NEED SUPPORT? CALL (855) 422-8283

Virtual Armour
Ransomware: Don’t Get Locked Out

Ransomware: Don’t Get Locked Out

Over the past few years, ransomware has become increasingly sophisticated and remains distressingly common. As such, all organizations need to be taking steps to shore up their cybersecurity defenses in the wake of this common and devastating threat. To help you get the information you need, we sat down with VirtualArmour SOC engineer Kurt Pritchard to discuss what ransomware is, a brief history of recent notable ransomware attacks, and what steps your organization can take to improve your cybersecurity posture.

If you have recently experienced, or are currently experiencing, a ransomware attack, please contact our team straight away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).

man locked out of his phone

What is Ransomware?

The National Cyber Security Centre in the United Kingdom defines ransomware as a type of malware that prevents legitimate end-users (such as you or your employees) from accessing a computer, tablet, or smartphone on your network or the data that is stored on the infected device. 

A ransomware attack can also spread quickly, locking users out of multiple infected machines and cutting you and your employees off from all the data stored on your local network. Once the device has been seized, and the files have been encrypted, the attacker typically demands payment (the ransom), frequently in cryptocurrencies, before promising to unlock the impacted devices and restore usability. 

However, even if the ransom is paid, the attacker may not follow through on their end, leaving many organizations with locked devices and encrypted files even once the ransom has been paid.

Even if You’re Locked Out, The Attacker Isn’t

Users also need to be aware that while the attack prevents them from accessing the impacted device, it remains fully accessible to the attacker. As such, the data stored on it may be stolen, deleted, or encrypted during the attack. Depending on the nature of the data impacted, this can lead to serious legal and regulatory issues, as well as serious reputational damage.  

Ransomware & Phishing Attacks Go Hand-in-Hand

Ransomware typically targets users using social engineering, specifically phishing attacks. During a phishing attack, the cybercriminal poses as someone the user trusts (such as their boss or the company’s bank) and then tricks them into handing over sensitive information such as usernames and passwords or granting the attacker administrative privileges. 

Doxware: A Subset of Ransomware

Doxware (also called extortionate) is a type of ransomware. However, unlike traditional ransomware, doxware typically involves seizing sensitive files and threatening to release confidential information on the open internet. Such information could include private financial records, sensitive proprietary information, or other data that organizations do not want shared freely. Another major difference between ransomware and doxware also typically targets individual sensitive files (such as financial reports), while ransomware typically targets the device’s entire hard drive.

woman locked out of her computer

Ransomware May Have Peaked in 2017, but Remains a Serious Threat

Though information from Google Trends strongly suggests that ransomware peaked in 2017 with the devastating WannaCry attack, more recent attacks such as those conducted by the cybercriminal group REvil and the supply chain attack that targeted Kaseya software users remind us that ransomware remains a serious threat. 

WannaCry: The 2017 Attack That Crippled the NHS

WannaCry targeted a number of organizations, including the National Health Service (NHS) in the United Kingdom, impacting both hospitals and doctor’s surgeries, compromising medical care for patients, and putting lives at risk. 

The WannaCry ransomware attack on the NHS ran from May 12th, 2017, to May 19th the same year and left doctors, nurses, and other healthcare professionals scrambling to care for patients while the IT system remained completely inaccessible. As a result of the attack, healthcare professionals were unable to access vital information, such as patients’ electronic documents, and critical life-saving devices such as MRI and CT scanning facilities were knocked offline. 

In total, around 230,000 computers in approximately 150 countries were impacted.

The attackers demanded $300 in Bitcoin per machine in exchange for unencrypting the impacted files. However, the attackers also introduced a time limit: If the payment wasn’t submitted within three days, it would double to $600 in Bitcoin. Unfortunately, some researchers who did pay the ransom were still unable to decrypt their files, and priceless research data was lost forever. 

WannaCry has been hailed as one of the most widespread and damaging cyberattacks to date. 

The Kaseya Attach Highlighted a New Trend in Ransomware: Supply Chain Attacks

Though WannaCry may be behind us, ransomware attacks continue to grow in both number and sophistication, with an increasing number of devices being impacted. 

One way ransomware is evolving is the recent trend of using ransomware directly, like in the case of the Kaseya attack of 2021. The group behind the attack, the Russian cybercrime group REvil, launched a ransomware attack targeting Kaseya (a cybersecurity company well known for their remote monitoring and management software) on July 2nd, 2021. However, unlike most ransomware attacks, the cybercriminals didn’t attack their victims directly but instead used Kaseya as an unknowing intermediary to target organizations that relied on Kaseya’s monitoring software. 

Unfortunately for the 200 businesses affected by the attack, Kaseya was the perfect target. According to John Hammond, a senior security researcher at Huntress, the Kaseya attack was “a colossal and devastating supply chain attack”, noting that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale businesses.” This is because Kaseya’s VSA (virtual system/server administrator) is integrated into desktops, network devices, printers, and servers – leading to a potentially limitless impact. Ransoms varied from user to user, with demands ranging from a few thousand dollars to $5 million or more per organization.

Fortunately, REvil group members were arrested in Russia last January, with the FSB (Russia’s intelligence bureau) stating that the group now “ceased to exist”

Beyond Desktops & Laptops: Ransomware Attacks Now Targeting Android Smartphones

With users relying on their phones now more than ever, ransomware attackers are taking notice. Charger, a new ransomware program specifically designed to target Android smartphones, targeted unwitting users who downloaded the EnergyRescue app (purportedly designed to enhance the battery life of phones and tablets). Impacted users were subject to a ransomware attack that began by stealing contact data and text messages from the infected device. 

Next, the ransomware program asked users to grant it administrative permissions. Once the ransomware had admin access, the ransomware would begin to run, locking users out of their devices and demanding payment. The message warned that users who failed to pay up would remain locked out (ransomware) and have portions of the private information they had stored on their phone sold on the internet “black market” every 30 minutes (doxware).

