Information Technology

What is phishing?
Phishing is one of the easiest forms of cyberattack for criminals to carry out, and one of the easiest to fall for. It’s also one that can provide everything hackers need to ransack their targets’ personal and work accounts.
Usually carried out over email – although the scam has now spread beyond suspicious emails to phone calls (so-called ‘vishing’) social media, messaging services (aka ‘smishing’) and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants.

More on privacy

That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.
SEE: Network security policy (TechRepublic Premium)
Phishing is also a popular method for cyber attackers to deliver malware, by encouraging victims to download a document or visit a link that will secretly install the malicious payload in attacks that could be distributing trojan malware, ransomware or all manner of damaging and disruptive attacks.
The aim and the precise mechanics of the scams vary: for example, victims might be tricked into clicking a link through to a fake web page with the aim of persuading the user to enter personal information – it’s estimated that an average of 1.4 million of these websites are created every month.  
More complex phishing schemes can involve a long game, with hackers using fake social media profiles, emails and more to build up a rapport with the victim over months or even years in cases where specific individuals are targeted for data that they would only ever hand over to people they trust.
That data can range from personal or corporate email address and password, to financial data such as credit card details or online banking credentials or even personal data such as date of birth, address and a social security number.
In the hands of fraudsters, all of that information can be used to carry out scams like identity theft or using stolen data to buy things or even selling people’s private information on the dark web. In some cases, it’s done for blackmail or to embarrass the victim.
In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organisations of interest.
And anyone can be a victim, ranging from the Democratic National Committee in the run up to 2016 US Presidential Election, to critical infrastructure, to commercial businesses and even individuals.
Whatever the ultimate goal of the attack, phishing revolves around scammers tricking users into giving up data or access to systems in the mistaken belief they are dealing with someone they know or trust.
How does a phishing attack work?
A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.
The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.
Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.
SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened
Most people simply don’t have the time to carefully analyse every message that lands in their inbox – and it’s this that phishers look to exploit in a number of ways.
Scams vary in their targets – some are aiming at unwary consumers. Here, their email subject line will be designed to catch the victim’s eye – common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries or contests by retailers offering a ‘winning voucher’.
In this example, in order to ‘win’ the prize, the victims are asked to enter their details such as name, date of birth, address and bank details in order to claim. Obviously, there’s no prize and all they’ve done is put their personal details into the hands of hackers.

If that email ‘prize’ seems too good to be true, it usually is and it’s usually a phishing scam.
Image: iStock
Similar techniques are used in other scams in which attackers claim to be from a bank or other financial institution looking to verify details, online shops attempting to verify non-existent purchases or sometimes — even more cheekily — attackers will claim to be from tech security companies and that they need access to information in order to keep their customers safe.
Other scams, usually more sophisticated, aim at business users. Here attackers might also pose as someone from within the same organisation or one of its suppliers and will ask you to download an attachment that they claim contains information about a contract or deal.
In some cases the aim may be to harvest personal data, but in many cases it’s also used to deploy ransomware or rope systems into a botnet.
Attackers will often use high-profile events as a lure in order to reach their end goals. For example, 2020 has seen cyber criminals extensively send emails that supposedly contain information about coronavirus as a means of luring people into falling victim. Cyber criminals have also attempted to use the 2020 US Presidential election as a means of attack.
One common technique is to deliver a Microsoft Office document that requires the user to enable macros to run. The message that comes with the document aims to trick the potential victim into enabling macros to allow the document to be viewed properly, but in this case it will allow the crooks to deliver their malware payload.
Why is phishing called phishing?
The overall term for these scams — phishing — is a modified version of ‘fishing’ except in this instance the one doing this fishing is the crook, and they’re trying to catch you and reel you in with their sneaky email lure.
It’s also likely a reference to hacker history: some of the earliest hackers were known as ‘phreaks’ or ‘phreakers’ because they reverse engineered phones to make free calls.
When did phishing begin?
The consensus is that the first example of the word phishing occurred in the mid-1990s with the use of software tools like AOHell that attempted to steal AOL user names and passwords.
These early attacks were successful because it was a new type of attack, something users hadn’t seen before. AOL provided warnings to users about the risks, but phishing remained successful and it’s still here over 20 years on. In many ways, it has remained very much the same for one simple reason – because it works.
How did phishing evolve?
While the fundamental concept of phishing hasn’t changed much, there have been tweaks and experimentation across two decades as technology and how we access the internet has changed. Following the initial AOL attacks, email became the most appealing attack vector for phishing scams as home internet use took off and a personal email address started to become more common.
Many early phishing scams came with tell-tale signs that they weren’t legitimate – including strange spelling, weird formatting, low-res images and messages that often didn’t make complete sense. Nonetheless, in the early days of the internet, people knew even less about potential threats that meant these attacks still found success – many of these are still effective.
Some phishing campaigns remain really, really obvious to spot – like the prince who wants to leave his fortune to you, his one long-lost relative, but others have become to be so advanced that it’s virtually impossible to tell them apart from authentic messages. Some might even look like they come from your friends, family, colleagues or even your boss.
What’s the cost of phishing attacks?
It’s hard to put a total cost on the fraud that flows from phishing scams, but the FBI suggests that the impact of such scams could be costing US business somewhere around $5bn a year, with thousands of companies hit by scams annually.
One example of a high-profile incident: in July 2017, MacEwan University in Edmonton, Alberta, Canada fell victim to a phishing attack.
“A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor,” the university said in a statement.
What do phishing scams look like?
The ‘spray and pray’ is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the ‘URGENT message from your bank’ and ‘You’ve won the lottery’ messages that look to panic victims into making an error — or blind them with greed. Some emails attempt to use fear, suggesting there’s a warrant out for the victim’s arrest and they’ll be thrown in jail if they don’t click through.
Schemes of this sort are so basic that there’s often not even a fake web page involved – victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download.
This is the way Locky ransomware spread in 2016 and at the time it was one of the the most effective forms of the file-encrypting malware around. Many of the most damaging ransomware campaigns have now switched to other means of gaining access to networks, such as compromising internet-facing servers or remote desktop ports, although there’s recently been a resurgence in phishing emails being used to distribute ransomware. 

