
    VMware adds to Kubernetes portfolio Tanzu

    After unveiling its new apps portfolio Tanzu last year, VMware on Tuesday announced it is expanding the offering.

    The Tanzu portfolio debuted in March, providing a package of tools for building and managing applications. VMware’s goal, CEO Pat Gelsinger said at the time, is to become “the ubiquitous, central infrastructure to enable our customers’ digital transformation.”
    Over the last year, VMware has added to the Tanzu portfolio, expanded its partner ecosystem, and added new customers. 
    The first Tanzu-branded offering was Mission Control, which allows customers to have a single point of control to manage all of their conformant Kubernetes clusters regardless of where they are running — vSphere, public clouds, managed services, packaged distributions, or DIY Kubernetes.
    A year on, VMware Tanzu products include those gained with Bitnami, Heptio, Pivotal, and Wavefront acquisitions. VMware earlier this month announced the packaging of these products into four Tanzu editions: Tanzu Basic, Tanzu Standard, Tanzu Advanced, and Tanzu Enterprise.
    The company has also embedded Kubernetes in the vSphere control plane, as vSphere with Tanzu, which it said was providing customers with a single platform for all applications.
    With more than 75 independent software vendors now part of the VMware Tanzu community, vice president of VMware’s advanced technology group Chris Wolf told ZDNet there has been a lot of interest in Tanzu over the last 12 months.
    “It’s been a fantastic journey for us because since the announcement a year ago, we’ve been able to ship vSphere 7 with Tanzu and this means that your Kubernetes APIs are baked into our core platform — for both our customers as well as our partners,” he said.
    VMware is extending the Virtual Cloud Network to connect and protect environments through VMware Tanzu Service Mesh powered by NSX and support for Project Antrea, which is an open source networking and security project for Kubernetes clusters.
    Tanzu Service Mesh includes new capabilities focused on improving application continuity, resiliency, and security, the company said.
    The new VMware Container Networking with Antrea is a commercial offering consisting of signed images and binaries and full support for Project Antrea. VMware Container Networking with Antrea will be included in VMware NSX-T, vSphere 7 with Tanzu, and Tanzu Kubernetes Grid.
    Now, Tanzu will also be supported across VMware Cloud on AWS, with preview support for Oracle Cloud VMware Solution and Google Cloud VMware Engine.
    “From a customer perspective, they now have native Kubernetes on a VMware stack, they can run Kubernetes pods and VMs side by side, software developers can interact with the infrastructure … on top of all that, if you think about it from a partner perspective, the fact that we’re exposing upstream Kubernetes above our stack means any third party can create an integration with VMware and much of that engineering work to build that innovation onto our platform, they can even repurpose with our competitors — it’s actually very friendly for our partners,” Wolf added.
    VMware and Microsoft are also working closely to make the preview available soon to early adopters.
    VMware also announced a partnership with GitLab that will see the DevOps platform delivered as a single application.
    “I’m really excited about the growth of Kubernetes and where our Tanzu portfolio is continuing to evolve,” Wolf told ZDNet. “We have a lot more innovation happening there.”

    VMware using Carbon Black to secure the distributed workforce

    Realising the future of work has shifted due to the COVID-19 pandemic, VMware is looking to centralise the security controls its customers now need, saying legacy networking and security approaches lack the automation, cloud scale, and intrinsic security needed to connect and protect apps, data, and users that are globally distributed.

    This idea, vice president of VMware’s advanced technology group Chris Wolf said, is key to the company’s new VMware Future-Ready Workforce solutions. He labelled them as providing “exceptional workforce experiences”, end-to-end zero trust security controls, and simplified management.
    “The Future-Ready Workforce solutions combine industry-leading Secure Access Service Edge (SASE), Digital Workspace, and endpoint security capabilities to help IT manage and optimise secure access to any app, on any cloud, from any device while providing a simple, high performant, and a safer user experience for the distributed workforce,” he told ZDNet.
    The VMware SASE platform, the company explains, is a cloud-first offering that “delivers application quality assurance, intrinsic security, and operational simplicity, and is ideal for organisations that are supporting a work from anywhere workforce”.
    As Wolf explained, legacy networking and security approaches lack the cloud scale and intrinsic security required to connect and protect apps, data, and users across a global business fabric. He said this is driving the accelerated adoption of SD-WAN and the emergence of Secure Access Service Edge (SASE).
    The VMware SASE platform combines SD-WAN with cloud-delivered security. VMware is adding Secure Web Gateway, Cloud Access Service Broker, and expanded zero trust network access capabilities to the VMware SASE platform.
    Under the SASE offering, VMware has expanded its global network to over 2,700 cloud service nodes across 130 points of presence.
    VMware is also announcing VMware Edge Network Intelligence, which is based on technology acquired from Nyansa that uses machine learning-based predictive analysis, actionable intelligence, and proactive remediation. Meanwhile, VMware vRealize Network Insight 6.0 improves VMware SD-WAN visibility.
    The Dell EMC SD-WAN solution powered by VMware has also been expanded to include built-in LTE to support mobile clinics or temporary sites, as well as higher reliability for work from home.
    Meanwhile, VMware Secure Access, a zero trust network access service that combines VMware Workspace ONE and VMware SD-WAN into the one cloud-hosted offering, is touted by the company as enabling more secure, optimised, and high-performance access for remote and mobile users.
    The new VMware Cloud Web Security service will integrate Menlo Security’s secure web gateway, cloud access service broker, and remote browser isolation capabilities natively into the VMware SASE solution.
    The company’s VMware NSX firewall will also be integrated into the VMware SASE platform for “cloud-delivered firewall as a service”, in both single-tenanted and multi-tenanted deployment options.
    “When you look at SASE, that’s solving real world work 2.0 problems that our customers have, we see that as a fantastic opportunity for VMware and our customers,” Wolf added.
    Building on its Workspace ONE and Workspace Security offerings, VMware has also announced VMware Workspace Security Remote and VMware Workspace Security VDI.
    Workspace Security Remote, Wolf said, combines unified endpoint management (UEM), endpoint security, and remote IT support into an integrated solution for protecting Mac and Windows 10 devices.
    Workspace Security VDI, meanwhile, integrates VMware Horizon and VMware Carbon Black Cloud with the goal of helping deliver highly secure virtual desktops and applications.
    “The distributed workforce introduces a number of challenges ranging from employee on-boarding, visibility and compliance, security, employee safety, and more,” VMware said. “In order to address these challenges and successfully embrace the future of work, organisations need to re-think how they approach security, experience and operational complexity associated with the IT environment.”
    Adding to the company’s “new innovations to deliver intrinsic security to the world’s digital infrastructure” play is VMware Carbon Black Cloud Workload.
    “The solution combines Carbon Black’s security expertise with VMware’s deep knowledge of the data centres to build security into workloads,” the company said.
    “Tightly integrated with vSphere, VMware Carbon Black Cloud Workload provides agentless security that alleviates installation and management overhead and consolidates the collection of telemetry for multiple workload security use cases.”
    VMware Workspace Security Remote and VMware Workspace Security VDI are already available; VMware Edge Network Intelligence is expected to be available by the end of October; BYOD capabilities for VMware Secure Access are expected to be available by the end of January 2021; VMware Cloud Web Security is expected to be available from around February, and NSX Firewall as a Service for the VMware SASE Platform is expected to be available some time next year.
    VMware Carbon Black Cloud Workload is expected to be available in November 2020, and VMware expects it to expand a month later, still within this year, with a new Carbon Black Cloud module for hardening and securing Kubernetes workloads.

    Project Monterey: VMware's solution to the requirements of next-gen applications

    VMware has kicked off day one of its virtual VMworld 2020 conference with a slew of announcements focused on its idea of a “digital foundation for an unpredictable world”.

    The first is Project Monterey, which the company says redefines hybrid cloud architecture for the data centre, cloud, and edge.
    Speaking with ZDNet, vice president of VMware’s advanced technology group Chris Wolf said Project Monterey will help customers address the requirements of a new generation of applications.
    As organisations modernise existing apps and deploy new ones, traditional IT architectures are being stretched to meet their unique requirements, he said. Next-generation apps spanning 5G transformation, cloud native, data-centric, machine learning, multi-cloud, and hybrid apps distributed across environments have produced new challenges for IT organisations.
    To avoid adding further silos, such as those resulting from the adoption of GPUs, field programmable gate arrays (FPGAs), and smart network interface controllers (SmartNICs), VMware believes Project Monterey will tackle the problem from the start.
    The initiative will span support for SmartNICs, platform re-architecture, and security.
    “If we look at where we are at … cloud native, telco, 5G transformations — this is really increasing the amount of network traffic and scale. How does the next-generation infrastructure handle that? It’s really looking at network I/O and virtualisation offload that would come in the form of SmartNICs as they continue to grow,” Wolf said.
    “For machine learning and data-centric apps, there’s a stronger need for hardware acceleration requirements and then for multi-cloud and hybrid apps, we’re seeing a lack of traditional perimeter create a need for newer security models as well.
    “We’ve been looking at ways to create better isolation for those particular use cases.”
    VMware is working to evolve VMware Cloud Foundation — vSphere, vSAN, and NSX — to support SmartNIC technology, which is a new architectural component that offloads processing tasks that the server CPU would normally handle.
    “By supporting SmartNICs, VMware Cloud Foundation will be able to maintain compute virtualisation on the server CPU while offloading networking and storage I/O functions to the SmartNIC CPU,” the company said in a statement.
    “This will allow applications to maximise the use of the available network bandwidth while saving server CPU cycles for top application performance.
    “VMware has taken the first step of this evolution by enabling ESXi to run on SmartNICs.”
    As part of Project Monterey, VMware will rearchitect VMware Cloud Foundation to enable disaggregation of the server including extending support for bare metal servers.
    “This will enable an application running on one physical server to consume hardware accelerator resources such as FPGAs from other physical servers,” the company said. “This will also enable physical resources to be dynamically accessed based on policy or via software API, tailored to the needs of the application.”
    VMware said that with ESXi running on the SmartNIC, organisations will be able to use a single management framework to manage all of their compute infrastructure, whether virtualised or bare metal.
    “Another cool use case is around bare metal and composability. What gets really fascinating from a virtualisation perspective is if we take the ESX control plane that’s normally running on the server, running your applications in virtual machines, and we move that off to the SmartNIC, we can actually now start to get the best benefits of VMware virtualisation such as NSX and vSAN storage and be able to apply that to bare metal workloads running on the server,” Wolf added.
    “So for some of your applications that may want to take advantage of just bare metal, we can give you the best of both worlds.”
    He added the decoupling of networking, storage, and security functions from the main server allows these functions to be patched and upgraded independently from the server.
    VMware said with Project Monterey, advancements in silicon further enable its vision of bringing “intrinsic security” to life.
    “Each SmartNIC is capable of running a fully-featured stateful firewall and advanced security suite. Since this will run in the NIC and not in the host, up to thousands of tiny firewalls will be able to be deployed and automatically tuned to protect the particular services that make up the application — wrapping each service with intelligent defences that can shield any vulnerability of that specific service,” it added.
    “This will enable a custom-built defence that will be able to be automatically tuned and deployed across tens of thousands of application services.”
    To bring Project Monterey to life, VMware is working with its partners including Intel, Nvidia, and Pensando Systems, and system companies Dell Technologies, Hewlett Packard Enterprise, and Lenovo, to deliver solutions based on the new project.
    Project Monterey is currently in preview.

    DDoS attacks are getting more powerful as attackers change tactics

    There’s been a surge in Distributed Denial of Service (DDoS) attacks throughout the course of this year, and the attacks are getting more powerful and more disruptive.
    DDoS attacks are launched against websites or web services with the aim of disrupting them to the extent that they are taken offline. Attackers direct the traffic from a botnet army of hundreds of thousands of PCs, servers and other internet-connected devices they’ve gained control of via malware towards the target, with the aim of overwhelming it.

    An attack can last for just seconds, or hours or days and prevent legitimate users from accessing the online service for that time.
    And while DDoS attacks have been a nuisance for years, the prospect of corporate, e-commerce, healthcare, educational and other services being disrupted at a time when the ongoing global pandemic means more people are reliant on online services than ever could create huge problems.
    But a new threat intelligence report by cybersecurity company Netscout suggests that’s exactly what’s happening, as cyber criminals have launched more DDoS attacks than ever before. The company said it observed 4.83 million DDoS attacks in the first half of 2020, up 15% compared with 2019.
    “When looking at cyber threats historically, as the footprint of available attack surface increases, so do attacks against them. This is also true in the DDoS world,” Richard Hummel, threat intelligence lead at Netscout, told ZDNet.
    And while there are sometimes political or financial motivations behind conducting DDoS attacks, in many cases those controlling the campaigns just launch them because they can.
    “The motivation behind these attacks is varied, from ‘because they can’ to ‘showboating’ or even just to cause havoc and disruption,” Hummel added.
    The bad news is that DDoS attacks are also growing in size, with the potency of the strongest attacks up 2,851% since 2017 – providing attackers with the ability to knock out networks much faster than ever before.
    DDoS attacks are getting more powerful because they’re getting more complex, using many different types of devices and targeting different parts of the victim’s network. Attackers are learning that the most basic DDoS attacks are becoming less effective, so they are dropping them in favour of more powerful campaigns.
    “Attacks leveraging only one vector decreased year over year by 43%. Combine that with attacks across the board being faster, with more packets per second and shorter duration. It means that the attacks happen in short bursts that overwhelm a target quickly, making mitigation more difficult,” Hummel explained.
    One factor that helps attackers build the botnets behind DDoS attacks is that much of the source code for them is available for free. The most notorious case of this is the Mirai botnet, which took out vast swathes of online services in late 2016. The source code for Mirai was published online and it has served as a popular backbone for building botnets since.
    The growing number of connected devices also serves to increase the potential power of botnets; not only can attackers take control of insecure PCs and servers as part of attacks, but the rise in Internet of Things (IoT) devices – which are connected to the internet and often have the bare minimum or no security protocols – can be used to power attacks.
    Some botnets, like Gafgyt, are powered by IoT devices alone, as cyber criminals increasingly look to exploit their lack of protections.
    “No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world,” said Hummel.

    What is phishing? Everything you need to know to protect yourself from scam emails and more

    What is phishing?
    Phishing is one of the easiest forms of cyberattack for criminals to carry out, and one of the easiest to fall for. It’s also one that can provide everything hackers need to ransack their targets’ personal and work accounts.
    Usually carried out over email – although the scam has now spread beyond suspicious emails to phone calls (so-called ‘vishing’), social media, messaging services (aka ‘smishing’) and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants.

    That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.
    Phishing is also a popular method for cyber attackers to deliver malware: victims are encouraged to download a document or visit a link that secretly installs the malicious payload, which could be trojan malware, ransomware, or any of a range of damaging and disruptive tools.
    The aim and the precise mechanics of the scams vary: for example, victims might be tricked into clicking a link through to a fake web page with the aim of persuading the user to enter personal information – it’s estimated that an average of 1.4 million of these websites are created every month.  
    More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years in cases where specific individuals are targeted for data that they would only ever hand over to people they trust.
    That data can range from personal or corporate email addresses and passwords, to financial data such as credit card details or online banking credentials, or even personal data such as date of birth, address and a social security number.
    In the hands of fraudsters, all of that information can be used to carry out scams like identity theft or using stolen data to buy things or even selling people’s private information on the dark web. In some cases, it’s done for blackmail or to embarrass the victim.
    In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest.
    And anyone can be a victim, from the Democratic National Committee in the run-up to the 2016 US Presidential Election, to critical infrastructure, to commercial businesses and even individuals.
    Whatever the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.
    How does a phishing attack work?
    A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.
    The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.
    Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.
    Most people simply don’t have the time to carefully analyse every message that lands in their inbox – and it’s this that phishers look to exploit in a number of ways.
    Scams vary in their targets – some are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries or contests by retailers offering a ‘winning voucher’.
    In this example, in order to ‘win’ the prize, the victims are asked to enter their details such as name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.

    If that email ‘prize’ seems too good to be true, it usually is and it’s usually a phishing scam.
    Image: iStock
    Similar techniques are used in other scams in which attackers claim to be from a bank or other financial institution looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim to be from tech security companies and that they need access to information in order to keep their customers safe.
    Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment that they claim contains information about a contract or deal.
    In some cases the aim may be to harvest personal data, but in many cases it’s also used to deploy ransomware or rope systems into a botnet.
    Attackers will often use high-profile events as a lure in order to reach their end goals. For example, 2020 has seen cyber criminals extensively send emails that supposedly contain information about coronavirus as a means of luring people into falling victim. Cyber criminals have also attempted to use the 2020 US Presidential election as a means of attack.
    One common technique is to deliver a Microsoft Office document that requires the user to enable macros to run. The message that comes with the document aims to trick the potential victim into enabling macros to allow the document to be viewed properly, but in this case it will allow the crooks to deliver their malware payload.
    Why is phishing called phishing?
    The overall term for these scams — phishing — is a modified version of ‘fishing’ except in this instance the one doing this fishing is the crook, and they’re trying to catch you and reel you in with their sneaky email lure.
    It’s also likely a reference to hacker history: some of the earliest hackers were known as ‘phreaks’ or ‘phreakers’ because they reverse engineered phones to make free calls.
    When did phishing begin?
    The consensus is that the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell that attempted to steal AOL user names and passwords.
    These early attacks were successful because it was a new type of attack, something users hadn’t seen before. AOL provided warnings to users about the risks, but phishing remained successful and it’s still here over 20 years on. In many ways, it has remained very much the same for one simple reason – because it works.
    How did phishing evolve?
    While the fundamental concept of phishing hasn’t changed much, there have been tweaks and experimentation across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and a personal email address started to become more common.
    Many early phishing scams came with tell-tale signs that they weren’t legitimate – including strange spelling, weird formatting, low-res images and messages that often didn’t make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats, which meant these attacks still found success – and many of them are still effective today.
    Some phishing campaigns remain really, really obvious to spot – like the prince who wants to leave his fortune to you, his one long-lost relative – but others have become so advanced that it’s virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.
    What’s the cost of phishing attacks?
    It’s hard to put a total cost on the fraud that flows from phishing scams, but the FBI suggests that the impact of such scams could be costing US business somewhere around $5bn a year, with thousands of companies hit by scams annually.
    One example of a high-profile incident: in July 2017, MacEwan University in Edmonton, Alberta, Canada fell victim to a phishing attack.
    “A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor,” the university said in a statement.
    What do phishing scams look like?
    The ‘spray and pray’ is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the ‘URGENT message from your bank’ and ‘You’ve won the lottery’ messages that look to panic victims into making an error — or blind them with greed. Some emails attempt to use fear, suggesting there’s a warrant out for the victim’s arrest and they’ll be thrown in jail if they don’t click through.
    Schemes of this sort are so basic that there’s often not even a fake web page involved – victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download.
    This is the way Locky ransomware spread in 2016 and at the time it was one of the most effective forms of the file-encrypting malware around. Many of the most damaging ransomware campaigns have now switched to other means of gaining access to networks, such as compromising internet-facing servers or remote desktop ports, although there’s recently been a resurgence in phishing emails being used to distribute ransomware.

    A simple Locky distribution phishing email – it looks basic, but if it didn’t work, attackers wouldn’t be using it.
    Image: AppRiver
    These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.
    What is spear phishing?
    Spear phishing is more advanced than a regular phishing message and aims at specific groups or even particular individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation or even an individual in order to ensure the greatest chance that the email is read and the scam is a success.
    It’s these sorts of specially crafted messages that have often been the entry point for a number of high-profile cyberattacks and hacking incidents. Both cyber-criminal gangs and nation-state-backed attackers continue to use this as means of beginning espionage campaigns.
    At a consumer level, it can be designed to look like an update from your bank, it could say you’ve ordered something online, it could relate to any one of your online accounts. Hackers have even been known to seek out victims of data breaches and pose as security professionals warning victims of compromise – and that targets should ensure their account is still secure by entering their account details into this handy link.
    While spear phishing does target consumers and individual internet users, it’s much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation as it can produce a far more lucrative bounty.

    Lure document used in a ransomware attack against a hospital – attackers used official logos and names to make the email and the attachment look legitimate.
    Image: Proofpoint
    This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message that looks as if it comes directly from the CEO or another executive.
    Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there’s a bigger potential payback for crooks, too.
    It’s quite possible for hackers to compromise the account of one user and use that as a stepping stone for further attacks. These ‘conversation hijacking’ attacks use a real person’s account to send additional phishing emails to their real contacts – and because the email comes from a trusted source, the intended victim is more likely to click.
    What is Business Email Compromise?
    Recent years have seen the rise of a supremely successful form of targeted phishing attack that sees hackers pose as legitimate sources – such as management, a colleague or a supplier – and trick victims into sending large financial transfers into their accounts. This is often known as Business Email Compromise (BEC).
    According to the FBI, common BEC scams include: cyber criminals posing as a vendor your company regularly deals with that sends an invoice with a (fake) updated mailing address; a company CEO asking an employee to buy gift cards to send out as rewards – and to be sent the gift card codes over immediately; or a homebuyer receiving an email about transferring a down-payment.
    In each instance, the attacker will rely heavily on social engineering, often attempting to generate a sense of urgency that the money transfer needs to be made right now, and in secret.
    For example, attackers have been known to compromise a supplier’s email account and use it to send the victim an ‘urgent’ invoice that needs paying.

    CEO fraud sees attackers posing as executives and sending multiple messages back and forth with victims.
    Image: Trend Micro
    Cyber criminals also engage in CEO Fraud, a subset of BEC attack, where the attackers pose as a board member or manager, asking an employee to transfer funds to a specific account – often claiming it as a matter of secrecy and urgency.
    In each of these cases, the attackers direct the funds into bank accounts they control, then make off with the money.
    It’s estimated that BEC attacks were responsible for half the money lost to cyber criminals during 2019, and almost $700m is being lost to these attacks every month.
    The growth of remote working during 2020 has arguably made it easier for criminals to conduct these schemes, because people working from home can’t as easily talk to one of their colleagues to check if the email is legitimate.  
    What types of phishing attacks are there?
    While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim as the rise of mobile devices, social media and more have provided attackers with a wider variety of vectors to use for attacking victims.
    What is social media phishing?
    With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to one means of sending messages to potential victims.
    Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL that leads to something bad such as malware or maybe even a fake request for payment details.
    But there are other attacks that play a longer game. A common tactic used by phishers is to pose as a person using photos ripped from the internet, stock imagery or someone’s public profile. Often these are just harvesting Facebook ‘friends’ for some future mission and don’t actually interact with the target.
    However, sometimes plain old catfishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.

    The ‘Mia Ash’ social media phishing campaign saw attackers operate a fake social media presence as if the fake persona was real.
    Image: SecureWorks
    After a certain amount of time – it could be days, it could be months – the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their info.
    One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors with advanced social engineering based around a single, prolific social media persona that was absolutely fake.
    Those behind ‘Mia Ash’ are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.
    What is SMS and mobile phishing?
    The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has provided phishers with a new method of attack.
    Attackers don’t even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials – the internet-connected nature of modern communications means text messages are also an effective attack vector.
    SMS phishing – or smishing – attacks work in much the same way as an email attack, presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.

    Text messages offer another attack vector to criminals.
    Image: Action Fraud
    The nature of text messaging means the smishing message is short and designed to grab the attention of the victim, often with the aim of panicking them into clicking on the phishing URL. A common attack by smishers is to pose as a bank and fraudulently warn that the victim’s account has been closed, had cash withdrawn or is otherwise compromised.
    The truncated nature of the message often doesn’t provide the victim with enough information to analyse whether the message is fraudulent, especially when text messages don’t contain tell-tale signs such as a sender address.
    Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.
    What is cryptocurrency phishing?
    As the popularity – and value – of cryptocurrencies like Bitcoin, Monero and others has grown, attackers want a piece of the pie. Some hackers use cryptojacking malware, which secretly harnesses the power of a compromised machine to mine for cryptocurrency.
    However, unless the attacker has a large network of PCs, servers or IoT devices doing their bidding, making money from this kind of campaign can be an arduous task that involves waiting months. Another option for crooks is to use phishing to steal cryptocurrency directly from the wallets of legitimate owners.

    Bitcoin and other cryptocurrencies are popular with cyber criminals.
    Image: Laremenko, Getty Images/iStockphoto
    In a prominent example of cryptocurrency phishing, one criminal group conducted a campaign that copied the front of Ethereum wallet website MyEtherWallet and encouraged users to enter their login details and private key.
    Once this information had been gathered, an automated script created the fund transfer by pressing the buttons as a legitimate user would, all while the activity remained hidden from the user until it was too late. The theft of cryptocurrency in phishing campaigns like this and other attacks is costing millions.
    How can I spot a phishing attack?
    At the core of phishing attacks, regardless of the technology or the particular target, is deception.
    While many in the information security sector might raise an eyebrow at the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and every day there are people accessing the internet for the first time.
    Large swathes of internet users therefore won’t even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn’t actually from the organisation or friend it claims to be from?
    But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, less advanced campaigns have some key give-aways that make an attempted attack easy to spot.
    Signs of phishing: Poor spelling and grammar
    Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.
    Official messages from any major organisation are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.
    It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.
    How to spot a phishing link
    It’s very common for email phishing messages to coerce the victim into clicking through a link to a fake website set up for malicious purposes.
    Many phishing messages contain what looks like an official URL. However, it’s worth taking a second, careful look.
    In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link and will just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.
    Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and, if it looks fake, don’t click on it. And check that it is the correct URL, not one that looks very similar to the one you’d usually expect but differs slightly.
    A strange or mismatched sender address
    You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions that have taken place.
    The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?
    In many instances, the phisher can’t fake a real address and just hopes that readers don’t check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.
    Another trick is to make the sender address almost look exactly like the company – for example, one campaign claiming to be from ‘Microsoft’s Security Team’ urged customers to reply with personal details to ensure they weren’t hacked. However, there isn’t a division of Microsoft with that name – and it probably wouldn’t be based in Uzbekistan, where the email was sent from.
    Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
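    An added example (mine, not the article’s) that applies the link and sender checks above to a message: it flags shortened URLs, domains that imitate a trusted one by a small spelling change or by burying the real brand as a sub-label, and a display name that claims a trusted brand while the address comes from elsewhere. The trusted-domain allowlist, the shortener list and the sample email are all constructed for the demonstration.

```python
# Added example, not from the article: flags the warning signs the article lists
# for links and sender addresses. Allowlist, shortener list and sample are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "examplecorp.com"}  # constructed allowlist
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}   # hide the landing page
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for .com-style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if it is unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Small spelling variation (exarnple-bank.com) or the real brand as a sub-label.
        if edit_distance(dom, trusted) <= 2 or brand in host.lower().split("."):
            return trusted
    return None


def check_urls(body: str) -> list:
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened URL hides landing page: {url}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"look-alike domain {host} resembles {imitated}: {url}")
    return findings


def check_sender(from_header: str) -> list:
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return []
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")
    # Display name invokes a trusted brand while the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0].replace("-", " ") in display.lower():
            findings.append(f"display name '{display}' does not match {domain}")
    return findings


def triage(raw_message: str) -> list:
    """Parse an RFC 822 message and return every warning sign found."""
    msg = message_from_string(raw_message)
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    return check_sender(msg.get("From", "")) + check_urls(body)


SAMPLE = """\
From: "Example Bank Security Team" <alerts@exarnple-bank.com>
Subject: Unusual activity on your account
Content-Type: text/plain

We noticed a login from a new device. Verify your details at
https://example-bank.com.account-verify.net/login or use https://bit.ly/3xyzabc
"""  # constructed sample, not a real message
```

Running `triage(SAMPLE)` returns four findings (imitation sender domain, mismatched display name, look-alike link host, shortened URL); a genuine message from an allowlisted domain linking to that same domain returns none.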
    This phishing message looks strange and too good to be true
    Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store – now just provide us with all of your personal information including your bank details to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.
    In many cases, phishing emails aimed at distributing malware arrive as a blank message containing an attachment – never opening mysterious, unsolicited attachments is a very good way to avoid falling victim.
    Even if the message is more detailed and looks as if it came from someone within your organisation, if you think the message might not be legitimate, contact someone else in the company – over the phone or in person rather than over email if necessary – to ensure that they really did send it.
    How to protect against phishing attacks
    Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
    Exercises allow staff to make errors – and crucially learn from them – in a protected environment. At a technical level, preventing macros from running on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they’re designed to help users perform repetitive tasks with keyboard shortcuts.

    Documents dropped by phishing attacks often ask the victim to enable macros so that the malicious payload can run.
    Image: Digital Guardian
    However, the same processes can be exploited by attackers in order to help them execute malicious code and drop malware payloads.
    Most newer versions of Office automatically disable macros, but it’s worth checking to ensure that this is the case for all the computers on your network – it can act as a major barrier to phishing emails attempting to deliver a malicious payload.
    Multi-factor authentication also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using multi-factor authentication blocks 99.9% of attempted account hacks.
    What is the future of phishing?
    It might have been around for almost twenty years, but phishing remains a threat for two reasons – it’s simple to carry out, even by one-person operations, and it works, because there are still plenty of people on the internet who aren’t aware of the threats they face. And even the most sophisticated users can be caught out from time to time.
    For seasoned security personnel or technologically savvy people, it might seem strange that there are people out there who can easily fall for a scam claiming ‘You’ve won the lottery’ or ‘We’re your bank, please enter your details here’.
    On top of this, the low cost of phishing campaigns and the extremely low chances of scammers getting caught means it remains a very attractive option for fraudsters.
    Because of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the easiest way possible. But it can be stopped and by knowing what to look for and by employing training when necessary, you can try to ensure that your organisation doesn’t become a victim.

    Nevada school district refuses to submit to ransomware blackmail, hacker publishes student data

    A cybercriminal has published private data belonging to thousands of students following a failed attempt to extort a ransomware payment from a Nevada school district.

    Ransomware is a form of malware that can have a devastating impact on businesses and individuals alike. 
    Once a ransomware package has landed and executed on a vulnerable system, files are usually encrypted, access to core systems and networks is revoked, and a landing page is thrown up demanding a payment — usually in cryptocurrencies such as Bitcoin (BTC) or Monero (XMR) in return for a decryption key — which may or may not work.   
    Ransomware operators target organizations across every sector in the hopes that the fear of disrupting core operations will pressure victims into paying up. It may not be a valid legal expense, but for some, paying a ransom is now considered a new cost of doing business. 
    While it is estimated that at least half of organizations struck with a ransomware infection will pay up, others will refuse so as not to give in to criminal activity — no matter the consequences.
    In the case of the Clark County School District in Nevada, officials reportedly refused to pay the ransom, leading to the potential exposure of student data. 
    First reported on September 8 by the Associated Press, the Clark County School District said its computer systems had been infected with malware on August 27, locking up access to files. 
    At the time, it was thought that some employee personally identifiable information (PII) may have been exposed, including names and Social Security numbers, but students were not mentioned. 
    The district pulled in law enforcement and cyberforensic investigators to manage the incident. However, this doesn’t appear to have been enough to prevent a leak. 
    The ransomware’s operator was holding data hostage in the hopes of forcing the district to pay up but was left disappointed, as reported by Business Insider. In retaliation, student information has been published on an underground forum.
    Speaking to the Wall Street Journal, Emsisoft threat analyst Brett Callow said the file dump discovered on the forum claims to include student names, Social Security numbers, addresses and financial information, although what type of financial data has not been disclosed. 
    In an update posted on Monday, the Clark County School District said:

    “CCSD is working diligently to determine the full nature and scope of the incident and is cooperating with law enforcement. The District is unable to verify many of the claims in the media reports. As the investigation continues, CCSD will be individually notifying affected individuals.
    CCSD values openness and transparency and will keep parents, employees, and the public informed as new, verified information becomes available.”

    According to Coalition, ransomware incidents accounted for 41% of cyberinsurance claims filed in the first half of 2020. Claims following ransomware-related security incidents have ranged from $1,000 to over $2,000,000. 

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Former Amazon finance manager and family charged with $1.4m insider trading scheme

    The US Securities and Exchange Commission (SEC) has charged a former Amazon finance manager with insider trading. 

    On Monday, the regulatory watchdog said that from at least January 2016 to July 2018, Laksha Bohra conducted securities trading based on confidential information she had access to as a member of the e-commerce giant’s tax department. 
    The senior manager was involved in preparing and reviewing financial statements included in Amazon’s quarterly earnings. Bohra allegedly leveraged this knowledge to play the market in what is known as insider trading in order to reap “illicit profits,” according to SEC.
    Bohra, 36, not only played this game herself but also allegedly tipped off members of her family, including her father-in-law and husband.
    “Bohra disregarded quarterly reminders prohibiting her from passing material nonpublic information or recommending the purchase or sale of Amazon securities,” SEC’s complaint reads. 
    If an individual has access to pre-release financial information, they may be able to buy or sell stocks and shares based on predictions of what will happen to a company’s share prices. For example, profits may send stock prices upward, whereas the disclosure of losses or lawsuits can cause a share price slump.
    In total, over the course of roughly two years, the former manager and her family traded in 11 separate brokerage accounts, earning themselves roughly $1.4 million. Bohra’s father-in-law reportedly told one of the brokerage firms used that the accounts were treated as a “one family thing.”
    “Amazon considered [..] pre-release financial information to be confidential, highly sensitive, material, and nonpublic,” the US agency says, adding in the complaint that Amazon has previously demonstrated a “zero tolerance” stance on insider trading. 
    Amazon suspended Bohra’s employment in October 2018, leading to Bohra’s resignation. However, the reason for the termination was not disclosed in the complaint.
    Filed in Seattle federal court, the complaint (.PDF) lays out charges against all three family members for violating federal securities laws. 
    According to SEC, all three have agreed to pay back $1,428,094, interest of $118,406, and additional penalties of $1,106,399.
    “Employees with access to confidential, potentially market-moving corporate information may not use that information to enrich themselves, their friends, or their families,” commented Erin Schneider, Director of the SEC’s San Francisco Regional Office. 
    ZDNet has reached out to Amazon and will update when we hear back. 



    WA government to establish whole-of-government cybersecurity centre

    The Western Australian government has announced it will sink AU$1.8 million into establishing a whole-of-government cybersecurity operations centre.
    To be managed by the Department of Premier and Cabinet’s Office of Digital Government, the centre will provide further support to existing cybersecurity efforts across government and the dedicated cybersecurity team within the Office of Digital Government.
    Western Australian Innovation and ICT Minister Dave Kelly has labelled it a first for the state.
    “During COVID-19, we’ve seen a rise in malicious cyber activity in terms of frequency, scale, and sophistication … the new operations centre will provide unprecedented visibility of threats against agencies’ networks, as well as improve the state government’s ability to coordinate and respond to cybersecurity threats against our systems,” he said.
    Kelly added that the centre would also be an additional avenue for cybersecurity TAFE and university students who participate in the Office of Digital Government’s work-integrated learning program.
    Earlier this month, the state’s Office of Digital Government signed a memorandum of understanding with Microsoft to see both deliver cybersecurity capabilities for the public sector and collaborate on initiatives to identify and eliminate cybercrime.
    These initiatives follow revelations from a recent audit that even after 12 years, many entities within the government failed to meet the benchmark for minimum practice when it came to information security, business continuity, management of IT risks, IT operations, change control, and physical security.
    The audit found only 15 entities met the benchmark in 2019, compared to 13 in 2018. The results echoed many of the concerns highlighted in previous years.
    The number of entities that met the benchmark for information security increased from 47% to 57% in 2019.
    “However, a large number of entities are still not managing this area effectively,” the report said.
    Weaknesses found included inadequate or out-of-date information security policies; no reviews of highly privileged access to applications, databases, and networks; a lack of processes to identify and patch security vulnerabilities within IT infrastructure; no information security awareness programs for staff; a lack of staff training and development in information security; a lack of information classification policy or procedures; and weak password controls without multi-factor authentication.