Though it is still unclear who was behind the Charger ransomware, researchers noticed that one of the first things Charger did when installed was check the device’s location settings. If the device was located in Ukraine, Russia, or Belarus, the malicious code remained dormant, suggesting the cybercriminals behind the attack may be based in Eastern Europe. 

Android’s security team has since removed the EnergyRescue app from the Play Store, and though the malware is thought to have infected only a handful of devices, it remains an important example of how ransomware is evolving and may now include both ransomware and doxware strategies in a single attack. This incident also illustrates why it is important to only download applications and other forms of software from companies and developers that you know and trust and that if something appears too good to be true, it likely is.

maqn locked out of his laptop

Safeguarding Your Business and Its Digital Assets

Ransomware remains a serious threat to organizations of all sizes and in all industries and verticals. However, there are steps you can take to improve your cybersecurity posture and better secure your organization’s data and devices. 

Trust is Key: Opt for Reputable (& Verified) App & Software Developers

Make sure you, your employees, and anyone else whose devices have access to your network are only using apps and software from trusted companies such as Microsoft or Adobe rather than unknown, potentially malicious companies. 

It also doesn’t hurt to independently verify that “new Microsoft app” was actually developed by Microsoft and not a suspicious actor looking to catch less distracted users unaware. 

Everything Has a Price: Don’t Let it Be Your Privacy or Security

Everything has a price, whether the cost is laid out upfront or not. An app that promises to give you access to normally expensive software (such as the Adobe suite or a program that promises the same functionality) for free or at a fraction of the cost should give you pause. If you aren’t paying for it, it usually means you’re the product, not the customer. 

It’s always better to opt for a paid program or app from a reputable source than to download the “free version” from an unknown or suspicious entity in the name of saving a bit of money. If the app or program is full of ransomware or other forms of malware, you could end up paying much more than you bargained for.

Read Your Emails Carefully

Before you open that file or download that form, make sure to do your due diligence and check who it is from. If the sender appears to be your boss, your bank, or another trusted entity but they are asking you to do something irregular (such as purchase a large number of gift cards, hand over your login credentials, or provide your banking details), make sure you reach out independently (such as by phone) to verify the request.

You should also look for things like typos in the domain name (such as an email from Your Trusted Bank, not Your Trusted Bank) or variations on the sender’s name. For example, if your boss is Jane Smith, and her work email is [email protected]com, but this email came from [email protected]org, [email protected]hotmail.com, or jansmith instead of janesmith, you should proceed with extreme caution and reach out to the purported sender independently for verification before you click on any links, download any files, or complete any other actions the sender has asked you to. 

If you don’t recognize the sender it’s always safer to leave the attachment unopened or the link unclicked and consider forwarding the email to your security team. Passing the email along will not only help you determine if the request is legitimate, but can help your security team track phishing attacks targeting your organization and its employees and improve security for everyone.  

Backup Everything Regularly

Ransomware attacks prey on our fear of losing critical data. By regularly backing up all data stored on your network, you may be able to recover most, if not all, of the data that you can’t currently access without having to pay the ransom. Depending on the nature of your business, and the nature of the data being stored, you may want to consider opting for a cloud system such as iCloud, Google Drive, Microsoft OneDrive, or Dropbox or consider backing up your files locally using an external hard drive. 

However, before you make your final decision, you should ensure your preferred choice complies with all relevant security, privacy, and data protection standards, such as GDPR, HIPAA, or PCI DSS.

An Up to Date Operating System is a More Secure Operating System

One of the simplest things you can do to help keep your security posture strong is to keep your operating system and other software up to date. When developers discover vulnerabilities, bugs, or other security issues with their products, they develop and release patches to fix them. However, you can only take advantage of a new security patch if you actually download it, making out-of-date software a security liability. 

Because security patches are publicly announced, everyone, including cybercriminals, now knows about the vulnerability the patch is designed to fix. As such, attackers frequently target companies running recently patched software in the hopes that not all organizations are as diligent as yours about keeping their software up to date: It’s always better to invest the 20 minutes it takes to update your software than risk compromising your operational security. 

Anti-Virus Software Still Plays a Critical Role

While many people may think antivirus software is outdated, it still plays an important role in your cybersecurity defenses when combined with other security measures. Antivirus software is just one of many tools that, when combined appropriately with other security measures, help keep your organization safe.

It Always Pays to Have a Plan & Invest in Cybersecurity Training

Should your organization fall victim to ransomware or another type of cyberattack, it is critical you have an incident response program in place to help you and your team respond swiftly and effectively. All new employees should undergo cybersecurity training as part of your onboarding process, and all employees, from the CEO downwards, should also undergo regular cybersecurity training to keep their skills and knowledge top of mind and up to date.

secure laptop

Worried About Ransomware? VirtualArmour is Here to Help!

While the internet may feel like it is becoming more like the Wild West every day, there is hope. By partnering with organizations like VirtualArmour, you can take proactive steps to shore up your defenses and keep your data safe and secure. Our team of cybersecurity experts has your back every step of the way: Whether you are looking to develop or update your incident response plan, bolster your internal IT or cybersecurity team, or respond to an ongoing cybersecurity incident, we’re always here for you: 24/7/365. For more information, please contact our team today

Suggested Reading

Cybersecurity is a complex and continually evolving field, so it is vital that you stay up to date and in the loop if you want to safeguard your organization and its data effectively.

To help you stay on top of the latest cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Common Threats (and How to Avoid Them)

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour, you can learn more about him on his LinkedIn.

Hack the Chat

Hack the Chat

Chatbots, those little customer service pop-up menus on websites that ask how they can help you, are becoming ubiquitous, changing how users interact with both websites and the businesses behind them. 