A simple Locky distribution phishing email – it looks basic, but if it didn’t work, attackers wouldn’t be using it.
Image: AppRiver
These attacks are mostly ineffective, but the sheer number of messages being sent out means that there will be people who fall for the scam and inadvertently send details to cyber attackers who’ll exploit the information in any way they can.
What is spear phishing?
Spear phishing is more advanced than a regular phishing message and aims at specific groups or even particular individuals. Instead of vague messages being sent, criminals design them to target anything from a specific organisation, to a department within that organisation or even an individual in order to ensure the greatest chance that the email is read and the scam is a success.
It’s these sorts of specially crafted messages that have often been the entry point for a number of high-profile cyberattacks and hacking incidents. Both cyber-criminal gangs and nation-state-backed attackers continue to use this as means of beginning espionage campaigns.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
At a consumer level, it can be designed to look like an update from your bank, it could say you’ve ordered something online, it could relate to any one of your online accounts. Hackers have even been known to seek out victims of data breaches and pose as security professionals warning victims of compromise – and that targets should ensure their account is still secure by entering their account details into this handy link.
While spear phishing does target consumers and individual internet users, it’s much more effective for cyber criminals to use it as a means of infiltrating the network of a target organisation as it can produce a far more lucrative bounty.

Lure document used in a ransomware attack against a hospital – attackers used official logos and names to make the email and the attachment look legitimate.
Image: Proofpoint
This particular type of phishing message can come in a number of forms including a false customer query, a false invoice from a contractor or partner company, a false request to look at a document from a colleague, or even in some cases, a message that looks as if it comes directly from the CEO or another executive.
Rather than being a random message, the idea is to make it look as if it has come from a trusted source, and coax the target into either installing malware or handing over confidential credentials or information. These scams take more effort but there’s a bigger potential payback for crooks, too.
It’s quite possible for hackers to compromise the account of one user and use that as a stepping stone for further attacks. These ‘conversation hijacking’ attacks take advantage of using a real person’s account to send additional phishing emails to their real contacts – and because the email comes from a trusted source, the intended victim is more likely to click.  
What is Business Email Compromise?
Recent years have seen the rise of a supremely successful form of targeted phishing attack that sees hackers pose as legitimate sources – such as management, a colleague or a supplier – and trick victims into sending large financial transfers into their accounts. This is often known as Business Email Compromise (BEC).
According to the FBI, common BEC scams include: cyber criminals posing as a vendor your company regularly deals with that sends an invoice with a (fake) updated mailing address; a company CEO asking an employee to buy gift cards to send out as rewards – and to be sent the gift card codes over immediately; or a homebuyer receiving an email about transferring a down-payment.
SEE: FBI: BEC scams accounted for half of the cyber-crime losses in 2019
In each instance, the attacker will rely heavily on social engineering, often attempting to generate a sense of urgency that the money transfer needs to be made right now, and in secret.
For example, attackers have been known to compromise the email account for a supplier that they’ll use to send an ‘urgent’ invoice that needs paying to the victim.  

