Why Password-Thieving Malware should have you Terrified this Halloween
Common Risky Online Actions
Are you guilty?
How to minimise professional risk
i) Clicking on unknown links and opening email attachments — hover your mouse over the link to see the actual destination address, and check that the domain is the one you expect before visiting the site
ii) Reusing passwords across accounts — use a random password generator and a password manager such as LastPass or TrueKey, and guard your master password safely offline or on a USB drive.
iii) Departments sharing accounts, with the passwords stored in an XLS spreadsheet — beware of convenience-seekers
iv) Downloading free software — you want to get that slight edge, after all
v) Unsafe web browsing — watch out for clickbait links
‘In today’s world, your resources can reside anywhere. They’re not inside your perimeter anymore. Your perimeter has dissolved,’ says David Behr, CEO of Liquid Telecom, South Africa, which draws on a network incorporating 7000 miles of cables, data centres and associated cloud infrastructure to inform its new cyber security service offering.
The change in working habits, where employees must be able to use work devices from home, has several implications:
‘Companies must be able to stop threats wherever they are in a wider network, not just within your corporate network. …That your people are treated as insecure until proved otherwise. This is what we call the zero-trust network user concept.’
Many successful phishing attempts occur via ‘accidental insiders’, i.e. convenience-seekers who store their login credentials in files saved on their hard drives where they are easily accessible. Others occur via inadvertent users, such as third-party contractors whose applications are hijacked by Trojans or other malware that can write in backdoors through which malicious actors gain access to login details and to the PII of customers held in the organisation’s databases.
The most effective intrusions, those that succeed in getting hold of temporary files such as payment information (which, if handled in compliance with data protection rules, is stored on separate servers from personally identifiable information (PII)), are time-consuming. But they are well disguised: threat detection software, however sophisticated and frequently updated, may not detect them if data outflows are timed to blend in with normal operations and if external commands are issued through what is made to look like a genuine admin account.
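Because an outflow that matches an account’s normal volume will pass a volume-only check, a defender has to baseline each account on more than one dimension. The script below is an added example, not part of the original article: it parses a constructed egress log (account, hour, destination, bytes out), builds a per-account baseline from the first few events using median and MAD (robust to a single spike), and flags later events that either go to a destination the account has never used or deviate sharply in volume. The ‘blended’ admin transfer is caught by destination novelty even though its volume is unremarkable.

```python
import statistics
from collections import defaultdict

# Constructed sample egress log: account,hour_of_day,destination,bytes_out.
# admin01 sends a normal-sized transfer to a never-before-seen host at 15:00;
# clerk02 sends an abnormally large transfer to its usual host at 13:00.
SAMPLE_LOG = """\
admin01,09,backup.example-internal,5200000
admin01,10,backup.example-internal,5100000
admin01,11,backup.example-internal,4900000
admin01,12,backup.example-internal,5300000
admin01,13,backup.example-internal,5000000
admin01,14,backup.example-internal,5250000
admin01,15,203.0.113.7,5150000
clerk02,09,crm.example-internal,120000
clerk02,10,crm.example-internal,130000
clerk02,11,crm.example-internal,125000
clerk02,12,crm.example-internal,118000
clerk02,13,crm.example-internal,900000
"""


def parse_log(text):
    """Parse CSV lines into (account, hour, destination, bytes_out) tuples."""
    rows = []
    for line in text.strip().splitlines():
        account, hour, dest, nbytes = line.split(",")
        rows.append((account, int(hour), dest, int(nbytes)))
    return rows


def find_suspicious_egress(rows, baseline_len=4, mad_threshold=3.0):
    """Return (account, hour, dest, reason) for events that break the account's own baseline.

    The first `baseline_len` events per account define what is normal: the set of
    destinations seen and a robust volume centre (median) and spread (MAD).
    """
    by_account = defaultdict(list)
    for row in rows:
        by_account[row[0]].append(row)
    findings = []
    for account, events in by_account.items():
        baseline = events[:baseline_len]
        volumes = [b[3] for b in baseline]
        med = statistics.median(volumes)
        mad = statistics.median(abs(v - med) for v in volumes) or 1.0  # avoid /0
        known_dests = {b[2] for b in baseline}
        for _, hour, dest, nbytes in events[baseline_len:]:
            if dest not in known_dests:
                findings.append((account, hour, dest, "new destination"))
            elif abs(nbytes - med) / mad > mad_threshold:
                findings.append((account, hour, dest, "volume outlier"))
    return findings
```

In production the baseline would come from days of history rather than four events, and the destination check would be keyed on the resolved owner or ASN rather than a raw host string.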
Freaky Malware Products Available to Buy off the Shelf on the Dark Web
- Kaptoxa — scrapes a device’s memory and is used to capture card data from credit card readers
- Citadel and ZeuS — Trojans, i.e. password-stealing malware that installs itself on your system if you open a dodgy attachment
- Web shells — uploaded through third-party connections such as invoice processing platforms and tender forums, disguised as a genuine submission, and acting as a back door for malicious code
Intentional hacks by underpaid employees, or by those who have been paid off, are less common but do occur, as almost happened at Tesla in 2007: a Tesla owner and community member who earned a sideline recycling Tesla parts intentionally hacked their mainframe to expose systemic weaknesses, and was paid a substantial bonus for the bug report he submitted — after he had found a way to hack any self-driving car in the Tesla fleet.
This is particularly important in South Africa, where a reported 78% of employees working from home receive no cyber security education, and experts believe that machine learning and threat detection are of limited use on their own.
A report commissioned by Liquid Telecom, entitled ‘State of Cyber Security in Kenya and South Africa in 2020’, found that password compromise (72%) and phishing/cyber engineering attacks (67%) are the greatest threats. For this reason Liquid Telecom has created simulations of ‘risky behaviours’ using company-owned domains that ape the patterns of fraudulent sites. Its cyber security offering also monitors employee browsing and turns any risky behaviour it identifies into a learning opportunity.
“Liquid Telecom understands and appreciates that cyber security is not just about technology, but about helping and securing the people within a business,” said Stephen Burke, founder and CEO of Cyber Risk Aware. “When correctly trained and supported in the right way, people are a company’s greatest security asset and first line of defence — their Human Firewall.”
Liquid Telecom Group Chief Digital Officer David Behr talks about the growth of what is commonly termed the ‘Shadow IT problem’, whereby employers are unaware of the extent of unsanctioned applications being used by employees, particularly now that so many are working from home.
According to a Netshape Cloud Report covering 2016–20, the average number of cloud apps in use has increased steadily, from 917 in 2017 to 1,031 in 2018 and 1,295 in 2020. Of these, 70% are business-led and 10% are IT-led, with the remaining 20% of applications being user-led. “Not even the managers of the businesses are aware they are being used,” says Behr.