How Business Email Compromise (BEC) Scams Target Your Organization

Recent findings from the Financial Crimes Enforcement Network, a bureau of the US Department of the Treasury, found that Business Email Compromise (BEC) scams cost organizations over $300 million each month in 2018. BEC scams are highly researched, sophisticated phishing attacks. They often target specific employees, and the goal of these attacks is to steal finances or important data.

Any organization can be a target for a BEC attack. Recently, the City of Griffin, Georgia fell victim to a BEC attack after receiving an email from what looked to be a vendor asking for an account change. They ended up transferring over $800,000 to a fraudulent account.

Source: Statista

How BEC Scams Affect Everyone in Your Organization

Finance Department  

Hackers will target your financial department with fake invoices that appear to be from a business partner or with requests to change the bank account details for direct deposits. These attacks often go undetected until the legitimate business partner requests their payment. These kinds of attacks are very specific as they require prior knowledge of an organization’s business partners/vendors/suppliers and their type of partnership. In the case of the City of Griffin attack mentioned earlier, attackers even knew the specific amounts required for invoices.

CEOs or Executives

Hackers often impersonate CEOs or executives to engage in CEO fraud. They will often email employees and request wire transfers to fraudulent accounts. These emails often sound urgent and are sent near end of day to pressure employees into responding quickly.  

Human Resources (HR) Department

Data theft is a type of BEC attack that seeks to gain access to personally identifiable information. Since HR deals with sensitive information, they will often be targets of this kind of attack. If a hacker has access to the HR account, they will also have access to information on all employees, including executives. They can also use the compromised account to directly request information from employees. Stealing personally identifiable information is valuable for a hacker because they can use it as a starting point to further compromise an organization.

Legal Representation

This BEC scam involves impersonation of a lawyer or legal firm that supposedly represents the company or a business partner. Attackers claim to be handling sensitive information regarding the organization and will request company bank statements or other confidential documents. These documents provide hackers with information about the financial workings of the organization, which they can use for further attacks. Attackers behind this scam will tell employees to be discreet to avoid leaks or to fulfill sensitive business requirements.  

Employee Accounts

Account compromise can happen to any of your employees. This occurs when hackers gain unauthorized access to an employee’s account through a phishing scam or password spray attacks. Once hackers manage to compromise an account, they can move around an organization’s network undetected. As a result, they can compromise an organization further by sending malware to coworkers/clients/business partners.
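The password-spray attacks mentioned above are easy to miss with per-account lockout counters, because the attacker tries only one or two passwords against each of many accounts. The following is an added example (not code from the original post or from any product it mentions) of a detector that groups authentication events by source address and looks for that pattern: many distinct accounts failing from one source inside a short window, each with very few attempts, plus any successful login from the same source. The log format (timestamp, source IP, username, OK/FAIL) and all log lines are constructed for the example.

```python
"""Password-spray detection over authentication logs (added example).

Assumed log layout: ISO timestamp, source IP, username, result (OK/FAIL).
A spray is the opposite of classic brute force: one source tries a handful
of passwords against MANY accounts, staying under per-account lockout
thresholds, so per-account counters never fire.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source (6 accounts, 1 failure each,
# then one success), one classic brute-force on a single account, one normal login.
SAMPLE_LOG = """\
2019-07-29T17:58:01 203.0.113.7 alice FAIL
2019-07-29T17:58:03 203.0.113.7 bob FAIL
2019-07-29T17:58:05 203.0.113.7 carol FAIL
2019-07-29T17:58:07 203.0.113.7 dave FAIL
2019-07-29T17:58:09 203.0.113.7 erin FAIL
2019-07-29T17:58:11 203.0.113.7 frank FAIL
2019-07-29T17:58:13 203.0.113.7 grace OK
2019-07-29T17:59:00 198.51.100.20 alice FAIL
2019-07-29T17:59:10 198.51.100.20 alice FAIL
2019-07-29T17:59:20 198.51.100.20 alice OK
2019-07-29T18:30:00 192.0.2.9 bob OK
"""


def parse_line(line):
    """Split one log line into a dict; the field layout is an assumption of this example."""
    ts, src, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "ok": result == "OK"}


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Return one finding per source IP that fails against >= min_users distinct
    accounts inside `window` while keeping each account at or below
    max_attempts_per_user (the low-and-slow signature of a spray).
    Any successful login from that source inside the window is reported as the
    account that most likely needs a password reset and an MFA check."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # slide the window over this source's events
            end = start["ts"] + window
            win = [e for e in evs[i:] if e["ts"] <= end]
            fails_per_user = defaultdict(int)
            for e in win:
                if not e["ok"]:
                    fails_per_user[e["user"]] += 1
            if len(fails_per_user) >= min_users and max(fails_per_user.values()) <= max_attempts_per_user:
                findings.append({
                    "src": src,
                    "window_start": start["ts"].isoformat(),
                    "users_targeted": len(fails_per_user),
                    "successful_logins": sorted({e["user"] for e in win if e["ok"]}),
                })
                break                                # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

The second source in the sample (two failures then a success on one account) is deliberately not flagged: that is ordinary brute force, which per-account lockout already handles. The thresholds are starting points to tune against your own baseline of failed logins per source.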

Protect Against BEC Scams

The best way to protect against BEC attacks is to have a strong cybersecurity culture in your organization. This includes educating staff on cyber threats and encouraging them to speak up if they receive a suspicious looking email in their inbox. Protecting email inboxes with an advanced email security solution like Secure IT Mail will also help block malicious emails.

Threats of the Week – July 29, 2019

Triada Malware

New research into the impact of Triada, a sophisticated remote access Trojan that was recently found pre-installed on numerous Android devices, has shown that more than 15% of telecom companies globally have infected devices running on their network.

Initially at least, the malware’s purpose was to install apps for displaying ads on an infected device for ad fraud purposes. But Triada is modular and can be easily repurposed for other malicious purposes, the vendors have warned. The only way to get rid of it from systems on which it is pre-installed is to upgrade the firmware.

Source: DarkReading

How do you protect yourself?

Proper security measures must be in place to defend against Triada Malware and similar threats. Ensure your systems have the latest patches installed. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-8670

Apple has released security patch updates for Safari.

An inconsistent user interface issue was addressed with improved state management. Visiting a malicious website may lead to address bar spoofing.

Source: Apple

How do you protect yourself?

Update to Safari 12.1.2.

Monokle Malware

A never-before-publicized mobile spy tool, a mobile surveillanceware remote access trojan (RAT) for Android called Monokle, has been spotted using novel techniques to exfiltrate data.

According to the Lookout researchers who discovered Monokle in the wild, the malware has the ability to self-sign trusted certificates to intercept encrypted SSL traffic. It can also record a phone’s lockscreen activity in order to obtain passcodes, and it can leverage accessibility services to gain access to third-party apps.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Monokle malware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Anatomy of a Ransomware Attack

Ransomware is on the rise. Recent research from Malwarebytes found that ransomware targeting businesses has increased by 195% compared to the last few months of 2018.

For hackers, ransomware remains a lucrative business. The average cost of a ransomware demand has now doubled to $36,295 according to new research from Coveware. As long as ransomware remains profitable, hackers will continue to target organizations with these attacks.

Source: ZDNet

How a Ransomware Attack Works

Ransomware is constantly evolving to outmanoeuvre advances in cybersecurity technologies. It helps to understand how a ransomware attack works in order to take precautions to help protect against these attacks. While each ransomware strain is different, they typically follow a general set of steps to infect computers.

1. Find an entry point: To start the infection process, the ransomware has to find a way into the target’s system. There are a variety of ways a hacker can spread ransomware, such as exploiting a vulnerability or sending a phishing email.  

2. Install the malware: Once the malicious file is opened, the system begins to install the ransomware. The ransomware then connects to the attacker’s Command and Control (C&C) server to receive the cryptographic keys.

3. Encryption: The ransomware starts to encrypt any files it can find after receiving the encryption key from the C&C server. Each original file is deleted from the machine and a new encrypted file is written in its place. In order to decrypt the files, the user must have the decryption key that unlocks the files.

4. Ransom demand: Unlike malware or other attacks that try to hide or evade detection, ransomware attacks want targets to know that their systems have been compromised. Attackers will notify victims of the attack once the encryption process is complete. A ransom demand will appear in every folder of the encrypted files, with directions on how to contact the hackers and how much payment (usually in bitcoin) they request. These ransom messages usually have a deadline for payment and will often threaten to delete files if they are not paid. Unfortunately, paying the ransom doesn’t always mean that the hackers will give victims the decryption keys, which is why there is no consensus on whether organizations should pay the ransom or not.
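Steps 3 and 4 above leave a distinctive trail on the file system: a burst of files rewritten under a new extension, followed by the same note file dropped into every affected folder. The following is an added example (not code from the original post) of a heuristic that looks for exactly those two behaviours in a file-activity log of the kind an EDR or file-integrity monitor produces. The log layout (timestamp, process, action, path and, for renames, the new path), the process name "sample.exe" and every event line are constructed for the example.

```python
"""Heuristic detection of the encryption stage of a ransomware attack (added example).

Assumed log layout: ISO timestamp, process name, action (WRITE/CREATE/RENAME),
path and, for RENAME, the new path. Two signals are scored per process inside a
short window: many files renamed to a different extension, and ransom-note-like
files created in many distinct folders.
"""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normal office activity, one burst from a process named
# "sample.exe" (a placeholder name), and a legitimate backup rotation.
SAMPLE_EVENTS = """\
2019-07-29T09:00:01 winword.exe WRITE C:/Users/pat/Docs/report.docx
2019-07-29T09:00:05 excel.exe WRITE C:/Users/pat/Docs/budget.xlsx
2019-07-29T09:15:00 sample.exe RENAME C:/Users/pat/Docs/report.docx C:/Users/pat/Docs/report.docx.locked
2019-07-29T09:15:01 sample.exe RENAME C:/Users/pat/Docs/budget.xlsx C:/Users/pat/Docs/budget.xlsx.locked
2019-07-29T09:15:02 sample.exe RENAME C:/Users/pat/Pictures/cat.jpg C:/Users/pat/Pictures/cat.jpg.locked
2019-07-29T09:15:03 sample.exe RENAME C:/Users/pat/Pictures/dog.jpg C:/Users/pat/Pictures/dog.jpg.locked
2019-07-29T09:15:04 sample.exe RENAME C:/Shares/finance/q2.pdf C:/Shares/finance/q2.pdf.locked
2019-07-29T09:15:05 sample.exe CREATE C:/Users/pat/Docs/HOW_TO_DECRYPT.txt
2019-07-29T09:15:06 sample.exe CREATE C:/Users/pat/Pictures/HOW_TO_DECRYPT.txt
2019-07-29T09:15:07 sample.exe CREATE C:/Shares/finance/HOW_TO_DECRYPT.txt
2019-07-29T09:20:00 backup.exe RENAME C:/Backups/db.bak C:/Backups/db.bak.old
"""

NOTE_WORDS = ("DECRYPT", "RANSOM", "RECOVER", "RESTORE")   # words typical of ransom-note file names
NOTE_EXTS = {".txt", ".html", ".hta"}


def parse_event(line):
    parts = line.split()
    ts, proc, action, path = parts[:4]
    new_path = parts[4] if len(parts) > 4 else None
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "action": action,
            "path": path, "new_path": new_path}


def extension_changed(old, new):
    return posixpath.splitext(old)[1].lower() != posixpath.splitext(new)[1].lower()


def looks_like_ransom_note(path):
    name, ext = posixpath.splitext(posixpath.basename(path))
    return ext.lower() in NOTE_EXTS and any(w in name.upper() for w in NOTE_WORDS)


def detect_ransomware_activity(events_text, window=timedelta(minutes=5),
                               min_renames=5, min_note_dirs=3):
    """Return {process: finding} for any process that, inside `window`, renames
    >= min_renames files to a different extension OR drops ransom-note-like
    files into >= min_note_dirs distinct folders."""
    by_proc = defaultdict(list)
    for line in events_text.splitlines():
        if line.strip():
            e = parse_event(line)
            by_proc[e["proc"]].append(e)

    findings = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] <= start["ts"] + window]
            changed = [e for e in win if e["action"] == "RENAME"
                       and extension_changed(e["path"], e["new_path"])]
            note_dirs = {posixpath.dirname(e["path"]) for e in win
                         if e["action"] == "CREATE" and looks_like_ransom_note(e["path"])}
            if len(changed) >= min_renames or len(note_dirs) >= min_note_dirs:
                findings[proc] = {
                    "first_seen": start["ts"].isoformat(),
                    "extension_changes": len(changed),
                    "new_extensions": sorted({posixpath.splitext(e["new_path"])[1] for e in changed}),
                    "ransom_note_dirs": len(note_dirs),
                }
                break   # one finding per process; the response step is to isolate the host
    return findings


if __name__ == "__main__":
    for proc, finding in detect_ransomware_activity(SAMPLE_EVENTS).items():
        print(proc, finding)
```

The single rename by the backup job stays below the threshold, which is the point of scoring bursts rather than individual events. A real deployment would also whitelist known archiving tools and feed the finding into the isolation step described in the response section below.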

What to Do If You’re Infected by Ransomware

Prevention and awareness are key to protecting against ransomware. However, mistakes can happen, and anyone can accidentally click on a malicious link. Here are some things to keep in mind if you find yourself facing a ransomware attack.

1. Isolate the infection: In order to stop the ransomware attack from spreading to other parts of your network you need to isolate the infected machine. Disconnect the computer from the network to help prevent it from communicating with the C&C.

2. Identify the ransomware: Identifying the type of ransomware infection can help with the removal process. The ransom demand will typically identify what kind of ransomware has been installed but you can also do some research online to determine what type of ransomware strain you’re facing. It’s important to note that even if you can remove the ransomware, lingering malware might still be present on the system. For your own safety, ensure your systems are wiped clean so that no remnants remain.

3. Hire a cybersecurity consultant: When you’re in a crisis it can help to have an expert on your side. A cybersecurity consultant can help guide you through the process of dealing with a ransomware attack. They can help you negotiate the ransom and give advice on what to do.

4. Try to recover files: If you have a good backup system that’s isolated from the main network, you might be able to restore your encrypted files from your backup system. If you are unable to do so, ensure that you protect your systems with security solutions and back up all your files so that you are prepared for any future disasters.

Threats of the Week – July 22, 2019

Topinambour Malware

The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.

Since January, Topinambour has become the first-stage implantation for Turla campaigns. Once installed, it fetches all the other malware that the group uses to gain access to target networks and exfiltrate information.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Topinambour malware and similar threats. Ensure your systems have the latest patches installed. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-5847

Google Chrome has fixed several security bugs in the Google Chrome browser for Windows, Mac and Linux.

One of the critical vulnerabilities fixed involves V8 sealed/frozen elements causing a crash.

Source: Chrome Releases

How do you protect yourself?

Update Google Chrome to version 75.0.3770.142.

DoppelPaymer Ransomware

Malware researchers have discovered a new file-encrypting malware they dubbed DoppelPaymer that has been making victims since at least mid-June, asking hundreds of thousands of US dollars in ransom.

The ransomware strain has at least eight variants that extended their feature set gradually, with the earliest one dating since April.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against DoppelPaymer ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

3 Tips to Deal with Online Impersonators and Impersonation Attacks

The online space makes it easier for people to pretend to be others. People can easily create fake profiles with the click of a button. Facebook says they removed 2.2 billion fake accounts in the first quarter of 2019.

Source: Facebook

Instead of hacking into your account, an attacker can just pretend to be you. Bad actors can easily take your photos and create a fake social media profile or mock up an email address that looks close to your work email. From there they can try to contact people close to you and engage in impersonation attacks.

3 Types of Impersonation Attacks

Bad actors who try to impersonate others can engage in any of the following attacks:

1. BEC/CEO Fraud: In these attacks, attackers impersonate companies or high-level executives like CEOs. They then contact employees or business partners and ask them to wire transfer money into a fraudulent account. BEC attacks are very common, and losses are typically in excess of $100,000 according to the Canadian Anti-Fraud Centre.

2. Romance Scam: Colloquially known as catfishing, this scam involves bad actors trying to woo their victims by pretending to be another person. This attack involves stealing photos from real life people and crafting a persona from those images. In some cases, an attacker will pretend to be a well-known celebrity. They build a rapport with their victim to establish trust. Once trust is established, they will concoct a story that will move the victim into giving them money.

3. Vishing: Scammers will not only impersonate people online but also through telephone calls. Vishing is a type of phishing attack where attackers call potential victims and pretend to be a government authority or help desk support. They try to scare victims by telling them they have bank, computer or fraud issues, or they will try to entice victims into giving information by saying they’ve won a prize.  

What to Do If You’re Being Impersonated Online

Anyone can be a victim of online impersonation. Here are three things you can do when dealing with a fake account:

1. Report the user: It’s important to try to get the fake account taken down as soon as possible. Report any false accounts that are in your name. Do not engage with the fake account. They could get hostile and end up escalating the situation to something worse.

2. Warn others: Having multiple accounts in your name can confuse your friends, family and employees. If they accidentally mistake the impostor for you, valuable data or finances could be lost. Let your contacts know that you are being impersonated. If the account is doing any specific actions, like messaging your employees to buy gift cards, make sure you warn others about these actions too. 

3. Monitor for other incidents: Check for other fake accounts on other websites like LinkedIn, Twitter or Facebook. Make sure that there aren’t any other impersonators elsewhere. Continue to monitor time and time again to ensure that this doesn’t happen in the future.

How to Avoid Falling Victim to Impersonation Attacks

1. Awareness: In order to combat these attacks, you need to know what to look out for. Engaging in a security awareness course like our Secure IT – Cyber Awareness Training will help employees understand the threat landscape and learn what they can do to help build defenses.

2. Speak up: Employees may be hesitant to doubt the veracity of a message from an executive or boss, but if they are receiving strange messages, it’s important to alert someone about it. Creating a good security culture in your workplace will encourage employees to speak up about potential security incidents. Directly asking the person who supposedly sent the email, or getting a second opinion from another co-worker, can help curb potential fraud or data leaks.

3. Increase email security: A secure email solution like Secure IT – Mail will help protect your inbox and can filter out malicious messages. This solution provides advanced security technologies like AI and SIEM to protect your inbox from threats.
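The impersonation scenario described earlier in this post (an email address "that looks close to your work email") and the BEC/CEO-fraud scenario in the first post both rely on a sender that is almost, but not quite, who it claims to be. The following is an added example, not code from the original posts or from the products they mention, of three checks a mail filter or SIEM rule can apply to each inbound message: a known executive's display name on a foreign address, a sender or Reply-To domain within one or two character edits of a trusted domain, and a Reply-To that steers replies to a different domain than the From address. The trusted domains, the executive list, the edit-distance threshold and every sample message are constructed for the example.

```python
"""Sender-impersonation checks for inbound email (added example).

Assumptions: TRUSTED_DOMAINS holds your own domain and your vendors' domains,
EXECUTIVES maps a display name to that person's real address, and a lookalike
is any untrusted domain within MAX_EDIT_DISTANCE edits of a trusted one.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}          # constructed: own domain plus one vendor
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}               # constructed: display name -> real address
MAX_EDIT_DISTANCE = 2                                            # how close a lookalike must be to match

SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": ""},                        # legitimate
    {"From": "Jane Doe <ceo.jane.doe@gmail.com>", "Reply-To": ""},                      # CEO's name on a free-mail address
    {"From": "Accounts <ap@acme-suppIies.com>", "Reply-To": ""},                        # capital I in place of l
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@examp1e.com"},    # replies diverted to a lookalike
    {"From": "Pat <pat@exarnple.com>", "Reply-To": ""},                                 # "rn" in place of "m"
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= MAX_EDIT_DISTANCE:
            return trusted
    return None


def assess_message(headers):
    """Return a list of reason tags; an empty list means nothing suspicious was found."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # Check 1: a known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(name.strip())
    if known and addr.lower() != known:
        reasons.append(f"display-name-impersonation:{known}")

    # Check 2: Reply-To points somewhere other than the From domain.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to-mismatch")

    # Check 3: either domain is a near-miss of a domain you actually trust.
    for domain in (from_domain, reply_domain):
        target = lookalike_of(domain)
        if target:
            reasons.append(f"lookalike-domain:{target}")
    return reasons


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess_message(msg) or "clean")
```

Flagged messages are candidates for quarantine or for the "ask the sender directly" step in tip 2, not proof of fraud; an edit distance of 2 will also catch short legitimate domains that happen to be similar, so the threshold should be tuned against your own domain list.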

Threats of the Week – July 15, 2019

Agent Smith Malware

A newly discovered piece of Android malware that replaces portions of apps with its own code has infected more than 25 million devices, according to security firm Check Point. Check Point’s researchers named the malware “Agent Smith” because of the methods it uses to attack a device and avoid detection.

The malware doesn’t steal data from a user. Instead, it hacks apps and forces them to display more ads or takes credit for the ads they already display so that the malware’s operator can profit off the fraudulent views. Check Point says the malware looks for known apps on a device, such as WhatsApp, Opera Mini, or Flipkart, then replaces portions of their code and prevents them from being updated.

Source: The Verge

How do you protect yourself?

Proper security measures must be in place to defend against Agent Smith malware and similar threats. Ensure your systems have the latest patches installed. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-1170

Mozilla has released security patches for vulnerabilities in Firefox. Some of these bugs showed evidence of memory corruption, and it is presumed that, with enough effort, some of these could be exploited to run arbitrary code.

Source: Mozilla

How do you protect yourself?

Update Firefox to version 68.

eCh0raix Ransomware

A newly discovered form of ransomware is targeting network storage devices by brute-forcing weak credentials and exploiting known vulnerabilities in their systems.

Dubbed eCh0raix after a string of code, the new form of file-locking malware emerged in June and has been detailed by cybersecurity researchers at Anomali. The ransomware specifically targets QNAP network attached storage (NAS) devices produced by Taiwanese firm QNAP systems, which has offices in 16 countries and customers around the world.

The attacks are opportunistic, with the initial infection coming via unsecured, internet-facing ports and the use of brute-force attacks to bypass weak login credentials. NAS devices make appealing targets for cybercriminals dealing in ransomware, because they’re used to store critical data and backups – but despite this, the devices don’t tend to be equipped with security software.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against eCh0raix ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

3 Types of Insider Threats to Look Out For

Most organizations may see hackers as their biggest threat but security threats can happen from inside their company as well. According to Verizon, 57% of database breaches involved insider threats within an organization. 

Insider threats can occur in various ways and are not always intentionally malicious. For example, an employee who has their credentials leaked can inadvertently become an insider threat if a hacker compromises their account to steal data. In this case the employee may seem like they are a bad actor when in reality their account is being controlled by a malicious actor. 

Understanding the different types of insider threats can help organizations ensure they have effective measures in place to prevent insider threats from harming their company. 

Source: Verizon

What Is An Insider Threat?

An insider threat is someone who has authorized access to an organization and misuses that access, putting the organization’s security and data at risk. They can be former or current employees, stakeholders, partners or someone who frequently accesses your organization’s premises.

Insider threats are serious because they know their way around an organization. They will most likely have access to or know how to gain access to important data. Since they have authorized access, they can be hard to detect or determine if they are using their access maliciously.

A well-known example of an insider threat is the whistleblower Edward Snowden. Snowden famously leaked highly classified information from the NSA, where he used to work.

3 Types of Insider Threats

Unintentional Leak

Employees accidentally leaking information or putting data at risk end up acting as an insider threat. This type of insider threat doesn’t have malicious intentions but may use poor cybersecurity habits that end up threatening an organization’s security.  According to research by SolarWinds, more than 50% of organizations reported that employees pose the biggest risk for insider abuse or misuse.

The best way to combat employee error is to have a good cybersecurity culture. Cyber awareness through cybersecurity training can help users avoid common mistakes, such as clicking on a phishing link, that put organizations at risk.

Malicious Intentions

This type of insider threat wants to use their access maliciously for their own desires. They may be a disgruntled employee looking to cause havoc on their former employer or an employee trying to use their access for financial or personal gain. Research from Accenture found that nearly one in five healthcare employees said they would sell confidential information like login credentials to unauthorized parties.

Of course, organizations are unable to read the minds of their employees let alone know their intentions. In order to combat this type of threat, using advanced technology like a SIEM can help detect suspicious behaviour, such as employees accessing unusual data or systems or if your network is communicating with a malicious server. Organizations should also disable the accounts/access of recently departed employees as soon as possible.

Insider Accomplice(s) 

This threat occurs when the person colludes with other employees or with external parties to steal information.

An example of this type of insider threat would be the incident with the “Wolf of Manchester.” In 2015 an insurance worker partnered with a former employee to steal customer data and used that information to commit fraud. The pair made £18,250 (approximately $30,000 CAD) by using the stolen data.

To mitigate this kind of insider threat, it’s important that you are protecting your critical assets with privileged access management and monitoring. Limiting access to important data to only those who need it will help you keep track of who has access to the data. Monitoring your networks for suspicious behaviour can help detect fraudulent activity or abuse of access.
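The SIEM detections named in the "Malicious Intentions" section (employees accessing unusual data or systems, accounts of departed employees still active) and the access monitoring recommended above both come down to comparing each access against a per-user baseline and an HR roster. The following is an added example, not code from the original post or from any SIEM product, that implements four such checks over a data-access log: a non-active account still in use, a user touching a sensitive system they never used before, a read volume far above that user's own history on that system, and off-hours access. The log layout (timestamp, user, resource, records read), the roster, the list of sensitive systems, the thresholds and all log lines are constructed for the example.

```python
"""SIEM-style insider-threat checks over a data-access log (added example).

Assumed log layout: ISO timestamp, username, resource name, records read.
Events before BASELINE_UNTIL train a per-user baseline (which resources they
touch, how much they read there); later events are scored against it.
"""
from collections import defaultdict
from datetime import datetime

ROSTER = {"alice": "active", "bob": "active", "mallory": "terminated"}   # constructed HR status feed
SENSITIVE_RESOURCES = {"hr-db", "customer-db"}                            # constructed list of crown-jewel systems
BUSINESS_HOURS = range(7, 20)                                             # 07:00-19:59 counts as on-hours
BULK_FACTOR = 10                                                          # reads > 10x own baseline = bulk
BASELINE_UNTIL = datetime(2019, 7, 6)                                     # events before this date train the baseline

SAMPLE_ACCESS_LOG = """\
2019-07-01T09:10:00 alice crm 40
2019-07-02T10:00:00 alice crm 55
2019-07-03T14:00:00 alice crm 35
2019-07-01T09:00:00 bob hr-db 20
2019-07-02T09:30:00 bob hr-db 25
2019-07-03T11:00:00 mallory crm 30
2019-07-08T09:05:00 alice crm 50
2019-07-08T22:30:00 alice customer-db 5000
2019-07-09T10:00:00 bob hr-db 900
2019-07-09T13:00:00 mallory crm 10
"""


def parse_access(line):
    ts, user, resource, records = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "records": int(records)}


def detect_insider_anomalies(log_text, roster, baseline_until):
    """Return a chronological list of findings, each with the reason tags that fired."""
    events = sorted((parse_access(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])

    # Baseline: which resources each user normally touches and how much they read there.
    seen = defaultdict(set)
    reads = defaultdict(list)
    for e in events:
        if e["ts"] < baseline_until:
            seen[e["user"]].add(e["resource"])
            reads[(e["user"], e["resource"])].append(e["records"])

    findings = []
    for e in events:
        if e["ts"] < baseline_until:
            continue                                   # training data, not scored
        reasons = []
        if roster.get(e["user"]) != "active":          # departed (or unknown) account still in use
            reasons.append("account-not-active")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if e["resource"] in SENSITIVE_RESOURCES and e["resource"] not in seen[e["user"]]:
            reasons.append(f"new-sensitive-resource:{e['resource']}")
        history = reads.get((e["user"], e["resource"]))
        if history and e["records"] > BULK_FACTOR * (sum(history) / len(history)):
            reasons.append(f"bulk-read:{e['resource']}")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "resource": e["resource"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_insider_anomalies(SAMPLE_ACCESS_LOG, ROSTER, BASELINE_UNTIL):
        print(finding)
```

The "account-not-active" check is the cheapest and highest-value one: it needs only an HR feed joined to the authentication log, and any hit is actionable on its own. The baseline checks need a longer training window than the few days shown here before their thresholds mean much.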

Threats of the Week – July 8, 2019

Golang Malware

A new form of malware has been spotted in the wild by cybersecurity companies which say the code’s main focus is the fraudulent mining of the Monero (XMR) cryptocurrency.

The spreader malware is based on the open-source Go programming language.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Golang malware and similar threats. Ensure your systems have the latest patches installed. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-2104

Android has released its monthly security bulletin. Security patch levels of 2019-07-05 or later address all of these issues.

The vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

Source: Android

How do you protect yourself?

Check your Android for updates to the latest version.

Sodin Ransomware

The ransomware, named Sodin, takes advantage of a zero-day vulnerability in the Windows operating system, which means that victims don’t even need to download and run a malicious attachment (which was typically essential for the success of a ransomware campaign).

Instead, all attackers need to do is find a vulnerable server and send a command to download a malicious file called “radm.exe.” This then saves the ransomware locally and executes it.

Source: ITProPortal

How do you protect yourself?

Proper security measures must be in place to defend against Sodin ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

5 Business Impacts of Cyber Attacks

The impacts of a cyber attack can be devastating, and many executives are now recognizing cybersecurity as a key business driver. A recent report from Radware surveyed executives worldwide and found that security remains a top priority in the enterprise, with 72% of executives citing information security as a recurring agenda topic in every board meeting. With the rise of cyber attacks and data breaches, it’s getting more important for businesses to understand the impacts these attacks can have on their operations.

Source: Cisco 2018 Annual Cybersecurity Report

Cyber Attacks and Your Business

Cyber attacks are no longer just the problem of the IT department. A single cyber attack can cripple an entire business’s operations. Organizations cannot ignore the long reaching effects of cyber attacks. Here are 5 ways a cyber attack can negatively impact your business.

1. Revenue loss: Cyber attacks like DDoS attacks can cripple websites and render them unusable for customers. Customers who are unable to access a business’s online store may look to a competitor to make their purchases. Cyber attacks can also lead to future revenue loss if customers decide they no longer want to do business with the company.

2. Brand reputation: Brand reputation is not only important for a business’s customer relationships but also for their relationships with other businesses and stakeholders. Building trust is an integral part of an organization’s relationship with others. A single cyber attack can cause damage to a brand’s reputation. Consumers will not want to do business with an organization that puts their information at risk. As a result, stakeholders will not want to invest in your business. Research from Bitglass has found that publicly traded companies suffer an average drop of 7.5% in their stock values after a breach and that it takes an average of 46 days for stock prices to return to their pre-breach levels.

3. Operational disruptions: Cyber attacks can cause service disruptions to an organization’s infrastructure. Organizations can either shut down due to an attack or be forced to divert their efforts into stopping the attack. Actions like having to unplug and isolate computers, as well as locating threats, negotiating ransoms, restoring backups, removing viruses, etc., disrupt business productivity. Additional activities like having to conduct investigations and implementing new resources can also cause additional disruptions after an attack.

4. Hidden financial costs: Cyber attacks have many hidden costs that can cause an attack to cost more than just the initial damage. For example, when Wasaga Beach got hit by ransomware, they paid a negotiated ransom of nearly $35,000. However, the cost of the attack didn’t stop there. The town had to hire consultants and make changes to their IT infrastructure. Overtime and productivity losses also added extra costs. Overall, the ransomware attack cost the town $251,759. That’s more than seven times the amount the town negotiated to pay for their ransomed servers. Other hidden costs can also include legal fees, PR/communications strategies and compliance penalties.

5. Loss of Data: Cyber attacks put your data at risk. Hackers can steal any kind of data, including that of your customers and employees. Once your data is in the wrong hands a number of things can occur. Hackers can hold it for ransom, sell it on the dark web or use it in other malicious ways. Hackers not only target personally identifiable information but also intellectual property. Information regarding product designs, marketing campaigns, strategies and blueprints can also be at risk. Losing this type of data can affect the competitiveness of your business.

How to Protect Your Business

No matter the size of your business, cybersecurity protection is vital. Using advanced cybersecurity solutions like Jolera’s Secure IT, combined with cyber aware staff, can help protect your business and prevent these kinds of attacks.

Threats of the Week – July 2, 2019

Silex Malware

A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

Named Silex, this malware began operating earlier today, about three-four hours before this article’s publication.

The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Silex malware and similar threats. Ensure your systems have the latest patches installed. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-5439

VideoLAN has released a security advisory that affects VLC media player 3.0.6 and earlier.

A remote user can create specially crafted AVI or MKV files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively.

If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.

Source: VideoLAN

How do you protect yourself?

VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.

Sodinokibi Ransomware

The Sodinokibi Ransomware has been spotted being distributed through malvertising that redirects to the RIG exploit kit. With the use of exploit kits, Sodinokibi is now using a wide stream of vectors to infect victims with the ransomware.

With the addition of exploit kits to the distribution arsenal, this ransomware is poised to be a big player in the ransomware space.

Source: Bleeping Computer

How do you protect yourself?

Proper security measures must be in place to defend against Sodinokibi ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.