Machine-learning programs such as Siri, Alexa, Google Assistant, and website chatbots have become one of the fastest online sales generating tools businesses have at their disposal. A 2016 study by Oracle found that 80% of businesses planned to onboard customer interaction AIs to their website, and a 2019 article by Gartner predicts that by the end of 2022, a full 70% of white-collar workers will interact with conversational platforms (chatbots) daily. 

However, while website chatbots are incredibly useful, they can also pose a security risk if appropriate cybersecurity measures aren’t taken. In this article, we will discuss how chatbots can leave your organization vulnerable and explore steps your organization should be taking to secure your website chatbot.

If your organization has recently experienced, or is currently experiencing, a cybersecurity incident such as a chatbot hack, please contact our team right away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).

man speaking with online store chatbot on his phone

How Chatbots Can Improve the Customer Experience

Chatbots offer many advantages to both customers and businesses. Chatbots allow customers to independently move down the sales funnel, offer users more information about your company’s products and services, and provide your company with valuable data on customer interests. 

By taking over these functions from live staff members, businesses can free up valuable team members for other business-building activities or reallocate the funds that would have been spent on sales staff wages for other uses. Chatbots are also not constrained by reasonable shift lengths or labor laws and never need sick days or vacations.  

When implemented correctly, chatbots can:

Identify Leads in Real Time

Chatbots allow you to engage with customers while they are using your app or website, catching them when they are most engaged. It also allows customers to get answers to common questions right away (an IBM study found chatbots can handle 80% of routine tasks and customer questions) and make the entire website experience more engaging. Chatbots can also gently guide customers towards the next sales funnel stage.

Improve User Engagement

Unlike human beings, chatbots can easily engage with multiple customers at once without losing focus. They can also regularly send customers product updates and offers, offer instant responses to customer inquiries, and are available 24/7/365. They can also be programmed using multiple languages to better engage with all of your target demographics.

Collect Valuable User Data & Engage in A/B Testing

Modern marketing runs on user data, and chatbots are well-positioned to collect it. Chatbots can seamlessly gather customer data in real-time (and ask follow-up questions to gain more information), analyze the data, and provide you with the information you need to continue to improve your products or services and reach new consumers.

Chatbots also allow you to contact A/B tests simultaneously (and much faster than manual A/B testing) and swiftly provide your team with test results and the chatbot’s analysis.

woman messaging a chatbot on an online store

Chatbot Risks

Chatbots are a valuable tool, but like any digital tool, they are also vulnerable to cybercriminals. Without proper security precautions in place, chatbots can be used to:

  • Impersonate individuals 
  • Deliver ransomware and other forms of malware
  • Engage in data-theft
  • Alter data
  • Engage in phishing or whaling attacks

Many companies offer chatbot programs, but not every chatbot is as secure as it could be. Common chatbot vulnerabilities include:

Hack the Chat: How Bad Actors Are Taking Advantage of Chatbots

Before you implement a chatbot, you should ensure it meets your company’s existing security standards and make sure your team is aware of the types of attacks cybercriminals commonly use against chatbots.

Types of Chatbot Attacks

Network Hacks

Much like a burglar can creep through an unlocked window, cybercriminals can use unsecured or insufficiently secured chatbots to gain access to your network. As such, cybercriminals will frequently evaluate chatbots for potential vulnerabilities that can be exploited to gain wider network access.

Social Engineering Attacks Using Chatbots

Cybercriminals can also turn chatbots into tools of their own. If a cybercriminal already has an existing customer’s username, they may be able to leverage the chatbot in a social engineering scheme to reset the account password (granting the cybercriminal access), make unauthorized purchases, or change the payment information on the user’s account.

Real-time Chatbot Takeovers

In this scenario, a cybercriminal would have to have already infiltrated your website and be in a position to intercept customer communication via the chatbot. Because chatbots are an extension of your company, customers may let their guard down as they would around one of your human employees. 

Cybercriminals can take advantage of that presumed trust to ask users for sensitive personal information, such as social insurance numbers or credit card numbers, or direct users to send funds outside of usual payment avenues. 

Safeguard Your Website With These Chatbot Best Practices

Keep Your Software Up to Date

One of the easiest things any company can do to quickly improve their security is keep their software up to date. When software developers discover vulnerabilities, bugs, or other issues with their programs, they release patches to fix them. By downloading all security patches as soon as they become available, you can proactively safeguard your network and the digital assets stored on it. 

Unpatched software is also particularly vulnerable. Companies typically announce when a patch is released, alerting both legitimate users and cybercriminals. This can inadvertently increase a company’s chances of being targeted by cybercriminals as these criminals redirect their attention to companies that they know are using the recently patched software in the hopes of exploiting the vulnerability before all network users have downloaded the patch.

Hire an Experienced Chatbot Developer

While you may be excited to get your chatbot up and running, it pays to shop around and find a developer with chatbot security and design experience. Before you begin production, make sure to ask your developer how they plan to secure your chatbot and make sure their plan meets your high security standards.

Restrict Chatbot Use to Registered Users Only

While restricting chatbot use privileges to registered users may hinder your efforts somewhat from a sales perspective, it can pay attractive security dividends. Cybercriminals are always on the lookout for easy targets, and adding this extra layer of security both eliminates (or at least reduces) anonymity and makes your website chatbot a less appealing target. Requiring users to register with your website before using the chatbot is an easy to implement and cost-effective security measure.

Implement Two-Factor Authentication

In addition to requiring usernames and passwords, you may want to consider implementing two-factor authentication. This adds an extra layer of security during the login process, requiring users to enter two different pieces of information to verify their identity. 

This often takes the form of a strong password paired with a text message prompt or a hardware element. As such, for a cybercriminal to successfully log in to a legitimate user’s account, they would need the user’s username and password as well as access to the one-time code sent to the user’s phone or the physical hardware element attached to that user’s account.