CEO fraud sees attackers posing as executives and sending multiple messages back and forth with victims.
Image: Trend Micro
Cyber criminals also engage in CEO Fraud, a subset of BEC attack, where the attackers pose as a board member or manager, asking an employee to transfer funds to a specific account – often claiming it as a matter of secrecy and urgency.
In each of these cases, the attackers direct the funds into bank accounts they control, then make off with the money.
It’s estimated that BEC attacks were responsible for half the money lost to cyber criminals during 2019, and almost $700m is being lost to these attacks every month.
The growth of remote working during 2020 has arguably made it easier for criminals to conduct these schemes, because people working from home can’t as easily talk to one of their colleagues to check if the email is legitimate.  
What types of phishing attacks are there?
While email still remains a large focus of attackers carrying out phishing campaigns, the world is very different to how it was when phishing first started. No longer is email the only means of targeting a victim as the rise of mobile devices, social media and more have provided attackers with a wider variety of vectors to use for attacking victims.
What is social media phishing?
With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to use one means of sending messages to potential victims.
Some attacks are simple and easy to spot: a Twitter bot might send you a private message containing a shortened URL that leads to something bad such as malware or maybe even a fake request for payment details.
SEE: Mobile security: These seven malicious apps have been downloaded by 2.4m Android and iPhone users
But there are other attacks that play a longer game. A common tactic used by phishers is to pose as a person using photos ripped from the internet, stock imagery or someone’s public profile. Often these are just harvesting Facebook ‘friends’ for some future mission and don’t actually interact with the target.
However, sometimes plain old catfishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.

The ‘Mia Ash’ social media phishing campaign saw attackers operate a fake social media presence as if the fake persona was real.
Image: SecureWorks
After a certain amount of time – it could be days, it could be months – the attacker might concoct a false story and ask the victim for details of some kind such as bank details, information, even login credentials, before disappearing into the ether with their info.
One campaign of this nature targeted individuals in organisations in the financial, oil and technology sectors with advanced social engineering based around a single, prolific social media persona that was absolutely fake.
Those behind ‘Mia Ash’ are thought to have been working on behalf of the Iranian government and tricked victims into handing over login credentials and private documents.
What is SMS and mobile phishing?
The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has provided phishers with a new method of attack.
Attackers don’t even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials – the internet-connected nature of modern communications means text messages are also an effective attack vector.
SMS phishing – or smishing – attacks work in much the same way as an email attack; presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.

Text messages offer another attack vector to criminals.
Image: Action Fraud
The nature of text messaging means the smishing message is short and designed to grab the attention of the victim, often with the aim of panicking them into clicking on the phishing URL. A common attack by smishers is to pose as a bank and fraudulently warn that the victim’s account has been closed, had cash withdrawn or is otherwise compromised.
The truncated nature of the message often doesn’t provide the victim with enough information to analyse whether the message is fraudulent, especially when text messages don’t contain tell-tale signs such as a sender address.
Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.
What is cryptocurrency phishing?
As the popularity – and value – of cryptocurrencies like Bitcoin, Monero and others have grown, attackers want a piece of the pie. Some hackers use cryptojacking malware, which secretly harnesses the power of a compromised machine to mine for cryptocurrency.
However, unless the attacker has a large network of PCs, servers or IoT devices doing their bidding, making money from this kind of campaign can be an arduous task that involves waiting months. Another option for crooks is to use phishing to steal cryptocurrency directly from the wallets of legitimate owners.

