Security Brief – April 1, 2024


Did You Know?

The average malicious website exists for only 10 minutes.

This statistic comes from Google, and as researchers at KnowBe4 say,

“That’s a huge piece of information that materially impacts cybersecurity efforts. Any security solution that checks websites against a database to see if they’re dangerous may fail their customer completely.”

The unspoken part is that most databases of sites or files known to be potentially dangerous are not updated every 10 minutes or less. So there would be no warning about one of these short-lived malicious sites and a user could click through to it thinking it was safe.

For additional context, this finding comes from Google’s announcement that their Safe Browsing tool is now offering real-time checks. Prior to the update a few weeks ago, they checked sites or files against a database that was updated every 30-60 minutes.

What does this mean for you?

Training your people continues to be more effective than any tool or program out there. Every layer of protection that you can add will strengthen your cybersecurity, but teaching your people how to identify suspicious links, websites, and file types will ultimately protect you most.

Recent Key Findings

2024 Sophos Threat Report

More than 75% of cyber incidents targeted small businesses in 2023.

The introduction sums it up:

“Cybercrime affects people from all walks of life, but it hits small businesses the hardest. While cyberattacks on large companies and government agencies get a majority of the news coverage, small businesses (broadly speaking, organizations with less than 500 employees) are generally more vulnerable to cybercriminals and suffer more proportionally from the results of cyberattacks. A lack of experienced security operations staff, underinvestment in cybersecurity, and smaller information technology budgets overall are contributing factors to this level of vulnerability. And when they are hit by cyberattacks, the expense of recovery may even force many small businesses to close.”

Gone are the days when we could tell ourselves, ‘the bad guys aren’t targeting little old me.’

So what can you do?

Mimecast’s State of Email and Collaboration Security Report 2024

The Good:

9 out of 10 companies now have a formal cybersecurity strategy in place.

The Bad:

3 out of 4 respondents say their company is at risk of inadvertent data leaks by careless or negligent employees.

Yet only 15% of companies provide cyber awareness training to their employees on an ongoing basis.


Main Takeaway:

At the risk of repeating myself, educate your team.

The FBI’s Internet Crime Complaint Center (IC3) Internet Crime Report 2023

From the FBI’s press release about the report:

“In 2023, the Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding 12.5 billion dollars. This is almost a 10% increase in complaints from 2022 and a 22% increase in losses.

IC3 received over 2,800 ransomware complaints and losses rose to 59.6 million, a 74% increase from last year.”

The top 5 crimes this year were:

  • Phishing (just under 300K crimes)
  • Personal Data Breach (55K)
  • Non-Payment/Non-Delivery (50K)
  • Extortion (48K)
  • Tech Support (37K)

Overall, phishing is the overwhelming attack type at nearly 6 to 1 over the next top crime.

Last year’s top 5 crimes were in the exact same order. So why aren’t we getting better? The answer is in the data – phishing is the number one attack vector and continues to grow because it continues to be an effective means of tricking recipients.

In other words, the recipients themselves aren’t trained to spot malicious emails.

Are you sensing a theme?

Train your people and they will be your strongest protection.

Looking Ahead

There is a phishing kit that has become one of the most widespread kits over the last few months, and it bypasses your multi-factor authentication (MFA).

Sekoia analysts report on an Adversary-in-the-Middle (AitM) phishing kit associated with the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform.

Based on their research, this kit appears to hit organizations all around the world, though it may focus on employees in certain departments such as financial, accounting, and executive.

The scam messages have come as an attached DocuSign PDF, spreadsheet, or even a Microsoft security alert. They often use QR codes and link redirects to hide their malicious links.

What makes it so damaging, however, is that it sits between the target and the real login page: the target completes their login and MFA prompt as usual, and the kit captures everything that passes through.

“Due to its position in the middle of the authentication process, the C2 server captures all relevant data and notably the session cookies, allowing the cybercriminals to replay a session and therefore bypass the MFA.”
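The quote above describes the defender's detection opportunity: a session cookie issued to one browser is later replayed from the attacker's infrastructure. The script below is an added example, not code from Sekoia or from this newsletter, showing one simple check a security team can run over authentication logs: flag any session ID that is reused from a different IP address and User-Agent shortly after the MFA login that created it. The JSON log format, field names, sample records and one-hour window are all constructed assumptions for the example.

```python
"""
Detect possible replay of a stolen session cookie (the AitM pattern described
above): the same session ID appearing from a different client soon after a
successful MFA login. Constructed example; the log format is assumed.
"""
from datetime import datetime, timedelta
import json

# Constructed sample log lines (one JSON object per line, an assumed app-server format).
# Session s-1001 is reused from a new IP and browser 4 minutes after alice's MFA login;
# session s-2002 is only ever used by the client that created it.
SAMPLE_LOG = """\
{"ts": "2024-03-28T09:00:05Z", "event": "mfa_success", "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2024-03-28T09:01:10Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2024-03-28T09:04:30Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123"}
{"ts": "2024-03-28T09:10:00Z", "event": "mfa_success", "user": "bob", "sid": "s-2002", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-03-28T09:12:00Z", "event": "request", "user": "bob", "sid": "s-2002", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_line(line):
    """Parse one JSON log line and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_session_replays(lines, window=timedelta(hours=1)):
    """Return one alert per session ID that is reused by a different client
    (IP and/or User-Agent) within `window` of the session's first sighting.

    Severity is "high" when both IP and User-Agent change (typical for a cookie
    replayed from attacker infrastructure) and "low" when only one changes
    (an IP change alone is common for mobile users switching networks).
    """
    first_seen = {}   # sid -> record of the first event that used this session
    alerted = set()   # sids already reported, so each session yields one alert
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        if sid not in first_seen:
            first_seen[sid] = rec
            continue
        origin = first_seen[sid]
        ip_changed = rec["ip"] != origin["ip"]
        ua_changed = rec["ua"] != origin["ua"]
        if not (ip_changed or ua_changed) or sid in alerted:
            continue
        if rec["ts"] - origin["ts"] > window:
            continue  # outside the window; leave long-lived sessions to other rules
        alerted.add(sid)
        alerts.append({
            "sid": sid,
            "user": rec["user"],
            "severity": "high" if (ip_changed and ua_changed) else "low",
            "minutes_after_login": (rec["ts"] - origin["ts"]).total_seconds() / 60,
            "original_ip": origin["ip"],
            "new_ip": rec["ip"],
            "original_ua": origin["ua"],
            "new_ua": rec["ua"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity'].upper()}] session {alert['sid']} for {alert['user']} "
              f"reused from {alert['new_ip']} {alert['minutes_after_login']:.1f} min after login")
```

The same comparison can be made inline by the application when a request arrives, rejecting the request and invalidating the session rather than only raising an alert afterwards; what the log-based version adds is a way to review historic activity after a user reports a suspicious login prompt.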

What can you do about this?

  • Again, train your team on the red flags to look out for in scam emails. Unsolicited attachments – especially when they lead to login or credential screens – should always be treated suspiciously.
  • Teach them how to safely handle any message they are not 100% confident is legitimate.
  • Make sure you are sharing cybersecurity awareness information continuously, not just once a year.
  • Consider investing in simulated phishing programs that can provide real-world examples and real-time feedback and training.
