Here is our February 2017 wrap-up of malicious emails making the rounds for Australian businesses.
Cyber risk awareness is slowly growing but still has a long way to go before email phishing scams lose their enormous financial incentive. Share this list with your colleagues to spread awareness of recent scams which may come across your email inbox.
Australian Citibank customers have been the victims of the most elaborate scam email of the past few months involving replica websites and fake SMS security codes. The inclusion of SMS is extremely unusual and indicates the elaborate lengths criminals are taking. The scam itself notifies Citibank customers their account has been ‘temporarily limited’ as a result of invalid online log-in attempts. Customers are directed to follow a link to sign in and restore their online access.
Customers are then redirected to a very realistic replica of the authentic Citibank website which prompts the user to input their User ID and password.
Unfortunate victims who put their details into the replica website are then prompted to verify extra personal information such as their mobile phone number and date of birth.
The next officially branded Citibank page advises that a “one-time PIN Authentication” has been sent via SMS and asks the customer to wait at least 5 minutes for the code to arrive. This ingenious method replicates Citibank’s legitimate two-factor authentication procedure. In this time, the scammers have a short window to log in to the real Citibank website disguised as the customer. At this stage the scammer has already obtained the User ID and password, allowing them to initiate any transaction they want, which triggers the genuine security code to be sent to the victim’s phone. The victim then inputs that security code on the fake page, where it goes straight to the scammer and in turn allows them to finalise any transaction they like.
These emails can be exceedingly hard to spot as scammers are putting unseen levels of effort into duping the average recipient. This sophisticated scam tricks visitors into thinking they are dealing with the legitimate Citibank site but in reality the domain begins with rctproduction.cz which is a Children’s party business in Czech Republic.
Citibank has requested all suspicious emails be sent to spoof@citicorp.com.
Strange Parking Fines
A recent wave of peculiar emails has been reported which has raised a few eyebrows regarding the unpaid bill the recipient apparently failed to settle earlier. Fake parking infringement notices have been circulating for years but this surprisingly low dollar amount is causing curiosity to get the best of some recipients. Sums as low as $1.04 and upward of $100 are showing up with a 50% discount if paid within 14 days. Simply view the attached “ticket” for details and quickly settle the previously unknown fine.
At the time of detection by MailGuard, zero of 64 well-known antivirus vendors had flagged the link as suspicious, as can be seen at virustotal.com.
The unbranded email link triggers a malicious software downloader hidden in a seemingly innocuous .zip file. Once enabled, the people behind the email are capable of downloading further malware like ransomware or key-logging software. This scam is very similar to the previous driver infringement notice email we discussed last month.
Australian Taxation Office
Perhaps the most commonly used government department for malicious email scams would have to be the Australian Taxation Office or the ATO. The email in this attempt was sent from ‘basnotification@ato.gov.au’ which appears legitimate but was traced to a compromised SendGrid account which provides bulk email delivery services. Recipients are greeted with legitimate looking email addresses, formatting, wording and the official government coat of arms.
If clicked, the suspicious link triggers an automatic download of malicious files hosted on another compromised SharePoint site. Once on your machine, the malicious .zip file executes a JavaScript file which is used to download further malicious software such as ransomware, key-logging software and spyware. The extra layers of legitimacy don’t just fool recipients but are also used to trick antivirus software. Again, at the time of discovery none of the 64 well-known antivirus providers were detecting the link as a potential danger, only MailGuard had reported the suspicious email.
The ATO featured last month with another email; this is yet another perfect example of employee education being key to identifying these emails.
Help protect your business from malicious emails with cyber insurance.
Fake Apple Account Email
An Apple email phishing scam has been discovered which is attempting to trick users into giving away their log-in information with a simple tactic. The malicious email has gone undetected by replacing a lot of common letters with the Greek alphabet characters ρ, υ and ω in place of p, u and w, as can be seen in the screenshot below. Altering characters in this manner can help obfuscate common phrases which would normally be picked up by the content filters in your antivirus.
The differing letters can clearly be seen in the above screenshot after someone points out the difference but would pass by many recipients unless paying attention. The email states that Apple is updating their user accounts but was not able to update your account and requests the user to do so by clicking the embedded link.
Users are presented with a mirror replica of the Apple sign-in page and prompted to enter their account information. The fake sign-in page will also resize and adapt to different device screen sizes such as mobile phones and tablets. This tactic has been around for many years but clearly the method has not died out yet, as it still nets results and warrants effort for cyber criminals.
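As an added illustration (not code from the original post or from MailGuard), the Python below scans an email body for the Greek-for-Latin substitution described above: it folds a constructed table of look-alike characters back to Latin so a plain keyword filter still fires, and separately reports any word that mixes Latin with Greek or Cyrillic letters. The sample message, keyword list and confusables table are all constructed for this example.

```python
import re
import unicodedata

# Constructed table of Greek and Cyrillic letters that visually resemble Latin letters.
# The three the post names (rho, upsilon, omega) are included; the rest are assumptions.
CONFUSABLES = {
    "ρ": "p", "υ": "u", "ω": "w", "ο": "o", "α": "a", "ν": "v", "ι": "i",
    "κ": "k", "τ": "t", "ε": "e",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
}

# Constructed phrases a content filter might look for in an account-phishing email.
KEYWORDS = ["apple", "update", "password", "account", "sign in"]

# Constructed sample body using the substitution the post describes (υ for u, ρ for p, ω for w).
SAMPLE_EMAIL = "Yoυr Aρρle account coυld not be υρdated. Please sign in to υρdate yoυr ρassωord."


def script_of(ch: str):
    """Return 'Latin', 'Greek' or 'Cyrillic' for a letter, or None for anything else."""
    try:
        name = unicodedata.name(ch)
    except ValueError:
        return None
    for script in ("LATIN", "GREEK", "CYRILLIC"):
        if name.startswith(script):
            return script.title()
    return None


def fold_confusables(text: str) -> str:
    """Map look-alike non-Latin letters back to the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def mixed_script_words(text: str) -> list:
    """Words that combine Latin letters with Greek or Cyrillic ones.

    Genuine text is almost never written this way, so each hit is a strong
    signal of deliberate character substitution.
    """
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word} - {None}
        if "Latin" in scripts and len(scripts) > 1:
            hits.append(word)
    return hits


def scan_email(body: str, keywords: list) -> dict:
    """Run both checks and report what a naive (unfolded) keyword filter would have missed."""
    naive = body.lower()
    folded = fold_confusables(body).lower()
    disguised = [k for k in keywords if k in folded and k not in naive]
    mixed = mixed_script_words(body)
    return {
        "mixed_script_words": mixed,
        "disguised_keywords": disguised,
        "flag": bool(mixed or disguised),
    }


if __name__ == "__main__":
    result = scan_email(SAMPLE_EMAIL, KEYWORDS)
    print("Mixed-script words:", result["mixed_script_words"])
    print("Keywords hidden by substitution:", result["disguised_keywords"])
    print("Flag message:", result["flag"])
```

The sample message matches only "account" and "sign in" before folding; after folding, "apple", "update" and "password" surface as well.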
Help protect your business from malicious emails with cyber insurance.
That is our February list of malicious emails to keep a look out for. Each month we will be updating and reporting new malicious emails making the rounds for Australian businesses.
Thanks to MailGuard, subscribe to the security blog for regular updates here.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.
Why use a specialist broker to buy cyber insurance?
Many insurance professionals target an industry or area of specialisation which correlates with their personal interests or hobbies as they have a greater knowledge of the challenges facing businesses within that area.
Hundreds of dedicated insurance brokerages have popped up over the years for everything from marine related risks, mining, financial services, healthcare and medical industry, personal home insurance and the list goes on for each area of insurance.
The reason these brokerages separate themselves with dedicated products and agreements is to leverage their greater knowledge outside the immediate insurance industry. Utilising insurance brokers who have a passion for your industry, or were previously business owners or employees within the industry they are insuring, is a great way to guarantee the broker has a better understanding of the niche risks faced by your business.
Protect your business with cyber insurance.
Craig McDonald, Founder of Australian cyber security firm MailGuard, recently stated in an interview with Insurance Business Mag: “Cyber insurance policies will need to constantly evolve and the broker will need to be cyber savvy in order to address the many variables within the online realm.”
He expects cyber insurance to become a must-buy for many businesses: “A proactive in-depth strategy will be key for businesses as they plan for every eventuality. Cyber insurance is great as an added layer of protection, but it’s no replacement for a strong cybersecurity strategy.”
“Brokers have an important role to play in helping organisations plan for the requirements for businesses to return to their normal operating status after a cyber attack or a data breach. Cyber insurance policies will need to constantly evolve and the broker will need to be cyber savvy in order to address the many variables within the online realm.”
How a broker works
Buying insurance online is commonplace in today’s connected world, however it can leave gaps in your insurance cover which, if not accurately reviewed, could be disastrous for a business. Customers may choose to use the insurance company directly for their insurance needs because they believe they are cutting out the middle man to get a cheaper product. However, many industries have confusing contractual obligations and regulations, which in turn leaves many customers stuck with a more expensive option which isn’t the best for their business.
Your insurance broker has years of in-depth knowledge of the insurance market and can locate and negotiate the best available options, assisting you to make informed decisions; essentially, they do the shopping around for you. Brokers will work with you to identify your business needs, then recommend insurance policies that ensure you are properly protected.
Dealing with an insurance broker as opposed to the insurance company directly has many benefits, for example:
An insurance broker works for you, not the insurance company, so you can feel confident they have your business’s best interests at heart
A broker can explain the pros and cons of different policies to help you compare
Brokers will save you time in researching and negotiating the best insurance fit for your business needs
A broker will act as your advocate in the event of a claim and mediate the outcome, allowing you to continue trading
Brokers are able to offer premium funding options, allowing for better business cash flow
Insurance brokers can negotiate insider deals and policies which aren’t available to regular consumers.
Why use Cyber Insurance Australia?
Cyber Insurance Australia are the dedicated specialists when it comes to cyber liability and business insurance solutions for commercial and corporate organisations. Our goal is to create a more educated and protected online business community enabling Australian businesses to take all reasonable precautions to protect themselves.
Our advisers have more than 5 years’ corporate and commercial business insurance experience and over 15 years’ Information Technology industry experience.
We work with a range of leading Australian and international insurers including:
More than 48% of small to medium victims paying up
Ransomware, like any sort of malware, can get into your organisation in many different ways: most often buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.
Receiving spam emails is part and parcel of doing business for a large number of Australian and international businesses. Our staff regularly speak with employees who laugh “of course” when asked if they receive suspicious emails from unsolicited addresses. Awareness is increasing overall, but the seriousness is still lacking, as some employees scoff at the sophistication of these emails. We’ve written previously about recent malicious emails making the rounds and their complexity, which has caught many Australians off guard.
What is Ransomware?
Ransomware can encrypt the files on a computer (including network file shares and attached external storage devices), prevent you from accessing Windows or stop certain apps from running. Victims are then directed to a webpage with instructions on how to pay a ransom in bitcoin to unlock the files. The ransom has typically ranged from $500 – $3000 in bitcoin. Microsoft have seen some recent ransomware make you complete surveys which give micro payments to the criminal for each finished survey.
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network). They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
Protect your business with cyber insurance.
Ransomware By The Numbers
A recent survey in the U.S. indicated that more than 50% of small to medium enterprises (SMEs) have experienced ransomware and of those, a staggering 48% have paid the ransom.
Reports in 2016 indicated that more than $1 billion was taken in from ransomware alone, with an even higher figure expected for 2017. “The $1 billion number isn’t at all unreasonable and might even be low,” confirmed Mark Nunnikhoven, vice president of cloud research at Trend Micro. The amount of money up for grabs is incredible and it is easy to see why potential cyber criminals are enticed and existing criminal groups have switched their methods.
The above figure was gathered by monitoring known criminal bitcoin wallets. More than $50 million was tracked for each of three wallets associated with the Locky ransomware, and a fourth one that processed close to $70 million. Cryptowall brought in close to $100 million before it was shut down this year. CryptXXX gathered in $73 million during the second half of 2016, and Cerber took in $54 million.
Smaller ransomware families brought in another $150 million, and the FBI has reported $209 million in ransomware payments during the first three months of 2016. In addition to this $800 million or so in known payments, there are many other Bitcoin wallets that are unknown to researchers and uncounted, pushing the estimated total to $1 billion for all of 2016.
A Mimecast survey in 2016 found that 34 percent of Australian executives consider ransomware to be a ‘high threat’ – well ahead of the 25 percent in the US and 18 percent in South Africa.
Time frames for ransom payments can range from as short as 48 hours to as long as 1 week.
Over 4,000 ransomware attacks have occurred daily since January 1, 2016, which is a 300% increase on the 1,000 daily attacks recorded in 2015, according to the US Department of Justice.
Preemptive Protection
Employee Education
Employee error is the number one reason for the majority of data breaches and cyber intrusion events. Having a good information security culture for all staff is beginning to take hold as directors are being shown that this isn’t simply an IT issue.
Data Protection Services
Arranging a solid data protection solution is a terrific fail-safe. As important as employee education is, the same goes for the information security procedure in place on a daily basis. There is a myriad of data protection solutions on the market today from numerous vendors for all aspects of the digital side of business. Have your business audited today!
Applying patches and other software fixes as soon as they become available is one of the best ways to keep criminals away from your sensitive information. Software manufacturers regularly release updated versions to fix newly found vulnerabilities that attackers could otherwise exploit. While staying up to date will not stop all attacks, it can make the process more difficult and potentially discourage attackers from accessing your system.
Most recent versions of popular software can be configured to download and automatically update, giving you a great start toward keeping your business secure online.
Protect your business with cyber insurance.
The majority of businesses we have spoken with unfortunately only took precautions as a reactive measure following a breach. Staying ahead of the curve and taking steps to put comprehensive cyber security measures in place before it’s too late is still the strongest option.
More resources and information about what a typical attack looks like and its life cycle can be found here.
For the past few years the media has been reporting large scale attacks such as Yahoo, AirBnB, LinkedIn, Myspace and a long list of others. In reality between 40% to 60% of all cyber attacks on Australian businesses are targeted at small to medium sized companies. Reports suggest this is due to a few important factors but a lack of security procedures and lower levels of employee risk awareness seem to be the major ones.
PwC found 65 per cent of Australian organisations experienced cybercrime in the last 24 months with more than one in 10 reporting losses of more than $1 million (compared to the global average of 32 per cent).
When you consider that 84% of Australian small and medium businesses are online and 1 in 2 are receiving payments online, Australia is a very attractive target for the would-be cyber criminal.
From Australian Cyber Security Strategy
Check out this short video from the National Insurance Brokers Association (NIBA) which succinctly summarizes who needs cyber insurance and why.
The 5 industries with the highest recorded amount of cyber-attacks 2015 – 2016:
1. Healthcare
2. Manufacturing
3. Financial Services
4. Government
5. Transportation
The 2016 IBM X-Force Cyber Security Intelligence Index reports that more than 100 million healthcare records were breached last year. The IBM report is based on data collected from thousands of network devices IBM monitors in over 100 countries.
Between July 2015 and June 2016, CERT Australia – the main point of contact for cyber security issues affecting Australian businesses – responded to 14,804 cyber security incidents, 418 of which involved systems of national interest and critical infrastructure.
PwC Australia national cyber leader Steve Ingram, who previously headed fraud and security management for the Commonwealth Bank, says cyber attacks happen all the time. “It’s prolific,” he says.
Here is another great cyber insurance summary from the KnowRiskNetwork.
Conclusion
In the past, business leaders adamantly avoided talking about cyber security processes or breaches for fear of reputational damage and legal fallout. We are slowly seeing more businesses who are not reluctant to talk about their cyber security hurdles and who recognise it as an overall business risk, not simply an IT risk.
Australia is currently on the receiving end of an estimated 10 million cyber attacks per year according to professional services firm, Deloitte. With such a large dragnet across Australian businesses it is inevitable that there will be some eye opening data breaches in the coming year and widespread change to company security procedures. We previously wrote about some of the largest data breaches and exposures of 2016 which indicated approximately 2.2 billion personal records were revealed to have been compromised from 2015 – 2016.
The proposed bill which has been passed by the lower house but is still yet to be introduced in the senate will make it a requirement to notify the Australian Information Commissioner and affected individuals if their privacy has been breached. With the exception of eHealth data breaches falling under the My Health Records Act 2012, mandatory data breach notification does not exist yet in Australia. The former Labor government’s Privacy Amendment (Privacy Alerts) Bill 2013 received bipartisan support to introduce such a scheme, but did not pass the parliament before the 2013 election.
Most government agencies, businesses with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive health data are all currently subject to Privacy Act obligations.
Official summary of the bill below:
“Privacy Amendment (Notifiable Data Breaches) Bill 2016 implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.”
Help protect your business with cyber insurance.
Mandatory Breach Notification Laws Abroad
Today, approximately 90 countries have data protection laws or relevant court rulings – ranging from Angola and Argentina to Venezuela and Zimbabwe but many of those countries still don’t require breached organizations to notify either authorities or the individuals whose personal information was exposed in the event of a breach.
At the time of writing, 47 states, three U.S. territories and Washington D.C. have adopted breach notification laws of varying requirements for organisations. In the past, any attempts to replace them with a standard federal law have struggled, in part because some changes would have weakened some states’ current security approach.
The European Union’s General Data Protection Regulation, which will go into effect May 2018, includes multiple privacy provisions, including mandatory breach notification. The EU regulation is expected to serve as a model for other countries as global awareness spreads.
India has also weighed in on the global discussion, with privacy practitioners stating they may not be ready for mandatory breach notifications as the country lacks strict regulatory enforcement and is still making amendments to its Right to Privacy Bill 2014. The EU’s GDPR will be especially relevant to the Indian IT industry as it caters to U.S.-based enterprises and processes personal data of EU, Australian and New Zealand citizens.
“It will also significantly increase compliance costs for service providers – which are already higher when serving EU-based clients, as compared with markets like USA. However, GDPR also may remove any misgivings about the Indian industry and data security standards in India,” says Mumbai-based Sunder Krishnan, chief risk officer, Reliance Life Insurance Company Ltd.
Legal Problems
Some warn that when the bill is passed there will be very similar problems facing businesses as is seen currently in the United States. Data breaches frequently lead to identity theft and financial losses, the victims of which may qualify for a lawsuit. On the other hand, organisations which don’t report their breaches face a range of penalties including fines of $340,000 for individuals and up to $1.7 million for companies.
Social media has also increased the pressure being put onto businesses as we are seeing unprecedented public customer service complaints causing reputation and public relations nightmares. Expect to see disgruntled customers rallying together using social media after future data breaches.
Class action lawsuits are being enabled by the online connectivity of claimants and are costing organisations millions. Below are a few high profile data breach settlements from Classaction.com:
Home Depot (affected 50 million cardholders): $19.5 million settlement
Sony (PlayStation network breach): $15 million
Target: $10 million
Sony (employee information breach): $8 million
Stanford University Hospital and Clinics: $4.1 million
AvMed Inc.: $3.1 million
Vendini: $3 million
Ashley Madison: $1.6 million
LinkedIn: $1.25 million
Companies much prefer settling cases out of court to going to trial. But that is especially true for data breach lawsuits, because there is almost no court precedent for these kinds of cases.
Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.
Insuring Against the Risk
Many Australian insurance providers have already put policies in place to respond to and cover expenses from a data breach. We recently wrote in detail about where cyber insurance steps in, which can be found here. Expenses which are typically covered are:
Forensic Investigation
A forensic IT investigation is necessary to determine what occurred, how to repair the damage and how to prevent the same type of breach. Investigation may involve services from a third party security firm or law enforcement.
Business Interruption
The business may be unable to continue trading and suffer interruption costs due to network security failure or attack, programming errors or human errors. Loss of profits and costs incurred to continue business as usual are typically covered under a cyber insurance policy.
Legal & Public Relations
Cyber insurance policies will cover legal defence costs due to a privacy breach, fines and penalties, reputational damage and public relations expenses to assist an organisation’s public image after a breach.
Extortion & Blackmail Costs
Policies will cover ransomware & extortion costs from criminal organisations and disgruntled employees for the release or protection of private information.
Moving Forward
Mandatory breach notification is the best step forward but it also relies heavily on organisations actually discovering they have been exposed. In recent reports, numerous websites such as Linkedin, Myspace and of course, Yahoo have suffered very high profile breaches which occurred up to 4 years ago and were only discovered years later.
Many large industry groups including Google, Yahoo, Facebook and Microsoft are stating that the existing voluntary breach notification scheme is effective and doesn’t require change. Despite their opposition and a mixed reception from the private sector, security experts and business leaders from various industries are getting behind the bill and arguing its benefits.
The OAIC annual reports from 2014 – 2015 & 2015 – 2016 are unable to provide enough depth from voluntary reporting which indicates the need for mandatory laws to be passed. It is likely that the larger industry groups are protecting their interests and understand the ramifications of mandatory breach notification from their legal departments abroad.
Help protect your business with cyber insurance.
It looks inevitable that the bill will be passed and the public understanding of what is happening to their personal information will continue to increase.
Arranging an insurance policy, educating employees and instituting solid security processes will be key to mitigating this risk.
Today we take a look at how some small to medium Australian businesses responded and recovered from various cyber events and how their insurance was able to assist. In the past 12 months the majority of all cyber attacks against Australian businesses were targeted at small to medium size businesses. Many owners have heard the buzzwords and have seen the major international incidents on the news but haven’t seen relatable cyber claims from Australian businesses.
Eye Surgery Clinic
2 Locations
15 Employees
$8 million turnover
Incident
An employee opened an email attachment which contained ransomware, causing the Insured to lose access to their network of digital patient records. The cyber criminals demanded a ransom payment in Bitcoin of approximately $6,000 at the time of writing. Both practices were able to continue trading, however at greatly reduced efficiency, as they had not used paper records for accepting and treating patients in years. Despite having access to some paper filing, the business was not able to raise invoices as this is part of a paperless system. Forensic investigators were able to recover the vast majority of data and restore the paperless system.
Outcome
$126,000 in forensic IT expenses, First Party damage and lost work hours.
Law Firm
1 Location
55 Employees
$20 million turnover
Incident
An unknown organisation gained access to a law firm’s network and may have gained access to sensitive client information, including a public company’s acquisition target, another public company’s prospective patent technology, the draft prospectus of a venture capital client, and a significant number of class-action lists containing plaintiffs’ personally identifiable information (PII). A forensic technician hired by the law firm determined that malware had been planted in its network. Soon after, the firm received a call from the intruder seeking $10 million to not place the stolen information online.
Outcome
The law firm incurred $2 million in expenses associated with a forensic investigation, extortion-related negotiations, a ransom payment, notification, credit and identity monitoring, restoration services and independent counsel fees. It also sustained more than $600,000 in lost business income and extra expenses associated with the system shutdown.
$2.6 million total costs
Help protect your business with cyber insurance.
Raw Materials Manufacturer
1 Location
28 Employees
$7.5 million turnover
Incident
The Insured’s system was compromised via an email they received carrying ransomware. The ransomware prevented them from having any access to emails and their network. The criminals held the client’s system to ransom and would only release files if the client paid $12,500. The fact that the client had numerous file shares and common storage areas made their system particularly vulnerable to attack and made it easy for the ransomware to encrypt nearly every file in their system.
Outcome
$12,500 in ransom costs plus an additional $25,000 in IT expenses related to diagnosing the problem, decommissioning the old servers and installing a new network.
Hardware Store
1 Location
20 Employees
$5 million turnover
Incident
An employee at a hardware store ignored internal policies and procedures and opened a seemingly innocuous file attached to an email. The next day the hardware store’s stock order and cash registers started to malfunction and business trade was impaired as a result of the network failing.
Outcome
The hardware store incurred over $100,000 in forensic investigation and restoration services. They also had additional increased working costs of $20,000 and business income loss estimated at $50,000 from the impaired operations.
$170,000 total costs
Health Clinic
1 Location
7 Employees
Turnover: unknown
Incident
A small health clinic discovered that an unauthorised third party had gained remote access to a server that contained electronic medical records. The third party posted a message on the network stating that the information on the server had been encrypted and could only be accessed with a password that would be supplied if the insured made a “ransom” payment. The insured contacted law enforcement and, working with law enforcement, determined that the payment ($2,500) should be made. The payment constituted cyber extortion monies under the policy. Furthermore, loss of business income amounted to $65,000, and IT forensic costs of $5,000 were paid in accordance with the coverage provided by other sections of the policy.
Outcome
$72,500 in ransom, forensic IT and lost business income costs
Conclusion
Regardless of staff size, turnover or industry, all businesses have a possible exposure from the ever increasing reliance on information technology. Most reports suggest it is only a matter of time, rather than a matter of being secure or not.
Here is our January 2017 wrap-up of large scale malicious emails making the rounds for Australian businesses.
We have all received suspicious emails in the past and laughed at the seemingly obvious red flags. It appears that gone are the days of the poorly translated foreign prince simply trying to return your unknown wealth. Today, as employee education continues to increase, criminals are very fastidious and clever with their malicious email phishing attempts.
Earlier this month a torrent of Australia Post scam emails was discovered, using a simple method of infection designed to evade anti-virus software. At the time of discovery by MailGuard, only 1 of 68 popular antivirus vendors was detecting the link as malicious.
The message indicates that a parcel is ready for collection at the recipient’s local post office, and asks them to simply confirm their correct postal address by clicking the link at the bottom of the email.
Malicious Australia Post Email
Replica Australia Post Website
After clicking to confirm, a series of prompts leading to an identical Australia Post website ends with a remotely executed malicious file being downloaded. An identical Australia Post website has been created, with the noticeable difference being the www.auspost.tk address instead of the official www.auspost.com.au. The malicious website even has ‘Captcha’ security forms and correctly scales for mobile users.
Australian Securities and Investments Commission – ASIC
Reports of fake emails claiming to be from ASIC are making the rounds and distributing malware at an alarming rate. “Malware can reformat your hard drive, alter, delete or encrypt files, steal sensitive information, send unauthorised emails, or takes control of your computer and all of the software on it.”
“The message claims to contain an important message. But those who click to the link inadvertently download a malicious JavaScript file. The file is housed within a zip file on a compromised SharePoint site,” said Jaclyn McRae of MailGuard.
The emails have been disguised using a third party program which causes them to appear to be sent from a legitimate @asic.gov.au account.
ASIC email scam
According to MailGuard, at the time of reporting, none of 68 well-known antivirus vendors were detecting the link as malicious.
“Scammers pretending to be from ASIC have been contacting Registry customers asking them to pay fees and give personal information to renew their business or company name,” ASIC says. “These emails often have a link that provides an invoice with fake payment details or infects your computer with malware if you click the link.”
Australian Taxation Office – ATO
The next government organisation being impersonated is the Australian Taxation Office. The malicious emails are coming from a recently registered set of domains with slight variations on the correct ATO web address, which is https://www.ato.gov.au.
“The email looks quite legitimate, and includes the recipient address within the text body. It includes Australian Government branding and a confidentiality clause,” said Jaclyn McRae.
The email contains a Microsoft Word attachment which the recipient is told requires their attention.
ATO scam email
“The attached document contains a macro which, when executed, downloads a virus from a remote location.”
Microsoft Word Malicious Macro
We’ve recently written about malicious Microsoft Office macros and other methods of infection, here.
“Adversaries are increasingly using Microsoft Office macros – small programs executed by Microsoft Office applications such as Microsoft Word, Excel or PowerPoint – to circumvent security controls that prevent users from running untrusted applications. Microsoft Office macros can contain malicious code resulting in a targeted cyber intrusion yielding unauthorised access to sensitive information.”
Commonwealth Bank
Apart from government departments, financial services giants are also regular targets. ANZ, Macquarie and AMEX have been recent targets of phishing scams.
Commonwealth Bank scam email
Very similar to the above mentioned ATO email scam, Commonwealth Bank customers have been sent the above secure message requiring the attached content to be downloaded. Once again, the Microsoft Word macro contained in the Message.doc attachment downloads a virus from a remote location. Once recipients ‘enable editing’ and then ‘enable content’, the virus is activated.
According to the MailGuard Security Blog, the malicious emails were sent from cloud-hosted servers in Hong Kong, but the attack could have originated anywhere.
Driving Infringement Notices
A round of malicious emails poorly disguised as driving infringement notices has been targeting Australians for a few months. The continued attempts from criminals suggest some measure of success.
Despite having no branding, the ‘from’ name having no relationship to the sending domain and no reference to which police authority had issued the fine, it seems many targets have taken the bait.
According to MailGuard, “The malicious emails claim the recipient has incurred a fine for negligent driving. It says the fine will arrive in the mail, but that it can be viewed by clicking the link.”
Negligent driving scam email
The “photo proof” attachment contains a link which accesses a malicious ZIP archive and allows malicious software to be downloaded.
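The Australia Post, ASIC and ATO scams above share two tells a mail filter can check mechanically: a hostname that reuses a real brand under a different suffix or spelling (www.auspost.tk, a near-miss of ato.gov.au), and a link that delivers code rather than a page (a JavaScript file inside a zip). The following is an added example written for this wrap-up, not MailGuard’s or any vendor’s code; the allow-list of legitimate domains, the public-suffix table and the three sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this mailbox legitimately receives mail and links from.
LEGITIMATE_HOSTS = {"auspost.com.au", "asic.gov.au", "ato.gov.au", "commbank.com.au"}
# Assumption: tiny public-suffix table; real code would use the Public Suffix List.
PUBLIC_SUFFIXES = ("com.au", "gov.au", "net.au", "org.au", "com", "net", "org", "tk")
RISKY_EXTENSIONS = (".zip", ".js", ".exe", ".scr")  # code, not a page (ASIC scam: JS in a zip)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def brand_label(host):
    """Label left of the public suffix: 'auspost' for auspost.com.au and auspost.tk."""
    host = host.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            host = host[: -len(suffix) - 1]
            break
    return host.split(".")[-1]

def levenshtein(a, b):  # edit distance, for one-character spelling variants
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return (verdict, matched legitimate host); verdict: legitimate, lookalike, unknown."""
    host = host.lower()
    host = host[4:] if host.startswith("www.") else host
    if host in LEGITIMATE_HOSTS:
        return "legitimate", host
    label = brand_label(host)
    for legit in LEGITIMATE_HOSTS:
        if legit in host:  # real name buried inside a longer hostname
            return "lookalike", legit
        # Same brand under another suffix (auspost.tk), or one character changed.
        if label == brand_label(legit) or levenshtein(label, brand_label(legit)) <= 1:
            return "lookalike", legit
    return "unknown", None

def check_email(raw_from, body):
    """Findings as (where, host, reason). A From header forged to show the real domain
    (the ASIC case) passes here; only SPF/DKIM/DMARC at the receiving server catches it."""
    findings = []
    sender_host = parseaddr(raw_from)[1].rpartition("@")[2]
    verdict, legit = classify_host(sender_host)
    if verdict == "lookalike":
        findings.append(("sender", sender_host, "lookalike of " + legit))
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path.lower()
        verdict, legit = classify_host(host)
        if verdict == "lookalike":
            findings.append(("link", host, "lookalike of " + legit))
        if path.endswith(RISKY_EXTENSIONS):
            findings.append(("link", host, "links directly to %s content" % path.rsplit(".", 1)[-1]))
    return findings

# Constructed samples modelled on the scams described above, not real messages.
SAMPLES = {
    "auspost": ("Australia Post <parcels@auspost.tk>",
                "Your parcel is waiting. Confirm your address: http://www.auspost.tk/parcel/confirm?id=123"),
    "asic": ("ASIC Registry <notice@asic.gov.au>",
             "An important message awaits you: https://files.example/sites/notice/ASIC_Notice.zip"),
    "ato": ("Australian Taxation Office <refunds@atto.gov.au>", "Your refund statement is attached."),
}

def scan_samples():
    return {name: check_email(*message) for name, message in SAMPLES.items()}
```

Calling scan_samples() flags the .tk sender and link in the first sample, the zip link in the second and the misspelt ATO sender in the third; the short brand labels (three letters) make the one-character rule prone to false positives, so tune the threshold against your own mail before enforcing it.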
Conclusion
Thanks to MailGuard; subscribe to their security blog for regular updates here.
Each month we will try to highlight some common email scams targeted at the Australian market.
If we have missed a scam you think is important, please let us know below.
Lloyd’s of London, better known as Lloyd’s, is a corporate body which brings together multiple financial backers to pool and spread risk. These financial backers are grouped into syndicates; the syndicates, referred to as underwriters or members, are a collection of corporations and private individuals. In 2015, there were 84 syndicates that wrote £26.69 billion of gross premiums on business placed by 242 Lloyd’s brokers globally.
In the insurance industry Lloyd’s is one of the biggest players, if not the biggest, with its syndicates having international bases and insight from markets around the globe.
In the past, cyber insurance was a relatively unknown product, but this is changing faster than the majority of businesses can keep up with. Expert predictions for 2017 already indicate much more to come, with no end in sight for historical breaches such as the 2014 Yahoo breach, which was only discovered in 2016.
The current Chief Executive Officer for Lloyd’s and the first female CEO in the insurance market’s 328-year history is Dame Inga Beale. Heading the insurance market behemoth with regular insight into global insurance markets puts Mrs. Beale at the forefront of international business risk.
Inga Beale, Lloyd’s CEO
Beale spoke with Intelligent Insurer regarding the increase in businesses of all sizes taking up cyber policies over recent years.
“In Australia, Lloyd’s has seen the amount of cyber insurance being purchased increase 168-fold in the last two years, as the risk becomes more of a concern for businesses.”
“In 2016 we’ve seen highly publicised cyber-attacks on some of the biggest corporate and retail names in the UK and globally. The effect of these breaches is multi-layered – besides business interruption, they can have a long lasting reputational impact and seriously affect the bottom line,” Beale, said.
“The problem is that I think there’s a slight disconnect between clients and their understanding of what’s on offer, and perhaps even a lack of understanding within the insurance sector,” Beale said while speaking at CFC Underwriting’s Cyber Symposium event in London last Thursday.
Mandatory breach notification laws
“What we have seen elsewhere in the world is as soon as you’ve got some regulation out there, a requirement for businesses to report breaches when there is a loss of personal data, that is one of the key drivers for elevating the risk up to the boardroom.” Beale stated.
Mandatory data breach reporting laws have been passed in the United States and other countries so far with the Australian bill passing through parliament at the time of writing. Under the new bill, organisations that determine they have been breached or have lost data are required to report the incident, and notify customers that are directly impacted or considered “at risk”.
Organisations and individuals that don’t will face a range of penalties, including fines of $360,000 for individuals and $1.8 million for organisations.
Safeguard your business with cyber insurance.
Why Cyber Insurance?
“I’m afraid we no longer live in a world where you can prevent breaches taking place, instead it is about how you manage them and what measures you have in place to protect your business and importantly, your customers. As recent events have shown, hard-earned reputations can be lost in a flash if you do not have the correct plans in place.”
“There are two types of businesses. Ones who are being hacked and those who don’t know they are being hacked” Inga Beale.
“Insurance can play a critical role in helping businesses in this environment, not just in terms of cover for any financial losses, but for the support regarding meeting regulatory obligations and dealing with potential operational and reputational fall-outs.
The evolving cyber threat and new stricter regulations will change the way businesses are impacted by cyber incidents: they will have to deal with business interruption, financial penalties, regulatory scrutiny and reputational damage in a way they haven’t done before. All of these could be serious threats to a business’s revenue, share price or even survival.
That’s why, today, Lloyd’s views cyber as one of the most complex, current and critical risk businesses face.
Future expectations
“Our research has shown that cyber risk increasingly sits at the most senior level of business, and although the UK and Europe are still lagging behind the US in terms of take up of cyber coverage, the Lloyd’s market has seen a threefold increase on cyber business over the past two years, and we expect it to continue to grow in 2017.” Beale said.
With all reports for 2017 indicating a continued growth for cyber crime and mandatory reporting laws coming into effect around the globe, the time for robust cyber insurance and cyber security practices is now.
Have you ever wondered what the financial incentive for cyber criminals is? Many experts are reporting that a staggering $1 billion was taken in from ransomware alone in 2016, not counting the other options for cyber crime.
For years we have repeatedly seen stories in the media about shadowy criminals making purchases with your credit card online, with the onus put onto the financial institution to identify, block and refund these transactions. Today things have escalated drastically, and the black market for information offers a broad range of options: online reward point accounts, medical records, auction site accounts and tutorials for newcomers interested in cyber crime. This escalation also means that the responsibility for online security is shifting to individuals instead of resting solely with the vendor.
Below are a few examples of the many ways cyber criminals are making money online from your accounts and information. Whether they are taking a website down to stop trade, extorting hospitals with sensitive patient information, auctioning hacking tools and guides for new criminals or simply using your Netflix subscription, there is a market for it and it is thriving.
Bank details
Selling credit card numbers has been a classic source of revenue for cyber criminals. Although the market is starting to lean towards more specific details like medical records for social engineering and fraud purposes, credit card information is still a strong source of revenue. As can be seen below from a 2016 McAfee report, full card and personal details sell for as little as $40.
“Everything is available. We see bank-to-bank transfers offered for sale, and the availability of banking login credentials.”
Bank credentials for a specific account, used to drain funds, have a higher value, priced as a percentage of the account balance, usually around 1% – 5% of the available balance.
DDoS Rental Services
A DDoS attack will overload a victim’s website, causing it to crash and preventing access until the attack stops. A frozen website can cause an instant halt to sales and have ongoing reputational damage. In 2016, 84% of Australian small and medium businesses were online, with that percentage expected to increase in 2017.
The average cost to the victim of a DDoS attack is around $500 USD per minute, while the mean cost to the attacker is only $66 per attack. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil, and that means that any organisation can potentially be the target of a DDoS attack. What is a DDoS attack?
Russian DDoS advertisement
Exploit kits
Exploit kits are designed to be ready-to-launch hacking tools, with many different variations available online for the budding cyber criminal to purchase and start causing mischief. In one case, a student in Virginia, USA is facing a 10-year prison sentence after creating a key logger tool which records keystrokes and ultimately account information on the victim’s system. The student offered the nefarious tool for sale at $35 USD and sold it to around 3,000 people who, in turn, infected over 16,000 victims, the U.S. Attorney’s Office said.
Using those numbers, his personal incentive for the key logger tool was approximately $105,000 USD which is certainly an attractive figure for any would-be cyber criminal.
Ransomware is malicious software which, once it has infected a system, encrypts important files, freezing operations until the victim pays a ransom, usually demanded in bitcoin. Multiple ransomware kits have been found for rent in online marketplaces for as little as $1,000 USD a month or $100 USD for 48 hours.
Insure your business against cyber crime.
Online rewards programs
Online rewards programs, such as account information for airline points, have also been found for sale on cyber crime marketplaces. According to the report, 300,000 airline points sell for as low as $90 USD, which is very concerning after the recent revelation that 90% of airline booking systems are insecure.
“Flight bookings worldwide are managed by the so-called Global Distributed Systems (GDS) that connect travel agencies, online booking websites, airlines and passengers. Amadeus, Sabre, and Travelport, the three largest GDS networks, administer more than 90 percent of the bookings as well as numerous hotel, car, and other travel reservations, according to Security Research Labs (SR Labs), a Berlin-based hacking research collective.”
Compromised organisation & infrastructure access
Other types of data for sale include access to systems within organizations’ trusted networks. The types of entry vary, from very simple direct access (such as login credentials) to those that require a degree of technical competence to carry out (such as vulnerabilities). We can see the availability of vulnerabilities that allow potential buyers access to bank and airline systems located in Europe, Asia, and the United States.
A recent report by cyber crime expert Idan Aharoni suggests that the types of systems criminals sell access to now include critical infrastructure systems. In his article “SCADA Systems Offered for Sale in the Underground Economy,” Aharoni included one example in which a seller provided a screenshot that appears to be a French hydroelectric generator as evidence that the seller had access.
Stolen enterprise data is also for sale, we have seen sellers offering data stolen from a university.
Medical Records
One of the fastest growing areas of data theft is the medical industry. Client records have been shown to be extremely valuable in the black market community for a number of reasons. One reason is the level of detail which medical records hold. Most medical records hold sensitive information which financial institutions are not privy to, for example full name, age, family history, government ID numbers and other details used for social engineering.
Another reason medical records have increased in value is their extortion value to the holding hospital or medical practitioner. “A breach happens at one of these companies. The hackers go direct to that company and say, ‘I have your data.’ The cost of keeping this a secret is X dollars and the companies make the problems go away that way,” said Greg Virgin, CEO of the security firm RedJack.
Online Subscription Services
Netflix, HBO, Spotify, etc. are just a few of the online subscription services for digital content that are available to purchase for as low as $1 USD. High demand for these accounts can be seen from the widespread listings in the marketplace despite their seemingly low value.
Video streaming services are in high demand. Even premium professional sports streaming services can be purchased for $15. We also found other online accounts being sold, including lifetime subscriptions to premium pornography accounts, as well as free referral links to the dark web market Agora.
It is unclear how 2017 will unfold, with reports already saying 123456 is still the world’s most popular password, but if that is any indicator of the state of personal security, 2017 is going to be a very lucrative year for cyber criminals.
“Employees still remain the most cited source of compromise”
With each new report the cyber security expert consensus remains the same regarding an internal culture of self-mitigation. The below is an excerpt from the latest Australian Securities and Investments Commission (ASIC) Cyber Resilience Assessment Report: ASX Group and Chi-X Australia Pty Ltd.
“There is clear recognition that effective cyber resilience requires a strong ‘cultural’ focus driven by the board and reflected in organisation-wide programs for staff awareness, education and random testing, including of third parties.”
CERT Australia (the CERT) is the national computer emergency response team and is the point of contact in Government for cyber security issues affecting major Australian businesses. The CERT is part of the Federal Attorney-General’s Department, with offices in Canberra and Brisbane.
At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions.
“This Cyber Security Strategy sets out my Government’s philosophy and program for meeting the dual challenges of the digital age—advancing and protecting our interests online.” Hon Malcolm Turnbull MP
CREST Australia New Zealand Ltd, a not-for-profit company, runs CREST Australia New Zealand on behalf of member companies. It provides assessment, accreditation, certification, education and training in cyber and information security for individuals and corporate entities and, according to its company constitution, promotes the provision of high quality, best practice information security services.
MailGuard is one of Australia’s leading technological innovators and the world’s foremost cloud web and email security service, providing complete protection against web and email security threats like malware, ransomware, spyware, phishing, spear phishing, viruses, spam and similar malicious scams in 27 countries around the world.
“This comprehensive report is a must-have reference for C-suite executives, senior managers and anyone new to the information security management space.”
CSO provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. SANS is the most trusted and by far the largest source for information security training and security certification in the world.
“Everything you want to know about cyber security and are too tired to search for.” Whatever you may be interested in – from DEF CON to SANS – you will find on this page.
Conclusion
As criminals continue to emphasise employee exploitation tactics, educating all staff becomes ever more important. Cyber Insurance Australia will continue to update this cyber security resource list as more valuable resources are discovered. For any additions please comment or message.