Bitcoin and other cryptocurrencies are popular with cyber criminals.
Image: Laremenko, Getty Images/iStockphoto
In a prominent example of cryptocurrency phishing, one criminal group conducted a campaign that copied the front of Ethereum wallet website MyEtherWallet and encouraged users to enter their login details and private key.
Once this information has been gathered, an automatic script automatically created the fund transfer by pressing the buttons like a legitimate user would, but all while the activity remained hidden from the user until it was too late. The theft of cryptocurrency in phishing campaigns like this and other attacks is costing millions.
How can I spot a phishing attack?
At the core of phishing attacks, regardless of the technology or the particular target, is deception.
While many in the information security sector might raise an eyebrow when it comes to the lack of sophistication of some phishing campaigns, it’s easy to forget that there are billions of internet users – and everyday there are people who are only accessing the internet for the first time.
SEE: Personally identifiable information (PII): What it is, how it’s used, and how to protect it
Large swathes of internet users therefore won’t even be aware about the potential threat of phishing, let alone that they might be targeted by attackers using it. Why would they even suspect that the message in their inbox isn’t actually from the organisation or friend it claims to be from?
But while some phishing campaigns are so sophisticated and specially crafted that the message looks totally authentic, there are some key give-aways in less advanced campaigns that can make it obvious to spot an attempted attack.
Signs of phishing: Poor spelling and grammar
Many of the less professional phishing operators still make basic errors in their messages – notably when it comes to spelling and grammar.
Official messages from any major organisation are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate.
It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.
How to spot a phishing link
It’s very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website designed for malicious purposes.
Many phishing attacks will contain what looks like an official-looking URL. However, it’s worth taking a second careful look.
In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won’t check the link and will just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice.
Ultimately, if you are suspicious of a URL in an email, hover over it to examine the landing page address and, if it looks fake, don’t click on it. And check that it is the correct URL and not one that looks very similar but slightly different to one that that you’d usually expect.
A strange or mismatched sender address
You receive a message that looks to be from an official company account. The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions that have taken place.
The message looks legitimate, with good spelling and grammar, the correct formatting and the right company logo, address and even contact email address in the body of the message. But what about the sender address?
SEE: Security Awareness and Training policy (TechRepublic Premium)
In many instances, the phisher can’t fake a real address and just hopes that readers don’t check. Often the sender address will just be listed as a string of characters rather than as sent from an official source.
Another trick is to make the sender address almost look exactly like the company – for example, one campaign claiming to be from ‘Microsoft’s Security Team’ urged customers to reply with personal details to ensure they weren’t hacked. However, there isn’t a division of Microsoft with that name – and it probably wouldn’t be based in Uzbekistan, where the email was sent from.
Keep an eye on the sender address to ensure that the message is legitimately from who it says it is.
This phishing message looks strange and too good to be true
Congratulations! You’ve just won the lottery/free airline tickets/a voucher to spend in our store – now just provide us with all of your personal information including your bank details to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is.
In many cases, phishing emails with the aim of distributing malware will be sent in a blank message containing an attachment – never clicking on mysterious, unsolicited attachments is a very good tactic when it comes to not falling victim.
Even if the message is more detailed and looks as if it came from someone within your organisation, if you think the message might not be legitimate, contact someone else in the company – over the phone or in person rather than over email if necessary – to ensure that they really did send it.
How to protect against phishing attacks
Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organisation from malicious attacks.
Exercises allow staff to make errors – and crucially learn from them – in a protected environment. At a technical level, disabling macros from being run on computers in your network can play a big part in protecting employees from attacks. Macros aren’t designed to be malicious – they’re designed to help users perform repetitive tasks with keyboard shortcuts.

Documents dropped by phishing attacks often ask the victim to enable Macros so as to enable the malicious payload to work.
Image: Digital Guardian
However, the same processes can be exploited by attackers in order to help them execute malicious code and drop malware payloads.
Most newer versions of Office automatically disable macros, but it’s worth checking to ensure that this is the case for all the computers on your network – it can act as a major barrier to phishing emails attempting to deliver a malicious payload.
Multi-factor authentication also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using multi-factor authentication blocks 99.9% of attempted account hacks.
What is the future of phishing?
It might have been around for almost twenty years, but phishing remains a threat for two reasons – it’s simple to carry out – even by one-person operations – and it works, because there’s still plenty of people on the internet who aren’t aware of the threats they face. And even the most sophisticated users can be caught out from time to time.
For seasoned security personnel or technologically savvy people, it might seem strange that there are people out there who can easily fall for a scam claiming ‘You’ve won the lottery’ or ‘We’re your bank, please enter your details here’.
On top of this, the low cost of phishing campaigns and the extremely low chances of scammers getting caught means it remains a very attractive option for fraudsters.
Because of this, phishing will continue as cyber criminals look to profit from stealing data and dropping malware in the easiest way possible. But it can be stopped and by knowing what to look for and by employing training when necessary, you can try to ensure that your organisation doesn’t become a victim.
MORE ON CYBER CRIME More

A cybercriminal has published private data belonging to thousands of students following a failed attempt to exhort a ransomware payment from a Nevada school district.

