Email Security News Round-Up [October 2021]

October Is the National Cybersecurity Awareness Month

The U.S. Department of Homeland Security launched the National Cybersecurity Awareness Month 18 years ago. This annual campaign aims to raise awareness about cyber security best practices.

Phishing and cyberattacks occur every 39 seconds. Moreover, 90% of all cyberattacks stem from human error. That’s why cyber security awareness should be a top priority for companies big and small and their employees.

The 2021 campaign aimed to emphasize personal accountability and take steps to enhance cybersecurity through the following weekly topics that covered the whole month:

• Be Cyber Smart: Week one emphasized the priority of focusing on basic cyber hygiene. The first step is to back up data, create strong passwords, and use two- or multi-factor authentication. It’s also important to update software regularly and keep hard drives clean.
• Fight the Phish! Next, the campaign emphasized the importance of being cautious of emails, text, or voice messages from strangers and anonymous sources. Think before opening any suspicious emails, attachments, or links and report them if necessary.
• Explore. Experience. Share. This week aimed to engage students, unemployed people, or those seeking a career change. It promoted cybersecurity as a possible vocation.
• Cybersecurity First: The awareness month wrapped up with a campaign about prioritizing cybersecurity. Protecting your business and personal information shouldn’t be an afterthought. Thus organizations should insert best practices into the day-to-day, organize training sessions, and pay more attention to processes.

Outage and Data Leak: Is Meta Still Facebook?

On October 4 at about 11:40 a.m. Eastern time, Facebook’s users lost access to all of its facebook.com webpages, WhatsApp and Instagram. The sites began returning about six hours later.

The Facebook outage lasted almost an entire working day, causing losses for small businesses with Facebook, Instagram, and WhatsApp as primary sales and marketing platforms. The estimated amount during Facebook’s outage ranged from a few hundred dollars to over $5,000.

The outage affected over 10 million brands and businesses that advertise on Facebook and Instagram. This proves how significant Facebook’s influence is over the online economy. A minor outage means enormous losses for those relying on it. Therefore, taking business elsewhere after this would be more than justifiable. 

Facebook (now, Meta) lost about $164,000 in a single minute. At the same time, the company co-founder Mark Zuckerberg dropped out of the Forbes top five wealthiest people list, losing about $6 billion.

While the social media platform’s parent company is rebranding, the gist of the values stays the same. Privacyaffairs.com, a cybersecurity publication, claims that the sensitive data of over 1.5 billion Facebook users is on sale on the dark web.

Internet Shutdowns: How Much Freedom Do You Have?

The problem of deliberate internet shutdowns is getting worse. This year, it happened at least 50 times. Pulling the plug is a tool used by authoritarian governments to silence objections and control populations. This method has been used against citizens’ freedom, independent political views, and democracy for a while now.

Here are just a few examples from past years:

• During the 2009 Green Movement, The Iranian government was among the first to block websites.
• Egypt took this approach in 2011, depriving people of communication for months.
• Recently, Russia restricted Twitter for not removing “offensive” content about opposition figure Alexei Navalny.
• India had 127 internet shutdowns in 2020 and multiple instances in 2021, including the recent months.

To solve this issue, the democratic communities need unity from governments, large companies, and journalists ready to voice the problem for the world to face.

New Super Malware On Android Steals Data from Your Device

Dubbed TangleBot, the malware which spreads via text messages first appeared in September. It gains access to your device to:

• Steal sensitive data
• Monitor all user activity
• Listen to audio
• Use the camera
• Observe the device location
• See visited websites
• Steal login credentials

In short, the bot provides the attackers with complete information from the infected Android device. The U.S. and Canada are the primary targets.

Google Launches the Security to Workspaces Initiative

In October, Google invested in workspace security by creating their Action Team. It aims to support small business strategic advisory, digital transformation of governments, critical infrastructure, and threat intelligence.

The Action Team sets out to assist organizations in creating and implementing security strategies across hybrid environments, including on-premises, data center, and cloud infrastructure.

Google has also stated that it’ll invest $10 billion over the next five years to expand its Google Career Certificate program. It aims to train 100,000 Americans in entry-level technical fields.

Microsoft Training Programs for Community Colleges

Pushing cybersecurity awareness and education has become a trend among large companies. On October 28, Microsoft announced its plan to collaborate with community colleges across the United States. The goal is to use their potential to train entry-level cyber professionals, improving their chances in the job market. Microsoft will

• Provide free training courses for 25,000+ students and teachers in 150 U.S. community colleges
• Fill 250,000 cybersecurity jobs over the next four years
• Spread cybersecurity awareness

The corporation’s decision to collaborate with community colleges is logical. They are

• Cheaper to attend
• Located in every state
• More flexible with their curricula

Business Email Compromise (BEC) Analysis by Trend Micro

Trend Micro’s recent report states that BEC detections reached 22% in September, compared to the 5% at the beginning of the year. Another significant analysis in the research touches on name spoofing. Most of the attacks (64%) in this category targeted the Americas.

BEC scams and phishing can be challenging to detect, as they target specific recipients. Attackers seek email accounts to gain access to financial and other sensitive information linked to business operations. BEC actors can easily use such access and information for various illegal activities.

Google Disrupts a Massive YouTube-Based Phishing and Malware Campaign

Since May 2021, Google has blocked 1.6 million phishing emails from a malware campaign to hijack YouTube accounts and promote cryptocurrency scams. The company also identified 1,011 domains created for malware delivery. The latter impersonated leading tech sites, such as Cisco VPN, Games on Steam, and Luminar.

The hackers used intensive attacks, trying to infect the creators’ computers with login cookie stealing malware. The process involved around 15,000 fake accounts and over a million messages sent to targets.

A Series of Cybercrime-Related Arrests 

Phishing attacks can last days and even years. After a year of investigation, Europol arrested 106 members of an organized crime group in October. They were accused of carrying out phishing attacks to steal confidential information, gain access to bank accounts, and do SIM swapping.

While this European-based organization was significant and took at least one year to dismantle, it’s not the largest currently operating. Businesses and governments often neglect security measures, while they should start understanding the role of proactive data loss prevention measures.