New FBI Report Reveals Cyberthreats with New Twists
… the health care industry that is suffering from an increase in ransomware activity.
In one recent example, a pipeline operator was hit with ransomware. The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm across all critical U.S. infrastructure sectors. The agency said the attacker used spearphishing to gain access to the natural gas compression facility’s IT network before attacking its OT network too.

“This alert highlights a growing problem across the industrial control space. While many organizations operate under the assumption that their ICS systems are isolated, increased connectivity, poor security awareness and human mistakes continue to expose critical infrastructure to attack,” said Saurabh Sharma, VP at critical infrastructure cybersecurity provider Virsec.
“While the effect of these attacks might not be catastrophic, ransomware can cause significant disruption, bring systems down, and further erode the public’s confidence in the security of our critical systems,” Sharma added.
Phishing on the Upswing
Phishing in all its forms is now commonplace and far too often successful, given that it relies on human misjudgments and errors.
“Phishing is far and away the most common type of cyber crime, with nearly double the number of victims as second-place non-payment scams, according to the FBI report. For criminals, phishing is cheap, easy, difficult to trace, and often effective. It frequently leads to other types of attacks, including ransomware, data breaches, identity theft and email account compromise,” said Bischoff.
The FBI reported its IC3 received 23,775 Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints with adjusted losses of over $1.7 billion. The biggest increase noted was in the diversion of payroll funds.
“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a prepaid card account,” wrote the FBI authors of the report.
MSPs will need to continue offering, and even expand, training services to help customers thwart phishing attacks. The bad news is that phishing will continue to accelerate, but the good news is that anti-phishing training will continue to be a recurring source of revenue for MSSPs.
“Phishing leverages the weakest point of cybersecurity: humans. No matter how much technology we put into protecting data and computer systems, it seems human error will always be a threat. I think anti-phishing awareness and staff training should be a top priority for businesses in particular,” said Bischoff.