WHY IT MATTERS: Digital Transformation

Protecting People cybersecurity threat report explores who’s being targeted, how they’re being attacked, and what you can do about it.

Every year, millions of fraudulent web domains are registered by threat actors looking to impersonate trusted brands. Using these domains, they launch phishing attacks or other scams.

What are the latest trends around fraudulent domains, and how can you protect your organization?

Download the report now to learn: 

• How threat actors create fraudulent domains
• What characterizes fraudulent and legitimate domains
• Which keywords and top-level domains (TLD) are trending
• How fraudulent domains use email to launch attacks

In 2019, we saw phishing attacks reach new levels of creativity and sophistication.

Based on an analysis of more than 5 billion daily emails, 200 million social media accounts, and 250,000 daily malware samples, we found that a small subset of individuals with high levels of access or privilege continue to receive the majority of targeted attacks.

Highlights include: 

• Among the most targeted malware and credential phishing attacks, nearly 30% targeted generic email aliases
• Individual contributors and lower level management accounted for 72% of highly targeted malware and phishing attacks
• Web-based attacks that use social engineering grew 150% vs. the previous quarter

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. The web security oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.

A video explainer on the technology that’s changing the meaning of the human face.

you’ll learn about some of the expert roles that are often the hardest to find or are only required in specific situations. This paper details these roles, their responsibilities and the cross-functional processes that are required to successfully hunt for, respond to and prevent threats as part of a world-class security organization.

Institutions are crossing functional boundaries to enable collaborative resistance against financial cybercrime and fraud.

We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking. The year-long study, on wide-scale attacks and targeted attacks, was presented on Wednesday at a gathering of experts, policy makers, and users called The Web Conference.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

Our tech columnist listened to four years of his Alexa archive, and discovered Amazon tracks us in more ways than we might want.

Our tech columnist offers some practical advice for fighting back against iOS apps hungry for your personal data.

The open source list of trackers that powers our browser extensions, Firefox’s private browsing mode, and other popular privacy tools can be found here along with a change log and notes.

We ran a privacy experiment to see how many hidden trackers are running from the apps on our iPhone. The tally is astounding. Apple says, “What happens on your iPhone stays on your iPhone.” Our privacy experiment showed 5,400 hidden app trackers guzzled our data — in a single week.

Market Guide for Security Threat Intelligence Products and Services. Key Findings:
- The term “threat intelligence” covers a diverse set of capabilities.
Client interest in industry-led government and commercial TI has increased significantly during the past two years. There are still large numbers of providers in this market, with startups also entering.
- The number and diversity of TI services, as well as expertise, have created an environment in which purchasers often struggle to compare services, and there’s still no single provider to address all of them. Many vendors can provide access to information; fewer provide truly anticipatory content or curation based on customized intelligence.
- The value of these services is sometimes constrained by the customer’s ability to afford, absorb, contextualize and, especially, use the information provided by the services.

We’re rolling out two new features, Password Checkup and Cross Account Protection, to keep your information safe beyond Google’s sites and apps.

The Magicverse is an Emergent System of Systems bridging the physical with the digital, in a large scale, persistent manner within a community of people.

Last week brought an extraordinary demonstration of the dangers of operating a surveillance state — especially a shabby one, as China’s apparently is. An unsecured database exposed millions of records of Chinese Muslims being tracked via facial recognition — an ugly trifecta of prejudice, bureaucracy and incompetence.

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

Phishing attacks are increasingly using impersonation to bypass traditional defense mechanisms. Weak sender identification will continue to present opportunities for creative attacks. Security and risk management leaders should use this research to adjust their strategy and business processes.
Key Challenges
Phishing attacks are still increasing as a targeting method of attackers. Phishing attacks targeting credentials will continue to escalate as applications and data migrate to better-protected cloud providers.
Email is not designed to truly authenticate sender identity. Efforts like DMARC to authenticate domains are not granular enough to authenticate users and do not address all attack types.
Most implemented secure email gateways (SEGs) are not designed with post-delivery detection and remediation techniques, costing incident responder and email admin time and reducing the feedback loop from end users.
User phishing education is a good start toward people-centric security, but current email security does not provide users with any indicators of the trust they can put in emails or the proper workflow for dealing with suspect emails.
Recommendations
Security and risk management leaders responsible for endpoint and mobile security should:
Upgrade secure email gateway solutions to cloud versions that include phishing protection, particularly for impostor or business email compromise (BEC) protection.
Integrate employees into the solution and build capabilities to detect and respond to suspect attacks.
Work with business managers to develop standard operating procedures for handling sensitive data and financial transactions.
Strategic Planning Assumptions
By 2023, sender identity verification will be a common critical component on secure email gateways and other anti-phishing solutions.
By 2023, anti-phishing education will be a critical part of the feedback loop between end users and email security solutions.
Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations.

This infographic breaks down the chapters of our new handbook by security roles to show how each role can identify risks faster and more accurately.

Passwords are awful. The software security industry expects us to remember 100+ passwords, that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, with each one being unique. Obviously this is impossible for most people, and for those whom it is possible, why would they want to waste all of that brain power on something that is, essentially, meaningless?

*** This article is for beginners in security or other IT folk, not experts.

So why isn’t this system in widespread use? After all, much of it has been available since 2014. (Tehranipoor even described some in his 2017 article for IEEE Spectrum about the dangers of cloned chips.) “Sometimes a technology is ready, but it’s not used by companies because an attack hasn’t been seen to be real,” Tehranipoor says. This attack might be enough to change that perception, he says.  

Have your accounts been leaked or stolen in a data breach? Find out at Firefox Monitor. Search our database and sign up for alerts.

As the point of entry for 91% of cyber attacks, email is every organization’s biggest vulnerability. From malware to malware-less attacks including impersonation attacks like CEO fraud, a single malicious email can cause significant brand damage and financial losses. Understanding these ever evolving attacks and identifying the tactics used, is key to staying one step ahead of cyber criminals.