Install a Web Application Firewall (WAF)

Web application firewalls are designed to safeguard your website from malicious traffic and harmful requests. This is critical since it could help prevent cybercriminals or their botnet from using your chatbot to inject malicious code into your network (such as during a ransomware or other malware attack). 

Implement End-to-End Encryption on Chatbot Messages

End-to-end encryption is a critical security measure and should be used both for chatbot conversations and in any context where a message is sent from one person or entity to another (including chatbot sessions, email, and internal employee chat programs). 

Implement Authentication Timeouts

This simple yet effective step, designed to limit how long a user remains logged in before they are automatically logged out, is incredibly effective. If a user remains logged in but inactive for too long, a prompt window will appear asking them to re-enter their login credentials or confirm that they are still active. The prompt window may also be designed to inform the user that they have been logged out. This simple design change can prevent crimes of opportunity, where a cybercriminal is able to take advantage of a still-logged-in user to wreak havoc. 

Self-Destructing Messages

While this may sound like something out of a spy movie, self-destructing messages are a great way to make your chatbot more secure. This security measure is just what it sounds like: either after a chat session has concluded or a select amount of time has elapsed, all messages sent to and any sensitive information shared with the chatbot is automatically erased. While some users may find this inconvenient, the inconvenience is outweighed by this approach’s security benefits.  

Put Your Chatbot to the Test With Pen Testing

As the old saying goes, the best defense is a good offense. Pen (penetration) testing involves hiring an ethical hacker (sometimes called a “white hat”) to stress test your defenses and try to break into your network. The pen tester documents any security gaps or deficiencies they find and then shares their findings and their recommendations with you and your security team once the test is complete. 

By proactively seeking out vulnerabilities, you can ensure these shortcomings are addressed before any actual cybercriminals can exploit them. 

Consider Offering a Bug Bounty

While this option can be risky because it involves actively inviting technically-savvy users to look for security issues, offering a bug bounty can also pay off. Bug bounties are just what they sound like: if a user finds a security bug and tells your team about it, you offer them a reward as a thank you. 

Chatbots can be a great way to reach customers, improve the customer experience, and help move potential customers down the sales funnel. However, like all digital tools, chatbots can pose a risk to your company’s overall security if appropriate measures aren’t taken. 

Worried Your Chatbot is A Security Liability? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. The VirtualArmour team is staffed by security experts from a wide selection of cybersecurity and IT disciplines. Whether you’re starting from scratch or improving an existing website or chatbot, our team is here to help. We offer a variety of services, including vulnerability scanning and managed firewall services.

For more information, or to start improving your company’s security posture, please contact our team

Suggested Reading List 

Cybersecurity is a complex and continually evolving field, and keeping up to date is critical if you want to safeguard your organization and its digital assets effectively. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

Subscription Model Software: Pros and Cons

Subscription Model Software: Pros and Cons

The subscription model has become increasingly popular over the last few years as apps and other services move away from one-time purchase models. Once just the domain of magazines and cheese of the month clubs, service providers in the IT and cybersecurity spaces have begun to adopt this model with increased frequency as software transitions away from being desktop-based and migrates to the cloud. In this article, we will discuss the benefits of subscription-based IT and cybersecurity platforms for users.

Cloud and managed IT and cybersecurity services, in particular, are an excellent fit for the subscription-based model. Under this model, users don’t purchase software (or software licenses) outright and instead pay a monthly fee per user. 

Complex IT systems are incredibly expensive to set up, maintain, and operate and come with steep upfront costs, putting them out of reach for most small and medium-sized businesses. Both the OPEX and CAPEX of maintaining the hardware and software needed to support complex IT and cybersecurity systems can be unpredictable, making even those SMBs with the budget to attempt a DIY approach hesitant to take this road.

woman checking her phone

Subscription Models Allow SMBs to Offload the Hassle & Expense of Maintaining Complex Infrastructure

The hardware and software needed to manage IT and cybersecurity systems is complex enough that entire teams of dedicated professionals are required to manage and support them to ensure everything is running smoothly. Should something go wrong, the entire system may grind to a halt until the experts determine what the core problem is. This is completely unacceptable for a SMB, who would need to pull critical team members away from other valuable, revenue-generating tasks to attend to the problem and pausing regular business operations until the situation is resolved. 

By offloading this stress and people-power onto a SaaS (software as a service) company, SMBs can focus on running and growing their business, knowing that if an issue should occur an entire team of dedicated professionals will address it, often before the end user even realizes something was amiss. SaaS companies have one job: to maintain the hardware and software their product needs to run smoothly so that their customers can focus on their business and leave the IT and cybersecurity up to the professionals. 

The User Benefits of Subscription-Based Software Platforms

man and woman working out a cybersecurity solution

Your Software is Always Up to Date

There is nothing worse than sitting down at your desk, ready to start the workday, and turning on your computer only to learn that your software requires updating. While many updates only require a few minutes, others can take much longer, leaving workers twiddling their thumbs while the clock ticks. And since desktop-based software requires users to manually trigger updates, many busy SMB IT managers are forced to continually remind their equally busy co-workers to update their software and download new security patches to ensure everyone is using the same version and that the network remains secure.

The subscription model addresses both of these problems by ensuring all new software updates are applied automatically, and if downtime is required, these updates can be timed so that they happen when the office is closed. This both ensures everyone is always using the same version, security patches are up to date, and eliminates time wasted while employees wait for software updates to finish. 

Get the Latest Features & Bug Fixes Instantly

Security is everyone’s responsibility, from the summer intern to the CEO. Because subscription-model software is kept up to date automatically, businesses can rest easier knowing that every device on the network has its security patches up to date. This simple action, which the SaaS provider handles for you, has outsized results when it comes to cybersecurity. 

