Don’t Wait For Cyberattacks
Many managers still do not fully realize that the Internet, so helpful in their daily work, is also the source of a growing number of threats. Every day, computer thieves, hackers, and even states use the global network to steal data or to act against companies, institutions, and governments. It is therefore worth watching new trends in cyber threats and anticipating potential attacks rather than waiting for the next strike.
Every year, spending on combating cybercrime increases, and online attacks grow in scale. In mid-May 2017, hospitals, telecommunications companies, the transport giant FedEx and the German railway Deutsche Bahn fell victim to cybercriminals, who hit around 200,000 computers in at least 150 countries. The attackers used the WannaCry worm, which spread by means of EternalBlue, an exploit developed by the US National Security Agency and later leaked to the public, targeting a flaw in Windows SMBv1 that Microsoft had patched two months earlier in bulletin MS17-010. Infected computers were hit by so-called ransomware: software that encrypts files so that the device becomes useless and the data inaccessible until a ransom is paid (and paying offers no guarantee of recovery). Fortunately, Poland was not affected by WannaCry on a larger scale.
CERT Orange Polska, the specialist unit responsible for the security of users of the operator's network, detected over 91,000 ransomware attacks in the first quarter of 2017, an increase of 215% year on year. The number of malware attacks on mobile devices increased by 363%: 110,000 were recorded between the beginning of 2017 and the end of March, compared with almost 139,000 in the whole of 2016.
The number of digital threats is growing rapidly. Criminals exploit every vulnerability in systems, the ignorance and carelessness of users, and the lack of imagination of decision-makers.
This is why the links of the Orange Łódź Data Center are protected with Orange's own security services (DDoS Protection and Malware Protection). It is one of the most modern and best-secured facilities of its kind: 36% of all virtual servers that OBS Orange Cloud for Business delivers to Orange Group companies worldwide are hosted here. The center stores data critical to the continuity of the operator's systems, which in turn are critical to the security of the state and its citizens. It meets the requirements of Tier 3 and most of those of Tier 4, and holds ISO/IEC 27001 (information security management) and ISO 22301 (business continuity management) certification.
The digital security experts of CERT Orange Polska do not keep their knowledge to themselves. Together with Integrated Solutions, a provider of IT and telecommunications solutions, they have published their third annual report, this one entitled "We will lead you into a safe future", covering last year's threats and the directions they are expected to take this year. Since the Orange network carries about 40% of Polish Internet traffic, the report's conclusions can reasonably be generalized to the whole of the Polish Internet.
What happened, and what could happen?
In 2016, CERT Orange Polska handled approximately 47 security incidents a day. "Offensive and illegal content" dominated (41%), almost 20% of cases were hacking attempts, 6.7% malware, and almost 17 in 100 incidents were DDoS (Distributed Denial of Service) attacks. In the character of the latter there is practically no difference between Poland and the rest of the world: attacks are getting shorter, targets are chosen more precisely, and the traffic is increasingly generated by Internet of Things (IoT) devices.

A DDoS attack floods the victim with a large number of network requests, saturating the Internet link or exhausting the attacked servers. The company's website and/or services become unusable, which in today's network-centric world usually translates directly into reputational and business losses. Counteracting a DDoS attack without expert support, and an extremely large one without the help of the network service provider, is very difficult.

A recent development is attacks launched from botnets built out of IoT devices. The largest DDoS attack recorded up to that point (almost one terabit per second) took place in 2016 and was generated mainly by previously infected webcams and video recorders enrolled in the Mirai botnet. According to the report's authors, the IoT problem is only beginning: more and more such equipment is in our homes, and many manufacturers do not invest the resources and money needed to secure it properly. The authors also see no prospect of a decrease in malware, ransomware or phishing campaigns this year.
Users make life easier for hackers.
Despite large-scale awareness campaigns, including those run by Orange Polska, many Internet users still fall for deception, open suspicious-looking attachments or click on links in emails impersonating well-known brands. Low effectiveness in detecting the perpetrators and the small number of reports to law enforcement only embolden the attackers. The attackers' job is also easier because they no longer have to write malware from scratch or plan the campaign themselves: today, malware and the tools for distributing it can be bought and configured to suit one's needs. That is why continuous education and careful use of the Internet are so important.
Social media will also be used on a large scale for attacks, with increasingly sophisticated social engineering. It is often enough to persuade the user to take the desired action, such as clicking on a post or entering seemingly irrelevant data like a mother's name, and the attacker is one step from taking over the victim's online identity completely. For particularly valuable "targets", criminals go so far as to copy the profile of one of the potential victim's friends (details, photos) into a new account and send a fresh friend request from it. By instinctively accepting what looks like a friend's request, the victim gives the cybercriminal the access to their profile that a friend would have.
Another threat is fake contests on Facebook, with free or bargain purchases as the supposed prize. It is enough to like the post, share it on one's profile and post a comment with the requested content, which lets the criminals reach new people, namely the friends of the first victims. The profile then states that, to check the list of winners, one must fill in the form provided and confirm one's identity with a PIN sent by text message, supposedly to verify the "winner's" phone number. The text messages are premium-rate, and the victim finds out only from the phone bill.
Besides social media and the Internet of Things, 2017 will bring more and more attacks on specific professional groups (potential victims identified on Facebook or LinkedIn), companies, institutions and entire sectors of the market. Although the banking sector has been a favorite target of attackers for years, there is no guarantee that they will not turn their attention to other industries.
What were the most interesting crimes of 2016? Let us take a look at a few listed in the CERT Orange Polska report, both those among the 17,199 incidents handled by the unit and those that simply took place on the Polish Internet.
Error on the viasms.pl website allowing the confidential data of any customer to be downloaded:
Any customer of this company could download the loan agreements of other customers. This was possible because of a trivial contract identification scheme: it was enough to change the contract ID in the right place in the address bar of the company's website, and the IDs were sequential, each one higher than the previous one by 1. The server evidently returned the document without checking whether the logged-in user was a party to that contract (an insecure direct object reference, in application-security terms). The leak could have affected over 2 million contracts. Borrowers' agreements included, among other things, the PESEL number, the series and number of the ID card, the residential address, the email address and the telephone number.
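The flaw above, an insecure direct object reference with guessable IDs, reduces to a handler that trusts the identifier in the request. The following Python is an added illustration written for this page, not viasms.pl's code or anything from the CERT Orange Polska report: the contract store, user names and field values are constructed. It contrasts the vulnerable handler with one that performs an object-level ownership check, shows the enumeration an attacker would run against each, and adds unguessable public references as defense in depth.

```python
import secrets

# Constructed sample data standing in for a lender's contract store
# (not viasms.pl data; all values are made up).
CONTRACTS = {
    1001: {"owner": "alice", "pesel": "90010112345", "id_card": "ABC123456"},
    1002: {"owner": "bob", "pesel": "85050554321", "id_card": "DEF654321"},
    1003: {"owner": "carol", "pesel": "78121298765", "id_card": "GHI111222"},
}


class Forbidden(Exception):
    """Raised when the authenticated user may not see the requested object."""


def get_contract_vulnerable(session_user: str, contract_id: int) -> dict:
    """Mirrors the flaw described above: the handler trusts the ID taken from
    the URL and never checks who owns the contract."""
    return CONTRACTS[contract_id]  # KeyError for unknown IDs, otherwise anyone's contract


def get_contract_fixed(session_user: str, contract_id: int) -> dict:
    """Object-level authorization: look the contract up, then compare its owner
    with the authenticated user before returning anything."""
    contract = CONTRACTS.get(contract_id)
    if contract is None or contract["owner"] != session_user:
        # Same response for 'does not exist' and 'not yours', so the caller
        # cannot map which IDs are in use.
        raise Forbidden(f"contract {contract_id} is not accessible")
    return contract


def enumerate_contracts(handler, session_user: str, start: int, count: int):
    """What an attacker does with sequential IDs: log in once, then walk the
    ID space and keep whatever comes back. Returns (id, owner) pairs."""
    leaked = []
    for cid in range(start, start + count):
        try:
            leaked.append((cid, handler(session_user, cid)["owner"]))
        except (KeyError, Forbidden):
            continue
    return leaked


def new_contract_reference() -> str:
    """Unguessable public reference for new contracts (in addition to, not
    instead of, the ownership check): 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # alice holds contract 1001 only
    print("vulnerable:", enumerate_contracts(get_contract_vulnerable, "alice", 1000, 5))
    print("fixed:     ", enumerate_contracts(get_contract_fixed, "alice", 1000, 5))
```

The fix is the ownership comparison, not the random reference: a random ID only slows enumeration down, while the authorization check stops it regardless of how the ID was obtained.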
Error in the mobile application of one of the mobile operators allowing access to other customers' confidential information: when using the operator's website or its account-management application, subscribers were automatically logged in to the accounts of other customers of the operator. This auto-login gave them unauthorized access to other subscribers' contact details; they could view payment information and call history and change many settings.
Phishing attacks on mBank's electronic banking users. The message sent to the bank's customers falsely claimed that the account had been blocked for security reasons after alleged unauthorized access. The customer was asked to click on the link provided to verify the account owner's details and unblock the account. The campaign used several fake domains that browsers did not yet flag as phishing. An inattentive customer might not notice that the link did not lead to the bank's own domain (it used plain "http://" rather than "https://") and that the message came from a random email address. Clicking the link led to a fake bank website and to a fake form in which the victim entered confidential data. Note that the reverse does not hold: a padlock and "https://" only mean the connection is encrypted, and phishing sites increasingly obtain TLS certificates too, so it is the domain name, not the padlock, that has to be checked.
Phishing campaigns related to the 500+ family benefit programme:
Cybercriminals copied the official website rodzina500plus.gov.pl, creating an almost identical page in the info.pl domain, hosted in Poland. After the fake site was blocked, a new clone appeared, this time hosted in Russia. The fraudulent site offered to submit an application online and asked for the beneficiary's phone number in the first step. A code was sent to that number, and entering it activated a subscription to premium-rate text messages. Orange Polska customers were protected from this attack by CyberTarcza: when they tried to reach the cloned page they were redirected to a special site informing them that they had almost fallen victim to phishing.
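Both the mBank and the 500+ campaigns above rely on the same tells: a link whose host merely contains the brand name, plain "http://", and visible text that names the real site while the href points elsewhere. The Python below is an added example written for this page, not CyberTarcza or any Orange tooling: it extracts the links from an HTML email and checks each against an allowlist of legitimate domains. The allowlist contents and the email body are constructed (the lookalike hostnames in it are made up), and the brand-keyword approach is an assumption that has to be maintained per organization.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> legitimate domains for that brand.
# mbank.pl and rodzina500plus.gov.pl are the genuine sites referred to above;
# the mapping itself is an assumption to be maintained per organization.
LEGIT = {
    "mbank": {"mbank.pl"},
    "500plus": {"rodzina500plus.gov.pl"},
}

# Constructed email body imitating the two campaigns (hostnames are made up).
SAMPLE_EMAIL = """
<p>Your account has been blocked for security reasons.
   <a href="http://mbank-secure-login.pl/verify">Unblock your account</a></p>
<p>Submit your application online:
   <a href="https://rodzina500plus.info.pl/wniosek">rodzina500plus.gov.pl</a></p>
<p>Log in as usual: <a href="https://www.mbank.pl/">mbank.pl</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace in the anchor text
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (suffix match on labels)."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str, allowlist=LEGIT) -> list:
    """Return the phishing indicators found for one link (empty list = none)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not https")
    # Brand name present in the host, but the host is not one of the brand's real domains.
    for brand, domains in allowlist.items():
        if brand in host and not any(_under(host, d) for d in domains):
            findings.append(f"lookalike of {brand}")
    # Visible text that looks like a domain or URL but does not match the real target.
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and not _under(host, shown):
            findings.append(f"text shows {shown}, link goes to {host}")
    return findings


def scan_email(html: str, allowlist=LEGIT) -> list:
    """Run check_link over every link in an HTML email; returns (href, findings) pairs."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text, allowlist)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", findings or "ok")
```

A clean result from this check is not proof of legitimacy: it knows nothing about homoglyph (IDN) domains, URL shorteners or redirects, so in practice it is one signal feeding a mail gateway or user warning rather than a verdict.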
In 2016, 20 years passed since the establishment, within Telekomunikacja Polska, of a unit dedicated solely to ICT security. Last year, CERT Orange Polska became the only team from Poland to join the elite group of 16 European CERTs with Certified status in the Trusted Introducer initiative. It also scored very well in its debut in the pan-European Cyber Europe 2016 exercise, taking 6th place out of 114 participating teams. Among other things, the CERT Orange Polska team protected the infrastructure supporting the NATO summit, and the PAP and KAI infrastructure during World Youth Day, against DDoS attacks.
It offers users of its network:
- DDoS Protection: protection of the company's Internet-facing resources against volumetric denial-of-service attacks;
- Web Application Protection (WAF as a Service): protection of the client's web resources (servers and applications) exposed on the Internet, using a Web Application Firewall platform located in the Orange backbone network;
- SIEM as a Service: a SIEM (Security Information and Event Management) system is a key element of an organization's ICT security management; properly configured, it collects events from business-critical systems and applications and correlates them in search of undesirable activity that may constitute a security incident and a threat to business continuity;
- SOC as a Service: round-the-clock support from a Security Operations Center (SOC) team;
- Feed as a Service: information on malicious network activity observed in the Orange infrastructure;
- IP Reputation Service: an additional layer of protection for ICT resources exposed on the Internet for business purposes (electronic banking, e-commerce systems, intranet portals and the like);
- source code audit of software under development: helps eliminate, already in the coding phase, errors that could become critical security gaps once the application runs in production;
- security tests: penetration tests and performance tests (DDoS as a Service) that identify the system's exposure to break-ins and check whether an attack can be repelled;
- Malware Protection InLine: traffic at the Internet boundary is monitored and analyzed for malicious code in uploaded files (not only executables) and scripts;
- analysis of malware samples the company submits to CERT, with recommendations for further action;
- Secure DNS: geographically distributed servers answering DNS queries.
Mailing campaign impersonating Poczta Polska (the Polish Post Office). Recipients received a fake message saying that a parcel could not be delivered. The odd subject line and the sender's address could have raised suspicion, but an inattentive recipient who clicked on the link to see the shipment details was redirected to a page imitating the Poczta Polska website and downloaded from it a file carrying the Cryptolocker ransomware, which encrypted the files on the computer's disk. The files could only be decrypted after the ransom was paid.
Break-up of the Lublin criminal group robbing bank accounts. The Police and the Prosecutor's Office broke up an international criminal group based in the Lubelskie Voivodeship that had stolen 94 million zlotys from bank accounts. The criminals used the Tinba banking trojan to capture online banking credentials. The tally is 800 break-ins into bank accounts in Poland, the rest of Europe, the USA and Canada; most of the victims were companies, universities, county (starosta) and voivodeship offices, and private individuals. The group had been operating since at least 2012. 148 people were detained, mainly from Poland and Latvia, and PLN 57 million was recovered for the victims.
A data leak from the PESEL system in 2016:
The Ministry of Digitization detected a huge data leak from the PESEL register, the trail of which led to several bailiff offices. One of them came into possession of as many as 800,000 personal data records of Polish citizens. Besides basic personal data, the PESEL register holds parents' names and surnames, date and place of birth, marital status, birth certificate number, registered address, and the series, number and expiry date of the ID card and passport. The case was discovered only after a year, even though during that time the number of queries sent to the register by one of the offices reached 2 million, many of them at night. Such data can end up on the darknet, and access to citizens' detailed private data gives criminals scope for huge abuses, such as identity theft or forging ID cards. Abnormal query volume from a single client, and queries outside working hours, are exactly the signals that monitoring of such a register should raise long before a year has passed.
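The PESEL case describes two signals that went unnoticed for a year: one client's query volume far above everyone else's, and queries at night. The Python below is an added detection example written for this page, not anything from the Ministry of Digitization, the PESEL system or the CERT Orange Polska report. The audit log format (`timestamp client=... query=... status=...`), the client names, the one-day sample and the thresholds (5x the median client's volume, more than 20% of queries between 22:00 and 06:00) are all constructed assumptions; a real deployment would derive the baseline from each client's own history rather than from a single day across clients.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed: hours 22:00-05:59 count as "night" for a register used by offices.
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))


def make_sample_log():
    """Constructed one-day audit log (not real PESEL records): two ordinary
    offices with 40 daytime queries each, and one outlier with 150 daytime
    plus 250 night-time queries. Line format is an assumption."""
    lines = []
    for office in ("office-03", "office-07"):
        for i in range(40):
            hour = 8 + (i % 9)  # 08:00-16:59
            lines.append(f"2016-03-04T{hour:02d}:{i % 60:02d}:00 client={office} query=lookup status=ok")
    for i in range(150):
        hour = 8 + (i % 9)
        lines.append(f"2016-03-04T{hour:02d}:{i % 60:02d}:00 client=office-17 query=lookup status=ok")
    for i in range(250):
        hour = (22 + i % 8) % 24  # 22:00-05:59
        lines.append(f"2016-03-04T{hour:02d}:{i % 60:02d}:00 client=office-17 query=lookup status=ok")
    return lines


def parse_line(line: str):
    """Split '<iso timestamp> key=value ...' into (datetime, client id)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["client"]


def profile(lines):
    """Per-client total query count and night-time query count."""
    total, night = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, client = parse_line(line)
        total[client] += 1
        if ts.hour in NIGHT_HOURS:
            night[client] += 1
    return total, night


def flag_clients(lines, volume_factor: float = 5.0, night_share: float = 0.2) -> dict:
    """Return {client: [reasons]} for clients whose volume exceeds volume_factor
    times the median client, or whose night-time share exceeds night_share."""
    total, night = profile(lines)
    baseline = median(total.values())  # a typical client's daily volume
    flagged = {}
    for client, n in total.items():
        reasons = []
        if n > volume_factor * baseline:
            reasons.append(f"volume {n} exceeds {volume_factor:g}x median ({baseline:g})")
        share = night[client] / n
        if share > night_share:
            reasons.append(f"{share:.0%} of queries at night")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(make_sample_log()).items():
        print(client, "->", "; ".join(reasons))
```

The median across clients is a deliberately crude baseline: with only a handful of clients, a single heavy but legitimate user shifts it, which is why the per-client history is the better reference once enough of it exists.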
Users are becoming more and more aware of the dangers.
In June this year, ICAN Research surveyed 262 entrepreneurs on IT security. Asked how great a threat mobility (the use of laptops, smartphones and tablets) posed to the security of their companies' data and systems, as many as 73% answered large or very large, compared with 57% in 2016 and 39% in 2015. Data transmission over the Internet is a strong concern for 81% of entrepreneurs, up from 57% and 44% in the two previous years. Even more fear cybercrime: 94% this year, 56% in 2016 and 53% in 2015. These figures alone show a marked increase in business managers' unease about their presence in the virtual space. They often ask themselves whether it is really worth digitizing all their resources. There is no escape from the virtual world, however, even though the fears are, as the CERT Orange Polska data show, fully justified. How to defend oneself and minimize the danger?
Simple rules of defense
On the Internet, just as behind the wheel of a car, it is worth following the principle of limited trust. Keep asking yourself: should this email really have reached me? Am I 100% sure the bank sent it? Do I have to open the attachment in this strange-looking email, go to the link, enter any data there?
If something raises even a little doubt, take a moment, or longer, to think. Criminals rely on strong, urgent triggers to act, such as threats of a financial penalty, account blockage, withdrawal of access or the police, precisely so that the victim reacts instinctively, guided by emotion.
It is also worth protecting your data properly. A password should have at least 8 characters (12 for sensitive data) and mix upper- and lower-case letters, digits and special characters; length matters more than forced complexity, so a long passphrase that is unique to each service and kept in a password manager is the practical way to meet this rule. Keep software up to date and install anti-virus and firewall software. Be careful with location data and review your privacy settings. Because of social engineering, email has become the most serious threat; a policy of safe use of this means of communication is therefore necessary, and above all, continuous education of users.