Identifying legitimate looking tactics used by hackers to get inside your organization | Webnames Blog

So you think that site is safe?

It is a common myth that cyber thieves and hackers can be kept out by having a good anti-spam filter, a firewall, and anti-virus software installed on the endpoints (the users’ devices).

However, against today’s sophisticated cybercriminals these simple steps may only protect you from the easy and often automated threats. I mean, when is the last time anyone got an email for herbal Viagra in their primary inbox?

For high-value targets like municipalities or hospitals, as well as companies whose operations can be halted by something like ransomware, attackers often use personalized approaches. The big growth in cyber threats is fueled by the simple fact that, quite frankly, it works. The largest known payout in Canada was $425,000, while the most recent numbers from cybersecurity company Coveware show that the average ransomware payout has spiked to right around $13,000 (US). And don’t think that small businesses are off the radar: some recent reports indicate that up to 70% of ransomware attacks in 2018 targeted small businesses. Cryptocurrencies and commercial-quality hacker tools have helped fuel this growth.

How hackers infiltrate organizations

There are two typical ways that hackers breach organizations. The first is by exploiting vulnerabilities in servers or other infrastructure that are either zero-day (i.e. a problem discovered for the very first time globally) or that the organization has not patched. The latter happened to the City of Baltimore, which was reported to have had a system that hadn’t had a security patch installed since 2017. In Baltimore the ransomware costs are $18 million and counting.

The second is by exploiting end users. According to Verizon, 93% of successful data breaches can be attributed to end-user exploitation. When an end user makes a mistake, at best it locks down their single computer; at worst it can introduce an exploit that logs their keystrokes, or a worm that spreads throughout the organization. In ancient history these often got in as executable attachments. As firewalls and mail filters became effective at blocking malicious attachments, hackers got more creative.

Last week, an interesting file-transfer-based scam hit the security news. In this case, end users received a typical phishing email inviting them to retrieve a file from the popular online storage site WeTransfer. Notably, the content was an htm or html file rather than an executable. When the file was opened in a browser, the landing page requested the user’s sign-in credentials. This was a clever way to bypass typical security controls and was shown to get through most gateways.

Another tool, typo-squatting, has long been used for phishing or malware distribution. In this case, a domain exploits common typos a user makes when entering it and resolves to malicious content (e.g. webnames.ca versus webanmes.ca). Related to this is a phishing email that uses a fake domain name resembling the real service (e.g. service.royalRBC.com) to trick the user into providing information. Oftentimes this fake name doesn’t even resolve to a site on its own; it hides a link to a pseudorandom name like jkein75sdhje5hnj23.xyz. Importantly, these malicious domains can be delivered from what look like legitimate email addresses belonging to the organization being spoofed.
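As an added example (not code from this post or from CIRA), the following Python flags the three name patterns just described in a sender or link domain; the protected-domain list, the thresholds and the simplified public-suffix handling are assumptions.

```python
import math
from collections import Counter

# Domains this organization wants to watch for impersonation (constructed list).
PROTECTED = {"webnames.ca", "rbc.com"}

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; generated names score high."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def classify(domain: str) -> str:
    """Label a sender or link domain as ok, typosquat, lookalike or random."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "ok"
    if ".".join(labels[-2:]) in PROTECTED:  # simplification of the public-suffix rule
        return "ok"
    name = labels[-2]
    brands = [p.split(".")[0] for p in PROTECTED]
    # webanmes.ca vs webnames.ca: one keystroke away (0 = same name under another TLD)
    if any(edit_distance(name, b) <= 1 for b in brands):
        return "typosquat"
    # service.royalRBC.com: a brand embedded in labels the brand owner does not control
    if any(b in label for b in brands for label in labels[:-1]):
        return "lookalike"
    # jkein75sdhje5hnj23.xyz: long, letters mixed with digits, high entropy
    if len(name) >= 12 and any(ch.isdigit() for ch in name) and entropy(name) >= 3.0:
        return "random"
    return "ok"  # a plain-looking name says nothing about reputation; that needs a block list
```

A plain-looking result only means the name shape is unremarkable; a hacked site such as the golf-course example later in this post still needs a reputation or block-list check.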

Would you know if you were hacked?

To many people reading this, the above exploits seem obvious, and yet people keep falling for them. Sometimes good people who are in a rush or otherwise not paying attention just plain make a mistake. That said, these are still the more obvious attempts to scam, so how do hackers get even more sinister?

CIRA, the organization that manages the .CA domain name on behalf of Canadians, ran a web exploit testing kit against a random sample of .CA domain names. In this test, just over 1% were identified as likely to be hosting malware and almost 4% had a number of traits suggesting they were at risk. And these results are for a top-level domain that Spamhaus shows as one of the least exploited in the world. What happens in these instances is that the organization’s web server has been hacked and is being used to distribute malware or conduct phishing campaigns.

Most times, when organizations add a new security layer, they do find minor botnets or other threats that their other services have not found. As a case in point, CIRA manages a DNS Firewall service that organizations use to block malware and phishing with a cloud service that lives outside the organization. One of our larger hospital customers had one of their own services blocked when they turned on the D-Zone DNS Firewall. Their first instinct was to call us to report a problem with our service, but on further investigation they discovered that they were unknowingly hosting malware related to payday loans. For any organization this is a worst-case situation, for both the potential victim and the site being exploited.

Let’s look at another example to understand this:

CIRA recently saw a small spike in municipal users attempting to visit a blocked domain for a golf course – at the same time there was a tournament where some senior municipal leaders were likely to be involved. What made this one interesting is that the domain itself didn’t seem to be the culprit. It looked like the course was using a cloud service for golf course member management that may have been used by spammers in the past. Importantly, this appears to have tarred the website of this small business. You can see that it is flagged with a “this site may be hacked” warning by Google, and the member service provider’s domain, cottonwood.site.offcourse.golf, is being blocked by several global security vendors, including CIRA.

Google search result showing that Google flags the site as a security risk.

Blocked threats during the period in which the Cottonwood golf course site was being reached.

In this case there are three lessons to be learned. Lesson one is that you can’t always assume a site is safe because it may have been hacked. You need to pay attention to how you got there and what it is asking you to do. Lesson two is that in this cloud world there are many different places it could have been hacked. Many organizations can’t know what cloud services their various software suppliers use. Lesson three is that you need to be on top of your technology stack because you don’t want your site to land on global block lists.

The best defense is a good offense

So, how do you protect yourself? In addition to traditional security, most organizations will benefit from a DNS-based firewall with unique and effective threat feeds. This adds a cost-effective and important layer of protection against the obvious and non-obvious threats. CIRA’s service uses data gathered from billions of recursive DNS queries globally to detect malicious domains and adds over 100,000 new threats to the global threat protection every day. Individual organizations that spot something not on a global list (e.g. spear-phishing) can easily add it to a DNS-based block list via a simple dashboard.
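As an added illustration of the DNS-layer blocking described above (this is not CIRA’s D-Zone code), the following Python models a resolver that consults a global feed plus an organization’s own block list before recursing; the sinkhole address, the client addresses and every feed entry other than the golf-course domain named earlier in this post are constructed.

```python
from dataclasses import dataclass, field

SINKHOLE = "0.0.0.0"  # constructed: the address returned for a blocked name

@dataclass
class DnsFirewall:
    """Toy policy engine: a rule on a name also covers every host beneath it."""
    rules: dict = field(default_factory=dict)  # blocked domain -> source feed
    log: list = field(default_factory=list)

    def block(self, domains, source):
        for d in domains:
            self.rules[d.lower().rstrip(".")] = source

    def decide(self, qname):
        """Walk from the full name up through its parents; the first (most specific) rule wins."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.rules:
                return candidate, self.rules[candidate]
        return None, None

    def resolve(self, qname, client):
        """Return the sinkhole address for blocked names, or 'UPSTREAM' to recurse normally."""
        matched, source = self.decide(qname)
        if matched is not None:
            self.log.append(f"{client} {qname} BLOCKED by {source} rule {matched}")
            return SINKHOLE
        return "UPSTREAM"

def build_firewall():
    fw = DnsFirewall()
    # Global feed (constructed); the golf-course entry is the one named in the post.
    fw.block(["cottonwood.site.offcourse.golf", "jkein75sdhje5hnj23.xyz"], "global-feed")
    # A spear-phishing domain this organization spotted itself and added via its dashboard.
    fw.block(["webanmes.ca"], "customer-list")
    return fw

if __name__ == "__main__":
    fw = build_firewall()
    for name in ["cottonwood.site.offcourse.golf", "offcourse.golf", "webanmes.ca"]:
        print(name, "->", fw.resolve(name, "10.0.0.5"))
    print("\n".join(fw.log))
```

Note that a rule on cottonwood.site.offcourse.golf blocks hosts beneath it but not its parent offcourse.golf, which is the asymmetry behind the golf-course example above.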

Sign-up for a free trial

Be proactive. Protect your organization from malware and phishing attacks by blocking access to malicious websites. Webnames customers can try CIRA’s D-Zone DNS Firewall service for free for 30 days, no strings attached.

Register for free cybersecurity awareness training

Whether you’re a business owner or an IT manager, up-to-date cybersecurity training is essential to reducing the organizational risks associated with cyber-attacks. CIRA’s D-Zone Cybersecurity Awareness Training will help you empower others across your organization to be part of the solution, not a risk to be managed. Much more than a lunch-and-learn or webinar, the training consists of online courses, phishing simulations, a results dashboard and more, delivered through a cloud-based platform. Complete details available here.

* * *

This blog was contributed by Rob Williamson, who has more than 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, cyber-security and the DNS. Rob is a Product Marketing Manager at CIRA.