Cybercriminals often target recently patched software, knowing that not all users will be as diligent as your business about installing security patches right away. By handing this responsibility back to the SaaS provider, your busy IT team can get this off their plate and focus on activities that build your business instead of just maintaining its infrastructure. 

Everyone is Always on the Same Page

Automatic updates also ensure that every user on the network is using the same version of every program, eliminating versioning issues across your organization. By ensuring everyone is always on the same page, you can focus on building and growing your business instead of worrying about whether your co-workers will be able to access the report you wrote or if they are seeing something different than you are when they open a file.

Dramatically Reduce Up-Front Costs

Setting up and maintaining your own IT and cybersecurity infrastructure is incredibly expensive and labor-intensive; that is why entire companies are built around providing these services for other businesses. 

The subscription model eliminates the need to purchase a bunch of expensive software licenses upfront (a not insignificant expense, even if your business only has a handful of employees). Offloading the stress and hassle of maintaining a server room or other IT or cybersecurity infrastructure also dramatically reduces CAPEX costs, and not needing to hire an entire team to manage and maintain this infrastructure drastically reduces personnel costs at the same time. 

Hiring even a single IT or cybersecurity professional to wait around in case something goes wrong is an unnecessary expense, using up funds that could be better deployed elsewhere. With the subscription model, if something goes wrong, you can breathe easy knowing an entire team of professionals, whose entire job is to make sure things go smoothly, is already on it. These service providers also invest in layers of hardware redundancy, so if something does go wrong, user traffic can be smoothly rerouted (eliminating or at least dramatically reducing downtime) while the experts get to the root of the problem.  

Shop Around Before You Commit

Software licenses can be very expensive, so you want to make sure you have chosen the right tool for the job before you hand over your business’ hard-earned funds. Because the subscription model dramatically reduces these upfront costs, it is much easier to shop around for a SaaS provider that offers a product that meets your team’s needs and plays nicely with your existing infrastructure. 

Scale Your Subscription to Meet Your Current Organizational Needs

When you purchase a software license up-front, you are often locked into a contract that lasts at least a year and may not be easy to cancel. By opting for a provider that operates using a subscription model, you are never paying for more licenses than you are actually using at any point in time, and scaling up or down to meet your organization’s shifting needs is as easy and painless as a few clicks of a button. 

Also, because SaaS subscription models are specifically designed to scale smoothly, you can avoid the headache and lost productivity associated with finding a new vendor should you outgrow your current software solution. 

Multi-Tier Approach & Personalized Options to Suit Your Needs

Every business is unique and has unique IT and cybersecurity needs and concerns that need to be addressed. Many SaaS providers offer multiple tiers for users to choose from so client companies can select the best tier to meet their needs. For example, VirtualArmour offers two tiers: essential services and premium services

Many of these services can also be personalized using an à la carte approach that allows users to pick and choose between multiple services so they can curate a package that suits their needs. This not only gives users more granularity over their solution but eliminates the need to pay for services a particular company doesn’t actually need or want. 

Subscription Model Software Makes Budgeting a Breeze

Moving CAPEX into OPEX by opting for a subscription model approach makes it much easier to budget for software expenses. When a software license is purchased outright, most companies offer users a quote based on the customer’s current number of users and (if relevant) the service tier they would require. However, a once cost-effective solution can transform into a huge financial drain if a company scales more rapidly than anticipated (thereby jumping into a higher, more expensive, user number tier) or requires a more personalized approach, achieved via pricy add-on services, than their current providers’ one-size-fits-all approach can offer (the additional cost of which the customer may not have been made aware of before committing to a one year or multi-year contract). 

Software licenses are also typically purchased on contract, meaning you pay for a full year upfront, whether you will use the full year or not. Suppose a pivot or other business change leaves you with a bunch of unnecessary software licenses. In that case, the traditional licensing approach can leave you eating the cost for the whole year, effectively paying for software you aren’t even using. The subscription model offers much more transparent pricing: You pay a set fee per user, which is communicated upfront before signing on the dotted line. If you need to add or subtract users, your price increases or decreases by the previously communicated per-user amount accordingly, and the change is reflected in your next monthly bill. 

Not having to purchase, upgrade, and maintain your own supporting hardware makes it significantly easier to allocate your infrastructure budget since you don’t need to worry about suddenly replacing damaged hardware or pouring your own money into necessary upgrades to ensure your workers can continue to do their jobs effectively. 

Build Relationships

Unlike one-time purchases, the subscription model approach also helps build relationships between providers and users. In addition to providing you with a service, subscription model providers are now invested in helping ensure you and your team are comfortable using their product and pleased with the functionality it offers since an unhappy subscription customer can quickly and easily switch to a competitor. 

Providers are also more likely to proactively solicit and consider user feedback to keep users happy. There is also a strong incentive for the provider to stay up to date on the latest industry developments and continually work to improve their product by adding more features and addressing user concerns promptly and effectively, all while sharing expert knowledge with their customers so users can get the most out of the provider’s product. 

Unlike the one-time purchase model, the subscription model is a natural relationship-building tool, encouraging ongoing communication and feedback between the user and the provider in a way that benefits both parties: providers typically enjoy higher levels of customer loyalty, while users are often given more say in future features and updates.

Reliability You Can Depend On

You have a job to do: yours, not your IT or cybersecurity teams’. The SaaS business model is predicated on making sure all users have the tools they need to do their jobs effectively at all times. To help ensure smooth, uninterrupted service, many SaaS providers invest in multiple layers of hardware redundancy and multiple secure backups (a high but necessary expense, well out of the reach of the average SMB) and employ an entire team of experts whose only goal is to keep things running smoothly. 

Redundant systems also help ensure that impacted user traffic is swiftly and smoothly rerouted until the problem is solved, a process so seamless that many end users might not even realize there was a hiccup in the first place. This allows customers to focus on their business instead of managing their own IT and cybersecurity infrastructure, hiring internal IT or cybersecurity experts using funds better spent elsewhere, or spending money on now-redundant licenses for software they may not even be using anymore. 