Ransomware is a form of malware that can have a devastating impact on businesses and individuals alike. 
Once a ransomware package has landed and executed on a vulnerable system, files are usually encrypted, access to core systems and networks is revoked, and a landing page is thrown up demanding a payment — usually in cryptocurrencies such as Bitcoin (BTC) or Monero (XMR) in return for a decryption key — which may or may not work.   
See also: Ransomware is your biggest problem on the web. This huge change could be the answer
Ransomware operators target organizations across every sector in the hopes that the fear of disrupting core operations will pressure victims into paying up. It may not be a valid legal expense, but for some, paying a ransom is now considered a new cost of doing business. 
While it is estimated that at least half of organizations struck with a ransomware infection will pay up, others will refuse as to not give in criminal activities — no matter the consequences. 
CNET: US government won’t detail how TikTok is a security threat
In the case of the Clark County School District in Nevada, officials reportedly refused to pay the ransom, leading to the potential exposure of student data. 
First reported on September 8 by the Associated Press, the Clark County School District said its computer systems had been infected with malware on August 27, locking up access to files. 
At the time, it was thought that some employee personally identifiable information (PII) may have been exposed, including names and Social Security numbers, but students were not mentioned. 
TechRepublic: Google removes 17 Android apps designed to deploy Joker malware
The district pulled in law enforcement and cyberforensic investigators to manage the incident. However, this doesn’t appear to have been enough to prevent a leak. 
The ransomware’s operator was holding data hostage in the hopes of forcing the distinct to pay up but was left disappointed, as reported by Business Insider. In retaliation, student information has been published on an underground forum. 
Speaking to the Wall Street Journal, Emsisoft threat analyst Brett Callow said the file dump discovered on the forum claims to include student names, Social Security numbers, addresses and financial information, although what type of financial data has not been disclosed. 
In an update posted on Monday, the Clark County School District said:

“CCSD is working diligently to determine the full nature and scope of the incident and is cooperating with law enforcement. The District is unable to verify many of the claims in the media reports. As the investigation continues, CCSD will be individually notifying affected individuals.
CCSD values openness and transparency and will keep parents, employees, and the public informed as new, verified information becomes available.”

According to Coalition, ransomware incidents accounted for 41% of cyberinsurance claims filed in the first half of 2020. Claims following ransomware-related security incidents have ranged from $1,000 to over $2,000,000. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The US Securities and Exchange Commission (SEC) has charged a former Amazon finance manager with insider trading. 

