Blog from March, 2022

A new analysis of attacks in 2021 shows massive increases across the board, painting a very concerning picture for 2022 cyberattacks of all types.

New data from security vendor PhishLabs, in their Quarterly Threat Trends & Intelligence Report covering all of 2021, provides a better sense of what last year's state of cyberattacks looked like, and reveals that the increases in cybercriminal activity we saw throughout 2021 look like they're here to stay for the time being.

According to the report:

  • Phishing attacks grew 28%
  • Social Media-based threats grew by 103%
  • Attacks with malware nearly tripled
  • Vishing attacks (https://us.norton.com/internetsecurity-online-scams-vishing.html) (combinations of phishing emails and phone calls) jumped 554%
  • 52% of phishing attacks focused on credential theft
  • 38% of phishing attacks are response-based (e.g., job scams, tech support, BEC)
  • Only 10% focused on malware delivery

The overarching theme here is that email is the delivery mechanism of choice – because it works. Keep in mind that even with only 10% of attacks focused on malware delivery (and a portion of those using malicious links instead of attachments), some percentage of malicious phishing emails will make their way to your Inbox. We use layered security on our email system, but really you are the best defense. Emails should be viewed with a sense of vigilance and skepticism - looking for something unexpected, suspicious or otherwise out of the norm.

Be particularly wary of calls you might receive from individuals claiming to be from your bank, or of an email asking you to call a number. Recently, scammers were spoofing (making fake) emails from Amazon.

Callers reported speaking to someone who then attempted to direct them to a web site in order to input more information. This could be an elaborate credential theft attempt or a way to install a remote access Trojan on your computer - allowing bad actors any number of possibilities (keystroke logging of passwords, for example).

With email being such a large attack surface, we’ve enabled two-factor authentication (2FA) on our Google environment. To help keep your email secure, we recommend enabling 2FA on your email account. For step-by-step directions on enabling it, go here: https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform%3DAndroid

The increased need to pay attention to security also comes in the wake of the Russian aggression in Ukraine. A recent press announcement by the White House (https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/) suggests the likelihood of larger state-actor threats coming towards the U.S. this year.

For up-to-date cyber information on the threat Russia poses, please see the CISA Shields Up program website: https://www.cisa.gov/shields-up

Top 5 Steps to Securely Work from Home

  1. You: First and foremost, technology alone cannot fully protect you – you are the best defense. Attackers have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. If they want your password, work data or control of your computer, they’ll attempt to trick you into giving it to them, often by creating a sense of urgency. For example, they can call you pretending to be help desk staff and claim that your computer is infected. Or perhaps they send you an email warning that a package could not be delivered, fooling you into clicking on a malicious link. The most common social engineering attacks include: trying to create a tremendous sense of urgency (I need you to do this now!!), asking you to bypass normal business operations, or pretending to be a colleague or friend when the wording does not sound like them. Additionally, be sure you use your work device for only work-related activities. It's tempting to start to use your work device for more personal activity, but minimizing that crossover between work and personal will greatly reduce the likelihood you compromise your work device and the data/information that is on it. While we monitor risk activity through our antivirus software on work-issued devices, it is not a perfect solution or a guarantee that we can remotely stop every possible threat.
  2. Home Network: Almost every home network starts with a wireless (Wi-Fi) network. This is what enables all of your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. Both work in the same way: by broadcasting wireless signals to which home devices connect. This means securing your wireless network is a key part of protecting your home. Three things you can do now if you haven't already are: change the default administrative password on your home router (you can oftentimes Google how to do this or contact your internet service provider for instructions), allow only trusted individuals access to your network (don't give out your Wi-Fi password to people you don't know or trust), and make all of your passwords strong (best practices recommend using a password with special characters, a mixture of numbers and letters, capital and lower case, and having at least 12 to 15 characters total - more on that below).
  3. Passwords: When a site asks you to create a password, create a strong password: the more characters it has, the stronger it is. Using a passphrase is one of the simplest ways to ensure that you have a strong password. A passphrase is nothing more than a password made up of multiple words, such as “bee honey barrel.” Using a unique passphrase means using a different one for each device or online account. This way if one passphrase is compromised, all of your other accounts and devices are still safe. If you are having a hard time remembering all of these passwords, consider using a password manager. We recommend 1Password and LastPass.
  4. Update your Software: Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing them by releasing updates. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including not only your work devices but Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car.
  5. Family and Friends: Make sure your family and friends know they cannot use your work devices. They can accidentally erase or modify information, or, perhaps even worse, accidentally infect the device. Bethel does maintain antivirus software on laptops we issue, which tracks and blocks all risky behavior, but with support difficult during this period of time, we recommend not taking the chance of sharing a device.

Keeping the Customer’s Data Secure

Institutions of higher education (IHE) have hundreds or thousands of new customers that come through their doors every year. If they are successful, those customers are retained for a few years and become happy, economically successful alumni in the future. 

With all of the customer data (aka students) and a culture of openness, sharing, flexibility, and each person exploring their own interests, there can be a very serious threat to the confidentiality and integrity of that information. 

Some schools are so focused on providing that experience to students that they don’t have the time or resources to focus on information security. It's critically important, though, that all employees learn to treat student information as the most important thing they manage on a daily basis.

Hacking vs Leaking

Hacking remains the largest single source of data breaches in the U.S. However, something known as “data leaking” is not far behind. Data leaks are caused by unintentional actions of employees: sending an email with student data in it, saving a spreadsheet in a space with the wrong permissions, or misconfiguring an application or a database associated with one. These are examples of data leaks - situations where a hacker may not have acted to penetrate a system, but could still access data because someone has made it easily accessible outside of the secure “perimeter” set up by the institution.

What Matters?

So, what data is important? Banking and other financial data is. Social Security numbers are. Those should be very obvious data points that give an employee pause to ensure they are being saved, sent and otherwise handled in a fully secure manner. However, it can be more than just those two big ones - FERPA regulations ensure that information regarding the student’s academic record is also kept private. So, before you share that information with an outside partner, a textbook company, or an application you want your students to use, think - is this secure? Can I do this? If you ever want guidance, feel free to send an email to information-security@bethel.edu and we’ll do a quick assessment for you - giving you the guidance you need to keep our customers’ data safe and secure.

What is Secure?

Google is a secure file storage location. For long-term storage, we still recommend using Network Attached Storage (NAS), aka department drives. To access those network drives off campus, please use the instructions we've provided in Learning, Teaching and Working Remotely for Students, Faculty, and Staff.

To share files securely outside of the NAS or our Google environment (for example, with someone on another email provider - comcast.net, yahoo.com, etc.) we recommend using our secure file share system. That is accessible at secure-files.bethel.edu.

For that same reason, staff and faculty are STRONGLY encouraged not to forward their Bethel email to a private account. Doing so opens up the possibility for what should have been secure information to be leaked outside of Bethel.

Researchers at Malwarebytes warn that a phishing campaign is informing users that someone logged into their account from an IP address in Moscow. The email contains a button to report the issue, which “opens a fresh email with a pre-filled message to be sent to a specific email account.” If a user sends this email, the attacker will reply and attempt to rope them further into the scam.

The researchers note that while the timing may be coincidental, users will probably be more inclined to respond to the emails given the current situation with Russia and Ukraine.
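A mail-filtering check for the "report" button described above, written here as an added example (it is not code from Malwarebytes or from this blog): it flags `mailto:` links that pre-fill a subject or body and address a recipient outside the domain shown in the From header. The function names, the sample message and the exact-domain comparison are assumptions made for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit


class MailtoCollector(HTMLParser):
    """Collects href values of <a> tags that use the mailto: scheme."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = (dict(attrs).get("href") or "").strip()
        if href.lower().startswith("mailto:"):
            self.hrefs.append(href)


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rpartition("@")[2].strip().lower()


def flag_prefilled_mailto(from_header, html_body):
    """Return one finding per mailto link that pre-fills a message to a
    recipient outside the domain shown in the From header.
    Assumption: domains are compared exactly, so subdomains count as foreign."""
    sender_domain = domain_of(parseaddr(from_header)[1])
    collector = MailtoCollector()
    collector.feed(html_body)  # HTMLParser unescapes &amp; inside href values
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        recipients = [unquote(r) for r in parts.path.split(",") if r]
        params = {k.lower() for k in parse_qs(parts.query)}
        prefilled = sorted(params & {"subject", "body"})
        foreign = sorted(r for r in recipients if domain_of(r) != sender_domain)
        if prefilled and foreign:
            findings.append({"recipients": foreign, "prefilled": prefilled})
    return findings


# Constructed sample message (not taken from the Malwarebytes report).
SAMPLE_FROM = "Account Team <no-reply@accounts.example.com>"
SAMPLE_HTML = """
<p>Unusual sign-in activity detected.</p>
<a href="mailto:report@mailbox.example.net?subject=Report%20The%20User&amp;body=Report%20the%20user">Report The User</a>
<a href="mailto:help@accounts.example.com">Contact support</a>
<a href="https://accounts.example.com/security">Review activity</a>
"""

if __name__ == "__main__":
    print(flag_prefilled_mailto(SAMPLE_FROM, SAMPLE_HTML))
```

A hit is a signal for quarantine or closer review, not proof of phishing: legitimate newsletters sometimes use pre-filled `mailto:` links for unsubscribe requests.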

“We have to be very clear here that anybody could have put this mail together, and may well not have anything to do with Russia directly,” the researchers write. “This is the kind of thing anyone anywhere can piece together in ten minutes flat, and mails of this nature have been bouncing around for years. But, given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason.”

Malwarebytes explains that this is a common but effective technique used in phishing attacks.

“Trying to panic people into hitting a button or click a link is an ancient social engineering tactic, but it sticks around because it works,” they write. “We’ve likely all received a ‘bank details invalid,’ or ‘mysterious payment rejected’ message at one point or another.”

“Depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff,’” the researchers write. “That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

Note how topical scams can be. Criminals and spymasters watch the news and cut their phishbait to fit current events. New-school security awareness training gives your employees a healthy sense of skepticism so they can avoid falling for social engineering attacks.

Malwarebytes has the story.