Need an Expert? VirtualArmour is Here to Help

Not everyone is an IT or cybersecurity expert, and that’s okay. A good SaaS provider is more than just a service provider; they are a valued partner, working with you and your team to ensure you have the tools you need to do what you do best and leave the hassle and expense of managing your IT or cybersecurity infrastructure up to a trusted team of experts. 

VirtualArmour offers a wide variety of IT and cybersecurity services, including :

We also offer three service tiers to best suit your needs: Essential services, premium services, and one-time consulting services. For more information about how we can help support your IT and cybersecurity needs, or to request your free, no-obligation quote, please contact us today

Suggested Reading List 

Cybersecurity is a complex and continually evolving field, and keeping up to date is critical if you want to safeguard your organization and its digital assets effectively. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.

If you are currently experiencing, or have recently experienced, a cybersecurity incident, please contact our team for immediate assistance and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next). Our team can help you fend off the attack, identify the root cause of the issue, and create an actionable, comprehensive plan to help mitigate or even avoid further damage.

photo of a credit card with a fishing hooks in it, symbolizing how people use phising to steal credit card information

What is Phishing?

Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number). 

Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter. 

With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.

Phishing Tactics Have Evolved

When many of us think of phishing emails, we likely still picture some scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return to helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).

The advanced-fee scam is a classic ruse that involves the threat actor asking you to help them by either transferring money to the target (purportedly for “safekeeping” or to evade authorities) while also asking you to pay a fee to help move the money with the promise that they will both send you money to cover the advanced payment and reward you handsomely for your cooperation.

Though this elaborate ruse has become cliche even outside of cybersecurity circles, unfortunately, many individuals and companies still fall for this and similar advance fee scams. A recent CNBC article found that these advanced fee scams still net cybercriminals well over $700,000 USD per year.

Why Do Phishing Scams Peak Around the Holiday Season?

Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams. 

However, it isn’t just holiday shoppers that fall for these campaigns; many businesses and other organizations of all sizes continue to fall victim to these types of attacks.

One common example of a popular business-targeted phishing scam involves sending the target an email with a domain that appears to link to the company website and contain innocuous information (such as a festive meal menu with a .doc file extension, paired with an email asking the employee to please indicate their meal preference and dietary restrictions for the company party). However, though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, virtaularmour.com’ rather than ‘virtualarmor.com’, note the transposed ‘u’ and ‘a’) indicates that this email is likely malicious and should be both flagged as spam and reported to your company’s IT or cybersecurity team.

“Smishing” (SMS Phishing) Scams Are On the Rise

Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams. 

One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).

How to Recognize (& Avoid Falling Prey To) a Smishing Attack

If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey: 

  1. Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
  2. Never click on any links or phone numbers sent from a user you don’t recognize.
  3. Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name. 
  4. Report any messages that appear suspicious to the relevant authority.
    1. In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
    2. In the United States, reports can be filed with the FCC here and FTC here.

A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.

laptop screen with phishing tactics being used on an unsuspecting user

Awareness is Critical

Education and awareness are a cornerstone of any solid cybersecurity strategy. By educating yourself and others about common scams and red flags to look for, you can help reduce the chance someone falls victim. Individual scams are often short-lived, so you need to act quickly; Verizon reports that 50% of scam targets open emails and click on phishing links within an hour of receiving a suspicious email.  

Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process. 

Vulnerability Scanning Offers Total Visibility Into Your Infrastructure

You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses. 

Social Engineering Takes Many Forms

Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails. 

As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish. 

Worried About Phishing Scams? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. VirtualArmour is full of experts like the cybersecurity engineer who helped us write this educational article. Whether you need help drafting a cybersecurity strategy, are looking for someone to monitor your network 24/7/365 for suspicious activities, or are looking to bolster your internal IT or cybersecurity team, our team is here to help. For more information, or to start improving your organization’s cybersecurity posture, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Common Threats (and How to Avoid Them)

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour, you can learn more about him on his LinkedIn.

GoDaddy: Have You Been Impacted and What to Do Next?

GoDaddy: Have You Been Impacted and What to Do Next?

On November 22, 2021, the hosting platform GoDaddy revealed that an unauthorized third party had accessed their Managed WordPress hosting environment. Unfortunately, GoDaddy isn’t unique; many hosting providers remain vulnerable to similar attacks. In this article, we will discuss what is known about the incident so far.

What We Know About the Attack So Far

GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users. 

What Happened?

On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.

In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users. 

So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:

  • The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers were accessed, which the company said may increase the chances of phishing attacks
  • The original WordPress Admin passwords set on these accounts, which were also exposed. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
  • SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
  • The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.

Six Additional Web Hosting Providers Impacted

GoDaddy has also revealed that six other web hosts have been impacted by this incident. All six are European resellers of GoDaddy’s Managed WordPress hosting services and include:

What is GoDaddy Doing to Address the Situation?

The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers. 

security camera monitoring a lobby, people need this kind of security for the web

It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable

While GoDaddy is currently in the spotlight, incidents like this are hardly unique to one hosting provider. Cybercriminals frequently target websites, and many of those attacks are targeted at web hosting accounts.

Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, VPS and cloud hosting vulnerabilities:

General Web Hosting Vulnerabilities

Botnet-Building Attempts

This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations. 

Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.

DDoS Attacks

DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.

Web Server Misconfigurations

Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications. 

Incorrectly configured servers may also be unable to accurately verify access rights, and hiding restricted functions or links to the URL alone is unlikely to deter attackers. This is because attackers are likely technologically savvy enough to guess the probable parameters and typical locations of this sensitive information and then simply use brute-force attacks to gain access. 