On Monday, the regulatory watchdog said that from at least January 2016 to July 2018, Laksha Bohra conducted securities trading based on confidential information she had access to as a member of the e-commerce giant’s tax department. 
The senior manager was involved in preparing and reviewing financial statements included in Amazon’s quarterly earnings. Bohra allegedly leveraged this knowledge to play the market in what is known as insider trading in order to reap “illicit profits,” according to SEC.
See also: Shopin founder charged by SEC for running $42 million scam cryptocurrency ICO
36-year-old Bohra not only played this game herself but also allegedly tipped off members of her family, including her father-in-law and husband. 
“Bohra disregarded quarterly reminders prohibiting her from passing material nonpublic information or recommending the purchase or sale of Amazon securities,” SEC’s complaint reads. 
If an individual has access to pre-release financial information, they may be able to buy or sell stocks and shares based on predictions of what will happen to a company’s share prices. For example, profits may send stock prices upward, whereas the disclosure of losses or lawsuits can cause a share price slump.
In total, over the course of roughly two years, the former manager and her family traded in 11 separate brokerage accounts, earning themselves roughly $1.4 million. Bohra’s father-in-law reportedly told one of the brokerage firms used that the accounts were treated as a “one family thing.”
“Amazon considered [..] pre-release financial information to be confidential, highly sensitive, material, and nonpublic,” the US agency says, adding in the complaint that Amazon has previously demonstrated a “zero tolerance” stance on insider trading. 
CNET: Universal Health Services slammed by massive cyberattack
Amazon suspended Bohra’s employment in October 2018, leading to Bohra’s resignation. However, the reason for the termination was not disclosed in the complaint.
Filed in Seattle federal court, the complaint (.PDF) lays out charges against all three family members for violating federal securities laws. 
TechRepublic: 5 more things to know about ransomware
According to SEC, all three have agreed to pay back $1,428,094, interest of $118,406, and additional penalties of $1,106,399.
“Employees with access to confidential, potentially market-moving corporate information may not use that information to enrich themselves, their friends, or their families,” commented Erin Schneider, Director of the SEC’s San Francisco Regional Office. 
ZDNet has reached out to Amazon and will update when we hear back. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Western Australian government has announced it will sink AU$1.8 million to establish a whole-of-government cybersecurity operations centre.
To be managed by the Department of Premier and Cabinet’s Office of Digital Government, the centre will provide further support to existing cybersecurity efforts across government and the dedicated cybersecurity team within the Office of Digital Government.
Western Australian Innovation and ICT Minister Dave Kelly has labelled it a first for the state.
“During COVID-19, we’ve seen a rise in malicious cyber activity in terms of frequency, scale, and sophistication … the new operations centre will provide unprecedented visibility of threats against agencies’ networks, as well as improve the state government’s ability to coordinate and respond to cybersecurity threats against our systems,” he said.
Read more: Chinese APT group Naikon targeted Western Australia government  
Kelly added how the centre would also be an additional avenue for cybersecurity TAFE and university students who participate in the Office of Digital Government’s work-integrated learning program.
Earlier this month, the state’s Office of Digital Government signed a memorandum of understanding with Microsoft to see both deliver cybersecurity capabilities for the public sector and collaborate on initiatives to identify and eliminate cybercrime.
These initiatives follow revelations from a recent audit that even after 12 years, many entities within the government failed to meet the benchmark for minimum practice when it came to information security, business continuity, management of IT risks, IT operations, change control, and physical security.
See also: How to become a cybersecurity pro: A cheat sheet (TechRepublic)    
The audit found only 15 entities met the benchmark in 2019, compared to 13 in 2018. The results echoed many of the concerns highlighted in previous years.
The number of entities that met the benchmark for information security increased from 47% to 57% in 2019.
“However, a large number of entities are still not managing this area effectively,” the report said.
Weaknesses found included inadequate or out-of-date information security policies; no reviews of highly privileged access to applications, databases, and networks; a lack of processes to identify and patch security vulnerabilities within IT infrastructure; no information security awareness programs for staff; a lack of staff training and development in information security; a lack of information classification policy or procedures; and weak password controls without multi-factor authentication.
MORE FROM THE WEST More

Image: QNAP

Taiwanese hardware vendor QNAP urged customers last week to update the firmware and apps installed on their network-attached storage (NAS) devices to avoid infections with a new strain of ransomware named AgeLocker.
The ransomware has been active since June this year when it first began making victims.
It was named AgeLocker for its use of the Actually Good Encryption (AGE) algorithm to encrypt files. The AGE encryption algorithm is considered cryptographically secure, which means encrypted files can’t be recovered without paying the ransom demand.
Techniques like brute-forcing the encryption key or identifying weaknesses in the encryption scheme are not reliable against AGE.
The impossibility of recovering encrypted files without paying the ransom demand is why users should take care to secure QNAP NAS devices.
Last week, QNAP said it identified two sources of how AgeLocker gains access to QNAP devices. The first is the QNAP device firmware (known as QTS), while the second is one of the default apps that come preinstalled with recent QNAP systems (named PhotoStation).
“QNAP’s initial investigation showed that no unpatched vulnerabilities are [currently] found in QTS. All known [AgeLocker-]affected NAS are running older, unpatched QTS versions,” the company said in a blog post.
“[The] QNAP Product Security Incident Response Team (PSIRT) has found evidence that the ransomware may attack earlier versions of Photo Station,” the company also said in an alert on September 25.
Older versions of the PhotoStation app are known to contain security flaws.
Its two discoveries are why the company is now recommending and providing instructions on how users can update both QTS and the PhotoStation app.
“Once again, QNAP urges users to periodically check and install product software updates to keep their devices away from malicious influences,” QNAP said.
This is the same advice QNAP gave to NAS owners earlier this year when devices were also targeted by another ransomware strain known as eCh0raix. More

