mail and monitor the ongoing communications in order to understand the user’s day-to-day activities, how they communicate with internal and external contacts, and the details of business operations, payment procedures and deals in progress. That information lets the criminals craft authentic-looking, convincing messages that appear within ongoing conversations, asking recipients to click a malicious link or download a malicious attachment, all in the correct context of the situation.

    Conversation hijacking takes more time and effort than ordinary phishing, but for the cyber criminals the patience can be extremely rewarding.

    “Although there is a lot of upfront work, when conversation hijacking is done “right,” it can have a huge payout for cyber criminals. The number is growing because it’s very difficult to detect, success rates can be high and payouts are big,” Mike Flouton, VP Product Management at Barracuda Networks, told ZDNet.

    While conversation hijacking makes up only a small share of social engineering attacks (researchers put it at 0.3%), its high success rate means more cyber criminals are likely to turn to it. “I expect that the number of these instances will continue to grow in the coming years,” said Flouton.

    As with other phishing attacks, it is possible to protect users against conversation hijacking. Accounts should have strong passwords so they cannot easily be guessed or cracked, and users should enable multi-factor authentication so that a stolen password alone is not enough to log in. Any password suspected of being stolen should be changed immediately.

    For organisations, account-takeover protection is recommended, along with monitoring of inboxes and networks for suspicious activity, particularly sign-ins that appear to come from a new location or a different time zone. Staff should also be trained to recognise and report suspected phishing. Ultimately, conversation hijacking is being used because it works, so organisations and their information security teams should have a plan for how to respond when an attack succeeds.

    “Make sure you are prepared for a cyber attack – have a well thought out response plan in place that will help you recover quickly,” said Flouton.
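The monitoring advice above (watch for sign-ins from a new location or at an unusual time) can be turned into a concrete check. The Python below is an added example, not code from the article or from Barracuda. It runs over a constructed sign-in audit log (UTC timestamp, user, source IP, country; the users, addresses and countries are made up) and flags logins that break each user’s established baseline. The baseline is built only from sign-ins that were not flagged, so a hijacked session cannot quietly teach the detector that the attacker’s country or working hours are normal.

```python
"""Flag mailbox sign-ins that deviate from each user's established baseline.

Added example, not code from the article or from Barracuda. The log below is a
constructed sign-in audit export (UTC timestamp, user, source IP, country); the
users, addresses and countries are made up.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2022-03-14T08:02:11Z alice@example.com 203.0.113.7 AU
2022-03-14T09:15:40Z alice@example.com 203.0.113.7 AU
2022-03-15T08:30:05Z alice@example.com 203.0.113.9 AU
2022-03-15T23:47:52Z alice@example.com 198.51.100.23 NG
2022-03-14T10:00:00Z bob@example.com 192.0.2.44 GB
2022-03-16T10:05:00Z bob@example.com 192.0.2.44 GB
"""


def parse_events(log_text):
    """Parse one event per line and return them in chronological order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country))
    events.sort(key=lambda e: e[0])
    return events


def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect_anomalous_logins(log_text, hour_slack=2):
    """Return alerts for sign-ins from a country, or at an hour, the user has not used before.

    A user's first sign-in has no baseline and is never alerted. Only sign-ins that
    pass both checks extend the baseline, so a hijacked session cannot teach the
    detector that the attacker's country or working hours are normal."""
    seen_countries = defaultdict(set)
    seen_hours = defaultdict(set)
    alerts = []
    for ts, user, ip, country in parse_events(log_text):
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append(f"new country {country}, baseline {sorted(seen_countries[user])}")
        if seen_hours[user] and all(hour_distance(ts.hour, h) > hour_slack for h in seen_hours[user]):
            reasons.append(f"unusual hour {ts.hour:02d}:00 UTC, baseline hours {sorted(seen_hours[user])}")
        if reasons:
            alerts.append({"user": user, "time": ts.isoformat(), "ip": ip, "reasons": reasons})
        else:
            seen_countries[user].add(country)
            seen_hours[user].add(ts.hour)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_logins(SAMPLE_LOG):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

On the sample data only Alice’s fourth sign-in is flagged, for both a new country and an unusual hour. A baseline this simple will also fire for staff who travel or work late, so treat the output as a triage signal to be confirmed with the user rather than as proof of compromise.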

  • iPhone, Android users lose life savings to romance fraud, cryptocurrency operation

    iPhone and Android users are falling prey to new and even more extortionate tactics by romance and cryptocurrency scam artists. 

    Romance scams are nothing new, but their potential impact has expanded with mobile technology and the connection of our smartphones to core financial services, banking and investment opportunities. The US Federal Trade Commission (FTC) says 2021 was a “goldmine” for scammers, with $770 million lost to social media scams alone during the year. Investment, cryptocurrency and romance scams were the most common ways fraudsters cashed in.

    In 2021, Sophos revealed “CryptoRom”, an international criminal ring running romance scams across Asia, the US and Europe. At the time, Sophos said CryptoRom primarily targeted Bumble and Tinder users, luring them into downloading fake cryptocurrency trading apps by abusing Apple’s Enterprise Signature platform.

    The researchers have now provided an update on the scammers’ activities. On Wednesday, Sophos said that victims have been contacting the company, sharing their own stories and allowing the team to collect more threat information.

    “Most also reported that they had lost thousands of dollars in personal savings to the crooks behind the scams, though some saw our previous reports and recognized the scam before being drawn into it too deeply,” Sophos said. “In some cases, victims have lost their entire savings and even taken out loans with the hope that they will get their money back.”

    It now appears that CryptoRom fraudsters are also soliciting victims through cold-call WhatsApp messages, offering investment opportunities and trading tips, with “huge” financial returns promised, of course. Victims are then redirected to fraudulent websites and third-party app repositories, where they are induced to download and install fake cryptocurrency and trading apps. This is where a change in tactics has been noticed.

    Normally, scam artists lure their targets into either entering sensitive financial information into an app or buying cryptocurrency through other services, with the funds ending up in wallets controlled by the attackers. In this case, however, the CryptoRom scammers initially allow victims to withdraw their initial deposits from the fake apps, which are designed to mimic popular, legitimate services, after a ‘win’ on the market.

    This may seem counter-productive, but the scammer then urges the target to invest even more, since the investment ‘opportunity’ has apparently already turned a profit and there is more money to be made. Keep in mind that the scam artist is masquerading as a friend or a romantic interest. Having laid the groundwork of a personal bond and a seemingly real investment opportunity, the crooks then try to squeeze more cash out of their victim.

    “To sweeten the pot, they even offer to ‘lend’ the target a huge sum to increase the investment; since they control the back-end of the app, they can inject fake deposits on accounts and create imaginary profits at will,” the researchers noted.

    When ‘profit’ appears and the user tries to make a withdrawal, the attackers strike. The profits have been fabricated to whatever sum the crooks wish, and now that the victim has paid in further, the scammer demands a “tax” of 20% on the imaginary figure, via the app’s “customer service” team. Some victims reported threats that tax authorities would take everything if they did not pay up. Naturally, they are not allowed to pay using the funds held in the app.

    One individual who contacted Sophos said that all of their retirement money, plus loans, had been deposited and was ‘frozen’ in the app, with over one million dollars held. The fraudsters demanded a ‘tax’ payment of $625,000. This kind of double-dipping appears to be a successful tactic in romance and investment scams, and one that we need to be more aware of.

    To make matters worse, fund recovery services targeting CryptoRom victims have also appeared on social media. These fake services most likely aim to capitalise on people who have already been taken in once by online criminals.

    “Because of the nature of cryptocurrency and the fact that cross-border foreign transactions are involved, it is difficult at best to recover funds through law enforcement or other legal channels,” Sophos says. “The vast majority of these services are fake, and it is highly unlikely that any service would be able to get victims’ money back.”

  • CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO

    Russian state-sponsored hackers have used a clever technique to disable multi-factor authentication (MFA) and exploit a Windows 10 printer spooler flaw to compromise networks and high-value domain accounts. The goal? Accessing the victim’s cloud and email.  The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about Russian state-sponsored activity that pre-dates recent warnings over cyber activity related to Russia’s military invasion of Ukraine. 

    As early as May 2021, the hackers combined a default configuration issue in a Duo MFA setup at a non-governmental organization (NGO) with the critical Windows 10 PrintNightmare flaw, CVE-2021-34481, to compromise it. Microsoft patched that elevation-of-privilege issue in August 2021. Once inside a network, the flaw let an attacker run code with system privileges on Windows 10 machines, which includes creating new accounts.

    In the NGO’s case, a weak password let the attackers obtain the credentials for initial access through a password-guessing attack. They then took advantage of the fact that Duo’s default configuration allows a new device to be enrolled for a dormant account: according to CISA, the account had been un-enrolled from Duo after a long period of inactivity but had never been disabled in Active Directory, so the attackers simply registered a device of their own for it.

    “Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password,” CISA said in an alert.

    After compromising the account, PrintNightmare came into play: the attackers used it to escalate privileges to administrator level and then “effectively” disabled MFA for the compromised account. According to the alert, they did this by modifying the Windows hosts file so that the Duo agent’s API hostname resolved to localhost, meaning the agent could never reach Duo’s servers.

    “This change prevented the MFA service from contacting its server to validate MFA login – this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable,” CISA explains. It notes that the “fail open” issue is not specific to Duo.

    From there, the operation was repeated against higher-value domain accounts. With MFA out of the way, the attackers authenticated to the victim’s VPN as non-administrator users and made RDP connections to the Windows domain controllers. They nabbed credentials for additional domain accounts and went on to change the MFA configuration file, allowing them to bypass MFA for the newly compromised accounts.

    “Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA explains.

    CISA outlines several mitigations related to and beyond MFA implementations. They include:

    • Before implementing MFA, review configuration policies to protect against “fail open” and re-enrollment scenarios.
    • Implement time-out and lock-out features in response to repeated failed login attempts.
    • Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
    • Update software and prioritise patching of known exploited vulnerabilities, especially critical and high-severity vulnerabilities that allow remote code execution or denial of service on internet-facing equipment.
    • Require service accounts, admin accounts and domain admin accounts to have strong, unique passwords.
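Three of those mitigations (guard against fail-open, guard against device re-enrollment on dormant accounts, disable inactive accounts in AD and the MFA system together) can be audited from artifacts an administrator can already export from a host. The Python below is an added example, not CISA’s guidance or Duo’s tooling. It parses a constructed Windows hosts file, a constructed registry export of the Duo credential-provider settings, and a constructed list of AD accounts with their MFA enrollment state. The registry path and the FailOpen value name follow Duo’s public documentation for Duo Authentication for Windows Logon but are an assumption here and should be checked against your installed version; the API hostname, account names and dates are made up.

```python
"""Offline review of a Duo-for-Windows deployment for the weaknesses in the CISA/FBI alert.

Added example, not CISA's or Duo's own tooling. Inputs are text an administrator can
export from a host (hosts file, registry dump) plus an account list; everything below
is constructed sample data, and the registry path/value names are an assumption based
on Duo's public documentation for Duo Authentication for Windows Logon.
"""
import ipaddress
import re
from datetime import date

# Constructed hosts file. The third line is the style of entry the actors added so the
# Duo agent's API hostname resolved to loopback and its server check could never succeed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       api-11111111.duosecurity.com
::1             localhost
"""

# Constructed registry export of the Duo credential provider settings (assumed path and names).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv]
"Host"="api-11111111.duosecurity.com"
"FailOpen"=dword:00000001
"""

# Constructed AD export: name, enabled flag, last logon, whether a device is enrolled in Duo.
TODAY = date(2022, 3, 16)
SAMPLE_ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "last_logon": date(2022, 3, 15), "mfa_enrolled": True},
    {"name": "svc-backup", "enabled": True, "last_logon": date(2021, 9, 1), "mfa_enrolled": False},
    {"name": "former-intern", "enabled": False, "last_logon": date(2021, 6, 1), "mfa_enrolled": False},
    {"name": "cfo", "enabled": True, "last_logon": date(2021, 11, 20), "mfa_enrolled": True},
]


def hosts_overrides_for(hosts_text, domain_suffix="duosecurity.com"):
    """Return (address, hostname) pairs that pin the MFA vendor's API to a fixed address.

    Any static hosts entry for the MFA API is suspect; one pointing at loopback or a
    private address guarantees the agent cannot reach its server."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower().endswith(domain_suffix):
                overrides.append((addr, name))
    return overrides


def fail_open_enabled(reg_text):
    """True when the exported FailOpen DWORD is non-zero (logon succeeds if Duo is unreachable)."""
    match = re.search(r'"FailOpen"=dword:([0-9a-fA-F]{8})', reg_text)
    return match is not None and int(match.group(1), 16) != 0


def dormant_but_enrollable(accounts, today, max_idle_days=90):
    """Enabled accounts idle past the threshold with no MFA device registered.

    These are exactly the accounts where a guessed password lets an attacker enrol a
    device of their own: un-enrolled from Duo for inactivity but never disabled in AD."""
    return sorted(
        a["name"] for a in accounts
        if a["enabled"]
        and (today - a["last_logon"]).days > max_idle_days
        and not a["mfa_enrolled"]
    )


def review(hosts_text, reg_text, accounts, today):
    """Collect human-readable findings from all three checks."""
    findings = []
    for addr, name in hosts_overrides_for(hosts_text):
        try:
            kind = "loopback" if ipaddress.ip_address(addr).is_loopback else "fixed"
        except ValueError:
            kind = "malformed"
        findings.append(f"hosts file pins {name} to {kind} address {addr}; MFA server check cannot succeed")
    if fail_open_enabled(reg_text):
        findings.append("FailOpen=1: Windows logon succeeds whenever the Duo server is unreachable")
    for name in dormant_but_enrollable(accounts, today):
        findings.append(f"dormant enabled account with no MFA enrollment: {name} (disable it in AD and Duo together)")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_HOSTS, SAMPLE_REG, SAMPLE_ACCOUNTS, TODAY):
        print("FINDING:", finding)
```

On the sample data the review returns three findings: the loopback hosts entry, FailOpen set to 1, and the idle, still-enabled service account with no Duo device. On a real host the inputs would come from the hosts file under the system32\drivers\etc directory, a registry export of the Duo key, and an AD user export including last-logon dates; the point of the account check is that disabling must happen in AD and the MFA system at the same time, since an account that is merely un-enrolled from MFA is one password guess away from takeover.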

  • Australia's big four banks tackling cybersecurity with a team sport mentality

    The chief security officers of Australia’s big four banks have likened combating cyber attacks to playing a team sport.

    “I think I’m not alone in saying that we see cyber as very much a team sport,” Commonwealth Bank of Australia CISO Keith Howard said during the virtual Cyber Live event on Wednesday. “The competitors, from my perspective, is not [the other banks], it’s the attackers … at the end of the day, we’re stronger when we work across industry, across education, and also work across government as well.”

    This joint security effort between the big four happens regularly, according to National Australia Bank CSO Sandro Bucchianeri.

    “What we typically do is we would talk about indicators of compromise and share our threat intelligence so that we can better defend ourselves because something I see at NAB, Richard may not have seen it at Westpac, or Lynwen [at ANZ] may have also seen it, so we try to compare notes essentially — and that helps us protect the wider Australian community as a whole,” he said.

    Bucchianeri also emphasised the importance of diverse skill sets in building a strong cybersecurity team.

    “Just like soccer, where you have strikers, defenders, midfielders, goalkeepers, doctors, coaches, nutritionists, and the list goes on, we are looking for new diverse talent that will help us better defend the organisation. Something that I’m personally very excited about is training visually impaired students to become cybersecurity professionals,” he said.

    From ANZ CISO Lynwen Connick’s perspective, diversifying the cybersecurity sector is not just about gender but also about bringing in people from other fields such as psychology, media and fashion.

    “People come from all different walks of life, and that’s really important from a diversity point of view as well because you get that diversity of thought,” she said. “People have had different training, different experiences coming into cybersecurity because cybersecurity is really part of everything we do, so we need all sorts of different people.”

    The push to boost Australia’s cybersecurity skills comes at a time when cyber attacks are no longer confined to a particular sector or type of enterprise; they are hurting all sectors. A prime example came last year when global meatpacker JBS paid $11 million in Bitcoin to attackers who had encrypted its files with ransomware and disrupted operations in the US and Australia.

    As BT Australasia cybersecurity head Luke Barker puts it, a decade ago there was nowhere near as much targeted activity against organisations that run operational networks, such as manufacturing, mining, energy and water, as there is today.

    “Ten years ago, I don’t think the adversaries were targeting those types of industries as much,” he said. “Whereas I look now and most of the organisations we work with, we’re seeing a significant rise in cybercrime against organisations that run those types of environments because the impact is so big.

    “If you’re having to take down an organisation’s manufacturing facility, that is the number one source of revenue, so the impact of their business and the likelihood of them potentially paying a ransom is going to be more so than say their website goes down, when their core business is manufacturing.

    “We’re seeing that shift towards what’s going to create the biggest impact and where are the crown jewels for that organisation.”

  • Australia's cyber laws potentially harmful to security: Critical Infrastructure community

    A slew of Australia’s critical infrastructure service providers and union groups have lambasted the federal government’s critical infrastructure cyber laws because they would require organisations to install third-party software on their systems if they are deemed not “technically capable” of managing cyber threats.

    Roger Somerville, Amazon Web Services’ (AWS) ANZ public policy head, said the need for new cybersecurity laws was apparent and that AWS supported the Bill, but he remained critical of the software installation scheme it contains.

    The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 contains the outstanding elements of the cyber laws passed by Parliament last year, per the recommendations of the parliamentary committee that is now reviewing it. Among those elements are requirements for entities deemed “most important to the nation” to meet enhanced cybersecurity obligations, such as potentially installing third-party software.

    Addressing the committee, Somerville said there is a lack of clarity about how the software installation scheme would operate, and that the federal government’s assurance that it would only be used as a “last resort” is not sufficient.

    “We do acknowledge that the Australian government has told us that those sorts of powers would be more relevant for less sophisticated cyber security entities than ourselves. But from our perspective, I think we’re very concerned that we still do need to see clear, practical guidance on how this would work,” Somerville said.

    Somerville added that if the federal government was adamant about establishing the scheme, a technical support body, constituted as an independent statutory office holder, should be created to oversee its operation.

    “This body would also perhaps create an avenue for contestability of those decisions, particularly on the questions of technical feasibility,” he said.

    AWS was not alone in its concerns. Palo Alto Networks ANZ public policy head Sarah Sloan, who also appeared before the committee, said the software installation scheme introduces unnecessary security risks into critical infrastructure environments. That concern was echoed by Communications Alliance CEO John Stanton, who gave an example of how the scheme could be dangerous.

    “The danger is probably more when information is combined with other information sources, so we don’t necessarily hold a list of the people’s names behind IP addresses, but other organisations do. So if you combine data [from critical infrastructure entities] with telecommunications service providers data, because they know who the service providers are of those IP addresses then you’re able to effectively put together personal information,” Stanton said.

    Software Alliance COO Jared Ragland, meanwhile, noted that the security issues do not stop there, as installing the software could create further problems across critical infrastructure supply chains.

    “In addition to concerns about what kind of information might have legitimate access to the software, a real concern is that if the software is installed at each stage along this chain and it operates improperly, then there could be accidental problems. Perhaps it could be data leakage, but it could also be operational interruptions of other sorts,” Ragland explained.

    For each of these organisations, trust appeared to be the core issue in their opposition to the scheme. To address that lack of trust, not-for-profit advocacy group Internet Association of Australia (IAA) said the federal government should amend the proposed laws to allow critical infrastructure entities to test the code thoroughly.

    “It’s highly, highly important that we need to have to trust the type of software that goes on to manage this. And we need the opportunity to be able to read the code, assess the code, test the code against other things,” IAA CEO Narelle Clark said.

    The critical infrastructure reforms sit alongside the ransomware action plan as the federal government’s primary regulatory efforts to bolster Australia’s cybersecurity posture. Labelled last month by Home Affairs Secretary Mike Pezzullo as the government’s defence against cyber threats, the second tranche of cyber laws is intended to create a standardised critical infrastructure framework for Australia’s intelligence agencies.

  • Kaspersky complains about 'political' German advisory against it

    Kaspersky has responded to an advisory from the German Federal Office for Information Security (BSI) telling users to replace its products, claiming the warning is politically motivated.

    “We believe this decision is not based on a technical assessment of Kaspersky products — that we continuously advocated for with the BSI and across Europe — but instead is being made on political grounds,” the security company said on Wednesday. “We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone.”

    One does not need to look much further than a classic Clausewitz quote to realise that war and politics are very much linked.

    As the BBC reported, the BSI said the advisory was issued because of the Russian invasion of Ukraine.

    “A Russian IT manufacturer can carry out offensive operations itself, be forced against its will to attack target systems, or be spied on as a victim of a cyber operation without its knowledge or as a tool for attacks against its own customers,” the warning says in the BBC’s translation.

    Kaspersky said its data processing was shifted to Switzerland in 2018, and that its customers can “run a free technical and comprehensive review”, including reviewing and rebuilding the source code.

    “Beyond our cyberthreat-related data processing facilities in Switzerland, statistics provided by users to Kaspersky can be processed on the Kaspersky Security Network’s services located in various countries around the world, including Canada and Germany,” the company added.


  • No rational basis: Defamation law expert says Australia's anti-trolling Bill should be canned

    A defamation law expert has slammed the federal government’s so-called anti-trolling Bill, accusing it of changing Australia’s defamation laws for no adequate reason and by misleading means.

    “My colleagues and I think that this legislation is misconceived and should not proceed,” barrister Sue Chrysanthou SC said on behalf of some of Australia’s preeminent defamation law experts. “Not one person who supports this legislation has given an adequate reason, to my knowledge or the knowledge of my colleagues, as to why it should be changed … this Bill is a violent assault on the tort of defamation by the Commonwealth, for which no rational basis or reason has been provided.”

    Chrysanthou made those comments on Tuesday afternoon before the Senate legal and constitutional affairs committee, which is conducting an inquiry into the Bill. She added that the Bill does nothing to address online abuse or trolling.

    At its core, the Bill seeks to remove the liability that owners of social media pages hold for defamatory material posted on those pages. If passed, it would also require social media companies to identify people who post potentially defamatory material. The Bill was drafted shortly after a High Court judgment ruled that media outlets are publishers of third-party comments on their social media pages.

    The legislation has already drawn flak from senators, online abuse victims and government agencies, with Australia’s eSafety commissioner criticising it for containing no mention of the word “troll”.

    “One of our objections to this Bill is that it is piecemeal. It will increase legal costs and cause confusion because of its inconsistency with the state and territory laws,” Chrysanthou told the committee.

    Liberal Senator and committee chair Sarah Henderson, who has claimed she was defamed on Twitter, dismissed Chrysanthou’s arguments on the grounds that the barrister had not run a case against Twitter before.

    “This Bill is all about Facebook. This Bill is all about Instagram. It’s all about Twitter. It’s about unmasking the anonymous abusers, about giving redress,” Henderson said.

    In response, Chrysanthou said that in her experience there has not yet been a need to sue Twitter or Facebook for defamation.

    “Any client I’ve had that sued over a tweet or Facebook post, the persons who made those tweets or Facebook posts have been identifiable. It is a large part of my practice — acting for people who sue over social media posts. So far there hasn’t been a need to deal with Twitter or Facebook,” she said.

    Earlier in the day, Twitter appeared before the committee to call out the anti-trolling laws as an extreme risk to the privacy of Australians, particularly minority communities.

    “We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters,” Twitter director for public policy Australia Kara Hinesley said. “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

  • Twitter concerned Australia's anti-trolling Bill leaves minority communities vulnerable

    Twitter has joined other social media companies in calling out Australia’s anti-trolling laws as an extreme risk to the privacy of Australians, particularly minority communities.

    Kara Hinesley, Twitter Australia’s director for public policy, appeared before a Senate legal and constitutional affairs committee hearing on Tuesday afternoon to lay out the company’s privacy concerns about the federal government’s anti-trolling Bill.

    The Bill, currently before Parliament, seeks to remove the liability that owners of social media pages hold for defamatory material posted on those pages. If passed, it would also require social media companies to identify people who post potentially defamatory material.

    “Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Hinesley said.

    Hinesley added that the requirement to identify people, even those using anonymous accounts, would adversely affect minority communities.

    “We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters,” Hinesley said. “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

    Twitter senior public policy director Kathleen Reen, meanwhile, said the anti-trolling Bill would not help social media companies protect users, and that the platform was unsure whether it could meet the Bill’s information collection requirements.

    Liberal Senator and committee chair Sarah Henderson was not convinced by Twitter’s argument, however, pointing to her own ongoing dispute with Twitter as evidence that the legislation is required.

    “Obviously, I’ve experienced this personally, where a police search warrant issued by Victorian Police has been met with a brick wall from Twitter,” Senator Henderson said. “And you’re now saying that Twitter is re-examining the way the data was held, and it tends to make data held offshore available under circumstances where an end-user disclosure order is issued against Twitter, requiring them to hand over identifying information.”

    Twitter’s concerns echoed those of Meta, which told the committee last Thursday that it would be extremely difficult, even for online companies as large as Meta, to collate the content needed to meet the Bill’s requirements.

    “It might not actually be possible to maintain a constantly updated contact list of both email and phone numbers of all Australians and all people who might be visiting Australia,” said Mia Garlick, Meta APAC policy director.