Shared Hosting Vulnerabilities

If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server. 

Non-Siloed Environments

Organizations that op for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.

Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.

Software Vulnerabilities

All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.

Malware (Including Ransomware)

Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.

Shared IP Addresses

Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well. 

This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.

woman review her computer settings and ensuring her cyber security are correct.

VPS & Cloud Hosting Vulnerabilities

Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods. 

Cross-Site Security Forgery

Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure. 

During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password. 

This works because the attacker has already queued up the action they wish to perform (such as transferring funds) and because the credentials are saved when the unsuspecting user clicks the link, they are automatically logged in (because their credentials are saved), and the application will go ahead and complete the action before the user is even aware of what happened.

This can be particularly devastating on admin accounts and can compromise the entire web application. 

SQL Injections

SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server. 

This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels. 

Exploiting XSS Flaws

Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites. 

Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.

Insecure Cryptography

Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.  

Virtual Machine Vulnerabilities

Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure. 

Supply Chain Weaknesses

One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.

Insecure APIs

APIs (application user interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly. 

Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.

Steps You Can Take to Protect Your Organization & Your Website

In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole. 

Website Best Practices 

One of the best things you can do to safeguard your website is to make sure you are following website security best practices

For Static Sites

If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are altered any time your site undergoes an unexpected content change. 

By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.

For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)

There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.  

You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.

Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially installs a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action. 

You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.

Interview Your Hosting Provider & Review Your SLA Carefully

The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity, in particular, offer no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.

  1. Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
  2. Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
  3. Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it. 

You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.

You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks. 

Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees

When it comes to cybersecurity, it is always best to be proactive instead of reactive. A robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping limit damage and make your recovery smoother.

For more information, please consider reading our educational guide on creating an effective incident response plan

Beware of Possible Phishing Scams

In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.

Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

The Growing Trend of “Hacktivism”, & What it Means for Businesses

The Growing Trend of “Hacktivism”, & What it Means for Businesses

When most people think of a hacker, they think of a loner hiding in a dark basement, destroying computer systems and other digital resources for personal financial gain, or a sophisticated computer whiz employed by a foreign government up to no good. 

However, in recent years, a growing number of hackers have been putting their skills to use for a different reason: activism. This trend, dubbed “hacktivism”, is on the rise and can have serious consequences for businesses of all sizes in all verticals and industries. 

computer with hacktivism on the front screen

What is Hacktivism?

Information security researcher Dorothy Denning defines hacktivism as “the marriage of hacking and activism”, more specifically, using computers to achieve a political agenda through legally ambiguous means. As a general rule, hacktivism aims to obstruct normal computer and business activities in some way but, unlike other forms of hacking, does not necessarily aim to cause permanent injury or significant financial loss and is rarely motivated by financial gain. 

Hacktivism Can Be a Force for Good….

When most readers think of hacktivism, they think of large-scale political movements and revolutions such as the Arab Spring, which depended at least in part on technology and hacktivism. 

In 2011, when young protesters took to the streets in cities across the Middle East to rally against oppressive governments, some who had held power for decades, they were emboldened and assisted by technology. In the eyes of some, WikiLeaks and Anonymous played a key role in creating the social conditions that allowed the Arab Spring to happen by posting damning secret government documents online before the protests began. 

A specific example of this hacktivism was the uprising in Tunisia, which was initially largely ignored by the foreign media. When members of Anonymous realized the significance of the uprising, they partnered with Tunisian dissidents to help them share videos of what was really going on on the ground with the outside world. They also created a “care packet” (available in English, Arabic, and French) that offered dissidents advice on how to conceal their identities on the internet to avoid detection by the former Tunisian regime’s cyberpolice.

Though most believe the Arab Spring to be a positive and necessary step, the hacktivism that accompanied it, particularly the act of disclosing confidential documents and personnel files indiscriminately, could endanger lives. Anonymous and similar hacktivist organizations do not always carefully vet what information they release, which could inadvertently expose innocent individuals to cybersecurity threats.

… But it Frequently Harms Innocent Organizations & Individuals

The goal of most hacktivists is to draw attention to a particular cause using virtual political activism. This can be a noble goal, as demonstrated during the Tunisian uprising, but not all hacktivists are so altruistic. Unfortunately, many hacktivists are also not particularly concerned about avoiding collateral damage while carrying out their activist activities, and innocent parties can be caught in the crossfire. 

For example, while protesting the recent police actions on the Bay Area Rapid Transit (BART) system in San Francisco, a hacktivist posted the full names, addresses, and cell phone numbers of cover 2000 MyBART subscribers (ordinary transit users) online, increasing their chances of being targeted by identity thieves and other criminals. 

In a recent article by PC World, a former member of Anonymous called “SparkyBlaze” admitted that he was “fed up with [Anonymous] putting people’s data online and then claiming to be the big heroes.” He also stated that “Getting files and giving them to WikiLeaks, that sort of thing does hurt governments. But putting user names and passwords on a Pastebin doesn’t [affect governments], and posting the info of the people you fight for is just wrong.”

While some hacktivist organizations, like other activist organizations, might be doing real good, too many are using the guise of activism to cause significant harm to innocent organizations and individuals. 

As one article published in the Journal of Human Rights Practice puts it, unlike more familiar forms of activism, hacktivism can often be anonymous, allowing it to operate with a kind of impunity afforded by technology. As such, hacktivists are accountable to no one, not even organizations, groups, and individuals they aim to help, which is deeply problematic

Many hacktivist organizations, including Anonymous and WikiLeaks, engage in highly questionable activities, which they are able to do because of the anonymous nature of hacktivism. Since there is no way to hold individuals accountable, they are incredibly dangerous, both for the problematic organizations and governments they target and for the rest of us. 

large crowd protesting

A Brief History of Hacktivism: Six Infamous Events

While hacking has been around since the 1950s, hacktivism as a concept didn’t really emerge until 1989, when the first “hacktivist” action (referred to as Worms Against Nuclear Killers) took place. 