The Australian government has announced it will expand its digital identity system, touting that the move will allow more businesses to securely access government services online as part of its newly announced AU$800 million Digital Business Package.
The opt-in service allows users to verify their identity once before gaining access to over 70 government services, rather than having to continually be verified by each Commonwealth entity. It is currently being used by 1.6 million Australians and 1.16 million businesses.
“We need our businesses to be online, we need them to be digital businesses,” Prime Minister Scott Morrison said on Tuesday.
“In recent months we have seen through COVID a rapid acceleration produced by necessity of businesses really engaging and upgrading their digital capability. What we’re announcing today, will build on that. It will strengthen it and it will accelerate it.”
The package also includes AU$28.5 million dedicated towards rolling out the Consumer Data Right (CDR) in the banking and energy sectors. There are also plans for that investment to be used for applying the CDR to mortgages and personal loans by the end of the year.
The Commonwealth has also vowed that all government agencies will adopt e-invoicing by 1 July 2022 to allow small businesses transacting with government to be paid faster. In addition, it has proposed to pay e-invoices within five days.  
“90% of small and medium businesses today still use paper-based invoices, and if you take the Commonwealth together with the states, governments are responsible for around 10% of all business invoices,” Treasurer Josh Frydenberg said.
“It is hoped that the Commonwealth by taking the lead in e-invoicing will lead to states … to follow in the Commonwealth’s lead in this respect.”
Read more: New Australian cybersecurity strategy will see Canberra get offensive
Other elements of the package include implementing a modern business register program, with the biggest single component of the package being valued at AU$420 million. The idea is to allow businesses to view, update, and maintain their business register in one location.
Additionally, AU$29 million has been allocated toward accelerating the rollout of 5G, which includes running trials in sectors such as agriculture, mining, logistics, and manufacturing.
The federal government also announced initiatives aimed at cutting regulatory red tape, such as placing AU$7 million in two blockchain pilots that aims to reduce business regulatory compliance costs and nearly AU$11.5 million for regtech commercialisation.
The decision to make temporary reforms that were introduced during the peak of the COVID-19 pandemic, such as enabling annual general meetings to be held virtually and for documents to be executed electronically, permanent were also a part of the federal government’s announcement on Tuesday.
The rest of the funding as part of the package will be allocated to helping businesses adapt to technology, government said. This includes just over AU$22 million for expanding the small business advisory program, AU$9.6 million for promoting Australian fintechs overseas and attracting inward investment, and a AU$2.5 million injection into digital skills training for small and medium-sized businesses.
“We should see all see digital transformation as an opportunity, not as a threat … we want new businesses in Australia to be born digital,” Frydenberg said.
The AU$800 million package will be included in next week’s federal budget, which Morrison said would be the “most important budget since the Second World War”.
“The budget will confirm the strong plan we have for recovery for economic recovery from the COVID-19 recession and to build our economy for the future, to continue to cushion the blow to continue to recover what has been lost … that’s what this budget is about,” he said.
See also: Backflip to the home: NBN to upgrade FttN areas with fibre
Shadow Assistant Minister for Treasury Andrew Leigh agreed that while technology is “incredibly important”, he warned about the need to consider the flow-on effects.
“There’s going to be some level of job displacement that comes from technologies such as automated checkout within retail or greater use of robots within factories. So that’ll have impacts on the labour market, and I don’t see from the government a sense that they’ve really thought this through for the long term,” he said on Tuesday.
Leigh also raised concerns about the government’s ability to deliver the initiatives announced in the package.
“You’ve just got to look back at the census fail and the robo-debt disaster to worry about the government’s ability to really get it right when it comes to technology,” he said.
“Rationalising business registers is something that Parliament passed previously, getting a director identification number is something that should have been done years ago. Some of these measures are re-announcements to the extent that they’re fresh. We’ll obviously look through them carefully.
“But the best way of getting Australians engaged with technology is to expand education, and right now you’re not seeing that with universities. You’re not seeing an expansion of universities, which should take place at an economic moment like this.”
Related Coverage More

Emergency services across at least 14 US states have reported outages of their 911 lines on Monday.
Issues were reported by police departments in counties across Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington.
Impacted counties reported losing connectivity for 911 phone and SMS services, but did not provide any technical details about the source of the outage.
“ATTENTION: The 911 lines are not operational nationwide. This is for phone calls and text messaging,” the Minneapolis police department wrote on Twitter earlier today at the start of the outage.

ATTENTION: The 911 lines are not operational nationwide. This is for phone calls and text messaging. If you need police, fire or emergency medical assistance in Minneapolis, please call 612-348-2345. We will advise when this issue is fixed.
— Minneapolis Police (@MinneapolisPD) September 28, 2020

911 services are down in the City of Tucson. If you need to make an emergency call, dial 520-372-8011. We will let you know when 911 is back online. pic.twitter.com/aDfAIX3yDU
— Tucson Police Dept (@Tucson_Police) September 28, 2020

Multiple U.S. cities are reporting 911 outages at this time.
— Outage Alert ⚠️ (@OutageAlert2020) September 28, 2020

The outage impacted all emergency services simultaneously, and 911 services were restored within 30 and 60 minutes for most affected counties.
A clue of the source of the outage comes from the city of Redmond, Washington, home of tech giant Microsoft, which also reported a similar phone line outage and blamed the incident on “a larger Microsoft 365 outage.”

