In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat.
Our own research also points to resurgence in this attack technique. We found that:
- 50% of firms have seen email attacks that use macros in attachments increase
- 44% saw an increase in attacks with social engineering asking users to enable macros
- 67% are not confident employees would spot this combined attack
These findings came from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia in March 2016.
While most organizations choose to block executable attachments at the gateway by default, they must still allow files such as Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.
Here’s a recent targeted attack email we saw containing a weaponized attachment:
Mimecast Email Security Guide to Stop Malicious Macros
Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:
- Ensure macros are not enabled by default across your Microsoft Office application estate, and that ‘Protected View’ is enabled at all times
- Consider disabling macros and VBA code in all but essential applications
- Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember that non-sandboxing gateways are not able to recognize or signature macros, because the macro code is not itself a viral payload
- Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or strip active code from all inbound Office documents
- Train and educate end users to the changing nature of threats in email. Ensure they understand the risks presented to their inboxes, and how to handle unexpected email and attachments. Ensure they understand the hacker’s tactics and how to recognize simple social engineering attacks
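As an added example of the attachment inspection the third and fourth recommendations call for (this is not Mimecast's or the page's own code), the Python below decides whether an inbound OOXML document carries a VBA project by reading the package itself, so a renamed extension does not hide the macro; the sample documents it checks are constructed in the code.

```python
import io
import zipfile

# Constructed example (not Mimecast code): inspect an OOXML attachment for VBA macros
# by reading the package itself instead of trusting the file extension.
VBA_PART_NAME = "vbaproject.bin"
MACRO_MARKERS = (b"application/vnd.ms-office.vbaProject", b"macroEnabled")

def inspect_office_attachment(data: bytes) -> dict:
    """Report whether the bytes are an OOXML package, which VBA parts it holds,
    and whether [Content_Types].xml declares a macro-enabled document."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_enabled_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE2 .doc/.xls or non-Office data: out of scope here
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # A .docm renamed to .docx still carries its vbaProject.bin inside the zip.
    result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_NAME)]
    content_types = zf.read("[Content_Types].xml")
    result["macro_enabled_type"] = any(m in content_types for m in MACRO_MARKERS)
    return result

def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold any Office document that carries active code."""
    r = inspect_office_attachment(data)
    return bool(r["vba_parts"]) or r["macro_enabled_type"]

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word package for offline testing, not a real document."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>') if with_macro else ""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>{vba_override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic
    return buf.getvalue()
```

Legacy binary .doc and .xls files keep their macros in OLE2 streams rather than a zip part, so they return no findings here and need an OLE parser such as oletools' olevba instead.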
You can see more examples in my recent security advisory on macro threats.
Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms. These new social-engineering and impersonation attacks could leave firms of all sizes at risk of taking the full financial brunt of crime.
Waves of high-profile breaches and new breach notification legislation are setting the scene for a huge growth in cyber insurance take-up. But while insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account.
Whaling (CEO fraud) attacks have been growing rapidly in volume and in scale. Mimecast revealed in April that 67% of firms have seen an increase. Then only last month, Austrian aerospace manufacturer FACC sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack.
Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered. For example, how would an insurer decide compensation if a set of W-2 tax forms were stolen compared to the secret plans for a new and theoretical product? What about hacks that compromise the integrity of data rather than stealing it? Can insurance ever really fully provide coverage for these data-specific use cases?
One other concern for insurers is that it can be difficult to separate real crime from potential insurance fraud.
As part of its research into cyber insurance policies, Mimecast questioned 436 IT experts at organizations in the US, UK, South Africa and Australia. The research revealed that:
- 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date
- 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions
- 64% of firms don’t have any cyber insurance at all
One example of this growing risk is the legal proceeding between Texas-based AFGlobal Corp and Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but the insurer denied a claim when scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.
The rise of whaling has created an attack climate where many insured organizations may not be protected from fraudulent transactions because they fall outside of the coverage scope of when their policies were originally signed.
Mimecast research also found that:
- 58% of organizations have seen an increase in untargeted phishing emails
- 65% have seen targeted phishing attacks grow
- 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase
A survey of risk managers by The Hartford Steam Boiler Inspection and Insurance Co. (HSB) highlighted the primary reasons for not buying coverage. Perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent) were cited.
With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date. CEO fraud is a prime example of how quickly an attack can grow and morph. Tomorrow’s threats will almost always come as a surprise.
Mimecast is recommending that all organisations review their cyber insurance policies regularly. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.
Mimecast will be exhibiting at Infosecurity Europe, 7-9 June, at stand #G100. Mimecast security experts will discuss the top email attack strategies being used against millions of organizations around the world today.
This will be the second Infosecurity Europe since its return to Olympia last year. We've been regular exhibitors at the premier European security show for years and been part of an era of fundamental changes in the security industry. Let’s take a look at some key things to watch at this year’s Infosec 2016. I’ll cover patterns in the program, speakers to watch for and some highlights of what to look for in the Mimecast booth!
Patterns in the Program
A quick glance at the speaker programme shows that this year, a pattern is already emerging - a widening of the description of a cybercriminal. What once was just the traditional hacker in a darkened basement has changed to a completely different variant, urging all those who control the security of their companies to think ahead of the next hack. Attacks can now come from governments (think Stuxnet), from bored teens (Talk Talk) or from anyone with a credit card and the motivation to rent a botnet. Cybercrime is big business and the continuing upward spikes in ransomware (complete with support helpdesks to assist with payments) highlights how criminals are adopting legitimate business practices to increase their effectiveness.
Speakers to Watch
Speaker slots I'm personally looking forward to include 'Profiling the Connected Cybercriminal' by Mikko Hypponen from F-Secure, who has recently published some interesting posts on the Infosecurity Europe blog, and 'How to Hack a Human; Anatomy of a Social Engineering Attack' by Dr Jessica Barker.
Highlights & Prizes
I'll also be at our ‘Making Email Safer for Business’ stand (#G100) talking about the growing threat of spear-phishing and email impersonation attacks. On our stand, everyone can walk away with RFID protection cards and ‘Snap out of it’ swirly glasses. We’ll also have regular stand presentations from Microsoft Exchange and Office 365 MVP J. Peter Bruzzese – where he’ll be exploring the risk factors you’ll need to consider when moving to Office 365. Plus, we’ll be running through demonstrations of our services on the stand - to book a demonstration with one of our technical team, you can request one here.
Also, you can enter your details into our draw to have a chance to win a pair of Ray-Bans (T&Cs here) and if you publish selfies with our #AddMimecast frame you can be in with a chance to win an iPad Air 2.
Or if you fancy a more informal setting, we’ll be serving drinks at our stand between 4:00-5:30pm on Tuesday, the 7th of June. In addition, on Wednesday the 8th of June between 5:00-7:00pm we’ll be hosting a CIO & IT Professionals drinks reception in the Millennium Gloucester Hotel, London – registration is available on this microsite.
I for one can’t wait to see all of my peers, colleagues, partners and customers this year – it looks set to be a pivotal event for the Infosecurity world again - see you next week!
Organizations of all shapes and sizes face a significant threat from cybercriminals. But small- and mid-sized firms may face heightened risk, as they are often targeted not only for their own sake but also by those trying to reach their customer base through perceived weaknesses in the supply chain.
Indeed, the cyber threat is growing fast, with new and sophisticated attacks proving ever more difficult to defend against. Whaling email scams, for instance, are up 270% from January 2015, according to the FBI – while law enforcement received reports from 17,642 victims, amounting to more than $2.3 billion in losses from October 2013 through February 2016. The FBI also reported that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
The sheer scale of the threat makes it obvious that midmarket businesses must pay close attention to data security, and address the same email-related threats as larger businesses. The big difference, though, is that many in the midmarket must do so with limited budget and IT resource – which clearly makes keeping up-to-date with defence against threats like spear-phishing and whaling all the more challenging.
The truth, however, is that midmarket firms don’t need to compromise on email and data security. Mimecast helps midmarket organizations get out of the business of running email on multiple point solutions, which is costly, complex and eats up IT resources. We provide best-of-breed security, archiving and continuity services for email in the cloud that allow businesses of all sizes to get the protection they need without prohibitive cost. What’s more, our innovative Targeted Threat Protection service offers robust defence against the very latest cyber threats – including spear-phishing and whaling.
But, midmarket firms need more than technology solutions. Limited by internal resource constraints, they also need rapid access to expert support and advice – and that is exactly what they get from Mimecast.
This combination of innovative solutions and expert support has once again been recognized by two leading midmarket IT organizations. Most recently, Mimecast won two XCellence Awards at the Channel Company’s 2016 Midsize Summit East: “Best of Show” and “Best Boardroom Case Study Presentation.”
In addition, Mimecast was named "Best Vendor, Service" at the Spring 2016 Midmarket CIO Forum. Selected by a panel of CIOs, the award recognizes Mimecast as a leader in the IT Vendor Excellence category for providing an “established service that has been exemplary in specifically meeting the needs of the midmarket.”
It’s fair to say that the contribution that mid-sized and smaller companies make to the economy does not always get the recognition it deserves – and, in truth, it’s often the most exciting frontier in terms of new business practice and technology adoption. However, it’s also the front line in a security arms race of evolving threats and security response. It’s the responsibility of technology providers like Mimecast to help midmarket businesses stay one step ahead, for instance with the recent addition of whaling protection to our Targeted Threat Protection service.
Watch this video to learn how Mimecast Targeted Threat Protection can help defend your business against email-based attacks.