Worms Against Nuclear Killers (1989)

The 1989 attack, which many believe to be the work of Melbourne-based hackers “Electron” and “Pheonix”, used a malware worm to infiltrate computers at both NASA and the US Energy Department. The worm altered the login screen of infected computers to display the message ”Worms Against Nuclear Killers” and was fueled by rising anti-nuclear sentiment. A second worm, called OILZ, was also deployed and contained bugs designed to prevent access to accounts and files by changing passwords. The goal of this attack was to attempt to shut down the DECnet computer network in the days before a NASA launch, causing disruption and costing roughly half a million dollars in damages and lost time.

Hacktivism has only grown in both scope and influence. Other influential campaigns include:

Hacktivismo Declaration (2001)

Hactivismo, an offshoot of the hacker group Cult of the Dead Cow (cDc), emerged when they released their declaration that aimed to elevate freedom of speech. During this event, the group explicitly attempted to both engage in civil disobedience and explain their reasoning behind their actions. 

The declaration released by Hactivismo cited two United Nations’ documents: the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, and included an FAQ that stated that the main purpose of their actions was to “cite some internationally recognized documents that equate access of information with human and political rights”.

As a result of their declaration, this group aimed to create both moral and legal grounds for future hacktivists to launch their campaigns. The group went on to release a web browser, called Peekabooty, that prevents censorship from nation-sates that deny or restrict internet access. 

Project Chanology (2008)

When a video of actor Tom Cruise voicing his affiliation with the Church of Scientology appeared on YouTube, the church forced the video hosting platform to remove it. In response to the censorship, Anonymous launched a DDoS (Distributed Denial of Service) attack against the Church of Scientology website, which was also defaced. A series of prank calls and black faxes followed the DDoS attack, and Anonymous also distributed private church documents stolen from Scientology computers during a doxxing attack

The hacktivist actions were also paired with in-person protests across the country where protesters donned the now infamous Guy Fawks masks associated with Anonymous

US Executive Branch Attack (2013)

Presumably believed to be associated with Syrian President Bashar al-Assad, the Syrian Electronic Army (SEA) has carried out a number of attacks using both spear-phishing and DDoS attacks designed to compromise and deface government, media, and privately-held organizational websites. 

The group successfully released a fake tweet claiming that an explosion at the White House had injured the President. After the tweet went live, the Dow briefly plunged 140 points. In 2016, the FBI charged two SEA-affiliated individuals with the attack.

Clinton Emails Leak (2016)

This attack, a joint venture between WikiLeaks and Russia’s foreign military intelligence directorate Glavnoye Razvedyvatel’noye Upravleniye (GRU), focused on emails between then-presidential candidate Hilary Clinton and her campaign manager. The emails were illegally obtained by GRU and released by WikiLeaks, and the goal was to discredit Ms. Clinton in order to further the campaign of her opponent Donald Trump.

Hackers used spear-phishing emails to steal credentials from DNC members and gain unauthorized access to the emails. The campaign significantly impacted the Clinton campaign and may have contributed to her loss. Following the leak, the US Department of Justice indicted 12 Russian hackers for the incident.

Black Lives Matter Movement (2020)

While the BLM (Black Lives Matter) movement reaches beyond the realm of hacktivism, the group Anonymous did throw their weight behind this movement protesting police corruption following the death of George Floyd. The group had also voiced similar condemnations in the past following the murders of Michael Brown and 12-year-old Tamir Rice.

In support of the social-justice-focused BLM movement, Anonymous released a video on Twitter that specifically criticized the Minneapolis police department in the wake of the shooting. As a result of the video, Anonymous’ Twitter account gained 3.5 million new followers in the following days, and the campaign has been linked to a series of DDoS attacks that briefly shut down the Minneapolis police department website, its parent website, and the Buffalo, New York government website over the course of a single weekend.

How Hacktivism Harms Businesses

While some hacktivist activities, such as creating open-source software that allows people in China to circumvent government censorship, are arguably good, we have seen that hacktivism also has a dark side. 

Hackers of all stripes, including some hacktivists, often use open-source hacking tools to penetrate networks with the goal of paralyzing or destroying legitimate businesses. This can be done for a variety of reasons, including retaliatory action in the case of George Hotz.

Sony vs Hotz

In 2010, then-teenage researcher George Hotz (now President at comma.ai) was able to reverse-engineer the Sony private key and published it online. This allowed almost anyone with an internet connection to rewrite Sony’s firmware and classify themselves as a developer on the Sony network, gaining free access to all of Sony’s online games. This action adheres to the philosophy that many hacktivists and other hackers share, which deems that all information, even proprietary information, should be free. 

In response to his actions, Sony sued Hotz, which attracted the attention of hacktivists. The company was targeted by several DDoS attacks and a data breach, which exposed the credit card numbers of 12 million innocent customers, as well as 75,000 “music codes” and 3.5 million “music coupons”, resulting in massive financial losses for the company. All and all, Sony estimates they lost about $173 million, including the cost of increased customer support, incentives to woo customers back, legal costs, loss of sales, and the costs to improve their cybersecurity systems. 

Ultimately, regardless of the goal of the hacktivist organization, gaining unauthorized access to a company’s network or other digital assets is wrong, and companies need to take steps to ensure their cybersecurity posture is robust enough to thwart attacks and avoid or at least minimize damage. 

Is your organization prepared? For more information, or to start crafting your incident response plan, please contact our team today.

Suggested Reading

Cybersecurity is complicated, and the field continues to evolve to respond to new threats, and keeping up to date is critical for safeguarding your organization and its digital assets. To help you expand your knowledge and stay up to date, please consider visiting our blog and reviewing these suggested educational articles and resources.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)