Cyber Risk Index (CRI)
Trend Micro and the Ponemon Institute investigate cybersecurity gaps
“Overall, the North American risk increased from the previous results and was the highest.”
- 78% of North American organizations have experienced one or more attacks in the last 12 months
- 15% have experienced seven or more attacks in the last 12 months
- Trend Micro estimates a 77% likelihood that organizations will suffer a critical data breach in the next year
1. LinkedIn Job Listing Scams
LinkedIn, known for its business networking and recruiting tools, is often the first place you look for jobs nowadays. But Bleeping Computer researchers want you to be very careful before applying.
“Anyone can post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company… For example, if Google’s LinkedIn company page is vulnerable, we will be able to post a job on their behalf and add some parameters to redirect applicants to a new website where we can harvest [personal information and credentials].”
There have already been examples of fraud on the LinkedIn platform, and common wisdom has been to beware of recruiters, since anyone can create a fake profile and claim to be recruiting. This scam is trickier because it does not involve a person at all: it is a job posting listed under a genuine company profile, so there is no obvious red flag. And when you are the one doing the searching and taking the initiative, you don’t feel targeted and may be less alert.
How can you avoid this scam?
- As an individual: Think carefully about what information you are being asked to submit. Your social security number, for example, is often required at some point in the job application process, but you should think twice before sending it through a job form on a social networking site, where the posting itself may not be the company’s. When a company requires such sensitive information, ask whether it has a secure, private application portal. The same goes for your birthday and other personally identifiable information you wouldn’t typically include on your resume. And don’t be afraid to reach out to people at that company if you have questions or feel that something is ‘off.’
- As a company/employer: The first quick thing you can do is check your own job listings. Make sure the only ones out there are the ones you created, and report any that aren’t. Another discovery from the researchers is that you cannot take these unauthorized job posts down even if you are an admin on your company’s page. However, anyone can report a posting by clicking the three dots in the right-hand corner. Companies can also email LinkedIn’s trust and safety team to ask about authorized-user options and having them enabled: tns-SAFE@linkedin.com.
2. Pandemic Trends Continue
For scammers, the global pandemic is the gift that keeps on giving. The latest theme uses vaccinations and your HR department. INKY, an email protection service, describes the timeline and the campaigns it is seeing:
“In [spring], INKY data analysts began seeing campaigns that aimed to take advantage of people’s uncertainty about returning to the office. In June, things were looking positive. By August, the Delta variant cast its pall over everyone’s hopes for going back to normal. First, vaccinated workers felt nearly invulnerable. Then, breakthrough cases started making the news. This confusion was a perfect environment for black hats to introduce a new form of [scam].”
The messages INKY sees now appear to come from HR. You get an email claiming that a vaccination status form is required under county or company rules. The language is believable, and the sender is typically a legitimate but compromised account, so checking the sender alone will not catch it. The link to the ‘form’ leads to a page imitating the Microsoft login page. If you log in there, your credentials are stolen.
So how can you stay safe from this?
- As with any scam that targets internal communication at your company, know what to expect first. Get familiar with who sends email from HR: a department mailbox or certain individuals? Carefully check the sender information on anything that appears to be internal yet uses a link rather than an attachment. And pick up the phone to speak to your HR people if you have any questions or doubts.
- If you do click the link in the email and reach a login page, stop. Always be suspicious of a page demanding your credentials that you did not navigate to yourself. Check the URL carefully: look for small misspellings, digits standing in for letters, and a familiar name that appears only as a subdomain of some other domain. And again, ask your HR people before logging in to an external web page to view a ‘required’ form they could have sent as an attachment or pointed you to on the company’s shared drives.
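The URL checks above, as an added example that is not from INKY or the original post: a small Python triage function that compares the host in a link against an assumed allowlist of your organisation’s real login hosts (login.microsoftonline.com and login.live.com are used here as stand-ins), undoes common look-alike character swaps, and flags a trusted name that appears only as a subdomain of some other domain or in the user-info part before an ‘@’. The allowlist, the homoglyph table and the sample URLs are all constructed for the example.

```python
"""Check a login link before typing a password into it.

Added example, not from INKY or the original post. The trusted hosts,
the look-alike table and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts we genuinely sign in to (assumption: stand-ins for your own IdP).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Character swaps that pass at a glance (assumed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_host(host):
    """Undo look-alike swaps so 'micr0soft' compares equal to 'microsoft'."""
    host = host.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


_TRUSTED_NORMALIZED = {normalize_host(h) for h in TRUSTED_LOGIN_HOSTS}


def registrable_domain(host):
    """Last two labels. Crude (ignores multi-label suffixes such as co.uk),
    but enough to show which domain actually owns the page."""
    return ".".join(host.split(".")[-2:])


def check_login_url(url):
    """Return (verdict, reasons); verdict is one of
    'trusted', 'lookalike', 'suspicious', 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []

    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ -- everything before
        # the '@' is user-info; the browser connects to evil.example.
        reasons.append(f"text before '@' is not the host; the real host is {host}")
    if parts.scheme != "https":
        reasons.append("not https")

    if host in TRUSTED_LOGIN_HOSTS:
        return ("trusted", reasons) if not reasons else ("suspicious", reasons)

    if normalize_host(host) in _TRUSTED_NORMALIZED:
        reasons.append("host differs from a trusted login host only by look-alike characters")
        return ("lookalike", reasons)

    for trusted in TRUSTED_LOGIN_HOSTS:
        # The trusted name is present, but only as a label owned by someone else.
        if host.startswith(trusted + ".") or f".{trusted}." in host:
            reasons.append(f"{trusted} is only a subdomain here; the page belongs to {registrable_domain(host)}")
            return ("lookalike", reasons)

    if reasons:
        return ("suspicious", reasons)
    return ("unknown", [f"{host} is not a known login host; confirm with HR before signing in"])


if __name__ == "__main__":
    # Constructed sample links, including the patterns the text warns about.
    for u in [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.micros0ftonline.com/vaccination-form",
        "https://login.microsoftonline.com.hr-vaccine-forms.example/",
        "https://login.microsoftonline.com@hr-forms.example/form",
        "https://hr-forms.example/vaccination-status",
    ]:
        print(u, "->", check_login_url(u))
```

The point of the ‘unknown’ verdict is that an unfamiliar host is not proof of fraud, only a reason to stop and ask HR, which is exactly the advice above; the ‘lookalike’ and ‘suspicious’ verdicts are the cases a human eye tends to miss.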
3. Microsoft Warning – 3 Different Angles
In a recent warning from Microsoft, three different ‘campaigns’ were found trying to deliver the same malware. Each is similar to one I’ve shared in the past (see October 2020 and April 2021), and all three can be foiled if you stay alert.
What makes each one dangerous is what the criminals learn about our security systems and behaviors. For example, a Word document with a macro in it will likely trigger alerts, but a zip file can slide past, depending on what it contains and how your email filters are configured; a password-protected zip in particular cannot be opened by the filter at all. Likewise, an email from outside the company typically raises more concern than the same message arriving through the company website. The criminals see what we click on and what we don’t, and then send more of what worked.
Angle 1. The message arrives as part of an existing email thread, so it looks like it comes from someone you know. Attached is a zip file, labelled as some sort of information you need or requested. The zip is password protected, and the password is in the email body, precisely so that the archive passes through filters that cannot inspect encrypted content. If you enter the password and open the attachment, the malware is downloaded.
Angle 2. Your website’s contact form is used to submit a phony legal threat. Typically the message claims you are using stolen images and contains links that supposedly ‘prove’ the original content or copyright. Clicking those links downloads the malware. People still fall for this because they are frightened by the threat and mistakenly assume the message is safe because it came through the company website. Unfortunately, many businesses configure their email filters to trust website form submissions, so those messages bypass, or receive less of, the scanning applied to ordinary external email.
Angle 3. You receive a message designed to make you call the scammers. It may be a fake ticket confirmation for a concert or trip, which of course you will want refunded. Back in April the theme was a fake renewal of some software at a high price. Either way, they want you to call. A fake call center answers and walks you through the cancellation or refund process, and at some point you are told to download a file. That file contains a macro that downloads the malware as soon as you open it.
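Angles 1 and 3 turn on what a mail filter cannot see. As an added example, not part of Microsoft’s warning, here is a Python attachment-triage routine that reports encrypted zip entries (the password-in-the-body trick), opens Office documents found inside the archive to look for a VBA project regardless of their extension, and flags script or executable types. The sample archives are constructed in memory and contain no malware; because Python’s zipfile cannot write encrypted archives, the sample builder sets the encryption bit in the central directory itself to simulate a password-protected zip.

```python
"""Attachment triage: can a filter even look inside what the email carried?

Added example, not from the Microsoft advisory. Sample archives are
constructed in memory below; they are not real malware.
"""
import io
import struct
import zipfile

MACRO_MARKER = "vbaProject.bin"  # VBA project part of a macro-enabled Office file
OFFICE_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
RISKY_EXTS = (".exe", ".js", ".vbs", ".lnk", ".iso", ".img")


def triage_office(data):
    """An OOXML document is itself a zip; report whether it carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["not an OOXML document"]
    if any(n.lower().endswith(MACRO_MARKER.lower()) for n in names):
        return ["contains VBA macro project"]
    return []


def triage_zip(data):
    """Return findings for a zip attachment. An empty list means nothing flagged."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks an encrypted entry. The
            # filter cannot see the payload, which is why the password travels
            # in the email body instead of the file being sent in the clear.
            if info.flag_bits & 0x1:
                findings.append(f"{info.filename}: encrypted entry, content cannot be scanned")
                continue
            name = info.filename.lower()
            if name.endswith(OFFICE_EXTS):
                # Judge the content, not the extension: a .docx can carry vbaProject.bin.
                findings.extend(f"{info.filename}: {f}" for f in triage_office(zf.read(info)))
            elif name.endswith(RISKY_EXTS):
                findings.append(f"{info.filename}: executable or script inside archive")
    return findings


# --- constructed samples (no real malware) -----------------------------------

def build_office(with_macro):
    """Minimal OOXML-shaped zip; with_macro adds the VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_zip(entries, mark_encrypted=False):
    """Zip the given (name, bytes) pairs. zipfile cannot write encrypted
    archives, so for the sample we set the encryption bit on every
    central-directory header ourselves; entry data is left as written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        eocd = data.rfind(b"PK\x05\x06")                     # end-of-central-directory record
        count, = struct.unpack_from("<H", data, eocd + 10)   # total entries
        pos, = struct.unpack_from("<I", data, eocd + 16)     # central directory offset
        for _ in range(count):
            data[pos + 8] |= 0x1                             # general-purpose flag, bit 0
            n, m, k = struct.unpack_from("<HHH", data, pos + 28)  # name/extra/comment lengths
            pos += 46 + n + m + k
    return bytes(data)


SAMPLE_ENCRYPTED = build_zip([("Invoice_details.docx", build_office(False))], mark_encrypted=True)
SAMPLE_MACRO = build_zip([("Image_rights_proof.docx", build_office(True))])
SAMPLE_CLEAN = build_zip([("report.docx", build_office(False))])

if __name__ == "__main__":
    for label, sample in [("encrypted", SAMPLE_ENCRYPTED), ("macro", SAMPLE_MACRO), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", triage_zip(sample) or ["nothing flagged"])
```

The encrypted case is the one worth dwelling on: the routine can report that it cannot scan the entry, but nothing short of the password in the message body lets it look further, which is why a filter policy that quarantines or strips encrypted archives is a more reliable control than trying to detect what is inside them.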
What can you do against this?
- Continue to be vigilant with every message, especially those with links or attachments. Stop yourself when you notice an emotional reaction, such as fear or anger, and remember that scammers often try to use emotions to get you to act without thinking.
- Keep reporting any scam messages you see, and remember that you can always ask your IT team to check messages you have doubts about. Trust your gut whenever something seems strange, and don’t hesitate to pick up the phone or send a chat to someone when you have a question.
- With millions of people affected by data breaches, combined with the widespread habit of reusing passwords, it is increasingly likely that someone you know will have their email compromised. You can help keep this from spreading by staying alert, practicing good password hygiene, and encouraging others to do the same.