Posted by Brian Monroe - email@example.com 10/08/2021
ACFCS Special Contributor Report for Cybersecurity Awareness Month: If it’s phishy, don’t take the bait – Basic safety measures against phishing emails
Phishing and Ransomware: Think before you link
Besides these monetary losses, phishing emails can be a vehicle for delivering malware as an attachment or an embedded URL.
Malware can take many forms and have varying degrees of virtual virulence. Some examples include:
- Spyware: This is, as the name implies, a specific malware used to covertly gather data on an unsuspecting user’s computer. In certain cases, the program is geared to look for bank passwords stored on your computer.
- Keylogger: A keylogger is a particularly persnickety kind of spyware that records keystrokes in order to steal passwords.
- Rootkit: software tools that give illicit actors control over a computer by gaining root access (administrator-level control).
- Remote Access Trojan: A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program — such as a game — or sent as an email attachment.
- Malware downloader: A trojan-downloader is a type of trojan that installs itself on the system and waits until an Internet connection becomes available, then connects to a remote server or website to download additional programs (usually malware) onto the infected computer.
- Adware: malware that forces your browser to redirect to web ads, which often seek to download even more malicious software.
- Ransomware: think Colonial Pipeline – malware that encrypts a hard drive’s files and demands payment in exchange for the decryption key.
- Scareware: ransomware that claims to have taken control of your computer and demands a ransom, but is actually just using tricks like browser redirect loops to make it seem like a true ransomware attack.
- Cryptojacking: cryptomining malware that infects your computer and uses its CPU cycles to mine Bitcoin for the attacker’s profit.
- Malvertising: use of legitimate ads to covertly deliver malware to unsuspecting users’ computers (2).
According to Kratikal (3), a network security company, 97% of phishing emails received by its customers in 2020 contained ransomware.
On March 16, 2021, the FBI (4) sent an alert to cybersecurity professionals and system administrators about an increase in ransomware attacks, perpetrated in part by phishing emails, on educational institutions.
Other organizations have also been increasingly targeted by ransomware, which is initiated through phishing emails that exploit software or RDP (Remote Desktop Protocol) vulnerabilities (5).
In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.S. Department of Health and Human Services advised healthcare organizations to be vigilant regarding increasing and imminent malicious ransomware attacks (6).
In that missive, the trio of U.S. government agencies detailed fresh warnings about the rising cyber-scourge of ransomware, stating they had intelligence that digital attackers were targeting the U.S. healthcare system, a callous and ill-timed attack that could have cost lives during the uptick in coronavirus cases at the time.
In the hefty and alarming alert, the FBI and other agencies stated they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country was still firmly in the grasp of the rampaging and ravenous COVID-19 pandemic.
The agencies were trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives were looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.
In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018, to $20 billion in 2020, according to a 2017 report from Cybersecurity Ventures.
Two disturbing recent trends are data releases, resulting in double extortion, and the growth of Ransomware-as-a-Service options that are readily available for less skilled individuals with malicious intent (5).
(1) Federal Bureau of Investigation. (2021). Internet crime report 2020. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
(2) Proofpoint. (2021). 2021 State of the phish: An in-depth look at user awareness, vulnerability and resilience. https://www.proofpoint.com
(3) Kratikal. (2020). Staggering phishing statistics in 2020. https://www.kratikal.com/blog/Staggering-phishing-statistics-in-2020/
(4) Federal Bureau of Investigation. (2021, March 16). Increase in PYSA ransomware targeting education institutions. Alert number CP-000142-MW. https://www.ic3.gov/Media/News/2021/210316.pdf
(5) FortiGuard Labs. (2021, February). Global threat landscape report: A semiannual report by FortiGuard Labs.
(6) CISA, FBI, HHS. (2020, October 29). Joint cybersecurity advisory: Ransomware activity targeting the healthcare and public health sector. Alert AA20-302A.
(7) Verizon. (2020). Data breach investigations report. https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf
(8) Federal Bureau of Investigation. (2006). Financial crimes report to the public. U.S. Department of Justice. https://fbi.gov/file-repository/stats-services-publications-fcs_report2006-financial-crimes-report-to-the-public-2006-pdf/view
(9) Button, M., & Cross, C. (2017). Cyber frauds, scams and their victims. Routledge.
(10) Oest, A., Zhang, P., Wardman, B., Nunes, E., Burgis, J., Zand, A., Thomas, K., Doupe, A., & Ahn, G.J. (2020b). Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. Proceedings of the 29th USENIX Security Symposium. https://www.usenix.org/conference/usenixsecurity20/presentation/oest-sunrise
(11) Ekblom, P. (2017). Crime, situational prevention and technology: The nature of opportunity and how it evolves. In M. R. McGuire & T. J. Holt (Eds.), The Routledge handbook of technology, crime and justice (pp. 353-374). Routledge.
(12) Cornish, D. (1994). The procedural analysis of offending and its relevance for situational prevention. In R. Clarke (Ed.), Crime prevention studies, vol. 3 (pp. 151-196). Criminal Justice Press.
(13) National Cyber Security Centre. (2018). Phishing attacks: Defending your organization. https://ncsc.gov.uk/guidance/phishing
(14) Better Business Bureau. (2019, September). Is that email really from “the boss?” The explosion of business email compromise (BEC) scams. https://www.bbb.org/article/news-releases
(15) Reinheimer, B., Aldag, L., Mayer, P., Mossano, M., Duezguen, R., Lofthouse, B., von Landesberger, T., & Volkamer, M. (2020). An investigation of phishing awareness and education over time: When and how to best remind users. Proceedings of the 16th USENIX Symposium on Usable Privacy and Security. https://www.usenix.org/system/files/soups2020-reinheimer_0.pdf
(16) Cybersecurity & Infrastructure Security Agency. (n.d.). CISA Insights: Enhance email & web security. https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C-a.pdf
(17) Cybersecurity & Infrastructure Security Agency. (2020). Cyber essentials toolkit chapter 4: Your surroundings. https://www.cisa.gov/sites/default/files/publications/cyber%20Essentials%20Toolkit%204%2020200818_508.pdf
(18) Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. U.S. Department of Commerce. Special publication 800-61, Revision 2.