The recently released FBI Internet Crime Report 2019 alerts the public to current threats. It’s also useful data for MSSPs looking for insights from law enforcement on recent and ongoing criminal activity. Three of the top issues of most interest to MSSPs are tech support fraud, ransomware and phishing. While none of these is new to the threatscape, they’re all picking up in intensity.

The FBI reports that losses from tech support fraud in 2019 topped $54 million, up 40% from a year ago. The agency received 13,633 complaints about this issue from victims in 48 countries.

Tech-Support Scams

Comparitech’s Paul Bischoff

“Tech-support scams are a fast-growing problem according to the Bureau’s report. Microsoft is the most commonly impersonated company in these scams, and given that it leaked a huge customer service database earlier this year, that’s likely to continue,” said Paul Bischoff, lead researcher and privacy advocate with Comparitech.

The Microsoft customer service database leak Bischoff is referencing exposed 250 million Microsoft customer-service and support records over a 14-year period. No password or user authentication was required for anyone to see all of that data from a web browser. The potential for subsequent personalized tech support scams, phishing, spearphishing and whale phishing attacks is almost incalculable.

There’s an increase in the creativity behind such attacks as well. The FBI report cites some of the most recent as criminals posing as customer support for well-known travel industry companies, financial institutions or virtual currency exchanges.

However, there’s no downtick in more traditional tech support threat attacks including “email or bank account, a virus on a computer, or a software license renewal,” according to the report.

Ransomware

Ransomware attacks are increasing, and some say the number of such attacks exceed that which the FBI reported. But the consensus remains strong — ransomware remains a top threat.

“The FBI received 2,047 ransomware complaints accounting for losses of $8.9 million. I don’t know how the FBI adjusts for losses, but that seems like a very conservative estimate,” said Bischoff.

The FBI discourages paying the ransom in such attacks as the success only serves to encourage criminals to attack even more organizations. However, the FBI says in its report that if an organization does elect to pay the ransom it should also report the incident to the FBI and request assistance.

Ransomware attacks are particularly debilitating to organizations without the proper backups and restore plans in place prior to the incident. But even then, criminals are constantly adapting. For example, now ransomware attacks backups too.

Attackers are also targeting third parties for access to bigger organizations. On Feb. 11, NRC Health was hit by a ransomware attack, effectively expanding the threat to health-care institutions via third-party attack vectors. NRC Health collects patient satisfaction survey data that is used to determine doctors pay and Medicare reimbursements for hospitals.

BitSight’s Jake Olcott

“This incident isn’t just a wake-up call for NRC Health to better manage their own cyber risk, but it should sound the alarms for the hospitals and health systems that leverage their tools. Instead of breaking through the walls of hospitals and health systems, criminals now realize that an easier path to disruption is through a trusted vendor,” said Jake Olcott, vice president of BitSight, a security ratings company

“Supply-chain risk management must be a priority for the health care organizations that rely on an ever-growing ecosystem of vendors for day-to-day operations — and that starts with immediately assessing the security of those vendors and continuously monitoring their performance,” Olcott added.

But it’s not just …

… the health care industry that is suffering from an increase in ransomware activity.

In one recent example, a pipeline operator was hit with ransomware. The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm across all critical U.S. infrastructure sectors. The agency said the attacker used spearphishing to access to the natural gas compression facility’s information IT network before attacking its OT network too.

Virsec’s Saurabh Sharma

“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness and human mistakes continue to expose critical infrastructure to attack,” said Saurabh Sharma, VP at critical infrastructure cybersecurity provider Virsec.

“While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Sharma added.

Phishing on the Upswing

Phishing in all its forms is now commonplace and far too often successful given it relies on human misjudgments and errors.

“Phishing is far and away the most common type of cyber crime, with nearly double the number of victims as second-place non-payment scams, according to the FBI report. For criminals, phishing is cheap, easy, difficult to trace, and often effective. It frequently leads to other types of attacks, including ransomware, data breaches, identity theft and email account compromise,” said Bischoff.

The FBI reported its IC3 received 23,775 Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints with adjusted losses of over $1.7 billion. The biggest increase noted was in the diversion of payroll funds.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a prepaid card account,” wrote the FBI authors of the report.

MSPs will need to continue and even add more training services to help customers thwart phishing attacks. The bad news is that phishing will continue to accelerate, but the good news is that antiphishing training will continue to be a recurring source of revenue for MSSPs.

“Phishing leverages the weakest point of cybersecurity: humans. No matter how much technology we put into protecting data and computer systems, it seems human error will always be a threat. I think anti-phishing awareness and staff training should be a top priority for businesses in particular,” said Bischoff.