As of 5 p.m., City phones and emails are experiencing intermittent outages related to a larger Microsoft 365 outage. We are hoping the issue is resolved shortly. Sorry for any inconvenience.
— City of Redmond #MaskUpRedmond (@CityOfRedmond) September 29, 2020

On Monday, Microsoft reported a massive outage after a recent infrastructure change took down services like Office.com, Outlook.com, Teams, Power Platform, and Dynamics365. The company fixed the issue earlier today by rolling back the problematic change.
However, the Microsoft outage only impacted Office and email-related services.
Other sources suggest the 911 outage may not be related to the Microsoft Office 365 outage at all, and most likely originated at a provider of PSAPs (Public Safety Answering Points).
PSAPs are telephony systems where 911 (or 112) emergency calls are terminated before reaching the actual emergency service call centers. They’re choke points in 911 traffic, which explains why multiple emergency services across different states had issues. According to reports on Twitter, a PSAP provider named Intrado was most likely behind the 911 outage today.

Intrado and TCS are the biggest players in the E911 routing and interconnection space. They make it possible for CLECs, wireless providers, voip providers, etc to route E911 calls to PSAPs nationally without having a relationship with each.
— Matthew Hardeman (@mdhardeman) September 29, 2020

News of the 911 outage comes on the same day that a major ransomware attack took down multiple Universal Health Services (UHS) hospitals across the US. Many users have suggested that the two are connected; however, there is no evidence to support this theory, at the moment. More

Image: Dimitry Anikin

With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, this now means that all of the four biggest maritime shipping companies in the world have been hit by cyber-attacks in the past four years, since 2017.
Previous incidents included:
APM-Maersk – taken down for weeks by the NotPetya ransomware/wiper in 2017.
Mediterranean Shipping Company – hit in April 2020 by an unnamed malware strain that brought down its data center for days.
COSCO – brought down for weeks by ransomware in July 2018.
On top of these, we also have CMA CGM, which today took down its worldwide shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by the Ragnar Locker ransomware.
This marks for a unique case study, as there is no other industry sector where the Big Four have suffered major cyber-attacks one after the other like this.
But while all these incidents are different, they show a preferential targeting of the maritime shipping industry.
“I’m not so sure it’s that they’re any more or less vulnerable than other industries,” said Ken Munro, a security researcher at Pen Test Partners, a UK cyber-security company that conducts penetration testing for the maritime sector.
“It’s that they are brutally exposed to the impact of ransomware.
“After Maersk was hit by the NotPetya crytper, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries,” Munro said.
It’s not the ships! It’s the shore-based networks
Over the past year, incidents where malware landed on ships have intensified. This included sightings of ransomware, USB malware, and worms; all spotted aboard a ship’s IT systems.
Maritime industry groups have responded to these increasing reports of malware aboard ships by publishing two sets of IT security guidelines to address maritime security aboard ocean-bound vessels.
But Munro points out that it’s not the ships that are usually getting attacked in the major incidents.
Sure, malware may land on a ship’s internal IT network once in a while, but the incidents where malware gangs have done the most damage were the attacks that targeted shore-based systems that sit in offices, business offices, and data centers.
These are the systems that manage personnel, receive emails, manage ships, and are used to book container transports. There is nothing particularly different from these systems compared to any other IT systems sitting inside other industry verticals.
“That said, if you can’t book a container, there’s no point in having the ship,” Munro added.
For all intents and purposes, it appears that despite efforts to protect ships from external hacking, the maritime industry has failed to treat its shore-based systems with the same level of attention.
While the rare ship hacking incidents are the ones that usually grab headlines, it’s the attacks on a shipping company’s shore-based systems that are more common these days, and especially the attacks on their container booking applications.
These systems have often been hacked by sea pirate groups looking for ship manifests, container ID numbers, and ship sea routes so they can organize attacks, board ships, and steal containers transporting high-value goods like electronics and jewelry [1, 2, 3, 4].
These waves of “cyber pirates,” as these groups have been often named, along with the recent attacks on the Big Four shipping giants, are a clear sign that the shipping industry needs to stop prioritizing the less likely ship hacking scenarios and focus more on its shore-based systems, at least, for the time being. More